NOWSECURE CONNECT 2022 CONFERENCE - REGISTER TODAY!

NowSecure Connect — THE mobile AppSec + AppDev community online event — returns with new content and the latest training. Join the world’s brightest innovators, practitioners, community leaders, and industry influencers LIVE online for in-depth training, discussions, strategy sessions, CTF and more. Gain access to keynotes, exclusive breakouts, expert panels, on-demand sessions, plus an interactive peer-to-peer community. #NSConnect22 is your source for cutting-edge mobile AppDev, mobile AppSec and mobile DevSecOps insight. Register your crew today!

NOWSECURE CONNECT 2022 CONFERENCE - REGISTER TODAY! NOWSECURE CONNECT 2022 CONFERENCE - REGISTER TODAY! Show More
magnifying glass icon

Android Dirty COW patch and exploiting vulnerable devices without root

Posted by

Sergi Àlvarez i Capilla

Mobile Security Analyst at NowSecure
Sergi, also known as Pancake, performs mobile security research at NowSecure and is the creator of Radare, an open-source reverse-engineering tool.
Android Dirty COW patch and exploiting vulnerable devices without root

Android Dirty COW patch released

On Monday, Google announced putting the Dirty COW vulnerability (CVE-2016-5195) out to pasture with the 2016-12-05 patch level in the December 2016 Android Security Update. That’s welcome news for owners of Google Nexus and Pixel devices.

Of course even with the patch from Google, the long standing problem of Android fragmentation remains and only some Android users will receive protections in the immediate future. It’s not clear how long it will take for a fix to trickle down to devices manufactured by other vendors, which potentially leaves a large number of Android users exposed. Samsung, though, seems to be making strides to get updates out more quickly having announced a patch in their November 2016 Samsung Android Security Update.

In a blog post in October, I explained how the Dirty COW vulnerability affects mobile and how dangerous it is. Particularly so because it’s portable (one piece of code can run on a variety of different Android devices) and several proof-of-concept (PoC) exploits are publicly available. Judging from the nine elevation-of-privilege vulnerabilities in the kernel reported in this month’s bulletin, however, it’s one of many methods for gaining control of an Android device.

In total, and including the Dirty COW patch, this month’s security bulletin includes fixes for 11 critical, 43 high, and 20 moderate risk vulnerabilities across the 2016-12-01 and 2016-12-05 patch levels.

The staged rollout of the over-the-air (OTA) update for Nexus and Pixel devices, which includes the Dirty COW patch, has begun. The process unfurls something like this:

  • One percent of devices receive the update within the first 24-48 hours of the announcement
  • Google watches the results and addresses bugs
  • In batches over the course of a week or two:
    • 25 percent of devices receive the update
    • Then 50 percent of devices receive the update
    • And finally 100 percent of devices receive the update

If you simply can’t wait your turn, you can manually update by downloading and installing the Android OTA image appropriate to your device here. This method does require some additional work on the user’s part.

Exploiting Dirty COW without rooting an Android device

In many cases, rooting the device is not necessary to extract privileged information or manipulate the system to hijack the communications. An attacker can take advantage of the Dirty COW vulnerability in many different ways. In the video below, I demonstrate a successful attack on an instance of Android 7 that does not have the 2016-12-05 security update installed.

Name resolutions in Android make use of the /system/etc/hosts file to find the IP address that corresponds to a specific host name. Using the cowpy tool, included with the Radare2 dirtycow plug-in, I can overwrite the contents of the file to insert an IP address that I control.

To demonstrate, I installed cowpyin Termux on Android and ran the commands you’ll see on-screen in the video:

 

Here’s what you’re witnessing in the video:

  1. Google Chrome has it’s own DNS cache, but after that it will check the /system/etc/hosts file before resolving a name against the DNS server
  2. I create a newly tweaked hosts file containing the IP address of apple.com as the resolver for google.com
  3. I use the cowpy plug-in for Radare2 to overwrite the contents of this system file without having root privileges
  4. With that change, the system resolves google.com as if it was apple.com

As you may have noticed, the host redirection fails the first time because Google Chrome caches the name resolutions, but only until the cache is cleared. This may sound like a weak point in this attack vector. However, it turns out that after rebooting the tablet, Chrome keeps resolving google.com to apple.com even if the etc/hosts changes are lost.

What’s worth noting about this demonstration is that it’s just a random example of what Dirty COW allows attackers to do with little effort and without having to root the device.