Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Mobile & Wireless

Researchers Devise New Dirty COW Attack Against Android

A newly discovered attack that abuses the Dirty COW vulnerability in the Linux kernel can be leveraged to write malicious code directly into processes, Trend Micro security researchers say.

A newly discovered attack that abuses the Dirty COW vulnerability in the Linux kernel can be leveraged to write malicious code directly into processes, Trend Micro security researchers say.

Tracked as CVE-2016-5195 and discovered by Phil Oester, Dirty COW allows a local, unprivileged attacker to escalate their privileges by modifying existing setuid files. The flaw gets its name from relying on a race condition in the kernel between the operation that writes to copy-on-write (COW) memory mappings and the one that clears that memory, and it can even escape containers.

Found in Linux kernel, the vulnerability was expected to impact Android as well, and it didn’t take long before security researchers discovered that it would allow an attacker to gain root access targeted devices. Google already rolled out a fix for Nexus and Pixel products, and all Android devices running a security patch level of 2016-11-06 are safe from Dirty COW.

Now, Trend Micro researchers say that Dirty COW can be triggered in a manner that is different from existing attacks and which allows for malicious code to be directly written into processes. They also note that all Android versions are currently believed to be affected by the issue and that the attack would provide an actor with a significant amount of control over an affected device.

The researchers also published a video to demonstrate the attack on an Android phone running the latest patch at the time of the research. The attack resulted in a proof-of-concept application being installed on the target device without asking for permissions.

“Once run, Dirty COW is exploited to steal information and change system settings (in this case, get the phone’s location, turn on Bluetooth and the Wi-Fi hotspot). It is also used to silently install an app onto the device, even if it is set not to accept apps from sources outside the Google Play store,” the security researchers explain.

According to Trend Micro, the attack is possible because the Linux kernel maps an ELF executable into memory when running it for the first time, and then reuses the mapping when opening the file again. By leveraging Dirty COW on a running ELF executable, an attacker changes the running process’s image.

The vulnerability allows an attacker to modify any running process that is readable. Even if the process is not readable, they can use cat /proc/{pid}/maps to find if readable ELF modules have been loaded. On Android, the actor can dynamically modify an Android Runtime (ART) process in the same way: as long as the attacker can run an application on a vulnerable device, they can modify a readable process and inject code and control the context of any process.

Advertisement. Scroll to continue reading.

By leveraging this attack, an actor is no longer limited to only read/write to files, but also gains the ability to write code directly to memory. Thus, a successful attack could result in root access without causing a crash or requiring a device reboot, the security researchers explain.

In their proof of concept video, the researchers dynamically modify libbinder.so to gain system/root privileges for their application, which also allows them to bypass Android’s permission security model and steal information and control system functions.

“We have notified Google about this flaw. Dirty COW was initially patched as part of the November 2016 round of Android updates, but the fix did not become mandatory until the December 2016 round of updates. Users can check with their device manufacturer and/or phone carriers when their devices will receive this update,” the security researchers said.

Related: Google Washes Dirty COW From Android

Related: “Dirty COW” Linux Kernel Exploit Seen in the Wild

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.