  1. #1
    WHT-BR Top Member
    Join Date
    Dec 2010

    [EN] Android users left exposed to 'Dirty COW' flaw

    Fix for critical Android rooting bug is a no-show in November patches.

    Juha Saarinen
    Nov 9 2016

    Google's latest collection of Android security patches has failed to address an actively and easily exploited privilege escalation security flaw known as 'Dirty COW'.

    The flaw - with Common Vulnerabilities and Exposures tag CVE-2016-5195 - was discovered last month and affects the Linux kernel used in Android to take advantage of a bug in the copy on write performance optimisation feature.

    Dirty COW has been patched in the mainstream Linux kernel.

    But it is thought to have existed for some nine years, so affects every version of Android.

    Google has issued a supplemental update to its November patches, but won't require Android partners to implement the Dirty COW fix until December. The company insisted it has had no reports of active customer exploitation or abuse of the issues.

    The November patch level does fix the critical deterministic Rowhammer memory attack known as DRAMMER, which could be used to gain root superuser privileges on Android devices.

    It also plugs a critical flaw in the troublesome Android Mediaserver component, which Google said "could enable remote code execution on an affected device through multiple methods such as email, web browsing, and MMS when processing media files".

    The flaw in Mediaserver could be exploited by sending a specially crafted attachment, or luring people to visit a malicious web page, with no user interaction needed.

    A further 16 high-risk flaws are patched in the main November bunch of fixes. Google also issued a second, 2016-11-05 patch level that includes fixes for 21 critical flaws in kernel hardware drivers and file systems, Android networking and sound, and the USB subsystem.

  2. #2
    WHT-BR Top Member
    Join Date
    Dec 2010

    “Most serious” Linux privilege-escalation bug ever is under active exploit

    Lurking in the kernel for nine years, flaw gives untrusted users unfettered root access.

    Dan Goodin

    A serious vulnerability that has been present for nine years in virtually all versions of the Linux operating system is under active exploit, according to researchers who are advising users to install a patch as soon as possible.

    While CVE-2016-5195, as the bug is cataloged, amounts to a mere privilege-escalation vulnerability rather than a more serious code-execution vulnerability, there are several reasons many researchers are taking it extremely seriously. For one thing, it's not hard to develop exploits that work reliably. For another, the flaw is located in a section of the Linux kernel that's a part of virtually every distribution of the open-source OS released for almost a decade. What's more, researchers have discovered attack code that indicates the vulnerability is being actively and maliciously exploited in the wild.

    "It's probably the most serious Linux local privilege escalation ever," Dan Rosenberg, a senior researcher at Azimuth Security, told Ars. "The nature of the vulnerability lends itself to extremely reliable exploitation. This vulnerability has been present for nine years, which is an extremely long period of time."

    The underlying bug was patched this week by the maintainers of the official Linux kernel. Downstream distributors are in the process of releasing updates that incorporate the fix. Red Hat has classified the vulnerability as "important."

    As their names describe, privilege-escalation or privilege-elevation vulnerabilities allow attackers with only limited access to a targeted computer to gain much greater control. The exploits can be used against Web hosting providers that provide shell access, so that one customer can attack other customers or even service administrators. Privilege-escalation exploits can also be combined with attacks that target other vulnerabilities. A SQL injection weakness in a website, for instance, often allows attackers to run malicious code only as an untrusted user. Combined with an escalation exploit, however, such attacks can often achieve highly coveted root status.

    The in-the-wild attacks exploiting this specific vulnerability were found by Linux developer Phil Oester, according to an informational site dedicated to the vulnerability. It says Oester found the exploit using an HTTP packet capture, but the site doesn't elaborate.

    Update: In e-mails received about nine hours after this post went live, Oester wrote:

    Any user can become root in < 5 seconds in my testing, very reliably. Scary stuff.

    The vulnerability is most easily exploited with local access to a system such as shell accounts. Less trivially, any web server/application vulnerability which allows the attacker to upload a file to the impacted system and execute it also works.

    The particular exploit which was uploaded to my system was compiled with GCC 4.8.5 released 20150623, though this should not imply that the vulnerability was not available earlier than that date given its longevity. As to who is being targeted, anyone running Linux on a web facing server is vulnerable.

    For the past few years, I have been capturing all inbound traffic to my webservers for forensic analysis. This practice has proved invaluable on numerous occasions, and I would recommend it to all admins. In this case, I was able to extract the uploaded binary from those captures to analyze its behavior, and escalate to the appropriate Linux kernel maintainers.

    The vulnerability, a variety known as a race condition, was found in the way Linux memory handles a duplication technique called copy on write.

    Untrusted users can exploit it to gain highly privileged write-access rights to memory mappings that would normally be read-only. More technical details about the vulnerability and exploit are available here, here, and here. Using the acronym derived from copy on write, some researchers have dubbed the vulnerability Dirty COW.

    Disclosure of the nine-year-old vulnerability came the same week that Google researcher Kees Cook published research showing that the average lifetime of a Linux bug is five years.

    "The systems using a Linux kernel are right now running with security flaws," Cook wrote. "Those flaws are just not known to the developers yet, but they’re likely known to attackers."
