Dirty COW Privilege Bug Gives Android Root Access

Root 5.0.2 AH

Privilege escalation, one of the most common types of bugs in computer systems, involves exactly what it says it does; users who would otherwise have no or very little access to something, like a root file system, suddenly has partial or full access via an exploit. New privilege escalation exploits show up all the time, most often in Linux-based systems, and that’s exactly what the newest threat is. Found ‘out in the wild’ by Phil Oester of the security and enterprise centered Red Hat Linux project, the bug consists of an exploit in the core Linux kernel’s handling of timed and ordered events. The exploit allows any local user on a system to gain access to the deepest privilege-locked file systems. Since Android is based on Linux, the implications here are pretty clear; full system control for any app that runs the exploit. This can range from letting a remote user in to messing around with system files and even hijacking the device entirely.

To delve into specifics, the bug takes advantage of the Linux kernel’s flawed handling of breakages in the private, deep-level system memory as it pertains to copy-on-write functions, thus the name, Dirty COW. Copy-on-write is often used for redundancy or when working with volatile memory such as RAM, meaning that nearly any running app could potentially be used to trigger the bug. When the bug is triggered, usually by breaking the expected write sequence of a program that talks directly to the kernel, any and all systems, up to and including the system’s read-only memory, is compromised and can be edited with full privileges from the user account that the exploit originated from for the remainder of the session. This means that apps can use the bug to gain root access and slip into deep system files unnoticed, where they can proceed to wreak all sorts of havoc as mentioned above.

Due to the nature of the bug, trying to distinguish between normal activity and use of the exploit is hard, making it nearly impossible for antivirus apps and the like to do any good. This means that users of any kind of Linux-based system, such as an Android device, are encouraged to keep their security patches and other updates current. For now, the bug has only been found once in the wild. Since it’s already known and being patched, this means that the threat should be largely mitigated. Still, users are cautioned to look out for suspicious activity on their systems until they are sure that they are running patched software. The exploit is demonstrated in a GitHub repository, which inquisitive users can find through the source link.