Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Mobile & Wireless

Researchers Devise New Dirty COW Attack Against Android

A newly discovered attack that abuses the Dirty COW vulnerability in the Linux kernel can be leveraged to write malicious code directly into processes, Trend Micro security researchers say.

A newly discovered attack that abuses the Dirty COW vulnerability in the Linux kernel can be leveraged to write malicious code directly into processes, Trend Micro security researchers say.

Tracked as CVE-2016-5195 and discovered by Phil Oester, Dirty COW allows a local, unprivileged attacker to escalate their privileges by modifying existing setuid files. The flaw gets its name from relying on a race condition in the kernel between the operation that writes to copy-on-write (COW) memory mappings and the one that clears that memory, and it can even escape containers.

Found in Linux kernel, the vulnerability was expected to impact Android as well, and it didn’t take long before security researchers discovered that it would allow an attacker to gain root access targeted devices. Google already rolled out a fix for Nexus and Pixel products, and all Android devices running a security patch level of 2016-11-06 are safe from Dirty COW.

Now, Trend Micro researchers say that Dirty COW can be triggered in a manner that is different from existing attacks and which allows for malicious code to be directly written into processes. They also note that all Android versions are currently believed to be affected by the issue and that the attack would provide an actor with a significant amount of control over an affected device.

The researchers also published a video to demonstrate the attack on an Android phone running the latest patch at the time of the research. The attack resulted in a proof-of-concept application being installed on the target device without asking for permissions.

“Once run, Dirty COW is exploited to steal information and change system settings (in this case, get the phone’s location, turn on Bluetooth and the Wi-Fi hotspot). It is also used to silently install an app onto the device, even if it is set not to accept apps from sources outside the Google Play store,” the security researchers explain.

According to Trend Micro, the attack is possible because the Linux kernel maps an ELF executable into memory when running it for the first time, and then reuses the mapping when opening the file again. By leveraging Dirty COW on a running ELF executable, an attacker changes the running process’s image.

The vulnerability allows an attacker to modify any running process that is readable. Even if the process is not readable, they can use cat /proc/{pid}/maps to find if readable ELF modules have been loaded. On Android, the actor can dynamically modify an Android Runtime (ART) process in the same way: as long as the attacker can run an application on a vulnerable device, they can modify a readable process and inject code and control the context of any process.

By leveraging this attack, an actor is no longer limited to only read/write to files, but also gains the ability to write code directly to memory. Thus, a successful attack could result in root access without causing a crash or requiring a device reboot, the security researchers explain.

In their proof of concept video, the researchers dynamically modify libbinder.so to gain system/root privileges for their application, which also allows them to bypass Android’s permission security model and steal information and control system functions.

“We have notified Google about this flaw. Dirty COW was initially patched as part of the November 2016 round of Android updates, but the fix did not become mandatory until the December 2016 round of updates. Users can check with their device manufacturer and/or phone carriers when their devices will receive this update,” the security researchers said.

Related: Google Washes Dirty COW From Android

Related: “Dirty COW” Linux Kernel Exploit Seen in the Wild

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Vulnerabilities

Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.