Don't Burn Your Android Yet

A few days ago, security firm Perception Point released the details of a zero-day exploit in the Linux kernel, which has sparked a wave of panic as the report indicated that millions of Android devices are vulnerable.

Although patching security problems is quite easy on most Linux distros, it's a lot harder for Android users. PC users and server admins usually can update their systems with a few terminal commands or through a GUI software store.

The update process is different for Android devices. Android users have to wait for over-the-air updates from the manufacturer.

However, Google's Android security lead Adrian Ludwig claims that the majority of Android devices are actually safe. Android 4.4 and earlier use older versions of the kernel that never contained the bug. And even after the bug was introduced into the kernel, most versions of Android don't include the keyrings feature in the kernel. Finally, more recent versions of Android use SELinux, which blocks userspace programs from deploying a payload that can be executed using the exploit.

The "keyrings" exploit takes advantage of a bug inside the keyrings feature. In an ironic twist, keyrings is supposed to make Linux more secure. It's used to cache security details, keys and certificates.

Although you would expect a keyrings exploit to expose passwords and logins, it's actually a lot less direct. A small bug makes it possible to use the feature to force the kernel to execute arbitrary code. The malicious payload gains full root privileges, putting the entire system at risk.

Perception Point has done a great job of documenting the bug and how it could be exploited. You can read the details at http://perception-point.io/2016/01/14/analysis-and-exploitation-of-a-linux-kernel-vulnerability-cve-2016-0728/.

In short, a malicious process requests a new keyring for the session, and then it spams the kernel with requests for a keyring with an identical name. The code in the kernel recognizes that the keyring already exists and sends an error code.

The bug is that the internal "reference count" for the keyring is increased each time a request is sent. This reference count is used by the kernel to keep track of how many programs are using the keyring. When all applications have finished with the keyring, the kernel is free to delete it.

Each extra request increases the reference count by one. By sending billions of spurious requests, the malicious code can force the reference count to overflow to zero. At that point, from the kernel's point of view, the key is released and can be erased.

After tricking the kernel, the malicious process overwrites the freed memory with a sinister payload. One way it can achieve this is through the inter-process communication feature (IPC).

Because the malicious code has a reference to the keyring in memory, it can force the kernel to treat it as a normal keyring. Certain system calls get the kernel to execute code from a keyring object, but the actual code stored in memory isn't a keyring object anymore. And so the malicious process is able to trick the kernel to run the payload with root-level privileges.

This is pretty scary stuff. Fortunately, Perception Point informed the Linux kernel team before announcing the news to the rest of the world. Patches are available and can be installed through the normal channels.

The initial reports that 66% of Android devices are vulnerable were an overstatement, but some devices are affected. The Android team is working on a fix, but it won't be available until March 1, 2016.

______________________