Recently, I found an interesting issue Remote Code Execution for AT&T bug bounty program.
But before going into this let’s understand Arbitrary Code Execution -
Arbitrary Code Execution also know as command injection is a technique used via a web interface in order to execute OS commands on a web server. The user supplies operating system commands through a web interface in order to execute OS commands. Any web interface that is not properly sanitized is subject to this exploit. With the ability to execute OS commands, the user can upload malicious programs or even obtain passwords. OS command injection is preventable when security is emphasized during the design and development of applications.
Issue was reported on October 21, 2014 to AT&T Security Team.
Resolved on Jan 27, 2015 by AT&T
Recently Security Researcher has uncovered an critical vulnerability in 2.6.22 versions(which was released in 2007) of Linux Platform and Android Platform. In short this vulnerability attackers to gain root access to servers and take control over the whole system.
This week security researcher made this issue public. A vulnerability discovered in the Linux kernel has been present for nine years.
But the vulnerability gained attention only recently when hackers started exploiting it.
The security hole was detected by researcher Phil Oester, who found out a race condition in the way the Linux kernel’s memory subsystem handles copy-on-write (COW) breakages of private read-only memory mappings.Attackers can use this to gain write access to otherwise read-only mappings and this way take control over whole systems.
Now Next Step is accessing an application internal storage
Windows do not allow access to the internal storage of its application even when the “mass storage” mode is enabled.
Failed To Access Internal Storage of Application Windows
To get an access to the internal storage we need to perform an “Interop Unlock”.
For an Interop Unlock there are various procedures mentioned in the “xda-developers” forum.
I have used simple techniques which allows an Interop unlock on windows Lumia 920 without using SD Card.
Below are the steps for the same (SD Card is not required):