9 Year Old Linux Kernel bug dubbed ‘Dirty Cow’ can Root every version of Android

We may earn a commission for purchases made using our links.

Despite the fact that tens of thousands of users actively pore over the Linux kernel source code actively looking for security flaws, it’s not unheard of for serious bugs to go unnoticed. After all, though the chances of missing something incredibly serious are lowered by having more eyes auditing the code, we’re all still human and are bound to make a mistake. The mistake this time seems to be quite serious, unfortunately. A privilege-escalation exploit was recently discovered last week, and although it has already been patched in the mainline Linux kernel, the bug could potentially be exploited on nearly every Android phone on the market until each device receives the appropriate kernel patch.

Enter Dirty Cow

The privilege-escalation bug is known colloquially as the Dirty Cow exploit, but it is cataloged in the Linux kernel’s bug tracker system as CVE-2016-5195. Though only discovered last week, the bug has existed within the Linux kernel’s code for 9 years. Furthermore, the exploitable code is found in a section of the Linux kernel that is shipped on virtually every modern operating system built on top of the Linux kernel — that includes Android, by the way. What’s worse is that the researchers who uncovered the exploit have found evidence that the exploit is being used maliciously in the real-world, so they are advising any and all vendors shipping software built on the Linux kernel to immediately patch the exploit.

Dirty Cow in itself is not an exploit, but rather a vulnerability. However, this vulnerability allows for escalating the privilege of a user space process, granting it super user privileges. By exploiting this vulnerability, a malicious user space process can have unfettered root access on a victim’s device. In more technical terms, the bug involves a race condition of the Linux memory duplication technique known as copy on write. By exploiting this race condition, users can gain write-access to memory mappings that are normally set to read-only. More details of the vulnerability can be gleaned from here, here, and here.

The security vulnerability is said to be rather trivial to exploit, and indeed within mere days of the vulnerability being made public a proof-of-concept privilege-escalation exploit has been demonstrated for all Android devices. Any Android device running a Linux kernel version greater than 2.6.22 (read: every single Android distribution in existence) can potentially fall victim to this proof-of-concept exploit. Though the proof-of-concept exploit does not actually attain root access, attacking the system using this vulnerability makes that quite simple. In an e-mail sent to ArsTechnica, Phil Oester, a Linux kernel developer who is cataloging known real-world exploits of Dirty Cow on his website had this to say about the bug:

Any user can become root in < 5 seconds in my testing, very reliably. Scary stuff. The vulnerability is easiest exploited with local access to a system such as shell accounts. Less trivially, any web server/application vulnerability which allows the attacker to upload a file to the impacted system and execute it also works. The particular exploit which was uploaded to my system was compiled with GCC 4.8.5 released 20150623, though this should not imply that the vulnerability was not available earlier than that date given its longevity. As to who is being targeted, anyone running Linux on a web facing server is vulnerable. For the past few years, I have been capturing all inbound traffic to my webservers for forensic analysis. This practice has proved invaluable on numerous occasions, and I would recommend it to all admins. In this case, I was able to extract the uploaded binary from those captures to analyze its behavior, and escalate to the appropriate Linux kernel maintainers.

After further work by developers on demonstrating the effectiveness of exploiting Dirty Cow on Android, one developer was able to successfully root his HTC device within seconds by exploiting the vulnerability. We at XDA generally welcome the ability for users to acquire root access, but we do not celebrate the existence of root exploits such as this, especially one which is so widespread and potentially incredibly dangerous to end users. To give you an idea of how dangerous Dirty Cow can be in the wild, YouTuber Computerphile put together a quick video demonstrating the potential malicious attack vectors that hackers can use to quietly attain root access on your device.