Android Root Exploits Abuse Dirty COW Vulnerability


 Ionut Arghire wrote an interesting post about Android Root Exploits Abuse Dirty COW Vulnerability that I would like to share.

The “Dirty COW” Linux kernel vulnerability that was publicly disclosed last week can be leveraged to achieve root privileges on Android devices, security researchers reveal.

The security flaw was dubbed Dirty COW because it is caused by a race condition in the manner in which the Linux kernel’s memory subsystem handles copy-on-write (COW) breakage of private read-only memory mappings. Tracked as CVE-2016-5195, the bug can be exploited by a local attacker to escalate privileges by modifying existing setuid files.

Last week Red Hat said that the vulnerability was important and that an exploit leveraging it was already used in the wild. A fix for the Linux kernel was released on October 13, and Linux distributions have started releasing updates.

By altering the copy-on-write cache provided by the kernel, an attacker changes what the system and apps see when reading the affected files (they modify the contents in memory of any file readable and mapable by the user). The flaw can be used to modify almost any file, even if the partition is mounted as read-only, but, because the change only affects the cache in memory, it won’t persist after reboot.

However, the flaw can be exploited to gain root privileges and compromise an entire system, and all devices running a Linux kernel higher than 2.6.22 are most probably affected by this, NowSecure researchers say. According to them, all devices running a vulnerable version of Android, regardless of the manufacturer, can be compromised through this flaw if they haven’t been patched.

To exploit the vulnerability, however, an attacker needs to run code on the affected device, which can be done via the Android Debug Bridge (ADB) over USB or by installing an app that makes use of the exploit. Because this is a local vulnerability, users can protect themselves by avoiding installing software from unknown sources.

NowSecure has released a plugin that takes advantage of the Dirty COW vulnerability, but they are not the only ones to have done so. Others also came up with working exploits for this security flaw on Android, allowing users to easily get persistent root access.

While many people can use these exploits to bypass the limitations imposed by manufacturers or carriers, the vulnerability could also be abused by malicious applications to compromise devices. Many of the Android malware families out there rely on root access not only to perform nefarious operations, but also to improve resilience and hinder removal operations.”



Ionut Arghire