Kernel Privilege Escalation - Online Cyber Security News

Dirty COW — Critical Linux Kernel Flaw Being Exploited in the Wild

Thursday, October 20, 2016 Swati Khandelwal

A nine-year-old critical vulnerability has been discovered in virtually all versions of the Linux operating system and is actively being exploited in the wild.

Dubbed "Dirty COW," the Linux kernel security flaw (CVE-2016-5195) is a mere privilege-escalation vulnerability, but researchers are taking it extremely seriously due to many reasons.

First, it's very easy to develop exploits that work reliably. Secondly, the Dirty COW flaw exists in a section of the Linux kernel, which is a part of virtually every distro of the open-source operating system, including RedHat, Debian, and Ubuntu, released for almost a decade.

And most importantly, the researchers have discovered attack code that indicates the Dirty COW vulnerability is being actively exploited in the wild.

Dirty COW potentially allows any installed malicious app to gain administrative (root-level) access to a device and completely hijack it within just 5 seconds.

Earlier this week, Linus Torvalds admitted that 11 years ago he first spotted this issue and also tried to fix it, but then he left it unpatched because at the time it was hard to trigger.

Why is the Flaw called Dirty COW?

The bug, marked as "High" priority, gets its name from the copy-on-write (COW) mechanism in the Linux kernel, which is so broken that any application or malicious program can tamper with read-only root-owned executable files and setuid executables.

"A race condition was found in the way the Linux kernel's memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings," reads the website dedicated to Dirty COW.

"An unprivileged local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system."

The Dirty COW vulnerability has been present in the Linux kernel since version 2.6.22 in 2007, and is also believed to be present in Android, which is powered by the Linux kernel.

Patch Your Linux-powered Systems Immediately

According to the website, the Linux kernel has been patched, and major vendors such as RedHat, Ubuntu and Debian have already rolled out fixes for their respective Linux distributions.

Organizations and individuals have been urged to install a patch for their Linux-powered systems, phones and gadgets as soon as possible and risk falling victim in order to kill off the Linux kernel-level security flaw affecting nearly every distro of the open-source OS.

The vulnerability was discovered by security researcher Phil Oester, who fund at least one in-the-wild attack exploiting this particular vulnerability. He found the exploit using an HTTP packet capture.

The vulnerability disclosure followed the tradition of branding high-profile security vulnerabilities like Heartbleed, Poodle, FREAK, and GHOST.

The Dirty COW website states:

"It would have been fantastic to eschew this ridiculousness because we all make fun of branded vulnerabilities too, but this was not the right time to make that stand. So we created a website, an online shop, a Twitter account, and used a logo that a professional designer created."

You can find more technical details about the Dirty COW vulnerability and exploit on the bug's official website, RedHat site, and GitHub page.

Apple left iOS 10 Kernel Code Unencrypted, Intentionally!

Thursday, June 23, 2016 Mohit Kumar

Apple’s new iOS 10 recently made headlines after MIT Technology Review revealed that the company had left the kernel of the mobile operating system unencrypted.

Yes, the first developer preview of iOS 10 released at WWDC has an unencrypted kernel.

When the headline broke, some of the users were surprised enough that they assumed Apple had made a mistake by leaving unencrypted kernel in iOS 10, and therefore, would get reverted in the next beta version of the operating system.

However, Apple managed to confirm everyone that the company left the iOS 10 kernel unencrypted intentionally, as the kernel cache does not contain any critical or private information of users.

On iOS, the kernel is responsible for things like security and how applications are capable of accessing the parts of an iPhone or an iPad.

But, Why Apple had left the iOS wide open when other features like iMessage offer end-to-end encryption?

Apple did this on purpose, because by leaving the iOS 10 kernel unencrypted, the company was "able to optimize the operating system's performance without compromising security," an Apple spokesperson told TechCrunch.

The kernel is the heart of any operating system. Apple has always kept the kernel under several layers of protection in previous versions of iOS, leaving developers as well as researchers in the dark.

So, the unencrypted kernel could help developers and security researchers look more closely at its code and find security flaws. After all, if more eyes are looking for flaws, it would be easier to discover and patch the issues more quickly than before.

MIT Technology Review also pointed out that this could prevent government and law enforcement agencies from exploiting vulnerabilities to crack locked iOS devices, like what the FBI did to hack into the San Bernardino shooter's iPhone.

Zero-Day Flaw Found in 'Linux Kernel' leaves Millions Vulnerable

Tuesday, January 19, 2016 Mohit Kumar

A new critical zero-day vulnerability has been discovered in the Linux kernel that could allow attackers to gain root level privileges by running a malicious Android or Linux application on an affected device.

The critical Linux kernel flaw (CVE-2016-0728) has been identified by a group of researchers at a startup named Perception Point.

The vulnerability was present in the code since 2012, and affects any operating system with Linux kernel 3.8 and higher, so there are probably tens of millions of computers, both 32-bit and 64-bit, exposed to this flaw.

However, the most bothersome part is that the problem affects Android versions KitKat and higher, which means about 66 percent of all Android devices are also exposed to the serious Linux kernel flaw.

Impact of the Zero-Day Vulnerability

An attacker would only require local access to exploit the flaw on a Linux server.

If successfully exploited, the vulnerability can allow attackers to get root access to the operating system, enabling them to delete files, view private information, and install malicious apps.

"It's pretty bad because a user with legitimate or lower privileges can gain root access and compromise the whole machine," Yevgeny Pats, co-founder and CEO at security vendor Perception Point, said in a blog post published today.
"With no auto update for the kernel, these versions could be vulnerable for a long time. Every Linux server needs to be patched as soon the patch is out."

Usually, flaws in Linux kernel are patched as soon as they are found; therefore, Linux-based operating systems are considered to be more secure than others. However, zero-day vulnerability recently discovered in the Linux kernel made its way for almost 3 years.

The Cause of the Critical Linux Kernel Vulnerability

The vulnerability is actually the result of a Reference Leak in the keyrings facility built into various flavors of Linux. The keyrings facility is primarily a way to encrypt and store login data, encryption keys and certificates, and then make them available to applications.

However, a reference leak could be abused by attackers to ultimately execute arbitrary code in the Linux kernel.

So far, the researchers said, no exploits have been discovered in the wild that take advantage of this vulnerability.

Perception Point has provided a technical analysis of the vulnerability and how one can exploit it, including proof-of-concept (PoC) exploit code published on its Github page.

Patch Expected to Roll Out Soon

The good news is that Perception Point has already reported the flaw to the Linux team, and patches are expected to roll out today to devices with automatic updates.

However, it may take a little longer on Android devices to receive the patch, given the fact that most updates aren’t pushed automatically by manufacturers and carriers.

How Patch Linux Kernel Vulnerability (CVE-2016-0728)

Type following commands as per your Linux distro:

Debian or Ubuntu Linux: sudo apt-get update && sudo apt-get upgrade
RHEL / CentOS Linux: sudo yum update

UPDATE — Kernel bug Not A Big Deal for Android Users

Now, Google has claimed, as expected, that Perception Point claims – about 66 percent of all Android devices are also exposed to the serious Linux kernel flaw – are not entirely accurate.

According to the search engine giant, the number of Android devices affected by this zero-day flaw is significantly smaller than initially reported by Perception Point.

"We believe that no Nexus devices are vulnerable to exploitation by 3rd party applications. Further, devices with Android 5.0 and above are protected, as the Android SELinux policy prevents 3rd party applications from reaching the affected code," said Adrian Ludwig, Android's lead security engineer.

"Also, many devices running Android 4.4 and earlier do not contain the vulnerable code introduced in Linux kernel 3.8, as those newer kernel versions not common on older Android devices."

The company also added that it has prepared a patch that has already been released to open source and provided to partners, and that "the patch will be required on all devices with a security patch level of March 1, 2016, or greater."

DRAM Rowhammer vulnerability Leads to Kernel Privilege Escalation

Monday, March 09, 2015 Swati Khandelwal

Security researchers have find out ways to hijack the Intel-compatible PCs running Linux by exploiting the physical weaknesses in certain varieties of DDR DRAM (double data rate dynamic random-access memory) chips and gaining higher kernel privileges on the system.

The technique, dubbed "rowhammer", was outlined in a blog post published Monday by Google's Project Zero security initiative, a team of top security researchers dedicatedly identifies severe zero-day vulnerabilities in different software.

Rowhammer is a problem with recent generation DRAM chips in which repeatedly accessing a row of memory can cause "bit flipping" in an adjacent row which could allow anyone to change the value of contents stored in computer memory.

WHAT IS ROWHAMMER BUG

DDR memory is arranged in an array of rows and columns, which are assigned to various services, applications and OS resources in large blocks. In order to prevent each application from accessing the memory of other application, they are kept in a "sandbox" protection layer.

However, Sandbox protection can be bypassed using Bit flipping technique in which a malicious application needs to repeatedly access adjacent rows of memory in a tiny fraction of a second.

As a result, hammering two aggressor memory regions can disturb neighbouring locations, causing charge to leak into or out of neighbouring cells.

“With enough accesses, this can change a cell’s value from 1 to 0 or vice versa. In other words, the selected zero area will be transferred to the victims, or vice versa.” researchers explained.

The Bit flipping technique was first presented in an experimental study paper published by Carnegie Mellon University, entitled, "Flipping Bits in Memory Without Accessing Them: An Experimental Study of DRAM Disturbance Errors."

Bit flipping technique shouldn’t be confused with Buffer overflow or use-after-free memory corruption techniques where an attacker funnels malicious shellcode into protected regions of victim’s computer.

TWO WORKING EXPLOITS DEMONSTRATE THE FLAW

As we know, DRAM manufacturing scales down chip features to smaller physical dimensions. Latest Technology demands more memory capacity onto a chip, so it has become harder to prevent DRAM cells from interacting electrically with each other.

The Project Zero team has folded such bit flipping into an actual attack by demonstrating two proof-of-concept exploits that successfully take over control of many x86 computers running Linux and believes the same could be done with other operating systems as well.

First, Page table entries (PTEs) based exploit uses rowhammer induced bit flips to achieve kernel privileges on x86-64 Linux and hence, gain read-write access to entire of physical memory.
Second exploit demonstrates the exploitation of same vulnerability by escaping from the Native Client sandbox.

MITIGATION TECHNIQUES

Cyber Security experts also provided a way to mitigate kernel privilege escalation attack. Researchers changed Native Client to disallow the x86 CLFLUSH instruction that’s required to make the first exploit works.

Whereas, preventing the Row Hammer exploit with the second proof-of-concept is a more difficult task to achieve on existing machines.

With the help of above exploits, the Project Zero team conducted tests on eight models of x86 notebook computers, built between 2010 and 2014, using five different vendors of DDR3 DRAM and five different CPU families. A large subset of these machines i.e. 15 out of 29 were found to be vulnerable.

The above attack doesn't work against the latest DDR4 silicon or DIMMs that contain ECC (error correcting code) capabilities.

Project Zero team is asking DRAM manufacturers, CPU makers, and BIOS creators to release details about the steps they've taken to mitigate rowhammer-like security issues on their products.