Rage Against the Cage and z4root No Longer Work

May 31, 2012

RATC (Rage Against the Cage) and z4root are perhaps the most widely published root exploits on the internet, covering a slew of devices: Samsung, HTC, Motorola, whatever. Many root procedures on the internet are based on this same premise.

Essentially, this family of exploits works like this: drop a fork bomb to exhaust the process limit, kill adbd, and when it restarts as root its setuid() call to drop privileges fails, so it cannot de-escalate and keeps running as root.
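The defence against this whole class is simply to treat a failed privilege drop as fatal, which is what the AOSP commit quoted further down does. As an added example (not adbd or AOSP code; the function names verify_dropped and drop_privileges_to are hypothetical), here is a privilege drop that checks every return value and then re-reads the ids from the kernel before carrying on:

```c
#define _GNU_SOURCE            /* for getresuid()/getresgid() on glibc */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Added example (not adbd or AOSP code): a privilege drop that refuses to
 * continue unless the kernel confirms the new ids. Names are hypothetical. */

/* Return 0 if real, effective and saved uid/gid all equal the targets,
 * -1 otherwise. */
int verify_dropped(uid_t uid, gid_t gid)
{
    uid_t ruid, euid, suid;
    gid_t rgid, egid, sgid;

    if (getresuid(&ruid, &euid, &suid) != 0 || getresgid(&rgid, &egid, &sgid) != 0)
        return -1;
    if (ruid != uid || euid != uid || suid != uid)
        return -1;
    if (rgid != gid || egid != gid || sgid != gid)
        return -1;
    return 0;
}

/* Drop to uid:gid. Returns 0 on success, -1 on failure; the caller must
 * treat -1 as fatal rather than carry on with whatever ids it still has. */
int drop_privileges_to(uid_t uid, gid_t gid)
{
    /* Group first: once the uid is unprivileged, setgid() can no longer succeed. */
    if (setgid(gid) != 0) {
        fprintf(stderr, "setgid(%lu) failed: %s\n", (unsigned long)gid, strerror(errno));
        return -1;
    }
    /* This is the call the exploit relies on failing silently (e.g. EAGAIN
     * when the per-user process limit is exhausted). */
    if (setuid(uid) != 0) {
        fprintf(stderr, "setuid(%lu) failed: %s\n", (unsigned long)uid, strerror(errno));
        return -1;
    }
    /* Do not trust the return codes alone: re-read the ids from the kernel. */
    if (verify_dropped(uid, gid) != 0) {
        fprintf(stderr, "drop to %lu:%lu did not take effect\n",
                (unsigned long)uid, (unsigned long)gid);
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Dropping to our own ids is a no-op that still exercises every check. */
    if (drop_privileges_to(getuid(), getgid()) != 0)
        return 1;
    printf("running as %lu:%lu, drop verified\n",
           (unsigned long)getuid(), (unsigned long)getgid());
    return 0;
}
```

The extra verify_dropped() step is what the original adbd code lacked: even with the return values checked, re-reading the real, effective and saved ids catches any path where the drop did not fully take effect.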

A half-baked and non-functioning attempt at reproducing the binaries in source code is here.

But a commit to AOSP in late 2010 broke the exploit. This is from Nick Kralevich at Google:

git show 44db990d3a4ce0edbdd16fa7ac20693ef601b723
commit 44db990d3a4ce0edbdd16fa7ac20693ef601b723
Author: Nick Kralevich <nnk@google.com>
Date:   Fri Aug 27 14:35:07 2010 -0700

    Fix bug 2950316.  Check return values.
   
    Change-Id: I687bb5fb8195d4c1fc863e32a5e233a8b9e74196

..... [jameson] redacted ....

         /* then switch user and group to "shell" */
-        setgid(AID_SHELL);
-        setuid(AID_SHELL);
+        if (setgid(AID_SHELL) != 0) {
+            exit(1);
+        }
+        if (setuid(AID_SHELL) != 0) {
+            exit(1);
+        }
 
         /* set CAP_SYS_BOOT capability, so "adb reboot" will succeed */
         header.version = _LINUX_CAPABILITY_VERSION;
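Review bot: the new exit(1) paths carry no diagnostic, so an adbd that refuses to start (the intended outcome when setuid() fails) leaves nothing in the log to explain why; log errno before exiting, e.g. `if (setuid(AID_SHELL) != 0) { /* log strerror(errno) */ exit(1); }`. The order of the checks is right: setgid() must run before setuid(), because once the uid is already AID_SHELL a later setgid() would itself fail with EPERM.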
