oss-sec mailing list archives

CVE request: sunxi-debug (root privilege escalation in Allwinner kernel)
From: David Manouchehri <david.manouchehri () riseup net>
Date: Wed, 5 Oct 2016 13:45:02 -0400

The official Allwinner 3.4 kernels (H3, H8 and A83T) shipped a driver
called sunxi-debug, which allows any process (file permissions are set to
666) to escalate to root without any interaction.

Full PoC/"exploit" is simply:

echo "rootmydevice" > /proc/sunxi_debug/sunxi_debug

This was originally spotted in April 2016 and removed after media coverage
in May. If a CVE could be assigned to it, that would be appreciated.

Thanks,

David Manouchehri

References:

https://github.com/Manouchehri/linux-3.4-sunxi/blob/master/arch/arm/mach-sunxi/sunxi-debug.c#L41-L52
(The original repository has had the backdoor erased from history.)
http://irclog.whitequark.org/linux-sunxi/2016-04-29#16314390
http://forum.armbian.com/index.php/topic/1108-security-alert-for-allwinner-sun8i-h3a83th8/
https://www.rapid7.com/db/modules/post/multi/escalate/allwinner_backdoor
http://www.theregister.co.uk/2016/05/09/allwinners_allloser_custom_kernel_has_a_nasty_root_backdoor/
http://arstechnica.com/security/2016/05/chinese-arm-vendor-left-developer-backdoor-in-kernel-for-android-pi-devices/
http://www.androidauthority.com/chinese-arm-vendor-left-developer-backdoor-in-kernel-for-android-692146/
http://news.softpedia.com/news/chinese-arm-chip-vendor-left-god-mode-feature-in-android-kernel-code-504037.shtml
https://www.heise.de/security/meldung/Allwinner-vergisst-Root-Cheatcode-im-Kernel-fuer-Sunxi-SoCs-3207356.html
https://news.ycombinator.com/item?id=11672590
https://olimex.wordpress.com/2016/05/10/how-to-root-any-allwinner-device-running-android-and-most-of-the-chinese-pi-clones-which-bet-on-allwinner-android-linux-kernel/
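For readers auditing fleets of Allwinner boards, the following is an added detection check, not part of the original post or of any Allwinner code: it reports whether the sunxi-debug proc node described above is present and whether it is world-writable (the shipped 666 configuration). It assumes the node path /proc/sunxi_debug/sunxi_debug as given in the post, a POSIX sh, and a stat(1) that accepts either the GNU "-c %a" or the BSD "-f %Lp" format; the path argument exists only so the check can be exercised against a constructed file.

```shell
#!/bin/sh
# Added detection helper (not from the original post). Checks for the
# sunxi-debug proc node and whether its permission bits make it
# world-writable. Assumed node path taken from the post above.

SUNXI_DEBUG_NODE="/proc/sunxi_debug/sunxi_debug"

# Print the octal permission bits of a path; tries GNU stat first, then BSD.
perm_octal() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# check_sunxi_debug [path]
# Exit status: 0 = node absent (driver not present),
#              1 = node present and world-writable (vulnerable as shipped),
#              2 = node present but not world-writable, or mode unreadable.
check_sunxi_debug() {
    node="${1:-$SUNXI_DEBUG_NODE}"
    if [ ! -e "$node" ]; then
        echo "OK: $node not present"
        return 0
    fi
    mode=$(perm_octal "$node")
    if [ -z "$mode" ]; then
        echo "WARNING: $node present, could not read its mode"
        return 2
    fi
    # Last octal digit holds the "other" bits; write is bit value 2.
    other=${mode#"${mode%?}"}
    case "$other" in
        2|3|6|7)
            echo "VULNERABLE: $node present with mode $mode (world-writable)"
            return 1
            ;;
    esac
    echo "WARNING: $node present with mode $mode (not world-writable)"
    return 2
}

# Check the live system when the script is run directly; the exit status
# of the script mirrors the result so it can be used from a fleet scanner.
check_sunxi_debug "${1:-}"
```

A non-zero result means the affected driver is still built into the running kernel; since the node is created by the driver itself, the durable fix is the one the vendor eventually applied, rebuilding the kernel without sunxi-debug, rather than adjusting permissions at runtime.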