New Flavor of Dirty COW Attack Discovered, Patched

Share this…

Dirty COW (designated as CVE-2016-5195) is a Linux vulnerability that was first disclosed to the public in October 2016. It was a serious privilege escalation flaw that allowed an attacker to gain root access on the targeted system. It was described as an “ancient bug” by Linus Torvalds and was quickly patched once it was disclosed, with most Linux distributions pushing the patch to their users as soon as possible.

Android is also vulnerable to Dirty COW, although SELinux policies severely limited the attack range. We have found a new way to target Dirty COW that is different from existing attacks. Our discovered method allows for malicious code to be directly written into processes, giving an attacker a significant amount of control over an affected device. All Android versions are currently thought to be affected by this problem.

Proof of Concept

The video below demonstrates our attack. It shows an Android phone with the latest patch at the time of our research installing our proof-of-concept app without any permissions being requested. Once run, Dirty COW is exploited to steal information and change system settings (in this case, get the phone’s location, turn on Bluetooth and the Wi-Fi hotspot). It is also used to silently install an app onto the device, even if it is set not to accept apps from sources outside the Google Play store

Why does this happen? When executing an ELF file, the Linux kernel maps the executable into memory. This mapping will be reused when you open the same ELF executable again. When Dirty COW is used to modify an ELF executable that is already running, the running process’s image is changed too. Let’s consider what this means: Dirty COW can modify any running process that is readable. If a process is not readable, you still use cat /proc/{pid}/maps to find if any loaded ELF modules are readable.

On Android, the same process applies. An Android Runtime (ART) process can be dynamically modified in same way. This allows an attacker who can run an app on an Android device to modify any other process that is readable. This allows an attacker to inject code and control the context of any process.

Figure 1. Improved Dirty COW attack

This attack broadens the ability of the attack to not just read/write to files, but to write code directly to memory. This allows for an attack to gain root access without any reboots or crashes taking place.

Our proof of concept video dynamically patches to give our app system/root privileges. We used this ability to We used this ability to bypass Android’s permission security model to steal information and control system functions.

Mitigation and Disclosure

We have notified Google about this flaw. Dirty COW was initially patched as part of the November 2016 round of Android updates, but the fix did not become mandatory until the December 2016round of updates. Users can check with their device manufacturer and/or phone carriers when their devices will receive this update.

We are now monitoring for threats that use this attack. Users should only install apps from the Google Play or trusted third-party app stores and use mobile security solutions such as Trend Micro™ Mobile Security to block threats from app stores before they can be installed and cause damage your device or data.

Enterprise users should consider a solution like Trend Micro™ Mobile Security for Enterprise. This includes device management, data protection, application management, compliance management, configuration provisioning, and other features so employers can balance privacy and security with the flexibility and added productivity of BYOD programs.