DirtyCOW Linux hole works on Android too – “root at will”

Late last week, we wrote about a newly-patched Linux security exploit dubbed DirtyCOW.

Super-simply, the attack works like this:

  • Choose two files, one you can write to and one you can’t, and get the kernel to load them both into memory.
  • Write over and over again into the file you’re allowed to change.
  • At the same time, tell the kernel over and over again that it can borrow back the memory used for the file you can’t change.
  • Wait a short while. (A fraction of a second in our tests on 32-bit Intel Linux 4.4.19.)

The vulnerability, officially called CVE-2016-5195, means that the kernel will eventually mix up the memory buffer that you’re writing into with the memory buffer you’re saying you don’t really need any more.

As a result, you get to overwrite the read-only file, which is something of a security catastrophe if it’s a critical system executable or configuration file.

This bug was in the Linux source code for the the last eleven years of kernel releases, and in theory affected every version on every platform during that time.

We only tested it on what you might call a “regular” Linux distribution (for Intel CPUs), but it turns out that DirtyCOW affects Android running on ARM chips as well.

That’s because Google’s largely proprietary Android ecosystem is built on top of the open-source Linux operating system, in much the same way as Apple’s macOS and iOS are built on a BSD-derived open-source core.

A Github user going by Timwr has published a proof-of-concept project that shows how to replace the Android program called run-as.

The idea of run-as is to allow an application to be run as if launched by a different user, just like Run As... on Windows.

That’s useful in development and testing, but it’s also dangerous because run-as automatically acquires root privileges when it starts, and can pass its rootness on to the apps it loads.

To keep things safe, the standard Google version of run-as therefore requires the user who started it to be root in the first place, as would be the case on a typical development or test device connected up for debugging.

Loosely speaking, then, you can use run-as to root a phone, but only if the phone is already rooted in the first place.

Clearly, replacing the admin-capable run-as program with a version that can be started by any user creates a gateway to root a phone permanently.

The risk of rooting

Google’s own Nexus and Pixel devices are sold so that they can be rooted if you like, and are thus commonly used by developers, but other vendors such as Samsung keep their phones locked down, Apple-and-Microsoft style.

As a result, rooting – like its close cousin jailbreaking on Apple phones – is a popular pastime for users who want to do things differently.

For many, it’s a way to remove what they see as vendor bloatware or to replace system apps with leaner, meaner or merely different variants.

For others it’s a way to apply security patches that the vendor hasn’t got round to yet, or to update phones that the vendor no longer supports at all.

And for some, sadly, it’s a gateway to piracy and other scofflaw shenanigans, including carelessly installing maliciously-hacked apps and making ill-advised configuration changes that introduce security problems that would otherwise have been avoided.

In particular, an app that can “get root” can work around the data sandboxing restrictions imposed on regular Android apps, and thereby access files such as logs, messages, databases and other possibly personally identifiable information (PII) that would usually be off-limits.

What to do?

If you genuinely want to root your vendor-locked Android phone, DirtyCOW could be a handy way to get the job done, at least until your vendor’s next security update – though on some devices, that might be a dangerously long time.

On the other hand, if you are a sysadmin looking after a menagerie of corporate devices, where the likely risk of rooting outweighs any potential benefits, you might not be so delighted at the prospect of easily-rooted devices.

Worse still, dodgy off-market apps sometimes secretly use root exploits to get more power than you agreed to give them at install time, which is a danger to any organisation’s network.

We suggest that you ask your Android phone vendors when their DirtyCOW updates will be available.

PS. Sophos Mobile Control can help you to keep rooted phones off your business network by detecting that they’ve been rooted and taking corrective action. That could range from a simple popup warning, through the automatic removal of corporate email, to a forced remote wipe.