Researchers have published details of a new method for exploiting Android devices through a hardware flaw in DRAM memory modules, an attack that can give attackers root-level access to target devices. The vulnerability, dubbed Drammer, could give an attacker root access to millions of Android handsets, including Nexus, Samsung, LG and Motorola models.
The attack method employs an existing PC-based hack known as Rowhammer, a technique that targets rows of memory cells in DRAM devices to induce cells to flip from one state to another. “Our work is the first to show that Rowhammer is possible on mobile, ARM-based hardware,” said researchers in the VUSec Lab at Vrije Universiteit Amsterdam in a report released Sunday.
“Drammer is the first Android root exploit that relies on no software vulnerability and is an instance of the Flip Feng Shui exploitation technique,” the researchers wrote. Flip Feng Shui carefully selects the sizes of allocations in the portion of memory where dynamically allocated data resides (the heap). Next, a Rowhammer attack on that portion of memory “flips” the state of adjacent memory bits, creating circumstances ripe for memory manipulation. Such a bit flip simply changes a bit from 0 to 1 or from 1 to 0, according to the researchers. The name Drammer is short for deterministic Rowhammer.
The researchers explain the details of the vulnerability in their technical paper (PDF), “Drammer: Deterministic Rowhammer Attacks on Mobile Platforms,” this way:
“Armed with bit flips from the memory templating step, we rely on Phys Feng Shui to place the victim page table in a vulnerable template-matching location and proceed to reproduce an exploitable bit flip. This step allows us to control one of our own page tables, enabling root privilege escalation. To complete our Android root exploit, we overwrite the controlled page table to probe kernel memory for our own struct cred structure.”
The resulting Drammer attack is a privilege-escalation exploit that affects over a dozen leading Android handset models. Using their own Drammer test app, the researchers said they were able to flip bits on 18 of the 27 devices tested. Android devices can be checked for the vulnerability with the app developed by the researchers.
The researchers say they told Google’s Android Security team of the flaw on July 25. Google notified hardware partners of the flaw on Oct. 3. The Android Security team said it would issue a partial fix for the flaw (CVE-2016-6728) with its November security bulletin. However, the researchers point out that while Google’s patch will make it much harder for an attacker to launch a Drammer attack, it does not eradicate it. “We hope to see a more sophisticated fix soon,” the researchers said.
Google has classified the vulnerability as “critical.”
In the researchers’ proof-of-concept attack, a malicious Drammer application was created that required no permissions, so it would raise little suspicion among users installing it. Worse, the researchers warn that the vulnerability becomes especially potent when combined with existing vulnerabilities such as Stagefright or BAndroid.
In a proof-of-concept attack implemented in collaboration with the University of California, Santa Barbara, researchers showed how Stagefright mitigation techniques can be bypassed via a Drammer attack.
“By tricking the victim into opening a malicious URL, an attacker gains remote shell access to the vulnerable device,” the researchers wrote. “Since the exploited mediaserver is not running with root-privileges, however, he still cannot access /sdcard, for example. The attacker then launches the Drammer exploit which does give him full control over the device.”
Defenses against Drammer attacks range from software blacklisting of specific cache-flushing instructions such as CLFLUSH to hardware measures such as doubling DRAM refresh rates. However, neither of these mitigations eliminates the threat completely. Furthermore, the researchers say, doubling DRAM refresh rates would have “severe consequences for both power consumption and performance” on devices.