Inspecting file permissions
One of the most commonly exploited ways to escalate privileges from within a local context is to abuse discrepancies and inadequacies in the way filesystem permissions—or access rights—are set up in an operating system. There are countless instances of vulnerabilities and privilege escalation attack methods that abuse file permissions, be it the setuid
flag on a globally executable vulnerable binary, such as su
or symlink
, or the race condition attack on a file that is globally readable and written to by a superuser-owned application; for example, pulse audio CVE-2009-1894.
Being able to clearly identify any potential entry points presented by the filesystem is a good place to start defining the Android native attack surface. The walkthrough in this section details a few methods you can use to find dangerous or potential files that possibly enable exploitation while interacting with the device through an ADB shell.
Seeing that the following tutorial is focused on...