Fortinet Blog | News and Threat Research

StarCraft culture to understand Android

by Axelle Apvrille  |  June 19, 2012  |  Category: Security Research

Zerg Rush - Image courtesy of http://sheezyart.com/art/view/1244706/

As you probably do not know, I am a StarCraft II player. I really hadn’t expected it to be of any use to my job as an analyst, until yesterday, when I read this tweet:

“I don’t even know what ‘zerg rush’ means and now I can’t google for answer either”

This is about the first time I am going to be able to boast about some StarCraft culture! Yeah! :))

StarCraft is a real-time strategy game developed by Blizzard. It features three different races: Zerg, Terran and Protoss. Each race has its own units and characteristics. In particular, Zergs are particularly ugly and slimy (personal opinion!), and one of their best known strategies consists in quickly creating numerous basic attack troops, called zerglings, and sending them out to attack. Other races tend to need more time to build their army, and a pack of basic zerglings is often enough to cause havoc. This strategy is called a Zerg Rush (see link and video).

On Android, Zerg Rush refers to a local root exploit. Its developer obviously plays StarCraft II, as the exploit’s output shows:

[+] Found a GingerBread ! 0x00017118
[*] Sending 149 zerglings ...
[*] Trying a new path ...
[*] Sending 149 zerglings ...
[*] Trying a new path ...
[*] Sending 149 zerglings ...
[*] Trying a new path ...
[*] Sending 149 zerglings ...
[+] Zerglings caused crash (good news): 0x401219c4 0x0054
[..]

The program (source file zergRush.c) crafts a specific FrameworkCommand and sends it to the vold daemon, which runs as root and parses commands it receives over a local socket. The first commands are deliberately not perfectly crafted, so the program expects vold to crash. A crash is “good news” for the program because it means the device is likely vulnerable; between attempts the exploit retries along a different path (“Trying a new path”). It then crafts the command precisely enough to cause a stack buffer overflow and redirect execution into a chain of Return Oriented Programming (ROP) gadgets. That chain ends up executing, with vold’s root privileges,

system("boomsh")

The program does not run boomsh by injecting code of its own: the stack is marked non-executable, so the ROP chain instead reuses code already present in vold’s address space to reach system(). Because that call is made by vold itself, the command runs with vold’s privileges, i.e. as root.

What is boomsh? No more than a copy of the zergRush program. When it finds itself running as root, it takes a different branch of the code that simply provides a shell. That’s how we end up with a root shell on the device.
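As an added illustration that is not part of the original post and is not code from zergRush.c: a simplified C model of the bug class the exploit targets. A tokenizer copies a command argument into a fixed-size stack buffer without checking its length, and the “zerglings” are the filler bytes that push a chosen value onto the saved return address sitting above the buffer. The stack frame is modelled as a struct so the overflow can be observed deterministically instead of crashing the process; the buffer size, the sentinel value and all function names are assumptions. The hardened parser next to it shows the bounds check that stops the spill.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TMP_SIZE 16              /* assumed size of the fixed argument buffer */
#define LR_SENTINEL 0x12345678u  /* stands in for the legitimate return address */

/* Modelled stack frame: the argument buffer with the saved return
 * address sitting right above it, as on a real frame. */
struct frame {
    char     tmp[TMP_SIZE];
    uint32_t saved_lr;
};

/* Builds a "zerg rush" style command: n_zerglings filler bytes followed
 * by the 4-byte value we want to land on the saved return address. */
static size_t build_payload(char *out, size_t cap, size_t n_zerglings, uint32_t target)
{
    if (n_zerglings + sizeof target + 1 > cap)
        return 0;
    memset(out, 'A', n_zerglings);
    memcpy(out + n_zerglings, &target, sizeof target); /* host byte order, read back below */
    out[n_zerglings + sizeof target] = '\0';
    return n_zerglings + sizeof target;
}

/* Vulnerable tokenizer: copies the first space-delimited token into tmp
 * and never checks TMP_SIZE. Writing through a byte view of the frame makes
 * the spill-over land on saved_lr; the only bound is the size of the model
 * itself, so the demo never corrupts real memory. */
static int parse_cmd_vulnerable(struct frame *fr, const char *cmd)
{
    unsigned char *raw = (unsigned char *)fr;
    size_t i = 0;
    while (cmd[i] != '\0' && cmd[i] != ' ' && i < sizeof *fr) {
        raw[i] = (unsigned char)cmd[i];
        i++;
    }
    if (i < TMP_SIZE)
        fr->tmp[i] = '\0';
    return 0;
}

/* Hardened tokenizer: same parsing, but a token that would not fit in tmp
 * (leaving room for the terminator) is rejected before anything is written
 * past the buffer. */
static int parse_cmd_fixed(struct frame *fr, const char *cmd)
{
    size_t i = 0;
    while (cmd[i] != '\0' && cmd[i] != ' ') {
        if (i >= TMP_SIZE - 1)
            return -1;
        fr->tmp[i] = cmd[i];
        i++;
    }
    fr->tmp[i] = '\0';
    return 0;
}

/* Sends a payload with the given number of zerglings through the vulnerable
 * parser and returns what the saved return address looks like afterwards. */
uint32_t rush_vulnerable(size_t n_zerglings, uint32_t target)
{
    struct frame fr;
    char cmd[256];
    memset(&fr, 0, sizeof fr);
    fr.saved_lr = LR_SENTINEL;
    if (build_payload(cmd, sizeof cmd, n_zerglings, target) == 0)
        return 0;
    parse_cmd_vulnerable(&fr, cmd);
    return fr.saved_lr;
}

/* Same payload through the hardened parser; 0 if accepted, -1 if rejected. */
int rush_fixed(size_t n_zerglings, uint32_t target)
{
    struct frame fr;
    char cmd[256];
    memset(&fr, 0, sizeof fr);
    fr.saved_lr = LR_SENTINEL;
    if (build_payload(cmd, sizeof cmd, n_zerglings, target) == 0)
        return -1;
    return parse_cmd_fixed(&fr, cmd);
}

int main(void)
{
    /* Too few zerglings: the target never reaches saved_lr. */
    printf("12 zerglings:  saved_lr = 0x%08x\n", rush_vulnerable(12, 0xdeadbeefu));
    /* Exactly TMP_SIZE zerglings: the target lands on saved_lr. */
    printf("16 zerglings:  saved_lr = 0x%08x\n", rush_vulnerable(16, 0xdeadbeefu));
    /* Too many: saved_lr becomes filler ('AAAA'), the kind of crash the log calls good news. */
    printf("149 zerglings: saved_lr = 0x%08x\n", rush_vulnerable(149, 0xdeadbeefu));
    printf("hardened parser, 149 zerglings: %d\n", rush_fixed(149, 0xdeadbeefu));
    return 0;
}
```

The three vulnerable runs show why the exploit tunes the zergling count: too few and the chosen value stays inside the buffer, too many and the return address is overwritten with filler (a crash, which the exploit treats as a sign the device is vulnerable), and the exact count puts the chosen value where execution will return to it. The hardened parser rejects the over-long token before it writes past the buffer.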

To be honest, the analogy with StarCraft is a bit far-fetched:

* the number of zerglings corresponds to the amount of dummy data written at the beginning of the command.

* the nydus (in the game, a Zerg tunnel network used to move units around) corresponds to the communication socket with vold.

* Colossi and High Templars are powerful Protoss units. They correspond to error cases where the exploit is unable to root the device.

* Hellions and Siege Tanks are Terran units. They correspond to other error cases.

* speedlings are upgraded zerglings; to get this upgrade, you must research Metabolic Boost. In the exploit, the Metabolic Boost research corresponds to searching for ROP gadgets.

* walling is a StarCraft II technique which consists in defending one’s base by constructing contiguous buildings across the base’s entrance. Attackers have to destroy the buildings first to reach the base, which usually leaves enough time to defend. In the exploit, this corresponds to a case where the instruction to jump to is too far away.

Thanks to David Maciejak for dissecting the exploit code with me and Guillaume Lovet for reviewing my post!

gl hf

– the Crypto Girl

PS. Actually I am a lame Protoss player. The real masters are bogbert and starlu :)

Tags: android exploit root ROP rush vulnerability zerg