How to use Rowhammer vulnerability Root Android phone with Video demo+Exploit source code-the vulnerabilities and early warning-the black bar safety net

ID MYHACK58:62201680782
Type myhack58
Reporter 佚名
Modified 2016-11-01T00:00:00



Recently, security research experts through research found a root the Android phone to the new method, i.e., by Rowhammer vulnerability to root Android phone. In addition, the attacker can even use this exploit with presently known Android vulnerabilities Bandroid and Stagefright to the target user to implement the attack. In the beginning of last year, and Google's ProjectZero project group of Security Studies experts discovered, the attacker can through the memory of a design flaw to hijack install a Linux system of the computer, and get to the target system the kernel of the advanced permissions. Now, the attacker still can exploit this design flaw to root tens of thousands of Android phones. Prior to that, the Amsterdam Free University VUSec security Labs researchers discovered a named Rowhammer of the attack, the attacker or can be obtained by this method of attack to attack the target device in the dynamic random access memory(DRAM)。 Although we have long been known Rowhammer attack, but this is a security research specialist for the first time the attack app to your mobile device. For dynamic random access memory(DRAM)Rowhammer attack in the end is what? For mobile devices Rowhammer attack lethality is also very huge, at Google to develop the appropriate patch before, this problem will make the millions of Android phones in the important data in the grip of a security risk. When the attacker attempts to initiate a Rowhammer attack, he needs to perform a malware, and by this malicious software to repeatedly access the memory chip in a row transistor, and the attack of the second step is called“tap”and Hammering it. When malicious software to a piece of memory area to“tap”will affect neighboring memory rows, and cause charge leakage. And this interference would eventually lead to the other rows of the memory data bits of the bit flip in. In this case, the data in memory will be changed, and also this became a obtain device control of the new method. Simple to say, Rowhammer attack refers to a new generation of DRAM chips on the repeated access to the line memory, and this operation will likely result in the adjacent memory rows in the data occur bit flip, this attack technique will allow anyone to modify the device's memory to save the data content. ! Project Zero project group in its published study, write to: “Now DRAM manufacturing precision are high, the components in the physical layer of the surface become smaller and smaller. So for the producers, both on a single chip integrated larger memory capacity, but also to allow each memory cell does not occur between the electromagnetic interference, is actually very hard to do. In this case the resulting consequences for: a memory of a single area of the read and write will be possible interference to the adjacent memory region, resulting in current flow into or out of the adjacent memory unit. If repeated a large number of read and write operations, it will be possible to change the adjacent memory unit of the content, so that the original bit data 0 becomes 1 or 1 becomes 0.” Your Android phone will be affected? In order to Android phone to test Rowhammer attacks, security research experts to build out a new exploit PoC, i.e., the DRAMMER of. By testing found that this new exploit method can not only successfully modify many popular mobile phone in the data, but also can successfully root these Android phones. Researchers successfully root Android phones including Google Nexus 4 and Nexus 5, LG G4, Samsung GalaxyS4 and GalaxyS5, Motorola MotoG(2013/2014), as well as the domestic one plus one phone. But does not exclude also other brands of Android phones will also be a DRAMMER attacks. Security research experts in the test report, write to【PDF】: “We designed the DRAMMER attack is sufficient to prove that Rowhammer attack for the billions of mobile users is definitely a real security threat. Moreover, our experiments also show that Rowhammer attack can not only invade the x86 platform, but also for mobile devices also applies.” DRAMMER attack the working mechanism ! In order to exploit this vulnerability, a security researcher developed a piece of malware, which contains the corresponding exploit code, see the end of this article. In order to avoid anti-virus software detects this malware does not need to obtain any special user permissions to root target phone. However, in order to successfully perform the DRAMMER attack, we have to let the user to download the exploit Code of the malicious software. In order to achieve the attack, the researchers also needed by the Android system called“ION memory allocation/management”mechanism to get to the DRAM direct access. In addition to can be for each application to provide a DRAM direct access to the outside, the ION memory Manager can also allow the application to identify the DRAM of adjacent rows of memory space, and this also is to let the memory data occurs the bit flip of the important premise. Learned this information, researchers will need to find a way how to use the“bit-flipping”to the root of the target device. In access to the target phone complete control, they can be from the target phone to extract any data. Security researchers says: “In short, our method of attack, mainly through the depletion of different size block of memory to the physical memory allocation of the program into a working state, in this state, it will use we can predict to the memory area to be filled is exhausted that part of the memory space. Next, we can control the memory allocation of the program to the target device of sensitive data, such as a memory page table is transferred to a piece of easy to bit-flipping of the physical memory. As a result, we can by DRAMMER to attack.” When the target device download and install our malware after DRAMMER exploit code will be in a few minutes taken over target phone, sometimes just a few seconds, and the entire process is completely does not require any user interaction. Even when you use other apps or put the phone into“sleep”mode, the attack process still does not stop. There is currently no viable solution Security research experts already this year in the month of July has been about the vulnerability of the information submitted to the Google company. Google company has the vulnerability categorization to“high risk vulnerability”, based on the vulnerability reward program provisions, the Google for these research experts to provide a four thousand dollars of the vulnerability reward. ! Google said, the company in acquired about the vulnerability of the details after they notify the relevant cooperation manufacturers. In November, the security update announcement, Google will provide customers with the ability to alleviate the DRAMMER attack solutions.

[1] [2] next