Tuesday, January 28, 2014

[History] How the Droid was Rooted topic

Originally written by Evan Charlton; however, his site is down, and I'm preserving this here for "history".

Quote:

Posted: Monday, Dec 14 2009
How Droid Was Rooted

As you may (or may not) know, the Verizon Droid was recently rooted. That is to say that the average user can get root/superuser access on the device. Here's how it was pulled off:

In Android, updates must be signed by a known private key in order for the phone to install them. The recovery image checks these updates and installs (or does not install) these binaries. In Android 2.0, this code was rewritten for some reason. Here's what a certain portion of the vulnerable file (now fixed) looks like:

    int i;
    for (i = 4; i < eocd_size-3; ++i) {
        if (eocd[i  ] == 0x50 && eocd[i+1] == 0x4b &&
            eocd[i+2] == 0x05 && eocd[i+1] == 0x06) {
            // if the sequence $50 $4b $05 $06 appears anywhere after
            // the real one, minzip will find the later (wrong) one,
            // which could be exploitable.  Fail verification if
            // this sequence occurs anywhere after the real one.
            LOGE("EOCD marker occurs after start of EOCD\n");
            fclose(f);
            return VERIFY_FAILURE;
        }
    }

It's important to know what happens with verification. First, the zip's signing key is verified. This is located at the beginning of the file. Next, the file is read from the end backwards until it finds a certain series of bytes, known as EOCD (end-of-central-directory). The author correctly noted that you could get around this by sticking two .zips together--the first one would have the correct signature and the second one would be the one applied, and they put in a check for it.

However, they made a crucial typo in this line of code:

    if (eocd[i  ] == 0x50 && eocd[i+1] == 0x4b && eocd[i+2] == 0x05 && eocd[i+1] == 0x06) {

If you still don't see it, look at the offsets. Here is why the check fails:

    if (foo == 1 && foo == 2) {
        // there's an exploit!
        // note that the above condition is never true
    }

With that discovered, all that had to happen was getting a signed zip from Verizon and then sticking a payload zip on the end (it's a tiny bit more difficult than that, but that's the general idea).

Just to clarify: I can claim no credit for this hack. Zinx created the magical zip (but wants it to be known that he did not find the exploit).




Proper link for the fixed file: http://androidxref.com/2.1/xref/boot...ery/verifier.c
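Added example (my own code, not from the original post or from AOSP's verifier.c): the buggy marker test beside the intended one, run over a constructed EOCD region, so you can see that the typo makes the "second EOCD" check silently pass. The buffers and function names are assumptions for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Buggy test from the post: the fourth byte is read from eocd[i+1] instead
 * of eocd[i+3], so one byte must equal both 0x4b and 0x06: never true. */
static int stray_eocd_buggy(const uint8_t *eocd, size_t eocd_size)
{
    size_t i;
    for (i = 4; i + 3 < eocd_size; ++i) {
        if (eocd[i] == 0x50 && eocd[i+1] == 0x4b &&
            eocd[i+2] == 0x05 && eocd[i+1] == 0x06)
            return 1;
    }
    return 0;
}

/* Intended test: the fourth marker byte lives at offset i+3. */
static int stray_eocd_fixed(const uint8_t *eocd, size_t eocd_size)
{
    size_t i;
    for (i = 4; i + 3 < eocd_size; ++i) {
        if (eocd[i] == 0x50 && eocd[i+1] == 0x4b &&
            eocd[i+2] == 0x05 && eocd[i+3] == 0x06)
            return 1;
    }
    return 0;
}

/* Constructed EOCD region (not a real update): the genuine marker at offset
 * 0, filler, then a second marker that a backwards search would hit first. */
static const uint8_t kWithStray[] = {
    0x50, 0x4b, 0x05, 0x06, 0x00, 0x00, 0x00, 0x00,
    0x50, 0x4b, 0x05, 0x06, 0x00, 0x00, 0x00, 0x00
};
/* Same layout with no second marker. */
static const uint8_t kClean[] = {
    0x50, 0x4b, 0x05, 0x06, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
};

int main(void)
{
    printf("buggy=%d fixed=%d clean=%d\n",
           stray_eocd_buggy(kWithStray, sizeof kWithStray),
           stray_eocd_fixed(kWithStray, sizeof kWithStray),
           stray_eocd_fixed(kClean, sizeof kClean)); /* prints 0 1 0 */
    return 0;
}
```

The buggy scanner reports nothing even with a second marker present, which is exactly why the concatenated-zip check never fired.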




