Android Marshmallow Settings Icons AH-1

Security Bug In Linux May Affect Over Half Of All Android Devices

January 20, 2016 - Written By Daniel Fuller

For those not in the know, a kernel, the core of any Linux-based system, controls things like the hardware to driver interface, core command software and input/output. This core is present in any devices running a Linux backend. To spare you the exhaustive list, Linux-based PCs and servers, along with all Android devices, are on that list. A security research firm called Perception Point has identified and reported a security hole that could affect up to 66 percent of all Android devices, among other devices running a Linux kernel as the core software. The exploit has not been spotted in the wild so far and, for all intents and purposes has been patched, but users should still exercise caution.

The exploit is what’s called a “privilege escalation” exploit. This exploit makes use of a memory leak in the keyring software, required for storing and interfacing with authentication credentials. Essentially, the idea is to obtain root privileges on a device. In testing, Perception Point was able to do just that. In gory detail, the exploit can work because applications are all allowed to create and manage their own keyrings; this includes sharing them. Once a keyring is in a system’s internals, it sticks around for the duration of a given login session and can be called upon by name, under the right circumstances. Objects, being assets or bits of code that have been saved, can be shared between applications. Naturally, the same applies to keyrings. Normally, when an object or application makes an invalid request for a keyring, it’s either ignored and given an error message or a new one is generated. When a keyring call is for the same keyring an application is already using, however, it skips a vital step in that process and ends up allowing users to grab the credentials of the current keyring.

This can cause a memory leak if used in just the wrong way, but the true consequences run a bit deeper. Using the leaked details, if a user can trick the system into creating the same leak for a different object, the system will think the object has been freed. A freed object can then be used for an overflow attack that will, in essence, trick the system into executing whatever code the attacker wants. This can be anything ranging from downloading adware to full control. Any Linux Kernel version 3.8 and higher has the bug in place, but Android devices in particular, have a scheme called SELinux that makes it a bit harder to trigger. For most users, the moral of the story here is to never trust strange software, as always. Developers, programmers and other interested parties can, of course, hit up the source link to see the entire disclosure in its full glory. Most applicable software developers should already be at work patching this one, so don’t expect it to hang around for long or get too big.