On March 18, Google published a security advisory for CVE-2015-1805, a critical vulnerability used by rooting apps. The bug allows malicious apps to gain “root” access on all Android phones running a kernel below version 3.18, which greatly affects devices that no longer receive patches or whose patches have long rollout times. Initially, the flaw was tagged as ‘medium’ in terms of severity. However, a zero-day exploit was found that showed the vulnerability could still be exploited successfully, compromising the security of the device. As such, the severity level was changed to ‘critical.’
The vulnerability was found in the Linux kernel in April 2014. However, the fix for this issue was never brought over to Android’s branch of the kernel. Google released a patch to address it on March 16, 2016 and moved to block any rooting apps that may leverage the said vulnerability.
Earlier this month, we reported several vulnerabilities (CVE-2016-0819 and CVE-2016-0805) that could also lead to root access on Snapdragon-powered Android devices. While there have been recent rooting exploits that gain root privileges, such as TowelRoot (CVE-2014-3153) and PingPongRoot (CVE-2015-3636), this latest flaw is a gaping hole that cybercriminals will try to attack. Various root exploit codes are already in the wild, and vulnerabilities like this give root app developers a chance to write exploits of their own.
Delving into the vulnerability details
This vulnerability can cause an iovec array overrun in a race condition. With a specially constructed iovec struct, an arbitrary kernel write can be achieved.
Figure 1. The rooting app reaches 1.5 million downloads
An infamous rooting app team found that the vulnerability still existed in Android and implemented it as a successor rooting solution once PingPongRoot no longer worked. We are currently monitoring in-the-wild exploits and expect more exploits to rely on this vulnerability.
Figure 2. Race condition to trigger pipe_iov_copy_from_user redo
Figure 3. Spray iovec struct with target kernel address to write
The vulnerability can be traced back to the function pipe_iov_copy_to_user in the Linux kernel file fs/pipe.c. If pipe_iov_copy_to_user fails, the caller goes to a redo routine that copies the same source buffer again, continuing from the position in the destination iovec array where the failed copy stopped. This makes the destination iovec array overrun by the amount of data the first attempt copied.
Figure 4. iovec overrun
Such an overrun causes an undefined memory access, which leads to a denial of service. However, the exploit uses tricks to prevent a system crash. For instance, if the total length of the iovec array is set larger than the source buffer size, which by default equals PIPE_BUF (4096 bytes), the overrun can be avoided in the redo routine.
Figure 5. Preventing crash in the redo
The “for” loop then continues and enters pipe_iov_copy_to_user a third time to copy the remaining data. This time it triggers the overrun, accessing data beyond the end of the iovec buffer, which has been sprayed with iovec structs whose iov_base is set to a kernel address. Unlike the redo routine, this step uses __copy_to_user_inatomic instead of the protective copy_to_user, which is what achieves the arbitrary kernel memory write, and it is why the exploit avoids triggering the overrun during the redo.
Figure 6. Vulnerable codes
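As an added illustration (not the kernel's code and not the page's own figures), the following user-space C simulation replays the redo described above on a constructed three-segment iovec array: the vulnerable shape leaves the array advanced after a fault, so a retry with the same length walks off its end, while the hardened shape keeps a private cursor and leaves the caller's array untouched. The copy_to_user stand-in, the OVERRUN sentinel and the buffers are constructed for the simulation, and the hardened form is illustrative rather than the upstream patch.

```c
#include <stddef.h>
#include <string.h>
#define EFAULT  14
#define OVERRUN 99 /* constructed sentinel: the real function has no bounds check */
struct iovec { char *iov_base; size_t iov_len; };
/* Constructed stand-in for copy_to_user: a NULL destination "faults". */
#define sim_copy_to_user(base, off, src, n) \
    ((base) == NULL ? 1 : (memcpy((base) + (off), (src), (n)), 0))
/* Vulnerable shape (simplified from the page's description): iov_base and
 * iov_len are advanced in place and NOT restored when a copy faults, so a
 * redo with the same len finds too little capacity and walks off the array.
 * nr is instrumentation only, so the overrun is reported, not performed. */
static int copy_to_iov_vulnerable(struct iovec *iov, size_t nr, const char *from, size_t len)
{
    for (size_t i = 0; len > 0; ) {
        while (i < nr && iov[i].iov_len == 0) i++;
        if (i == nr) return -OVERRUN;
        size_t copy = len < iov[i].iov_len ? len : iov[i].iov_len;
        if (sim_copy_to_user(iov[i].iov_base, 0, from, copy)) return -EFAULT;
        from += copy; len -= copy;
        iov[i].iov_base += copy; iov[i].iov_len -= copy;
    }
    return 0;
}
/* Hardened shape: walk with a private cursor (entry + offset) and never mutate
 * the caller's array, so a fault leaves it as handed in and a redo sees the
 * full capacity again; exhausted capacity is refused, not overrun. */
static int copy_to_iov_fixed(struct iovec *iov, size_t nr, const char *from, size_t len)
{
    for (size_t i = 0, off = 0; len > 0; ) {
        while (i < nr && off == iov[i].iov_len) { i++; off = 0; }
        if (i == nr) return -EFAULT;
        size_t avail = iov[i].iov_len - off, copy = len < avail ? len : avail;
        if (sim_copy_to_user(iov[i].iov_base, off, from, copy)) return -EFAULT;
        from += copy; len -= copy; off += copy;
    }
    return 0;
}
/* Replays the redo: attempt 1 faults on segment 2, the "user" side then repairs
 * that segment (the race the page describes), and the caller retries with the
 * SAME len, as the kernel's redo does. Returns the retry's result. */
static int demo_redo(int use_fixed)
{
    static char b0[4], b1[4], b2[4];
    struct iovec v[3] = { {b0, 4}, {b1, 4}, {NULL, 4} };
    const char *src = "ABCDEFGHIJKL";
    int (*fn)(struct iovec *, size_t, const char *, size_t) =
        use_fixed ? copy_to_iov_fixed : copy_to_iov_vulnerable;
    if (fn(v, 3, src, 12) != -EFAULT) return -1;
    v[2].iov_base = b2;        /* segment "mapped back in" by the other thread */
    return fn(v, 3, src, 12);  /* vulnerable: -OVERRUN, fixed: 0 */
}
```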
Although this has been viewed as a denial-of-service bug, once exploit code becomes available in the wild it can compromise the security of the Android device. A cybercriminal can gain root privileges, which allows them to carry out a wide array of malicious activities on the device. To secure your device, it is best to install apps only from the official Google Play store. You can also install Trend Micro Mobile Security Personal Edition, which detects malicious apps.