04 Jun

Ask anybody who spends time in security circles and they'll tell you that every large software project is bound to have a few long-standing vulnerabilities in the code. Fortunately, there are usually a few people who are paid to close up those holes so you, the customer, don't find yourself the victim of nefarious evildoers someday. Like so many before it, the latest update to Android came with a boatload of changes, at least one of which fixes a potentially dangerous vulnerability that can be used for numerous attacks, including a way to acquire root.

The Vulnerability

As described in a post on the Cassidian CyberSecurity blog, the vulnerability exists in a system component known as VOLD (Volume Management daemon). Its responsibility is to "create and maintain a file system image rooted at root-dir that contains symbolic names for removable media." As far as most Android users are concerned, this is the part of the OS that takes care of mounting your SD card and creating the /sdcard path. In addition to that basic task, it is also used for mounting virtual filesystems, including a special type called ASEC (Android Secure External Caches). These ASEC files are small encrypted filesystem images intended for use by individual apps, giving them a convenient way to store data securely on otherwise insecure volumes, like a removable SD card.

The exploitable weakness in VOLD is in the command used to mount one of these ASEC containers. At no point did Android check that the container name passed in by the caller was a plain name rather than a path. Because the name is simply joined onto VOLD's fixed mounting location, a name containing path-traversal components lets an attacker steer VOLD to a location that already exists, and VOLD will mount a filesystem there with write access. There are several limitations on what can be reached this way, but it is an extremely powerful way to manipulate files belonging to other apps or even the operating system itself.

The Fix

A patch (0de7c61) for the issue was quickly identified after source code for Android 4.4.3 was uploaded to AOSP on Monday. Google's fix was simply to add a check in VOLD confirming that any ASEC name passed into the relevant commands does not contain the characters ('..' or '/') that can redirect the path away from the predefined mounting location. Since this patch went live, quite a few security researchers have commented that the vulnerability was fairly old and well-known in their circles.
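To make the bug and the fix concrete, here is an added illustration (written for this page, not vold's code or the 0de7c61 diff itself, and not from the Cassidian post). It assumes a simplified version of what the daemon does: the mount point is formed by joining the real ASEC mount root /mnt/asec with the caller-supplied container name. The "unchecked" function shows how a name like `../../data/local/tmp` walks out of that root; `is_legal_asec_id` is a validator modelled on the kind of check the article describes (reject '/' and '..'), and the "checked" function refuses such names before any path is built. Paths are only normalized lexically here for display; the real daemon hands them to mount(2), where the kernel resolves the `..` components the same way.

```c
/* Added example, not vold's code: an unvalidated ASEC id escaping the
 * mount root, beside a validator of the kind the 4.4.3 fix introduced. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ASEC_MOUNT_ROOT "/mnt/asec"   /* vold's mount root for ASEC containers */

/* Lexically collapse "." and ".." components of an absolute path.
 * This mirrors what the kernel does when it walks the path at mount time. */
static void normalize_path(const char *in, char *out, size_t outsz)
{
    char buf[512];
    char *segs[64];
    int n = 0;

    strncpy(buf, in, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    for (char *tok = strtok(buf, "/"); tok != NULL; tok = strtok(NULL, "/")) {
        if (strcmp(tok, ".") == 0)
            continue;
        if (strcmp(tok, "..") == 0) {      /* ".." pops the previous component */
            if (n > 0)
                n--;
            continue;
        }
        if (n < 64)
            segs[n++] = tok;
    }
    if (n == 0) {
        snprintf(out, outsz, "/");
        return;
    }
    size_t used = 0;
    out[0] = '\0';
    for (int i = 0; i < n; i++) {
        int w = snprintf(out + used, outsz - used, "/%s", segs[i]);
        if (w < 0 || (size_t)w >= outsz - used)
            break;
        used += (size_t)w;
    }
}

/* Vulnerable shape: mount point = root + "/" + id, with no validation of id. */
void asec_mount_point_unchecked(const char *id, char *out, size_t outsz)
{
    char raw[512];
    snprintf(raw, sizeof raw, "%s/%s", ASEC_MOUNT_ROOT, id);
    normalize_path(raw, out, outsz);
}

/* Validator modelled on the fix described above (assumption: not the exact
 * vold patch). An ASEC id must be a single path component: non-empty,
 * no '/' anywhere, and not the special names "." or "..". */
bool is_legal_asec_id(const char *id)
{
    if (id == NULL || id[0] == '\0')
        return false;
    if (strcmp(id, ".") == 0 || strcmp(id, "..") == 0)
        return false;
    if (strchr(id, '/') != NULL)
        return false;
    return true;
}

/* Hardened shape: refuse bad ids before any path is built.
 * Returns 0 and fills out on success, -1 if the id is rejected. */
int asec_mount_point_checked(const char *id, char *out, size_t outsz)
{
    if (!is_legal_asec_id(id))
        return -1;
    asec_mount_point_unchecked(id, out, outsz);
    return 0;
}

/* True if path is ASEC_MOUNT_ROOT itself or lies beneath it. */
bool is_under_mount_root(const char *path)
{
    size_t rl = strlen(ASEC_MOUNT_ROOT);
    return strncmp(path, ASEC_MOUNT_ROOT, rl) == 0 &&
           (path[rl] == '\0' || path[rl] == '/');
}

int main(void)
{
    /* Constructed sample ids: one legitimate container name, three hostile ones. */
    const char *ids[] = { "com.example.app-1", "../../data/local/tmp", "..", "a/b" };
    char mp[512];

    for (size_t i = 0; i < sizeof ids / sizeof ids[0]; i++) {
        asec_mount_point_unchecked(ids[i], mp, sizeof mp);
        printf("unchecked %-24s -> %s%s\n", ids[i], mp,
               is_under_mount_root(mp) ? "" : "   (escaped mount root)");
        if (asec_mount_point_checked(ids[i], mp, sizeof mp) == 0)
            printf("checked   %-24s -> %s\n", ids[i], mp);
        else
            printf("checked   %-24s -> rejected\n", ids[i]);
    }
    return 0;
}
```

Rejecting '/' is what makes the check sufficient: once a name cannot contain a separator, the only way to smuggle in a traversal is for the whole name to be `..` (or `.`), which the explicit comparison catches, so there is no need to search for `..` substrings inside otherwise legal names such as `foo..bar`.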

A Temp-Root Method

Among the security specialists to speak out on the issue, Justin Case has shared a working exploit capable of acquiring "tethered root" on a number of Motorola devices. This is a temporary method that must be run from a computer (using adb) and reverts to an unrooted state when the device shuts down or reboots. The exploit is customized for Motorola devices and will only work on those running 4.4.2 and earlier. The basic method also works on several other models, but some devices like the LG G3, the HTC One M8 (on the latest OTAs) and many Samsung handsets have already had this fix backported to their 4.4.2 builds.

Tethered root isn't mentioned very often in the Android community, but it has been a fairly common part of hacking history for iOS users, who refer to it as "tethered jailbreak." Being tied to a computer to enable root isn't the most convenient option, and it would surely interfere with a few of the popular use cases for rooting, but it can be handy if you only need occasional access (e.g. backing up app data). This is also a decent alternative if you're trying to avoid incrementing the flash counter or triggering the tamper flag on newer devices. This particular exploit also lacks the ability to enable write access to /system, which means many common tweaks aren't possible, like those that depend on modifying the build.prop file.

Closing

Due to the age and moderately widespread awareness of this bug, some people suspect it may already have been exploited maliciously in the wild. While there really aren't practical ways to completely prevent this attack on devices that will never receive another update, the ways to execute it are fairly limited without chaining it with other exploits.

Source: Cassidian CyberSecurity, Pie for Motorola (by Justin Case)

Cody Toombs
Cody is a Software Engineer and Writer with a mildly overwhelming obsession with smartphones and the mobile world. If he’s been pulled away from the computer for any length of time, you might find him talking about cocktails and movies, sometimes resulting in the consumption of both.

  • siddude11

    FIRST....

    • http://twitter.com/anishbhalerao Anish Bhalerao

      Oh yeah? Then no cookie for you. Just suck my dick.

      • http://www.androidpolice.com/author/pamela-hill/ Pamela Hill

        Wow, that's an uncalled for response.

        • derk p

          Um no, Pamela, it wasn't. You're uncalled for.

        • Arthur Dent

          It was called for very loudly.

        • Gaurav Arora

          Maybe Anish is a homosexual male, some people prefer dicks over cookies, it's ok :] !

          • http://twitter.com/anishbhalerao Anish Bhalerao

            #FigureOfSpeech

        • Fatal1ty_93_RUS

          Still hilarious though

      • Problem kid

        Ha ha ha! You sir win the internet! Needed a good laugh 😂

        • siddude11

          won*

  • usamaisawake

    Wow that WAS a pretty huge security gap. Hopefully 4.4.3 rollouts happen quickly to those that need it. (Motorola and Nexus users).

    • http://dabuxian.com/ Dabu

      While over 90% Android users are on 4.3 or older. Am I right?

      • usamaisawake

        Yeah but it seems some of the big companies like Samsung, LG and HTC backported the fix (at least that is what the article says) to either their latest flagship or maybe even other models (Samsung). So hopefully that'll continue to be the case with their previous flagships. Point is they're already on the ball whereas Google (and Motorola) were waiting for 4.4.3.

  • Matthew Fry

    I'm sure the modder community will patch this immediately in their respective roms. For those who want to remain stock, there's xposed. Which, btw, is another reason why Google shouldn't get rid of writes to /system.

    • Simon Belmont

      Pretty sure this was already patched in CM and others. The dev of CM for my B&N Nook Color mentioned it several weeks ago and that it was patched.

      A lot of third party ROMs get security enhancements way before OEMs can push them out. Gotta love it.

    • Plerisei

      Where do I get this xposed?

    • DaveNull

      Lol, patching a security vulnerability by opening even a bigger one. Even xposed itself is by definition a classic man-in-the-middle exploit.

  • ffgtfr

    Why doesn't the Nexus 7 2013 LTE have a 4.4.3 factory image?

    • Thomas Cai Jinzhan

      Probably because of Qualcomm holding back on sharing their radio drivers...

  • scorpeeon

    Justin Case - cool name :)

  • Jeffrey Fazal

    Google is now concentrating more on the security features in this latest Android 4.4.3 version. Well, I recently installed this updated version on my Nexus 5 in order to get rid of the camera bug that had been causing a quick battery drainage issue for the last 4 months. Now I have to put my smartphone on the Qi wireless charger once a day, as compared to three times a day during this camera bug.

  • Renu Bisht
  • Richard Rubinkowski

    What about the people who own the Samsung Galaxy s5? Will we be getting the update soon?