The vulnerability known as Dirty COW, present in the Linux kernel source since 2007, is now being exploited in ways that undermine Android app security. Its potential reach is near universal because of how widely Linux is used across desktops, servers, routers and embedded devices, and as the base of operating systems such as Android, Firefox OS and Sailfish.
Here’s a brief overview of how the bug works:
- Take one file that is writable and one that is read-only, and have the kernel map both into memory.
- Repeatedly write to the writable file, each time instructing the kernel to borrow memory from the read-only file.
- Within a fraction of a second, the kernel confuses the memory buffer of the file being written with that of the read-only file.
- The read-only file ends up being overwritten.
This bug creates serious risks for businesses, especially if the overwritten file is a configuration file or a system executable. The open-source Linux kernel is the foundation of Android, so the bug poses serious problems for Android app security testing as well. It is a privilege-escalation vulnerability, and it could be chained with other exploits to gain root access remotely.
A user on GitHub has published a proof-of-concept for Android built around the “run-as” program. “run-as” mirrors “Run as” on Windows: it allows an application to run as if it had been launched by a different user. Though this is useful for writing and testing code, it runs with root privilege and can pass that root access on to every app it loads.
To prevent this, Google's “run-as” program requires the caller to be root, just as it would in debug mode. Replacing that “run-as”, which only an administrator can manage, with a version that any user can manage offers a route to rooting the phone.
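The defensive counterpart to the overwrite described above is integrity monitoring of read-only system files such as “run-as”: compare each file's current content digest and permission bits against a baseline captured from a known-good image. The following is an added example, not code from this post or from Codified Security; the path, the file bytes and the mode bits are constructed sample values, and on a real device the baseline would be recorded before deployment.

```python
import hashlib
import os
import stat
from typing import Callable, Dict, Tuple

# Baseline entry: (expected SHA-256 hex digest, expected permission bits incl. setuid/setgid).
Baseline = Dict[str, Tuple[str, int]]
# Fetcher returns (file bytes, permission bits); swappable so the check can run offline in tests.
Fetcher = Callable[[str], Tuple[bytes, int]]

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def fetch_from_disk(path: str) -> Tuple[bytes, int]:
    """Read a file's bytes and permission bits (file-type bits stripped) from the live system."""
    with open(path, "rb") as fh:
        data = fh.read()
    return data, stat.S_IMODE(os.stat(path).st_mode)

def verify_baseline(baseline: Baseline, fetch: Fetcher = fetch_from_disk) -> Dict[str, str]:
    """Return {path: problem} for each monitored file that drifted; empty dict means all match.
    A Dirty COW style overwrite changes the content while the mode stays the same, so the
    digest and the mode are checked and reported separately."""
    findings: Dict[str, str] = {}
    for path, (expected_digest, expected_mode) in baseline.items():
        try:
            data, mode = fetch(path)
        except OSError as exc:
            findings[path] = f"unreadable: {exc}"  # missing or unreadable is itself a finding
            continue
        problems = []
        if sha256_hex(data) != expected_digest:
            problems.append("content digest changed")
        if mode != expected_mode:
            problems.append(f"mode changed from {oct(expected_mode)} to {oct(mode)}")
        if problems:
            findings[path] = "; ".join(problems)
    return findings

# Constructed sample data standing in for the bytes and mode of a known-good run-as binary.
GOOD_RUN_AS = b"\x7fELF constructed stand-in for the original run-as binary"
SAMPLE_BASELINE: Baseline = {"/system/bin/run-as": (sha256_hex(GOOD_RUN_AS), 0o6755)}

def demo() -> Dict[str, str]:
    """Simulate a device whose run-as content was overwritten in place with the mode untouched."""
    tampered = b"\x7fELF constructed stand-in for a replaced run-as binary"
    return verify_baseline(SAMPLE_BASELINE, lambda _path: (tampered, 0o6755))

if __name__ == "__main__":
    print(demo() or "all monitored files match the baseline")
```

Because an in-place overwrite leaves ownership and mode intact, a check that looks only at permissions would miss it; the content digest is what catches this class of change.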
Users have various motives for rooting their phones, e.g. removing programs installed with vendor software, installing security patches, or piracy. Rooting can lead to the installation of malicious applications that cause security problems on the device: an app running as root gets around Android's sandboxing restrictions and gains unauthorized access to log files, messages and other personally identifiable information.
For getting a locked Android phone genuinely rooted, the Dirty COW mechanism may be a stopgap until an Android security update closes it. System administrators who manage a network of corporate devices may, however, consider that the risks of rooting outweigh the benefits and prefer not to deal with rooted devices at all.
Codified Security is here to help make your mobile app secure, whether it's for iOS, for Android app security testing, or to make sure you're clearing the OWASP Mobile Top 10. For mobile app security testing, try out Codified Security.