Zero-day vulnerability affects Linux and Android
Security is a never-ending battle for any operating system, including Linux. A new report notes that Android and Linux are both vulnerable to a zero-day exploit that allows applications to escalate privileges to gain root access.
Maria Korolov reports for CSO:
A new zero-day vulnerability has been discovered that allows Android or Linux applications to escalate privileges and gain root access, according to a report released this morning by Perception Point.
Any machine with Linux Kernel 3.8 or higher is vulnerable, he said, including tens of millions of Linux PCs and servers, both 32-bit and 64-bit.
Although Linux lags in popularity on the desktop, the operating system dominates the Internet, mobile, embedded systems and the Internet of Things, and powers nearly all of the world's supercomputers.
Using this vulnerability, attackers are able to delete files, view private information, and install unwanted programs. According to Pats, this vulnerability has existed in the Linux kernel since 2012.
Pats said that the Linux team has been notified, and patches should be available and pushed out soon to devices with automatic updates. Perception Point has also created proof of concept code that exploits this vulnerability to gain root access.
You can get much more detail from the Perception Point report:
The Perception Point Research team has identified a 0-day local privilege escalation vulnerability in the Linux kernel. While the vulnerability has existed since 2012, our team discovered the vulnerability only recently, disclosed the details to the Kernel security team, and later developed a proof-of-concept exploit.
As of the date of disclosure, this vulnerability has implications for approximately tens of millions of Linux PCs and servers, and 66 percent of all Android devices (phones/tablets). While neither we nor the Kernel security team has observed any exploit targeting this vulnerability in the wild, we recommend that security teams examine potentially affected devices and implement patches as soon as possible.
In this write-up, we'll discuss the technical details of the vulnerability as well as the techniques used to achieve kernel code execution using the vulnerability. Ultimately, the PoC provided successfully escalates privileges from a local user to root.
CVE-2016-0728 is caused by a reference leak in the keyrings facility. Before we dive into the details, let's cover some background required to understand the bug.
Quoting directly from its manpage, the keyrings facility is primarily a way for drivers to retain or cache security data, authentication keys, encryption keys and other data in the kernel. System call interfaces (the keyctl syscall; there are two other syscalls used for handling keys, add_key and request_key, but keyctl is definitely the most important one for this write-up) are provided so that userspace programs can manage those objects and use the facility for their own purposes.
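The manpage description above says what the facility is for; the following is an added example (not code from the Perception Point report or from CSO) showing how a userspace program actually drives it through the raw add_key(2) and keyctl(2) syscalls: it stores a "user" key in the session keyring, reads the payload back with KEYCTL_READ, and unlinks it again. The key description and payload are made up, and the program assumes a Linux kernel built with CONFIG_KEYS; where a sandbox blocks these syscalls (Docker's default seccomp profile does) it reports the error instead of succeeding.

```c
/* keyring_demo.c: userspace view of the kernel keyrings facility through the
 * raw add_key(2) / keyctl(2) syscalls. Added example, not code from the
 * Perception Point report. Assumes Linux with CONFIG_KEYS; where a seccomp
 * profile blocks the key syscalls the calls fail with EPERM/ENOSYS. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Values from <linux/keyctl.h>, spelled out so the file builds without it. */
#define KEY_SPEC_SESSION_KEYRING   (-3)
#define KEYCTL_DESCRIBE            6
#define KEYCTL_UNLINK              9
#define KEYCTL_READ               11

typedef int32_t key_serial_t;

/* Thin wrappers: glibc does not export add_key()/keyctl(), libkeyutils does. */
static key_serial_t sys_add_key(const char *type, const char *desc,
                                const void *payload, size_t plen,
                                key_serial_t keyring) {
    return (key_serial_t)syscall(SYS_add_key, type, desc, payload, plen, keyring);
}

static long sys_keyctl(int cmd, unsigned long a2, unsigned long a3,
                       unsigned long a4, unsigned long a5) {
    return syscall(SYS_keyctl, cmd, a2, a3, a4, a5);
}

/* Store `payload` as a "user" key named `desc` in the session keyring, read it
 * back through KEYCTL_READ, then unlink it. Returns 0 when the payload
 * round-trips, 1 when the kernel handed back different bytes, and -errno when
 * the facility is unavailable (e.g. -EPERM under a blocking seccomp profile). */
int keyring_roundtrip(const char *desc, const char *payload,
                      char *out, size_t outlen) {
    size_t plen = strlen(payload);
    if (plen + 1 > outlen)
        return -ENOSPC;               /* caller's buffer cannot hold the payload */

    key_serial_t id = sys_add_key("user", desc, payload, plen,
                                  KEY_SPEC_SESSION_KEYRING);
    if (id < 0)
        return -errno;

    long n = sys_keyctl(KEYCTL_READ, (unsigned long)id,
                        (unsigned long)out, outlen, 0);
    int rc;
    if (n < 0) {
        rc = -errno;
    } else if ((size_t)n != plen || memcmp(out, payload, plen) != 0) {
        rc = 1;                       /* kernel returned something else */
    } else {
        out[n] = '\0';
        rc = 0;
    }
    /* Always drop the key so it does not outlive the demo in the session keyring. */
    sys_keyctl(KEYCTL_UNLINK, (unsigned long)id,
               (unsigned long)KEY_SPEC_SESSION_KEYRING, 0, 0);
    return rc;
}

/* KEYCTL_DESCRIBE yields "type;uid;gid;perm;description" for a key id;
 * shown here only to illustrate the metadata the kernel keeps per key. */
long key_describe(key_serial_t id, char *buf, size_t len) {
    long n = sys_keyctl(KEYCTL_DESCRIBE, (unsigned long)id,
                        (unsigned long)buf, len, 0);
    return n < 0 ? -errno : n;
}

int main(void) {
    char buf[64];
    char desc[128];
    int rc = keyring_roundtrip("example:demo-key", "hunter2", buf, sizeof buf);
    if (rc == 0) {
        printf("round-trip ok: payload=%s\n", buf);
        if (key_describe(KEY_SPEC_SESSION_KEYRING, desc, sizeof desc) > 0)
            printf("session keyring: %s\n", desc);
    } else if (rc == 1) {
        printf("payload mismatch\n");
    } else {
        printf("keyrings facility unavailable: %s\n", strerror(-rc));
    }
    return rc == 0 ? 0 : 1;
}
```

Build with `gcc -Wall keyring_demo.c -o keyring_demo`. Running it unsandboxed prints the round-tripped payload and the session keyring's describe string; under a container runtime that denies add_key/keyctl it prints the errno instead, which is itself a useful check of whether a host's workloads can reach this kernel surface at all.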