Exploit.Linux.Lotoor.b

Technical Details

This program is conditionally malicious software that grants superuser privileges to the user on devices running the Android operating system by exploiting a vulnerability in the security system (CVE-2009-1185).


Installation


This exploit program has to be placed in one of the following directories to ensure that it is launched:

/sqlite_stmt_journals/
or
/data/local/tmp

The following permissions are assigned to the file before it is launched:
-rwxr-xr-x

Payload

If the real user ID of the current process does not match its effective user ID, the exploit attempts to assign "root" privileges to the process and then deletes the following files:

/sqlite_stmt_journals/data
/sqlite_stmt_journals/hotplug
/sqlite_stmt_journals/loading
/sqlite_stmt_journals/mount
/sqlite_stmt_journals/fs_type
/data/local/tmp/data
/data/local/tmp/hotplug
/data/local/tmp/loading
/data/local/tmp/mount
/data/local/tmp/fs_type
/data/data/com.corner23.android.universalandroot/files/data
/data/data/com.corner23.android.universalandroot/files/hotplug
/data/data/com.corner23.android.universalandroot/files/loading
/data/data/com.corner23.android.universalandroot/files/mount
/data/data/com.corner23.android.universalandroot/files/fs_type

It then executes commands passed to the exploit as command-line parameters. If an error occurs when executing such a command, the exploit displays the following message:
[-] execve

If an error occurs at the following step, the exploit displays the following message:
[-] readlink

If the user ID has not been set for this file, or if the effective user ID equals "0", it deletes the contents of the following file:
/proc/sys/kernel/hotplug

It will then check for files:
/sqlite_stmt_journals/mount
/data/local/tmp/mount
/data/data/com.corner23.android.universalandroot/files/mount

If none of these files is found, it displays the following message:

It then opens the "mount" and "fs_type" files and reads the data required for mounting. It then re-mounts the following directory:
/system

It then creates the directory
/system/bin/rootshell

It copies its working directory to this directory and sets permissions for files:
-rws--x--x

It then prints the following lines to the command line:
[*] Android local root exploid (C) The Android Exploid Crew
[*] Modified by shakalaca for various devices

Then one of the base directories is entered:
/sqlite_stmt_journals
/data/data/com.corner23.android.universalandroot/files
/data/local/tmp

The following directory is set by default:
/sqlite_stmt_journals

The following messages are then displayed in the command line:
[+] Using basedir=, path=

[+] opening NETLINK_KOBJECT_UEVENT socket

It deletes the files from the base directory:
%BaseDir%/data
%BaseDir%/hotplug
%BaseDir%/loading
%BaseDir%/mount
%BaseDir%/fs_type
%BaseDir%/remount_as_ro.sh

It then creates these files and stores in them the information about the mounted device and the file system type of the following directory:
/system

It creates a script that re-mounts the file system:
%BaseDir%/remount_as_ro.sh

It then exploits a vulnerability in the processing of malformed NETLINK messages (CVE-2009-1185) to obtain "root" privileges for the current user. Finally, it displays the following lines:
[*] Try to invoke hotplug now, clicking at the wireless
[*] settings, plugin USB key etc.
[*] You succeeded if you find /system/bin/rootshell.
[*] GUI might hang/restart meanwhile so be patient.
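As an added defender-side example (not part of the original description), the following Python script scans a file listing for the on-device artifacts named above: the setuid /system/bin/rootshell and the helper files the exploit leaves in its three base directories. The listing format (path plus an ls-style mode string) and the sample entries are constructed assumptions.

```python
"""Check a file listing for Exploit.Linux.Lotoor.b artifacts described above."""
import stat
from typing import List, Tuple

# Base directories and helper files named in the description.
BASEDIRS = (
    "/sqlite_stmt_journals",
    "/data/local/tmp",
    "/data/data/com.corner23.android.universalandroot/files",
)
ARTIFACTS = ("data", "hotplug", "loading", "mount", "fs_type", "remount_as_ro.sh")
ARTIFACT_PATHS = {f"{b}/{a}" for b in BASEDIRS for a in ARTIFACTS}
ROOTSHELL = "/system/bin/rootshell"  # dropped with mode -rws--x--x (04711)


def parse_mode(symbolic: str) -> int:
    """Convert an ls-style mode such as '-rws--x--x' (spaces tolerated) to its numeric bits."""
    symbolic = symbolic.replace(" ", "")
    if len(symbolic) != 10:
        raise ValueError(f"bad mode string: {symbolic!r}")
    special = {2: stat.S_ISUID, 5: stat.S_ISGID, 8: stat.S_ISVTX}
    mode = 0
    for i, ch in enumerate(symbolic[1:]):
        bit = 1 << (8 - i)                 # r/w/x position within owner/group/other
        if ch in "rwx":
            mode |= bit
        elif ch in "sStT":                 # setuid/setgid/sticky; lowercase also has x
            mode |= special[i]
            if ch.islower():
                mode |= bit
        elif ch != "-":
            raise ValueError(f"bad permission char {ch!r} in {symbolic!r}")
    return mode


def scan(listing: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return (path, reason) for every entry that matches an indicator from the description."""
    findings = []
    for path, mode_str in listing:
        mode = parse_mode(mode_str)
        if path == ROOTSHELL and mode & stat.S_ISUID:
            findings.append((path, "setuid root shell dropped by the exploit"))
        elif path in ARTIFACT_PATHS:
            findings.append((path, "exploit helper file in base directory"))
    return findings


# Constructed sample listing; only three entries should be flagged.
SAMPLE_LISTING = [
    ("/system/bin/sh", "-rwxr-xr-x"),
    ("/system/bin/rootshell", "-rws--x--x"),
    ("/sqlite_stmt_journals/hotplug", "-rw-r--r--"),
    ("/sqlite_stmt_journals/remount_as_ro.sh", "-rwxr-xr-x"),
    ("/data/local/tmp/notes.txt", "-rw-r--r--"),
]

if __name__ == "__main__":
    for path, reason in scan(SAMPLE_LISTING):
        print(f"[!] {path}: {reason}")
```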

This exploit program may run on the following devices:
Google Nexus One (2.2)
Google G1 (1.6)
HTC Hero (2.1)
HTC Magic (1.5)
HTC Tattoo (1.6)
Dell Streak (2.1)
Motorola Milestone (2.1)
Motorola XT701
Motorola XT800 (2.1)
Motorola ME511
Motorola Charm
Motorola Droid (2.01/2.1/2.2 with FRG01B)
Sony Ericsson X10 (1.6)
Sony Ericsson X10 Mini (1.6)
Sony Ericsson X10 Mini Pro (1.6)
Acer Liquid (2.1)
Acer beTouch E400 (2.1)
Samsung Galaxy Beam
Samsung Galaxy 5 (GT-I5500)
Vibo A688 (1.6)
Lenovo Lephone (1.6)
LG GT540 (1.6)
Gigabyte GSmart G1305

Removal Instructions

If your computer does not have antivirus protection and has been infected by this malicious program, follow the instructions below to delete it:

  1. Delete the original program file (its location will depend on how the program originally penetrated the victim machine).
  2. Perform a full scan of the computer using Kaspersky Anti-Virus with up-to-date antivirus databases (download a trial version).


MD5: 6ec31587f26b999013cb423c604db046
SHA1: 514c44835086d874342d9e3b8b10d5372d2e74e5