Allwinner News – Root Exploit in Linux and Fake Pine A64 Boards

Orange Pi Development Boards

There’s been a lot of buzz about a root exploit in Linux 3.4 kernel for Allwinner H3/H83T SoCs found by linux-sunxi & armbian developers in the last few days. Since the kernel for H3 / H83T is stuck to 3.4, and not always updated on the vast majority of hardware platforms, it’s quite likely there are many ways to breach into such systems, and even the majority of Android devices are not secure, not only the ones powered by Allwinner. So I did not really pay attention at first, but it went viral with  stories reporting a hidden backdoor, and hitting to ill-intent. But is that really the case? That’s the code from github, now removed from the master branch, but still in A83T branch.

allwinner_rootmydeviceIt’s now super easy to gain root access by simply running one command which works for any users:


That’s obviously pretty bad, but is that a hidden backdoor? Considering Allwinner released the source code, and the kernel log would show “now you are root” each time the method would be used, that would be very stupid backdoor, and it’s not hidden since the code was there for everyone to see. A developer most probably added the code to sunxi_debug in order to ease debugging, and did not realize there was a security issue. I’ve been told the exploit only affect Allwinner H3 & A83T processors, so if you have devices with one of those, you’d better check if the exploit works, and if it does, get an updated firmware, or kernel. Using proper code review procedures, or going Linux mainline,  would avoid such PR disasters. Speaking of which, Allwinner issued the following statement in response:

Allwinner Technology committed to resolving Linux Kernel software issue

Zhuhai, China – Allwinner Technology.Co.Ltd (SHE: CN:300458) is working with its device manufacturers to fix a current software issue. We are aware that code, which was supplied to device manufacturers for the purpose of developing products, should have been removed prior to shipping. We recommend that anyone who is concerned about this issue should contact the relevant device manufacturer.

In relation to the source code on Github, it is released for the open source community only and not for shipping certain devices. Since a debugging function is not needed it has subsequently been removed.

Allwinner is committed to producing quality SoCs with security a key priority. We are currently working hard to address this issue and revising our current processes so we can continue to evolve our range of SoCs in the future.

In other news, one of Pine64 managers informed me that fake/copy versions of Pine A64 development board, based Allwinner H64 SoC, had started selling on Taobao.

Fake_Pine_A64It’s unclear if those are exact copies, but to be safe, you should probably avoid purchasing Pine A64 on Taobao, or Taobao forwarding services.

13
Leave a Reply

avatar
13 Comment threads
0 Thread replies
0 Followers
 
Most reacted comment
Hottest comment thread
9 Comment authors
tkaiserMike T.cortex-a72ssvbRK Recent comment authors
  Subscribe  
newest oldest most voted
Notify of
Tsvetan
Guest
Tsvetan

something is fishy here, why one would buy the $15 advertised to be Pine64 board on taobao for $45-$75?

Bobby
Guest
Bobby

Agree fully with your analysis on the Allwinner issue. It is not with bad intent, but does point to a company which does not take software quality seriously. Having once spent some time on the community efforts for the A10 back in the day, I can but gloat. The way they acted back then still makes me avoid them at every turn. I like to see this issue as karma.

tkaiser
Guest
tkaiser

If the fake Pine64 on Taobao would have Micro USB replaced with a good barrel plug for DC-IN I would buy there 😉

And regarding rootmydevice let’s hope that Allwinner doesn’t move back but instead continues to release even more code (using appropriate licenses so community can do something with it). Linux-sunxi community wants to proceed with mainline kernel support for A64 and is eagerly waiting for some code only available as blob now.

quillan
Guest

@cnxsoft
“59.80 to 99.80” is advance payment, and 299-499 is total payment. I am a chinese in Hangzhou.

cortex-a72
Guest
cortex-a72

@tkaiser
maybe you know, they (pine64) sell usb cable on their shop, is it good for powering the board?

tkaiser
Guest
tkaiser

@cortex-a72
At least it’s rated 20 AWG (less resistance) but with Micro USB for DC-IN a few more problems are associated (like encouraging users to choose the wrong PSU). Pine64 forums are flooded with boot problems and this list here is not even complete: http://forum.pine64.org/showthread.php?tid=514

RK
Guest
RK

This would never have happened if commit history would have been pushed along with the changes. A 3k pull request that merger only has a single comment to work with isn’t enough to go by. It might have been fine a decade ago when static analysis tools were so bad and rare that every working merge requests have gone through very thorough reviews… But nowadays huge amounts of C code can be committed without a second glance and reading through it is often too time consuming to ever get done.

ssvb
Guest
ssvb

@RK
Never say never. Security issues are getting discovered on a regular basis even in the mainline kernel and other respectable open source projects. But yes, it is always possible to do a better job by adhering to good practices and allocating more time/resources.

cortex-a72
Guest
cortex-a72

@tkaiser
thank you.
(I also am happy when a board has dedicated power jack, and a normal PSU in the kit.)

Mike T.
Guest

Debating whether this was was malicious or not misses the entire point. There is _NO_ reason/excuse for any developer to ever put something like this into kernel source much less push it into a distribution. “But they may have needed to debug something.” If that’s the case, they would have had root access to the box. The only reason to put something like this in is to get access to a box you don’t have privileges on.

tkaiser
Guest
tkaiser

Little update how SBC vendors affected by this exploit did react in the meantime (Armbian team opened Github issues where possible 16 days ago). The only ones rolling out new OS images besides Armbian are SinoVoip (they also provide a way to update the kernel for BPi M2+/M3 images but that’s so complicated/weird that most probably no one of their users is able to follow the instructions).

Some vendors reacted and deactivated the exploit code in their Github repos without providing any fixes to their users, two still ignore the whole issue (LinkSprite and Xunlong) but no one thought about informing users and providing a quick workaround until a real fix has been rolled out like setting in a start script something like this:

chmod 000 /proc/sunxi_debug/sunxi_debug

But to be honest. At least the few Orange Pi OS images I tried out so far before we started to support H3 in Armbian were so horrible regarding security that it really doesn’t matter that much whether fix/workaround is applied or not (only Armbian/OpenELEC upgraded sun8i BSP kernel to 3.4.112, all the others still remain at 3.4.39 for no other reason than laziness, all OS images except of one I tried out before allow sudo without authentication, none of them regenerates SSH host keys so man-in-the-middle attacks are possible and so on. Of course most of the aforementioned applies to SinoVoip’s OS images for BPi M3 too)