A newly discovered attack that abuses the Dirty COW vulnerability in the Linux kernel can be leveraged to write malicious code directly into processes, Trend Micro security researchers say.
Tracked as CVE-2016-5195 and discovered by Phil Oester, Dirty COW allows a local, unprivileged attacker to escalate their privileges by modifying existing setuid files. The flaw gets its name from relying on a race condition in the kernel between the operation that writes to copy-on-write (COW) memory mappings and the one that clears that memory, and it can even escape containers.
Found in Linux kernel, the vulnerability was expected to impact Android as well, and it didn’t take long before security researchers discovered that it would allow an attacker to gain root access targeted devices. Google already rolled out a fix for Nexus and Pixel products, and all Android devices running a security patch level of 2016-11-06 are safe from Dirty COW.
Now, Trend Micro researchers say that Dirty COW can be triggered in a manner that is different from existing attacks and which allows for malicious code to be directly written into processes. They also note that all Android versions are currently believed to be affected by the issue and that the attack would provide an actor with a significant amount of control over an affected device.
The researchers also published a video to demonstrate the attack on an Android phone running the latest patch at the time of the research. The attack resulted in a proof-of-concept application being installed on the target device without asking for permissions.
“Once run, Dirty COW is exploited to steal information and change system settings (in this case, get the phone’s location, turn on Bluetooth and the Wi-Fi hotspot). It is also used to silently install an app onto the device, even if it is set not to accept apps from sources outside the Google Play store,” the security researchers explain.
According to Trend Micro, the attack is possible because the Linux kernel maps an ELF executable into memory when running it for the first time, and then reuses the mapping when opening the file again. By leveraging Dirty COW on a running ELF executable, an attacker changes the running process’s image.
The vulnerability allows an attacker to modify any running process that is readable. Even if the process is not readable, they can use cat /proc/{pid}/maps to find if readable ELF modules have been loaded. On Android, the actor can dynamically modify an Android Runtime (ART) process in the same way: as long as the attacker can run an application on a vulnerable device, they can modify a readable process and inject code and control the context of any process.
By leveraging this attack, an actor is no longer limited to only read/write to files, but also gains the ability to write code directly to memory. Thus, a successful attack could result in root access without causing a crash or requiring a device reboot, the security researchers explain.
In their proof of concept video, the researchers dynamically modify libbinder.so to gain system/root privileges for their application, which also allows them to bypass Android’s permission security model and steal information and control system functions.
“We have notified Google about this flaw. Dirty COW was initially patched as part of the November 2016 round of Android updates, but the fix did not become mandatory until the December 2016 round of updates. Users can check with their device manufacturer and/or phone carriers when their devices will receive this update,” the security researchers said.
Related: Google Washes Dirty COW From Android
Related: "Dirty COW" Linux Kernel Exploit Seen in the Wild
Tags: