HTC Incredible Rooting status

So I’ve been looking at rooting the Incredible and currently believe our best attack vector may very well lie in /system/bin/installd. It is executable by us, it runs as root, and it stays running. Heck, it installs our stuff. It appears to call setuid. Thus it may well be exploitable by the Shoryuken attack, and may very well have some other vulnerabilities of its own that remain to be discovered. Starting to play with it…

See here for more details on this potential attack vector.

UPDATE: Well, that was short lived: we discovered that it is in fact patched in our kernel. However, we have a NULL pointer dereference bug that is not! Bad news: I have also now discovered we have nowhere to run it! Everywhere we have write access is mounted with the noexec flag. I’m going to explore rolling my exploit code into a native apk somehow… I’m new to this, however, so if you have experience PLEASE let me know!
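The "nowhere to run it" problem above is a mount-table question: a native exploit binary can only be executed from a writable mount point that is not flagged noexec. The check below is an added example and is not code from the original post or from the device's firmware; it parses /proc/mounts-style lines and reports the writable mount points that lack noexec. The SAMPLE_MOUNTS table is constructed for illustration (the entry names and options are assumptions, not a capture from a real Incredible, where the post says every writable mount is noexec), and the function name exec_candidates is mine.

```shell
#!/bin/sh
# Added example, not from the original post. Given the text of /proc/mounts
# (fields: device mountpoint fstype options dump pass), print every mount
# point whose options include rw but not noexec, i.e. a place where a
# native binary dropped there could actually be executed.

# Constructed sample table for stand-alone runs; it is NOT a capture from a
# real HTC Incredible and the layout is an assumption for illustration.
SAMPLE_MOUNTS='rootfs / rootfs ro 0 0
tmpfs /dev tmpfs rw,mode=755 0 0
/dev/block/mtdblock3 /system yaffs2 ro 0 0
/dev/block/mtdblock5 /data yaffs2 rw,nosuid,nodev,noexec 0 0
/dev/block/mtdblock4 /cache yaffs2 rw,nosuid,nodev,noexec 0 0
tmpfs /sqlite_stmt_journals tmpfs rw,size=4096k 0 0
/dev/block/vold/179:1 /sdcard vfat rw,nosuid,nodev,noexec,uid=1000 0 0'

# exec_candidates MOUNTS_TEXT
# Prints "<mountpoint> <options>" for each line whose 4th field contains the
# option "rw" as a whole token and does not contain "noexec" as a whole token.
# Whole-token matching avoids false hits on options such as "errors=remount-ro".
exec_candidates() {
    printf '%s\n' "$1" | awk '
        $4 ~ /(^|,)rw(,|$)/ && $4 !~ /(^|,)noexec(,|$)/ { print $2, $4 }
    '
}

# Stand-alone usage: on a device (adb shell) read the live table; otherwise
# fall back to the constructed sample so the script runs anywhere.
if [ -r /proc/mounts ]; then
    exec_candidates "$(cat /proc/mounts)"
else
    exec_candidates "$SAMPLE_MOUNTS"
fi
```

On the sample table only /dev and /sqlite_stmt_journals are reported; on a device where every writable filesystem carries noexec the function prints nothing, which is exactly the situation the update describes. Note that noexec is a mount-time policy and says nothing about whether the kernel bug itself is reachable; it only constrains where a helper binary can live.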

This entry was written by shadowmite, posted on Wednesday May 05 2010 at 09:05 pm, filed under News.
