There’s a new method for rooting Android devices that’s believed to work reliably on every version of the mobile operating system and a wide array of hardware, and it could be the most serious Linux escalation bug ever.
Independent security researcher David Manouchehri said that his proof-of-concept code, which exploits Dirty COW on Android, gets devices close to root. With a few additional lines, Manouchehri’s code provides persistent root access on all five of the Android devices he has tested.
Privilege escalation is the act of exploiting a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user.
New privilege escalation exploits show up all the time, most often in Linux-based systems, and that’s exactly what the newest threat is. Found ‘out in the wild’ by Phil Oester of the security- and enterprise-centered Red Hat Linux project, the bug consists of an exploit in the core Linux kernel’s handling of timed and ordered events. The exploit allows any local user on a system to gain access to the deepest privilege-locked file systems.
Since Android is based on Linux, the implications here are pretty clear: full system control for any app that runs the exploit. This can range from letting a remote user in to tampering with system files and even hijacking the device entirely.
The bug takes advantage of the Linux kernel’s flawed handling of private, low-level system memory during copy-on-write operations, hence the name Dirty COW. Copy-on-write is often used for redundancy or when working with volatile memory such as RAM, meaning that nearly any running app could potentially be used to trigger the bug.
When the bug is triggered, usually by breaking the expected write sequence of a program that talks directly to the kernel, any and all systems, up to and including the system’s read-only memory, are compromised and can be edited with full privileges from the user account the exploit originated from, for the remainder of the session.
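To make the copy-on-write guarantee concrete (the guarantee that Dirty COW breaks), here is an added example that is not part of the original article: it maps a file privately, writes through the mapping, and confirms that the file on disk stays untouched, which is the behaviour a patched kernel must preserve. The temp-file path and the sample contents are constructed for the demo.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Returns 1 if a write through a MAP_PRIVATE mapping was visible in the
 * mapping but left the underlying file untouched (normal copy-on-write),
 * 0 if the file was modified, -1 on a setup error. */
int private_mapping_preserves_file(void)
{
    const char original[] = "original contents\n"; /* constructed sample data */
    size_t len = sizeof original - 1;
    char path[] = "/tmp/cow_demo_XXXXXX";          /* constructed temp path */
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    if (write(fd, original, len) != (ssize_t)len) { close(fd); unlink(path); return -1; }
    close(fd);

    /* Reopen read-only. MAP_PRIVATE permits PROT_WRITE on an O_RDONLY fd
     * because writes are meant to land in a private copy of the page,
     * never in the file itself. */
    fd = open(path, O_RDONLY);
    if (fd < 0) { unlink(path); return -1; }
    char *map = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
    if (map == MAP_FAILED) { close(fd); unlink(path); return -1; }

    memcpy(map, "modified", 8);                     /* triggers the COW copy */
    int copy_changed = memcmp(map, "modified", 8) == 0;
    munmap(map, len);

    char buf[sizeof original];
    ssize_t n = pread(fd, buf, len, 0);             /* read the file back */
    close(fd);
    unlink(path);
    if (n != (ssize_t)len) return -1;

    int file_unchanged = memcmp(buf, original, len) == 0;
    return copy_changed && file_unchanged;
}

int main(void)
{
    int r = private_mapping_preserves_file();
    printf("private mapping preserved the file: %s\n",
           r == 1 ? "yes" : r == 0 ? "NO" : "setup error");
    return r == 1 ? 0 : 1;
}
```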
This means that apps can use the bug to gain root access and slip into deep system files unnoticed, where they can proceed to wreak all sorts of havoc as mentioned above.
“The exploits allow end users to root Android phones so they have capabilities such as tethering that are often restricted by individual manufacturers or carriers. By gaining access to the core parts of the Android OS, owners can bypass such limitations and vastly expand the things their devices can do. The darker side of rooting is that it’s sometimes done surreptitiously so that malicious apps can spy on users by circumventing application sandboxing and other security measures built into Android,” Dan Goodin wrote on Ars Technica.
Goodin continues, “Just as Dirty Cow has allowed untrusted users or attackers with only limited access to a Linux server to dramatically elevate their control, the flaw can allow shady app developers to evade Android defenses that cordon off apps from other apps and from core OS functions. The reliability of Dirty Cow exploits and the ubiquity of the underlying flaw make it an ideal malicious root trigger, especially against newer devices running the most recent versions of Android.”