John Wu
9 Feb, 5 tweets, 2 min read
Remember when I said using SELinux permissive is really bad? Here is a privilege escalation PoC where the only requirement is SELinux permissive. If you are still releasing custom ROMs/kernels with permissive, YOU ARE LITERALLY BACKDOORING YOUR USERS!
github.com/vvb2060/Magica
In this PoC, when you press install, it will gain (restricted yet still powerful) root access in a service and install Magisk to your boot image. This demo shows that any ARBITRARY app, including malware, can PERMANENTLY root your device without your consent and permission.
Imagine this scenario: you are using a custom kernel that ships with SELinux permissive. You accidentally install malware using this loophole. The malware installs a modified "malicious Magisk" to permanently gain full root access. BOOM, your device is now #pwned.
Please help spread this information! We should stop the toxic and irresponsible mentality of releasing SELinux permissive ROMs/kernels in this community. You should never, *EVER* switch to permissive unless actually doing development/debugging.
I had shared a longer technical explanation on Reddit: reddit.com/r/Android/comm…
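An added check, not part of the thread: a small shell helper a ROM or kernel maintainer can run over adb to confirm a build is actually enforcing. It assumes adb is on PATH and that `/sys/fs/selinux/enforce` and `/proc/cmdline` are readable from the adb shell; the classification function itself runs offline on constructed input.

```bash
#!/bin/sh
# Added example (not from the thread). Classifies a device's SELinux mode from
# two values a maintainer can read over adb:
#   - /sys/fs/selinux/enforce: "1" = enforcing, "0" = permissive
#   - /proc/cmdline: androidboot.selinux=permissive means the kernel booted permissive
# Prints "enforcing", "permissive" or "unknown"; exit status 0 only when enforcing.
classify_selinux() {
  enforce="$1"
  cmdline="$2"
  # A kernel command line that forces permissive overrides everything else.
  case "$cmdline" in
    *androidboot.selinux=permissive*) echo permissive; return 1 ;;
  esac
  case "$enforce" in
    1) echo enforcing; return 0 ;;
    0) echo permissive; return 1 ;;
    *) echo unknown; return 2 ;;
  esac
}

# Live check against the connected device (assumes adb is on PATH).
check_device() {
  enforce=$(adb shell cat /sys/fs/selinux/enforce 2>/dev/null | tr -d '\r\n')
  cmdline=$(adb shell cat /proc/cmdline 2>/dev/null | tr -d '\r\n')
  classify_selinux "$enforce" "$cmdline"
}

# Run the live check only when invoked as: sh selinux_check.sh check
if [ "$1" = "check" ]; then
  check_device
fi
```

Anything other than "enforcing" from a release build is the condition the thread warns about.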
More from @topjohnwu

30 Aug 20
Watching LPC 2020, Android 12 is going to ship with GKIs (Generic Kernel Image), making interesting implications for Android security. Just like iOS, security researchers can focus on a single kernel across all Android devices. This makes exploit based root much more practical.
This could be the next step forward for the Android rooting ecosystem as no bootloader unlock would be required. This basically makes all the recent SafetyNet changes useless, and since we compromise the kernel, no easy detection can work when we root with vulnerabilities.
However, I would say most interesting vulnerabilities might not be in the core Linux kernel itself. Most likely they will exist in vendor specific modules. So I still think userspace root (such as Magisk) will still be mainstream going into the future.
11 Aug 20
I'd like to address the increasing complaints of the "Magisk is too bloated" argument.

Right off the bat: Magisk is first a systemless module framework, and then a root solution. Root is trivial with the foundation of the systemless infrastructure Magisk has created.
With the increasing complexity of modern Android, unless you build a custom ROM changing the code, you HAVE to rely on all the "bloat" to achieve root, period. People might not realize how difficult things have become, and unfairly compare Magisk to "the good old root software".
So the REAL bloat in Magisk is MagiskHide, and I agree it is such a dirty hack. However, if you look at the grand picture, at least in previous years, I would say 80% of users *EXPECT* root to be hidden. You cannot achieve hiding without it deeply integrated into the framework.
11 Mar 20
FAQ regarding new SafetyNet changes:

Q1: SafetyNet is passing fine on my device
A1: It seems this new measure is not fully enforced, most likely to prevent false negatives. If your device is old, or somehow key attestation fails in keymaster HAL, SN will simply ignore it
Q2: <insert name> Xposed/Riru module allows me to pass SafetyNet
A2: The SN test in Magisk Manager is technically *not* a proper attestation. Proper SafetyNet checks will verify results on a remote server, not on device which can be manipulated by code injection frameworks
Q3: Can't we just create a fake SafetyNet test result?
A3: Nope, SafetyNet responses come from Google servers and are signed with Google's private key, which we do not have access to.
11 Mar 20
So here we go, after years of fun messing around using Magisk, it seems that Google FINALLY decided to "fix" SafetyNet to something useful, and that is to use key attestation to verify device status (after 3 years since introduced to Android's platform!)
From what we've seen so far, key attestation doesn't seem to be fully enforced yet, as devices with incompatible, potentially buggy(?) keymaster implementations (e.g. some OnePlus devices) that result in attest key cmd failures still pass SafetyNet regardless.
To hack this thing, you have to either find a vulnerability in TEE firmware (which will be patched ASAP once found) or hardware (less likely to happen) to break the cryptography.

Breaking TEE won't be easy, which is why many security researchers are actively working on it.
25 Feb 20
Addressing some valid criticism people had on Magisk: there never seems to be a universally "stable" release.

Unfortunately, there are so many moving parts in Magisk that even if unit tests exist, they still cannot cover the full functionality of it.
For projects like Linux, they branch the source code each release. The community tests/reports bugs for a specific branch, and bug fixes will be pushed to each release branch.

Linux maintainers will pick a release as "Long-Term Support", and that specific kernel version will receive bug fixes for many years down the road. Basically, users who need a rock solid kernel and want to perform an upgrade to a specific LTS release will thoroughly test the LTS branch chosen using their own setup, report/fix bugs, then finally switch to the new version.
19 Feb 20
Just flashed Android 11 on my Pixel 4 XL, there's a new partition named system_ext, which I think is part of early boot partitions. Would need to update MagiskInit for that...
Great, device won't boot. If partial source code is out, will check that, otherwise time for some very "fun" trial and error since pre-init is basically impossible to properly debug 😂
Hats off to Android engineers who gave me this kind of excitement every year LOL. Gonna head out to do some real world crap, will continue hacking after heading back home throughout this whole day.