The recently discovered Dirty COW Linux kernel vulnerability, which can allow an attacker to gain root access,...
has also been found to affect Android devices running on ARM chips. How does this work, and what are the risks of this attack for mobile users?
The COW in the Dirty COW vulnerability is short for copy-on-write, a computer programming time and resource management technique that uses the abstraction of virtual memory to efficiently implement a duplicate or copy operation on modifiable resources.
If a resource, such as a file or a block of memory, is duplicated, but not modified, there's no need for the system to create a new version, as it can be shared between the copy and the original. This avoids the overhead of creating a full copy. However, if either process makes a change to the resource, a real copy operation takes place -- hence, the term COW, as the copy operation is deferred until the first write occurs.
The Dirty COW vulnerability is a privilege escalation vulnerability, and it is caused by a race condition found in the way the Linux kernel's memory subsystem handles the copy-on-write breakage of private, read-only memory mappings. A race condition occurs when two threads are racing to access or change shared data, but the thread scheduling algorithm fails to ensure that the events occur in the order the programmer intended. In this instance, data can be written into the wrong memory location, giving an attacker write access to read-only memory mappings of system files that would usually require a root login to modify.
Race conditions are notoriously difficult to find, reproduce and debug. They are usually only found by accident when a system becomes overloaded in a manner unforeseen by the programmer.
Linux creator Linus Torvalds was, in fact, aware of this bug 11 years ago, but it was only considered a theoretical problem back then. A potential fix was removed because it caused problems on the IBM mainframe version of Linux.
The Dirty COW vulnerability only came to light again when Linux researchers demonstrated that advances in technology meant it was no longer theoretical. They created an abnormal load by instructing one thread to hammer away writing changes into the writeable private map, with another thread repeatedly telling the kernel it could temporarily free up any memory used for the mapped file, eventually causing an access collision -- the race condition. This resulted in the data being written into the private memory map of the read-only file, instead. If this were to happen to a system executable or configuration file, the attacker could compromise the system's configuration and integrity, and even gain root control.
The Dirty COW vulnerability can't be exploited remotely -- the attacker must first be able to run the attack code on the system. However, attackers who already have a presence on a network are likely to find this a useful method to increase their privileges, particularly as the vulnerability is almost impossible for antivirus and other security software to detect.
Since this vulnerability has existed since 2007, most Linux-based systems are affected, including Android phones, which are based on Linux. Android users are also slightly more at risk, as apps run with user-level privileges, and could use the exploit to install additional malware and to steal data.
Patches have been released and should be applied to enterprise systems. Google released an Android-wide patch in December 2016.
Find out how the SFG malware dropper bypasses antimalware software
Learn about the Linux kernel memory protection feature on the Android OS
Read how a Linux vulnerability on Android devices allows attacks on TCP communications
Dig Deeper on Mobile security threats and prevention
Related Q&A from Michael Cobb
An ad network used domain generation algorithms to bypass ad blockers and launch cryptomining malware. Expert Michael Cobb explains how and the best ... Continue Reading
Researchers at Duo Security discovered a SAML vulnerability that enabled attackers to dupe single sign-on systems. Expert Michael Cobb explains how ... Continue Reading
Hackers were able to exploit a Telegram vulnerability to launch cryptomining malware. Expert Michael Cobb explains how they were able to do so and ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.