<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	
	>
<channel>
	<title>Comments on: Dirty COW (CVE-2016-5195)</title>
	<atom:link href="http://www.epanorama.net/blog/2016/10/20/dirty-cow-cve-2016-5195/feed/" rel="self" type="application/rss+xml" />
	<link>https://www.epanorama.net/blog/2016/10/20/dirty-cow-cve-2016-5195/</link>
	<description>All about electronics and circuit design</description>
	<lastBuildDate>Fri, 03 Apr 2026 21:03:02 +0000</lastBuildDate>
		<sy:updatePeriod>hourly</sy:updatePeriod>
		<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.9.14</generator>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2016/10/20/dirty-cow-cve-2016-5195/comment-page-1/#comment-1572752</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Fri, 01 Dec 2017 11:29:35 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=48338#comment-1572752</guid>
		<description><![CDATA[Patch of Dirty COW Vulnerability Incomplete, Researchers Claim
http://www.securityweek.com/patch-dirty-cow-vulnerability-incomplete-researchers-claim

The “Dirty COW” vulnerability (CVE-2016–5195) discovered last year in Linux was incompletely patched, Bindecy researchers say.

The vulnerability was found to be caused by a race condition in the way the Linux kernel’s memory subsystem handles copy-on-write (COW) breakage of private read-only memory mappings. Discovered by Phil Oester, the bug could allow an unprivileged local attacker to escalate their privileges on a targeted system.

The vulnerability was found to impact Android as well, and could even escape containers. Soon after Google released a patch for the vulnerability, however, new attacks exploiting Dirty COW on Android were devised.

The most recent malware family to exploit the issue was observed in September of this year.

Although Dirty COW was one of the most hyped and branded vulnerabilities published, with every Linux version from the last decade, including Android, being vulnerable, the patch released for it stirred far less interest, Bindecy says. Because of that, over a year has passed since the patch was released, and no one noticed it was incomplete.

The original vulnerability impacted the get_user_pages function

the bug would allow writing to the read-only privileged version of a page.

The fix for the vulnerability doesn’t reduce the requested permissions.

The problem, the security researchers say, is that the patch “assumes that the read-only privileged copy of a page will never have a PTE pointing to it with the dirty bit on.”

“Huge Dirty COW” (CVE-2017–1000405)
The incomplete Dirty COW patch
https://medium.com/bindecy/huge-dirty-cow-cve-2017-1000405-110eca132de0]]></description>
		<content:encoded><![CDATA[<p>Patch of Dirty COW Vulnerability Incomplete, Researchers Claim<br />
<a href="http://www.securityweek.com/patch-dirty-cow-vulnerability-incomplete-researchers-claim" rel="nofollow">http://www.securityweek.com/patch-dirty-cow-vulnerability-incomplete-researchers-claim</a></p>
<p>The “Dirty COW” vulnerability (CVE-2016–5195) discovered last year in Linux was incompletely patched, Bindecy researchers say.</p>
<p>The vulnerability was found to be caused by a race condition in the way the Linux kernel’s memory subsystem handles copy-on-write (COW) breakage of private read-only memory mappings. Discovered by Phil Oester, the bug could allow an unprivileged local attacker to escalate their privileges on a targeted system.</p>
<p>The vulnerability was found to impact Android as well, and could even escape containers. Soon after Google released a patch for the vulnerability, however, new attacks exploiting Dirty COW on Android were devised.</p>
<p>The most recent malware family to exploit the issue was observed in September of this year.</p>
<p>Although Dirty COW was one of the most hyped and branded vulnerabilities published, with every Linux version from the last decade, including Android, being vulnerable, the patch released for it stirred far less interest, Bindecy says. Because of that, over a year has passed since the patch was released, and no one noticed it was incomplete.</p>
<p>The original vulnerability impacted the get_user_pages function</p>
<p>the bug would allow writing to the read-only privileged version of a page.</p>
<p>The fix for the vulnerability doesn’t reduce the requested permissions.</p>
<p>The problem, the security researchers say, is that the patch “assumes that the read-only privileged copy of a page will never have a PTE pointing to it with the dirty bit on.”</p>
<p>“Huge Dirty COW” (CVE-2017–1000405)<br />
The incomplete Dirty COW patch<br />
<a href="https://medium.com/bindecy/huge-dirty-cow-cve-2017-1000405-110eca132de0" rel="nofollow">https://medium.com/bindecy/huge-dirty-cow-cve-2017-1000405-110eca132de0</a></p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2016/10/20/dirty-cow-cve-2016-5195/comment-page-1/#comment-1564394</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Tue, 26 Sep 2017 14:29:16 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=48338#comment-1564394</guid>
		<description><![CDATA[Dirty Cow vulnerability discovered in Android malware campaign for the first time
http://www.zdnet.com/article/dirty-cow-vulnerability-discovered-in-android-malware-campaign-for-the-first-time/

The bug has been found in malware designed to root and install backdoors into Android handsets.

For the first time, threat actors have added the Dirty Cow Android exploit to malware designed to compromise devices running on the mobile platform.

On Monday, researchers from Trend Micro said the vulnerability, traced as CVE-2016-5195, has been discovered in a malware sample of ZNIU -- detected as AndroidOS_ZNIU -- and this is the first malware sample to contain an exploit for the flaw.

Dirty Cow was publicly disclosed back in 2016. The vulnerability has been present in the kernel and Linux distributions for years and permits attackers to escalate to root privileges through a race condition bug, gain access to read-only memory, and permit remote attacks.

&quot;Dirty COW attacks on Android has been silent since its discovery, perhaps because it took attackers some time to build a stable exploit for major devices,&quot; the company said.

In a blog post, Trend Micro researchers Jason Gu, Veo Zhang, and Seven Shen said ZNIU was present in at least 40 countries last month, with the majority of victims found in China and India.

Individuals in the US, Japan, Canada, and Germany, among others, have also been targeted.


ZNIU: First Android Malware to Exploit Dirty COW Vulnerability
Posted on: September 25, 2017 at 5:00 am
Posted in: Bad Sites, Malware, Mobile, Vulnerabilities
Author: Mobile Threat Response Team
By Jason Gu, Veo Zhang, and Seven Shen
http://blog.trendmicro.com/trendlabs-security-intelligence/zniu-first-android-malware-exploit-dirty-cow-vulnerability/]]></description>
		<content:encoded><![CDATA[<p>Dirty Cow vulnerability discovered in Android malware campaign for the first time<br />
<a href="http://www.zdnet.com/article/dirty-cow-vulnerability-discovered-in-android-malware-campaign-for-the-first-time/" rel="nofollow">http://www.zdnet.com/article/dirty-cow-vulnerability-discovered-in-android-malware-campaign-for-the-first-time/</a></p>
<p>The bug has been found in malware designed to root and install backdoors into Android handsets.</p>
<p>For the first time, threat actors have added the Dirty Cow Android exploit to malware designed to compromise devices running on the mobile platform.</p>
<p>On Monday, researchers from Trend Micro said the vulnerability, traced as CVE-2016-5195, has been discovered in a malware sample of ZNIU &#8212; detected as AndroidOS_ZNIU &#8212; and this is the first malware sample to contain an exploit for the flaw.</p>
<p>Dirty Cow was publicly disclosed back in 2016. The vulnerability has been present in the kernel and Linux distributions for years and permits attackers to escalate to root privileges through a race condition bug, gain access to read-only memory, and permit remote attacks.</p>
<p>&#8220;Dirty COW attacks on Android has been silent since its discovery, perhaps because it took attackers some time to build a stable exploit for major devices,&#8221; the company said.</p>
<p>In a blog post, Trend Micro researchers Jason Gu, Veo Zhang, and Seven Shen said ZNIU was present in at least 40 countries last month, with the majority of victims found in China and India.</p>
<p>Individuals in the US, Japan, Canada, and Germany, among others, have also been targeted.</p>
<p>ZNIU: First Android Malware to Exploit Dirty COW Vulnerability<br />
Posted on: September 25, 2017 at 5:00 am<br />
Posted in: Bad Sites, Malware, Mobile, Vulnerabilities<br />
Author: Mobile Threat Response Team<br />
By Jason Gu, Veo Zhang, and Seven Shen<br />
<a href="http://blog.trendmicro.com/trendlabs-security-intelligence/zniu-first-android-malware-exploit-dirty-cow-vulnerability/" rel="nofollow">http://blog.trendmicro.com/trendlabs-security-intelligence/zniu-first-android-malware-exploit-dirty-cow-vulnerability/</a></p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2016/10/20/dirty-cow-cve-2016-5195/comment-page-1/#comment-1527878</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Thu, 08 Dec 2016 14:48:15 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=48338#comment-1527878</guid>
		<description><![CDATA[Hacker Holiday Havoc
http://www.securityweek.com/hacker-holiday-havoc

It’s that time of year again...when consumers, retailers and manufacturers need to understand and be alert to the latest cyber attacks that threaten to dampen the spirit and excitement of the holidays. This year we’re seeing two twists on some tried and true tactics that are cause for concern among the online gaming industry and retailers.

Gaming industry and DDoS

The use of botnets comprised of compromised IoT devices (cameras, DVRs, routers or other internet-connected hardware) is not a new development. But the attacks involving the recently discovered Mirai malware, which targeted Krebs on Security, the French Internet Service Provider OVH, DynDNS and a mobile telecommunications provider in Liberia, have been some of the largest distributed denial of service (DDoS) attacks measured to date.

These attacks highlight the inherent vulnerability of basing network infrastructure around centralized DNS providers and the potential power of large IoT botnets to enable low capability actors to launch high impact attacks. Mirai spreads by scanning for IoT devices operating Telnet – a network protocol that allows a user on one computer to log onto another computer that is part of the same network – and then uses the default credentials in an attempt to brute-force access to the device. 

Here are a few tips for how the gaming industry can protect itself and its customers:

• Change access credentials for devices and implement complex passwords.

• Evaluate your dependence on DNS, specifically for your most critical domains, and investigate the use of multiple DNS providers.

• Develop a DDoS process and review monitoring capabilities; to minimize downtime it is important to quickly identify the attack, characterize the attack traffic and take the appropriate action.

• Consider disabling all remote access to devices and perform administrative tasks internally – instead of Telnet, FTP and HTTP, use SSH, SFTP and HTTPS. 

FastPOS malware aimed at retailers 

POS malware is clearly under active development. To prevent and mitigate damage from such attacks retailers can:

• Conduct audits, penetration testing, assessments and red teaming exercises to understand your risk posture and attack surface.

• Consider PoS systems and networks as vital extensions of your enterprise environments; the technology that is used to protect the enterprise should be leveraged on PoS systems and networks where possible and, if not possible, comparable alternates should be sought out.

• Adopt technologies that are becoming more commonplace, such as chip and pin.

• Share intelligence with peers, for example in the form of an ISAC, for the betterment of the industry.]]></description>
		<content:encoded><![CDATA[<p>Hacker Holiday Havoc<br />
<a href="http://www.securityweek.com/hacker-holiday-havoc" rel="nofollow">http://www.securityweek.com/hacker-holiday-havoc</a></p>
<p>It’s that time of year again&#8230;when consumers, retailers and manufacturers need to understand and be alert to the latest cyber attacks that threaten to dampen the spirit and excitement of the holidays. This year we’re seeing two twists on some tried and true tactics that are cause for concern among the online gaming industry and retailers.</p>
<p>Gaming industry and DDoS</p>
<p>The use of botnets comprised of compromised IoT devices (cameras, DVRs, routers or other internet-connected hardware) is not a new development. But the attacks involving the recently discovered Mirai malware, which targeted Krebs on Security, the French Internet Service Provider OVH, DynDNS and a mobile telecommunications provider in Liberia, have been some of the largest distributed denial of service (DDoS) attacks measured to date.</p>
<p>These attacks highlight the inherent vulnerability of basing network infrastructure around centralized DNS providers and the potential power of large IoT botnets to enable low capability actors to launch high impact attacks. Mirai spreads by scanning for IoT devices operating Telnet – a network protocol that allows a user on one computer to log onto another computer that is part of the same network – and then uses the default credentials in an attempt to brute-force access to the device. </p>
<p>Here are a few tips for how the gaming industry can protect itself and its customers:</p>
<p>• Change access credentials for devices and implement complex passwords.</p>
<p>• Evaluate your dependence on DNS, specifically for your most critical domains, and investigate the use of multiple DNS providers.</p>
<p>• Develop a DDoS process and review monitoring capabilities; to minimize downtime it is important to quickly identify the attack, characterize the attack traffic and take the appropriate action.</p>
<p>• Consider disabling all remote access to devices and perform administrative tasks internally – instead of Telnet, FTP and HTTP, use SSH, SFTP and HTTPS. </p>
<p>FastPOS malware aimed at retailers </p>
<p>POS malware is clearly under active development. To prevent and mitigate damage from such attacks retailers can:</p>
<p>• Conduct audits, penetration testing, assessments and red teaming exercises to understand your risk posture and attack surface.</p>
<p>• Consider PoS systems and networks as vital extensions of your enterprise environments; the technology that is used to protect the enterprise should be leveraged on PoS systems and networks where possible and, if not possible, comparable alternates should be sought out.</p>
<p>• Adopt technologies that are becoming more commonplace, such as chip and pin.</p>
<p>• Share intelligence with peers, for example in the form of an ISAC, for the betterment of the industry.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2016/10/20/dirty-cow-cve-2016-5195/comment-page-1/#comment-1527877</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Thu, 08 Dec 2016 14:46:57 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=48338#comment-1527877</guid>
		<description><![CDATA[Researchers Devise New Dirty COW Attack Against Android
http://www.securityweek.com/researchers-devise-new-dirty-cow-attack-against-android

A newly discovered attack that abuses the Dirty COW vulnerability in the Linux kernel can be leveraged to write malicious code directly into processes, Trend Micro security researchers say.

Tracked as CVE-2016-5195 and discovered by Phil Oester, Dirty COW allows a local, unprivileged attacker to escalate their privileges by modifying existing setuid files. The flaw gets its name from relying on a race condition in the kernel between the operation that writes to copy-on-write (COW) memory mappings and the one that clears that memory, and it can even escape containers.

Found in the Linux kernel, the vulnerability was expected to impact Android as well, and it didn’t take long before security researchers discovered that it would allow an attacker to gain root access to targeted devices. Google already rolled out a fix for Nexus and Pixel products, and all Android devices running a security patch level of 2016-11-06 are safe from Dirty COW.

Now, Trend Micro researchers say that Dirty COW can be triggered in a manner that is different from existing attacks and which allows for malicious code to be directly written into processes. 

“Once run, Dirty COW is exploited to steal information and change system settings (in this case, get the phone’s location, turn on Bluetooth and the Wi-Fi hotspot). It is also used to silently install an app onto the device, even if it is set not to accept apps from sources outside the Google Play store,” the security researchers explain.

Proof of Concept of New Dirty Cow Attack 
https://www.youtube.com/watch?v=gupelQZrcow

This video demonstrates a new variant of the already known Dirty Cow attack. An app is able to turn on/off Bluetooth, Internet sharing, as well as download and install a separate app.]]></description>
		<content:encoded><![CDATA[<p>Researchers Devise New Dirty COW Attack Against Android<br />
<a href="http://www.securityweek.com/researchers-devise-new-dirty-cow-attack-against-android" rel="nofollow">http://www.securityweek.com/researchers-devise-new-dirty-cow-attack-against-android</a></p>
<p>A newly discovered attack that abuses the Dirty COW vulnerability in the Linux kernel can be leveraged to write malicious code directly into processes, Trend Micro security researchers say.</p>
<p>Tracked as CVE-2016-5195 and discovered by Phil Oester, Dirty COW allows a local, unprivileged attacker to escalate their privileges by modifying existing setuid files. The flaw gets its name from relying on a race condition in the kernel between the operation that writes to copy-on-write (COW) memory mappings and the one that clears that memory, and it can even escape containers.</p>
<p>Found in the Linux kernel, the vulnerability was expected to impact Android as well, and it didn’t take long before security researchers discovered that it would allow an attacker to gain root access to targeted devices. Google already rolled out a fix for Nexus and Pixel products, and all Android devices running a security patch level of 2016-11-06 are safe from Dirty COW.</p>
<p>Now, Trend Micro researchers say that Dirty COW can be triggered in a manner that is different from existing attacks and which allows for malicious code to be directly written into processes. </p>
<p>“Once run, Dirty COW is exploited to steal information and change system settings (in this case, get the phone’s location, turn on Bluetooth and the Wi-Fi hotspot). It is also used to silently install an app onto the device, even if it is set not to accept apps from sources outside the Google Play store,” the security researchers explain.</p>
<p>Proof of Concept of New Dirty Cow Attack<br />
<a href="https://www.youtube.com/watch?v=gupelQZrcow" rel="nofollow">https://www.youtube.com/watch?v=gupelQZrcow</a></p>
<p>This video demonstrates a new variant of the already known Dirty Cow attack. An app is able to turn on/off Bluetooth, Internet sharing, as well as download and install a separate app.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2016/10/20/dirty-cow-cve-2016-5195/comment-page-1/#comment-1527866</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Thu, 08 Dec 2016 14:02:31 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=48338#comment-1527866</guid>
		<description><![CDATA[Google &quot;kind of fixed&quot; dirty cow

In October, a bug was reported in decade-old Linux kernel code that has been in use for a long time. The problem also touched Android, and Google now indicates its position on the Dirty COW vulnerability.

Since the Android base is the Linux kernel, the problem was also present in all Android mobile phones that have not been updated to the latest kernel version. This was most Android smartphones.

On Monday, Google announced the launch of the latest version of Android. The 7.1.1 release came with more than 50 security patches, eleven of which Google rates as critical. One of the fixes relates specifically to Dirty Cow.

Of course, the fix does not protect most Android devices. The vast majority of smartphones run older versions of Android.

Source: http://etn.fi/index.php?option=com_content&amp;view=article&amp;id=5538:google-tavallaan-paikkasi-likaisen-lehman&amp;catid=13&amp;Itemid=101]]></description>
		<content:encoded><![CDATA[<p>Google &#8220;kind of fixed&#8221; dirty cow</p>
<p>In October, a bug was reported in decade-old Linux kernel code that has been in use for a long time. The problem also touched Android, and Google now indicates its position on the Dirty COW vulnerability.</p>
<p>Since the Android base is the Linux kernel, the problem was also present in all Android mobile phones that have not been updated to the latest kernel version. This was most Android smartphones.</p>
<p>On Monday, Google announced the launch of the latest version of Android. The 7.1.1 release came with more than 50 security patches, eleven of which Google rates as critical. One of the fixes relates specifically to Dirty Cow.</p>
<p>Of course, the fix does not protect most Android devices. The vast majority of smartphones run older versions of Android.</p>
<p>Source: <a href="http://etn.fi/index.php?option=com_content&#038;view=article&#038;id=5538:google-tavallaan-paikkasi-likaisen-lehman&#038;catid=13&#038;Itemid=101" rel="nofollow">http://etn.fi/index.php?option=com_content&#038;view=article&#038;id=5538:google-tavallaan-paikkasi-likaisen-lehman&#038;catid=13&#038;Itemid=101</a></p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2016/10/20/dirty-cow-cve-2016-5195/comment-page-1/#comment-1522974</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Thu, 10 Nov 2016 10:59:30 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=48338#comment-1522974</guid>
		<description><![CDATA[Google Washes Dirty COW From Android
http://www.securityweek.com/google-washes-dirty-cow-android

Google’s Android Security Bulletin for November 2016 patched a total of 83 vulnerabilities in the operating system, one of which was the Dirty COW flaw in Linux kernel that was disclosed a few weeks back.

Tracked as CVE-2016-5195, the bug was found to impact Android devices as well, and security researchers even published exploit codes to prove that. The Dirty COW vulnerability could be exploited to gain root access on affected Android products, and all devices running a Linux kernel higher than 2.6.22 are believed to be affected by the issue, especially with many of them not being patched in due time.

Only a few weeks after the flaw was publicly disclosed, Google released a patch for it as part of the Android Security Bulletin for November 2016, which came out on Monday. According to Google, the vulnerability is resolved on devices running the security patch level of 2016-11-06, which was the third security patch level in the new set of updates.

In its advisory, Google described the vulnerability as an elevation of privilege vulnerability in the kernel memory subsystem, explaining that it could be leveraged by a local malicious application to execute arbitrary code within the context of the kernel. The bug was rated Critical because it could lead to a local permanent device compromise, supposedly requiring a reflash of the operating system to repair the device.]]></description>
		<content:encoded><![CDATA[<p>Google Washes Dirty COW From Android<br />
<a href="http://www.securityweek.com/google-washes-dirty-cow-android" rel="nofollow">http://www.securityweek.com/google-washes-dirty-cow-android</a></p>
<p>Google’s Android Security Bulletin for November 2016 patched a total of 83 vulnerabilities in the operating system, one of which was the Dirty COW flaw in Linux kernel that was disclosed a few weeks back.</p>
<p>Tracked as CVE-2016-5195, the bug was found to impact Android devices as well, and security researchers even published exploit codes to prove that. The Dirty COW vulnerability could be exploited to gain root access on affected Android products, and all devices running a Linux kernel higher than 2.6.22 are believed to be affected by the issue, especially with many of them not being patched in due time.</p>
<p>Only a few weeks after the flaw was publicly disclosed, Google released a patch for it as part of the Android Security Bulletin for November 2016, which came out on Monday. According to Google, the vulnerability is resolved on devices running the security patch level of 2016-11-06, which was the third security patch level in the new set of updates.</p>
<p>In its advisory, Google described the vulnerability as an elevation of privilege vulnerability in the kernel memory subsystem, explaining that it could be leveraged by a local malicious application to execute arbitrary code within the context of the kernel. The bug was rated Critical because it could lead to a local permanent device compromise, supposedly requiring a reflash of the operating system to repair the device.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2016/10/20/dirty-cow-cve-2016-5195/comment-page-1/#comment-1522215</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Fri, 04 Nov 2016 08:57:20 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=48338#comment-1522215</guid>
		<description><![CDATA[Containers Can&#039;t Fence Dirty COW Vulnerability
http://www.securityweek.com/containers-cant-fence-dirty-cow-vulnerability

The Dirty COW vulnerability in the Linux kernel that was revealed late last month can’t be mitigated with the help of containers, security researchers have discovered.

The flaw (CVE-2016-5195) relies on a race condition in the kernel, between the operation that performs writes to copy-on-write (COW) memory mappings, and the one that continuously disposes of that memory. When the race condition appears, the kernel might end up writing data to read-only memory mapping, instead of making a private copy first.

Proof of concept (POC) exploit codes that leverage the vulnerability have already started to emerge, including some targeted at Android devices. These POCs revealed that one can write to read-only files, and that root access could be achieved, and even how to break out of a container.

Aqua’s Sagie Dulce explains that even users with root privileges shouldn’t have write access to a mapped read-only volume in a container, let alone a non-root user. However, Dirty COW makes it possible for data on the host to be manipulated from within the container.

Dirty COW Vulnerability: Impact on Containers
http://blog.aquasec.com/dirty-cow-vulnerability-impact-on-containers

There has been plenty of buzz lately regarding an old-new privilege escalation vulnerability, adorably named “Dirty COW” after the Copy-On-Write memory protection in the Linux kernel. The whole thing started roughly eleven years ago, when a kernel developer left a race condition issue open: “This is an ancient bug that was actually attempted to be fixed once (badly) by me eleven years ago”. The bug was eventually committed on October 18th 2016, and was quickly reported a day later as CVE-2016-5195. Shortly after, many public proof-of-concept codes popped up, demonstrating how one can write to read-only files, gain root access or even break out of a container.

In the wild, many proof-of-concept exploit codes have begun to pop up. They offer various flavors of privilege escalation techniques, such as patching an SUID file, writing shellcode to shared objects in memory etc. To be able to perform the exploit, the process must access its memory. It does so by either calling ptrace (which requires the SYS_PTRACE capability) or by opening its own memory like a “file” via /proc/self/mem. Because the SYS_PTRACE approach is less usable in containers (this capability is not added to containers by default), we will focus on the /proc/self/mem POCs and see if they pose any threat in containerized environments.]]></description>
		<content:encoded><![CDATA[<p>Containers Can&#8217;t Fence Dirty COW Vulnerability<br />
<a href="http://www.securityweek.com/containers-cant-fence-dirty-cow-vulnerability" rel="nofollow">http://www.securityweek.com/containers-cant-fence-dirty-cow-vulnerability</a></p>
<p>The Dirty COW vulnerability in the Linux kernel that was revealed late last month can’t be mitigated with the help of containers, security researchers have discovered.</p>
<p>The flaw (CVE-2016-5195) relies on a race condition in the kernel, between the operation that performs writes to copy-on-write (COW) memory mappings, and the one that continuously disposes of that memory. When the race condition appears, the kernel might end up writing data to read-only memory mapping, instead of making a private copy first.</p>
<p>Proof of concept (POC) exploit codes that leverage the vulnerability have already started to emerge, including some targeted at Android devices. These POCs revealed that one can write to read-only files, and that root access could be achieved, and even how to break out of a container.</p>
<p>Aqua’s Sagie Dulce explains that even users with root privileges shouldn’t have write access to a mapped read-only volume in a container, let alone a non-root user. However, Dirty COW makes it possible for data on the host to be manipulated from within the container.</p>
<p>Dirty COW Vulnerability: Impact on Containers<br />
<a href="http://blog.aquasec.com/dirty-cow-vulnerability-impact-on-containers" rel="nofollow">http://blog.aquasec.com/dirty-cow-vulnerability-impact-on-containers</a></p>
<p>There has been plenty of buzz lately regarding an old-new privilege escalation vulnerability, adorably named “Dirty COW” after the Copy-On-Write memory protection in the Linux kernel. The whole thing started roughly eleven years ago, when a kernel developer left a race condition issue open: “This is an ancient bug that was actually attempted to be fixed once (badly) by me eleven years ago”. The bug was eventually committed on October 18th 2016, and was quickly reported a day later as CVE-2016-5195. Shortly after, many public proof-of-concept codes popped up, demonstrating how one can write to read-only files, gain root access or even break out of a container.</p>
<p>In the wild, many proof-of-concept exploit codes have begun to pop up. They offer various flavors of privilege escalation techniques, such as patching an SUID file, writing shellcode to shared objects in memory etc. To be able to perform the exploit, the process must access its memory. It does so by either calling ptrace (which requires the SYS_PTRACE capability) or by opening its own memory like a “file” via /proc/self/mem. Because the SYS_PTRACE approach is less usable in containers (this capability is not added to containers by default), we will focus on the /proc/self/mem POCs and see if they pose any threat in containerized environments.</p>
]]></content:encoded>
	</item>
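The Aqua excerpt above turns on one practical check: whether a process inside a container holds CAP_SYS_PTRACE, since without it the ptrace route to another process's memory is closed and only the /proc/self/mem variant remains. The script below is an added example written for this page; it is not code from the Aqua post, from the exploit PoCs it discusses, or from any of the commenters. It decodes the CapEff mask that the kernel reports in /proc/PID/status and reports whether bit 19 (CAP_SYS_PTRACE in include/uapi/linux/capability.h) is set. The function names are this example's own, and the two sample masks are constructed for the demonstration: the first equals the default Docker capability set, which omits CAP_SYS_PTRACE, and the second has every capability bit set, as a --privileged container would.

```shell
#!/bin/sh
# Added example (not from the Aqua post or the Dirty COW PoCs): decode the
# effective capability mask of a process and say whether the ptrace-based
# route to process memory is even available to it.
# CAP_SYS_PTRACE is capability number 19 in include/uapi/linux/capability.h.

CAP_SYS_PTRACE=19

# pow2 N: print 2^N using only POSIX shell arithmetic.
pow2() {
    n=$1
    p=1
    while [ "$n" -gt 0 ]; do
        p=$((p * 2))
        n=$((n - 1))
    done
    echo "$p"
}

# has_cap HEXMASK BIT: succeed when capability BIT is set in a CapEff-style
# hexadecimal mask such as 00000000a80425fb.
has_cap() {
    mask=$((0x$1))
    p=$(pow2 "$2")
    [ $((mask / p % 2)) -eq 1 ]
}

# capeff_of STATUS_TEXT: extract the CapEff value from the text of a
# /proc/PID/status file (pass the file contents as one argument).
capeff_of() {
    printf '%s\n' "$1" | awk '/^CapEff:/ { print $2 }'
}

# ptrace_route_status HEXMASK: one-word verdict for the mask.
ptrace_route_status() {
    if has_cap "$1" "$CAP_SYS_PTRACE"; then
        echo "available"
    else
        echo "blocked"
    fi
}

# Constructed sample masks for the demonstration (hypothetical inputs):
# Docker's default capability set, which does not include CAP_SYS_PTRACE,
# and an all-bits-set mask as seen in a --privileged container.
DOCKER_DEFAULT=00000000a80425fb
PRIVILEGED=0000003fffffffff

# On a live system: ptrace_route_status "$(capeff_of "$(cat /proc/self/status)")"
ptrace_route_status "$DOCKER_DEFAULT"
ptrace_route_status "$PRIVILEGED"
```

A "blocked" result only closes the ptrace route; a kernel that has not been patched for CVE-2016-5195 still exposes the /proc/self/mem path, which needs no capability at all, so the check is a way to narrow which PoC class applies, not a substitute for patching.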
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2016/10/20/dirty-cow-cve-2016-5195/comment-page-1/#comment-1521891</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Wed, 02 Nov 2016 12:24:31 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=48338#comment-1521891</guid>
		<description><![CDATA[Docker user? Haven&#039;t patched Dirty COW yet? Got bad news for you
Repeat after me, containerization isn&#039;t protection, it&#039;s a management feature
http://www.theregister.co.uk/2016/11/01/docker_user_havent_patched_dirty_cow_yet_bad_news/

Here&#039;s another reason to pay attention to patching your Linux systems against the Dirty COW vulnerability: it can be used to escape Docker containers.

That news comes from Paranoid Software&#039;s Gabriel Lawrence, who describes the escape here.

Dirty COW is a race condition in Linux arising from how Copy-On-Write (the COW in the name) is handled by the kernel&#039;s memory subsystem&#039;s use of private mappings.

Lawrence writes: “more interesting to me than a local privilege escalation, this is a bug in the Linux kernel, containers such as Docker won&#039;t save us.”

Dirty COW - (CVE-2016-5195) - Docker Container Escape
https://blog.paranoidsoftware.com/dirty-cow-cve-2016-5195-docker-container-escape/]]></description>
		<content:encoded><![CDATA[<p>Docker user? Haven&#8217;t patched Dirty COW yet? Got bad news for you<br />
Repeat after me, containerization isn&#8217;t protection, it&#8217;s a management feature<br />
<a href="http://www.theregister.co.uk/2016/11/01/docker_user_havent_patched_dirty_cow_yet_bad_news/" rel="nofollow">http://www.theregister.co.uk/2016/11/01/docker_user_havent_patched_dirty_cow_yet_bad_news/</a></p>
<p>Here&#8217;s another reason to pay attention to patching your Linux systems against the Dirty COW vulnerability: it can be used to escape Docker containers.</p>
<p>That news comes from Paranoid Software&#8217;s Gabriel Lawrence, who describes the escape here.</p>
<p>Dirty COW is a race condition in Linux arising from how Copy-On-Write (the COW in the name) is handled by the kernel&#8217;s memory subsystem&#8217;s use of private mappings.</p>
<p>Lawrence writes: “more interesting to me than a local privilege escalation, this is a bug in the Linux kernel, containers such as Docker won&#8217;t save us.”</p>
<p>Dirty COW &#8211; (CVE-2016-5195) &#8211; Docker Container Escape<br />
<a href="https://blog.paranoidsoftware.com/dirty-cow-cve-2016-5195-docker-container-escape/" rel="nofollow">https://blog.paranoidsoftware.com/dirty-cow-cve-2016-5195-docker-container-escape/</a></p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2016/10/20/dirty-cow-cve-2016-5195/comment-page-1/#comment-1520990</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Thu, 27 Oct 2016 10:28:18 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=48338#comment-1520990</guid>
		<description><![CDATA[Linux exploit gives any user full access in five seconds
The bug was first spotted by Linus Torvalds 11 years ago, but never patched.
https://www.engadget.com/2016/10/24/linux-exploit-gives-any-user-full-access-in-five-seconds/]]></description>
		<content:encoded><![CDATA[<p>Linux exploit gives any user full access in five seconds<br />
The bug was first spotted by Linus Torvalds 11 years ago, but never patched.<br />
<a href="https://www.engadget.com/2016/10/24/linux-exploit-gives-any-user-full-access-in-five-seconds/" rel="nofollow">https://www.engadget.com/2016/10/24/linux-exploit-gives-any-user-full-access-in-five-seconds/</a></p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2016/10/20/dirty-cow-cve-2016-5195/comment-page-1/#comment-1520782</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Wed, 26 Oct 2016 09:13:26 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=48338#comment-1520782</guid>
<description><![CDATA[Fresh Linux bug also works on Android

Last week a bug in Linux kernel code that has been around for a decade, and that has been exploited for a long time, was reported. It is the vulnerability CVE-2016-5195. Its discoverers named the problem &quot;Dirty COW&quot;. Now the security firm Sophos reports that the vulnerability is also present in Android.

From the user&#039;s point of view it is not a very critical vulnerability. It does not allow malicious code to execute by itself, but it does allow elevation of privilege, i.e. so-called escalation.

Since Android is built on the Linux kernel, the problem is also present in all Android mobile phones that have not been updated to the latest kernel version. This must currently apply to all Android smartphones.

According to Sophos, on Android the vulnerability means that an attacker can get applications to obtain root-level privileges.

Source: http://etn.fi/index.php?option=com_content&amp;view=article&amp;id=5287:linuxin-tuore-bugi-toimii-myos-androidissa&amp;catid=13&amp;Itemid=101]]></description>
<content:encoded><![CDATA[<p>Fresh Linux bug also works on Android</p>
<p>Last week a bug in Linux kernel code that has been around for a decade, and that has been exploited for a long time, was reported. It is the vulnerability CVE-2016-5195. Its discoverers named the problem &#8220;Dirty COW&#8221;. Now the security firm Sophos reports that the vulnerability is also present in Android.</p>
<p>From the user&#8217;s point of view it is not a very critical vulnerability. It does not allow malicious code to execute by itself, but it does allow elevation of privilege, i.e. so-called escalation.</p>
<p>Since Android is built on the Linux kernel, the problem is also present in all Android mobile phones that have not been updated to the latest kernel version. This must currently apply to all Android smartphones.</p>
<p>According to Sophos, on Android the vulnerability means that an attacker can get applications to obtain root-level privileges.</p>
<p>Source: <a href="http://etn.fi/index.php?option=com_content&#038;view=article&#038;id=5287:linuxin-tuore-bugi-toimii-myos-androidissa&#038;catid=13&#038;Itemid=101" rel="nofollow">http://etn.fi/index.php?option=com_content&#038;view=article&#038;id=5287:linuxin-tuore-bugi-toimii-myos-androidissa&#038;catid=13&#038;Itemid=101</a></p>
]]></content:encoded>
	</item>
</channel>
</rss>
