Every Android device potentially vulnerable to "most serious" Linux escalation attack, ever



The Dirty Cow vulnerability dates back to code included in the Linux kernel in 2007, and it can be trivially weaponized into an easy-to-run exploit that allows user-space programs to execute as root, meaning that attackers can take over the entire device by getting their targets to run apps without administrator privileges.


The attack also makes it trivial to jailbreak vendor-locked phones, for example to add tethering to devices sold with that feature disabled.

Security researcher David Manouchehri has developed a proof-of-concept Dirty Cow exploit that has worked successfully on every Android device he's tested it on. Manouchehri says that the vulnerability was present in the kernel that shipped with Android 1.0, and he expects that therefore his attack will work on any Android device.

The vulnerability that Dirty Cow exploits has been fixed in the latest version of Android and will be coming to official Android devices soon, but Android suffers from serious fragmentation and many devices are unlikely to ever be updated, especially those that come locked in such a way as to only accept updates from the carrier or manufacturer — unless these carriers/vendors choose to push out a patch, those users have no official upgrade path (in theory, they could use a Dirty Cow-based exploit to defeat this).


A separate security researcher who asked to not be identified said he independently developed a separate rooting script. It's based on this publicly available Dirty Cow exploit that he modified to make it work on Android and to give it additional capabilities.

"We are using a rather unique route on it that we can use elsewhere in the future as well," the researcher said when asked why he didn't want to disclose the code or want his name published. "I don't want Google or anyone shutting down that route."

The video below shows the researcher using his app to root an Android-powered HTC phone, which is connected to a computer by a USB cable. The first ID and su commands show that the device is unrooted. After running "moo"—the name of the file containing the exploit code—and then running the su and ID commands again, it's clear that the device has been rooted.

CVE-2016-5195 (dirtycow/dirtyc0w) proof of concept for Android [David Manouchehri/Github]

Android phones rooted by “most serious” Linux escalation bug ever
[Dan Goodin/Ars Technica]


(Image: Mud Cow Racing – Pacu Jawi – West Sumatra, Indonesia, Rodney Ee, CC-BY)