Chinese Chip Manufacturer Contains Backdoor

Hoplite Cyber Atmospherics Report
Executive Summary
Allwinner, a Chinese manufacturer of chips used in cheap IoT, Android, and other Linux devices, has been found to ship kernel code containing an easily exploitable backdoor. While the company claims the code was left in the system accidentally during a debugging process, further analysis reveals a laundry list of developer complaints related to Allwinner’s secretive coding practices.
Body
The Hacker News reported that a kernel backdoor was found in the Linux kernel shipped by Chinese ARM chip manufacturer Allwinner. The easy-to-use backdoor is a local privilege escalation vulnerability. Any process with access to /proc/ need only run the following command to gain root access on the Linux 3.4-sunxi kernel:
echo "rootmydevice" > /proc/sunxi_debug/sunxi_debug
The Linux 3.4-sunxi kernel is found in a large number of devices, typically cheap Android devices and other products using Allwinner processors. A fairly exhaustive list of devices using Allwinner processors can be found here: https://linux-sunxi.org/Category:Devices.
While the process is trivial, exploit code has been developed to make it even simpler, and can be found here: http://pastebin.com/sjej62iz.
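A defender's check for the debug node described above, added here as an example and not taken from the report or from Allwinner's code: it tests a proc tree for the node and scans a kernel image for the trigger string. The function names and return codes are the example's own, and the node path assumes the sunxi_debug directory name used by the 3.4-sunxi kernel.

```shell
#!/bin/sh
# Added example (not from the original report): audit for the sunxi_debug node.
# Function names and return codes are this example's own choices.

NODE_REL="sunxi_debug/sunxi_debug"   # assumed node path under the proc root
MARKER="rootmydevice"                # trigger string quoted in the report

# audit_live PROC_ROOT
# returns 0 = node absent, 1 = node present, 2 = present and writable by "other"
audit_live() {
    node="$1/$NODE_REL"
    [ -e "$node" ] || return 0
    # First 10 characters of ls -l output: file type plus rwx bits for u/g/o.
    mode=$(ls -ld "$node" | cut -c1-10)
    case "$mode" in
        ????????w?) echo "VULNERABLE: $node mode $mode (world-writable)"
                    return 2 ;;
        *)          echo "PRESENT: $node mode $mode"
                    return 1 ;;
    esac
}

# audit_image FILE
# returns 0 = marker not found, 1 = marker found, 3 = file unreadable.
# Only meaningful on an uncompressed kernel image; a compressed image
# must be unpacked first or the string will not be visible.
audit_image() {
    [ -r "$1" ] || { echo "ERROR: cannot read $1"; return 3; }
    if grep -a -q "$MARKER" "$1"; then
        echo "SUSPECT: $1 contains \"$MARKER\""
        return 1
    fi
    return 0
}

# Stand-alone use: check the running system and report the status code.
audit_live /proc
echo "live check status: $?"
```

A status of 1 from audit_live still warrants a rebuild or vendor update, since the debug code is compiled into the kernel even when the node is not world-writable.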
While most public discussions on the vulnerability appear to accept the explanation that Allwinner simply left the backdoor in by mistake after completing the debugging processes, there is more to the story.
Allwinner is known to have received special attention from the Chinese government last year. On July 25, 2015, Allwinner Technology became “the latest beneficiary of this 10 year and a trillion of yuan ($161.1 billion, £103.86 billion, €147 billion) plan by the Chinese authorities to create a world-class semiconductor business.” (http://news.softpedia.com/news/allwinner-plans-to-merge-with-rockchip-with-chinese-government-support-487782.shtml) The move appears intended specifically to help China compete in the growing wearable electronics and Internet-of-Things markets. The article notes the Chinese government might be making moves in the semiconductor business with “key military applications in mind” and to “increase the quality of products delivered to its key government institutions.”
A deeper dive into the history of Allwinner reveals the organization has been repeatedly chastised by the open source development community for violating open source licensing. On the main development wiki, developers have placed the following notice:
“Allwinner has repeatedly violated the GPL (and by proxy so have most hardware manufacturers and resellers using or selling products based on Allwinner chipsets).
Either by not providing (Linux/Android) kernel or u-boot source at all, or by delivering trees with pre-built binaries and no matching source code. They even blatantly use LGPL licensed code in their userspace libraries for media decoding.
Over time, Allwinner has only increased the binary blobs present in their kernel trees, showing clearly that — even though Allwinner in the meantime joined Linaro — it is not progressing. Quite the opposite actually, and one has to worry about what value Linaro membership really has if a member is allowed to behave like this.
Allwinner also joined the Linux Foundation as of June 2015, while compliance issues clearly remain.” * https://linux-sunxi.org/GPL_Violations
Apart from noting that Allwinner is blatantly ignoring industry standards, the above quote also highlights that Allwinner’s inclusion in certain industry groups may degrade the open source standards that those groups were founded to support. Both the Linux Foundation and Linaro have the mission of bringing together industry and the open source community. Allwinner’s inclusion in these organizations, some contend, degrades developers’ trust in these organizations and harms the security of the industry overall.
These issues are not new for Allwinner. Comments on a phoronix.com article from May 2015 show that some developers were suggesting that Allwinner was on track to being banned in major countries.
“Due to the way the GPLv2 works, once you violate it even once you lose the license. Combined with the way kernel copyrights are maintained, this means that *any* contributor can sue you for copyright infringement and get your Linux-using products import banned in any country. Recovering is basically impossible — you have to get a new license directly from each copyright holder.” * https://www.phoronix.com/forums/forum/software/general-linux-open-source/801551-allwinner-publishes-new-cedarx-open-source-code
Hoplite analysts joined the #linux-sunxi IRC channel and observed promising developments. Developers there were observed working to remove the closed-source components of Allwinner products from their devices, replacing Allwinner’s closed-source boot binaries with open source code.
<longsleep> apritzel: https://github.com/longsleep/sunxi-pack-tools
<longsleep> apritzel: extracted them from the BSP a while ago
<apritzel> ah, cheers
<longsleep> apritzel: your built u-boot is a little smaller than the one built with all the allwinner tools, 928K vs 944K
<apritzel> from a first glance integrating update_uboot_fdt looks doable, it’s basically an aligned concatenation plus entering the start address
<apritzel> longsleep: I use 512 Byte padding, I think they use a bigger alignment
<longsleep> apritzel: yeah all the tools are pretty trivial but _very_ ugly
<apritzel> indeed!
<longsleep> and do not ask me about character encoding
<apritzel> I put some chinese comments from github into the google translator the other day — and it was actually useful
<longsleep> hehe nice
<longsleep> apritzel: all right, boot0img works fine with the rest of my image building gear — full bootlog at http://paste.ubuntu.com/16380400/
Source
Irc.freenode.net #linux-sunxi.org
http://thehackernews.com/2016/05/android-kernal-exploit.html
http://defence.pk/threads/allwinner-plans-to-merge-with-rockchip-with-chinese-government-support.387978/
http://news.softpedia.com/news/allwinner-plans-to-merge-with-rockchip-with-chinese-government-support-487782.shtml
http://linux-sunxi.org/Main_Page
Tags
Allwinner
Root
Zero Day
China
Espionage