
Researchers have created an exploit that gains root access on Android smartphones using the Rowhammer vulnerability



An international group of information security researchers from Austria, the Netherlands and the United States has developed an attack that gains root access on a large number of Android devices, Ars Technica writes. It uses the Rowhammer technique, which makes it possible to manipulate data stored in memory cells. Until now, attacks based on the Rowhammer vulnerability were believed to have limited prospects for real-world use; the new exploit demonstrates that far more devices are exposed to it than expected, including those running on ARM chips.

The researchers created a special exploit application, Drammer, which does not require any special permissions to work and does not use any Android vulnerabilities. The attack relies on a hardware vulnerability: like the Rowhammer technique described below, it "hammers" the device's memory to flip bits and change important data. This makes it possible to get root access on devices manufactured by LG, Motorola, Samsung, OnePlus, and possibly other vendors.

What is the problem


The Rowhammer technique was described in one of our previous materials:

DDR memory is an array of rows and columns grouped into blocks. These are accessed by various applications and the operating system. Each large area of memory is isolated in its own sandbox, which can be accessed only by a specific process or application.

If software accesses specific rows in such an area hundreds or thousands of times within a fraction of a second ("knocking" on them like a hammer, hence the name hammering), then, as a result of certain physical effects, this can affect the neighbouring memory rows. The values of bits in them can change from zero to one and vice versa.

By being able to influence the contents of even protected areas of memory, attackers can carry out attacks that lead to privilege escalation up to administrative rights. As a result, it becomes possible to run malicious code or intercept the actions of users or programs.

Victor van der Veen, one of the creators of the exploit for attacks on Android smartphones, said: "Until recently, we could not even think about such hardware bugs, and never wrote software to take them into account. Now we can use these security holes to hack smartphones and tablets with a high level of reliability and without the need to exploit software vulnerabilities. And there is no way to quickly release a patch that solves the problem."

So far, Drammer has been used to obtain root access on the following devices: the Nexus 4, Nexus 5 and G4 from LG, the 2013 and 2014 Moto G models from Motorola, the Galaxy S4 and Galaxy S5 from Samsung, and the One from OnePlus. The results were not always consistent: for example, root access was obtained on only 12 of the 15 Nexus 5 units tested, and in the case of the Galaxy S5 only one of the two tested smartphones was compromised.

The researchers do not fully understand why this happens, but they suggest that the cause may be the different "ages" of the tested devices: more intensive or prolonged use may lead to "wear" of memory cells. It is also possible that memory chips from certain manufacturers are more resistant to the Rowhammer vulnerability than others, and different generations of the same smartphone may use different chips.

Demonstration of work


The researchers published two videos demonstrating Drammer gaining root access on an LG Nexus 5. In the videos the smartphone is connected to a computer via USB, but this is not required to launch the attack.

The first video shows a smartphone running Android 6.0.1 with the security patches of October 5 installed. Starting at approximately 0:15, the application begins hammering the memory, and between 0:30 and 0:50 the exploit adds new entries to the page table. At 0:50, Drammer gets root access and opens a shell, giving full control over the device.



In the second video, Drammer is used in combination with code that exploits the Stagefright vulnerability, which remains unpatched on many devices. As a result, the attack gives control over the OS kernel. In the video you can see that the Stagefright exploit also opens a shell, but one with only limited rights that, for example, cannot access the smartphone's SD card. Drammer, launched afterwards, then gets root access (starting at 3:30 in the video).



The researchers notified Google engineers about their work back in July 2016, and the company rated the vulnerability with the highest, critical severity. The researchers also received $4,000 through the bug bounty program. The company notified its manufacturing partners in October, and updates are planned for release in November. Nevertheless, the developers warn that even then the Rowhammer hardware vulnerability will not be completely closed; it will simply become harder for an attacker to use.

A detailed report on the work will be presented at the ACM Conference on Computer and Communications Security, which is taking place these days in Vienna. Details of the discovered vulnerability are published on a dedicated information page.

Source: https://habr.com/ru/post/313546/
