
This Insane Flaw in Linux Gives Anyone Root Access To Your Box

Matthew Hughes 22-01-2016

Android phones, and Linux desktops and servers all share a common ancestry. They’re all based on a common kernel, and share common utilities and components. Whenever a security vulnerability is found in these areas, the contagion is massive, and hundreds of millions of computers and mobile devices will inevitably be affected.


A recently discovered vulnerability (CVE-2016-0728) in the Linux kernel is an astonishing example of this. It takes advantage of a flaw in the OS keyring, and would allow any unprivileged attacker or user to gain root access to the system in question. Here’s how it works, and what you need to be wary of.

Understanding This Vulnerability

This vulnerability was discovered by Perception Point, a major Tel Aviv-based information security consultancy. The flaw was first introduced around three years ago, with the release of the Linux kernel version 3.8. Perception Point estimate that around two-thirds of Android devices, and an unknowable number of Linux desktops and servers (probably in the tens of millions), are vulnerable.

As previously mentioned, this flaw is found in the OS keyring. This is the component used in Linux which allows drivers to cache security data, such as encryption keys and authentication tokens. By design, the data held in the OS keyring shouldn’t be accessible to other applications.


The exploit itself takes advantage of a flaw in how memory is managed in the OS keyring. By executing a buffer overflow, the attacker can trigger the operating system into running arbitrary shellcode, which would be executed as root.


It’s expected that the majority of Linux distributions will issue fixes by the start of next week. But if you’ve got a modern Intel processor (Broadwell or later), SMAP (Supervisor Mode Access Prevention) and SMEP (Supervisor Mode Execution Prevention) should be enabled, and will limit the damage this vulnerability can inflict.

Meanwhile, if you’re on Android, SELinux should likewise do the trick. It’s worth pointing out that Google has vehemently downplayed the risks presented by this vulnerability. In a statement, they said that all devices running Android 5.0 Lollipop and later are protected by SELinux, and the majority of older devices (running Android 4.4 KitKat and earlier) do not contain the vulnerable code that was introduced in version 3.8 of the Linux Kernel.
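The two paragraphs above give three facts a defender can act on: the vulnerable code arrived in kernel 3.8, SMEP/SMAP on newer Intel CPUs limit exploitation, and an enforcing SELinux policy does likewise. The following triage helper, an added example rather than code from the article or from Perception Point, turns those facts into a per-host verdict. It takes the `uname -r` string and the text of `/proc/cpuinfo` (the sample below is constructed), and the `patched` flag exists because a distro may backport the fix without changing the version number, so version alone must not be trusted.

```python
"""Added example: triage a host against the article's CVE-2016-0728 facts."""
import re

# Constructed sample shaped like /proc/cpuinfo on a Broadwell-era CPU.
SAMPLE_CPUINFO = """processor\t: 0
vendor_id\t: GenuineIntel
model name\t: Intel(R) Core(TM) i5-5200U CPU @ 2.20GHz
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov smep smap
"""

def parse_kernel_version(release):
    """'4.2.0-25-generic' -> (4, 2, 0); tolerant of distro suffixes."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError("unrecognised kernel release: %r" % release)
    return tuple(int(g or 0) for g in m.groups())

def cpu_flags(cpuinfo_text):
    """Collect the CPU feature flags from every 'flags' line."""
    flags = set()
    for line in cpuinfo_text.splitlines():
        if line.startswith("flags"):
            flags.update(line.split(":", 1)[1].split())
    return flags

def assess(release, cpuinfo_text, selinux_enforcing, patched):
    """release: `uname -r`; cpuinfo_text: /proc/cpuinfo contents;
    selinux_enforcing: True if `getenforce` says Enforcing;
    patched: True once the distro's fixed kernel package is installed
    (assumed to be known from the package manager, not guessed here)."""
    ver = parse_kernel_version(release)
    flags = cpu_flags(cpuinfo_text)
    # The article dates the flaw to kernel 3.8; anything older is unaffected.
    vulnerable_code = ver >= (3, 8, 0) and not patched
    mitigations = [name for name, on in (("SMEP", "smep" in flags),
                                         ("SMAP", "smap" in flags),
                                         ("SELinux", selinux_enforcing)) if on]
    if not vulnerable_code:
        verdict = "not affected"
    elif mitigations:
        verdict = "affected, exploitation limited"
    else:
        verdict = "affected, no mitigation"
    return {"kernel": ver, "vulnerable_code": vulnerable_code,
            "mitigations": mitigations, "verdict": verdict}
```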

The Android Security Team also complained that they weren’t given notice to issue a patch. Essentially, they said that Perception Point didn’t perform responsible disclosure.

Essentially, they’re not saying there isn’t a problem, but that it affects a much smaller proportion of Android devices than was earlier claimed by Perception Point. Despite that, they’re issuing a fix, which, when released, should close this gaping vulnerability once and for all.


Checking Your Privilege

One of the most fundamental principles of computer security can be succinctly summed up as: not all users should be able to do all things at all times.

If a user was perpetually logged in as root, or administrator, it would be significantly easier for a piece of malware or a remote attacker to cause significant damage. It is for this reason that most users and applications exist in a restricted mode with limited permissions. When they want to do something that could result in damage to the computer, such as install a new program or change an important configuration file, they must first elevate their privileges. This concept is universal, and can be found on virtually every operating system.

Suppose someone is logged into a Linux or Mac computer with an administrator account, and they wish to edit their hosts file to remap a hostname to a local IP address. If they just try to open it immediately with a text editor, the operating system will return an error message saying something like “access denied”.

To make it work, they’d have to elevate their privileges. They can enter superuser mode indefinitely by running “sudo su”. This is helpful if they’re going to be running a series of restricted actions over an unspecified amount of time. To exit this mode and return to the normal user account, simply use the “exit” command.


To run just one command as superuser, just preface that command with “sudo”. Using the example of the hosts file, you can edit it with “sudo vim /etc/hosts”. You will then be prompted for your password. If the account doesn’t have administrator privileges (i.e. it is a standard user account), the command will fail to work.
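To see why the editor is refused for a standard user but succeeds under sudo, here is a small model of the Unix discretionary access check the kernel applies when a file is opened for writing. It is an added example, not code from the article, and the uids, gids and file metadata (a typical /etc/hosts owned by root with mode 0644) are constructed samples.

```python
"""Added example: model of the Unix owner/group/other permission check."""
from collections import namedtuple

# A file as the kernel sees it: owner uid, group gid and permission bits.
FileMeta = namedtuple("FileMeta", "owner group mode")

# Typical /etc/hosts on a Linux box: root:root, mode 0644 (rw-r--r--).
ETC_HOSTS = FileMeta(owner=0, group=0, mode=0o644)

def permission_bits(meta, uid, groups):
    """Pick the rwx triple that applies to this caller: owner, group or other.
    Only the first matching class counts, exactly as the kernel does it."""
    if uid == meta.owner:
        return (meta.mode >> 6) & 0o7
    if meta.group in groups:
        return (meta.mode >> 3) & 0o7
    return meta.mode & 0o7

def may_access(meta, uid, groups, want):
    """want: 4=read, 2=write, 1=execute (combinable). uid 0 bypasses the
    mode bits for read and write, which is what 'sudo' buys the caller."""
    if uid == 0 and not (want & 1):
        return True
    return (permission_bits(meta, uid, groups) & want) == want

def open_for_write(meta, uid, groups):
    """Mimic the outcome a text editor reports when saving the file."""
    if may_access(meta, uid, groups, 2):
        return "ok"
    return "access denied"

if __name__ == "__main__":
    # Standard user (uid 1000) vs. the same command run through sudo (uid 0).
    print("user 1000:", open_for_write(ETC_HOSTS, 1000, {1000}))
    print("root     :", open_for_write(ETC_HOSTS, 0, {0}))
```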

Android has a fundamentally different model of permissions, where applications are atomized and sandboxed, and users can make only limited under-the-hood changes. Users are actively discouraged from gaining root access. It’s for this reason that most carriers and manufacturers (with HTC among the exceptions) actively discourage users from rooting their phones, and why it’s become a bit of a “dark art”.

Windows too has its own system of elevated privileges. Whenever a program makes a change to the system which requires enhanced permissions, Windows will prompt the user with a UAC (User Account Control) window. This shows the program that’s requesting elevated permissions. If the code has been given a cryptographic signature, it’ll show who signed it, allowing you to spot impostor programs. The user can then choose to give the program the permissions requested, or decline.



While this process is not without its flaws (UAC windows are regarded as rather annoying, and are generally just ‘clicked away’, for instance), it’s one that generally works. However, it can be easily circumvented by flaws in the operating system, much like the one identified by Perception Point.

Increasing Threats to Linux Devices

In recent years, we’ve seen a deluge of attacks targeting Linux-based operating systems, as it cements its hold on the server market, and increases its market share on the desktop.

Recently, researchers in Russia discovered a Remote Access Trojan that was designed to help an attacker spy on users. Called Linux.Ekoms.1, the Trojan takes a screenshot every 30 seconds and saves it in a temporary folder as a JPEG disguised with a different file extension. Further analysis of the Trojan revealed that the developers were working on features that would allow it to record audio. These files would then be sent to a remote server. The attackers would also be able to issue commands through a command-and-control server.

Another rootkit for Linux, called Snakso-A, targeted 64-bit Linux web servers, and silently hijacked the web pages that were being served in order to inject a malware-serving iframe.


Then, of course, there are the vulnerabilities which were so severe they became international news. I’m talking about the likes of Shellshock, the GHOST vulnerability, and Heartbleed.

These threats are generally resolved in an expedient manner by the maintainers and developers of the Linux components they affect. However, in recent months, their ability to do so has been put under question as a result of funding and staffing shortages, leading some to ask whether Linux has been a victim of its own success.

Check for Updates

Over the next few days, the majority of Linux distributions will be issuing patches, as will Google for Android. You’re advised to regularly check your package manager for updates.

Has this vulnerability made you question whether you should continue to use Linux? Tell me about it in the comments below.

Photo Credits: Crypt (Christian Ditaputratama), PasswordFile (Christiaan Colen)


  1. Ronny
    January 26, 2016 at 10:56 pm

    Security is not all the responsibility of the kernel and/or the OS developers; security is the responsibility of the admin/user. Simple solutions like virtual patching, IPS, firewalls and SIEM can help to monitor privilege escalation. I'm with Linux through the end! This is just another vulnerability.

    • Matthew Hughes
      January 28, 2016 at 3:48 pm

      Fair enough!

      • David Hollinger
        February 9, 2016 at 6:08 am

        It's also important to note that, despite this being patched now, it was tested and proven that SELinux Android and SELinux for Servers/Desktops was blocking this particular vulnerability from being exploited. I'm not sure if anyone tested the vulnerability against AppArmor.

        Unfortunately, SELinux is not installed by default in Ubuntu and hasn't been maintained in their repos, so someone would have to build it from source to install and use it.... and you'd need to know a lot about how to configure it. Many distributions that use SELinux have it pre-configured really well by default. Some still complain about it, but really, if you're following the best practices of the OS/distro vendor you shouldn't run into any issues. Usually most complaints that I know of come from admins/devs that want to do things their way, but don't want to learn the basics of how to manage SELinux.......

        HINT: Install sealert - it'll parse your audit logs and tell you what commands to run to enable the functionality that was blocked. If a rule doesn't exist, the log will tell you what commands to run so that it parses the log and generates a new rule FOR YOU from that log entry. Really simple, really powerful, really secure.

  2. Joseph Smith
    January 24, 2016 at 8:50 am

    FreeBSD rocks!

    • Matthew Hughes
      January 28, 2016 at 3:48 pm

      MS-DOS 4 lyfe!

    • Martin
      July 15, 2016 at 9:13 pm

      You've got to be kidding. It's not as secure as Linux and it's years behind.

  3. GKG
    January 23, 2016 at 4:53 am

    @FCD76218 and CMD: You are missing the point here; the point is to explain the Linux exploit. Linux is robust, so it has few exploits. A lot of people need to be aware of these exploits because the general assumption is that Linus is safe.

    As far as comparing Windows to Linux, it's like comparing apples to oranges. I will leave it at that.

    • Matthew Hughes
      January 28, 2016 at 3:52 pm

      Thanks for your comment!

    • Anonymous
      January 28, 2016 at 4:57 pm

      I did not miss the point. I am glad that Matt informed us about the problem but does he have to use such dramatic and sensationalized wording? Unless, of course, he has an axe to grind. When Matt writes about Windows problems, he never uses phrases such as "contagion is massive" and/or "hundreds of millions of computers".

      "general assumption is that Linus is safe."
      LINUS is safe. It is LINUX that has problems. :-)

      "As far as comparing windows to Linux, its like comparing apples to oranges."
      Please, spare me. When it suits Window Fans, they compare the two at a drop of a hat. When it doesn't suit them, as in this case, the two are "apples and oranges."

  4. Anonymous
    January 22, 2016 at 6:52 pm

    " Whenever a security vulnerability is found in these areas, the contagion is massive, and hundreds of millions of computers and mobile devices will inevitably be affected."
    How disingenuous of you. As if Windows vulnerabilities affect only few devices.

    • Matthew Hughes
      January 28, 2016 at 3:53 pm

      You're totally right. Windows vulnerabilities affect more machines, therefore we should never ever ever talk about Linux vulns, no matter how jaw-droppingly insane they are.

      • Anonymous
        January 28, 2016 at 4:35 pm

        "we should never ever ever talk about Linux vulns, no matter how jaw-droppingly insane they are. "
        My, my, my. Did I hit a sore spot?
        I was just commenting on the tendentious, FUD-generating wording of your article. Whenever you write about Windows vulnerabilities, it is never with "OMG, the sky is falling, hundreds of millions of computers will die!!!' urgency. It's as if M$ was paying you to tone down the seriousness of the problem.

        ALL vulnerabilities should be publicized but let's keep the hyperbole and FUD out of the reports.

        • Matthew Hughes
          January 28, 2016 at 8:56 pm

          Microsoft is, and I would have gotten away with it too if it wasn't for you pesky kids. ;)

          Nah, I'm kidding. Your point is something to consider. Thanks man. :)

  5. Anass Eljondy (IronJaeger)
    January 22, 2016 at 4:43 pm

    I'll keep using it. All platforms have flaws, but Linux is the one that rolls out fixes faster than others.

  6. CMD
    January 22, 2016 at 4:21 pm

    Besides which the flaw has been fixed and updates have rolled out to every major distro.

    • Matthew Hughes
      January 28, 2016 at 3:47 pm

      That wasn't the case when I wrote the piece!

      • CMD
        January 28, 2016 at 3:48 pm

        Then you should update with new info!

  7. CMD
    January 22, 2016 at 4:09 pm

    Seriously, Windows has thousands of vulnerabilities and privacy issues and you don't bat an eye, and continue to use it, yet you get one or two Linux exploits that are usually fixed within hours/days and you lose your f*cking minds!?

    • macuser
      January 22, 2016 at 10:50 pm

      Linux is horrible.

      • CMD
        January 23, 2016 at 2:14 am

        Your OS X is more vulnerable than my Linux.

    • Matthew Hughes
      January 28, 2016 at 3:46 pm

      Er, I write about security issues. I've covered issues with all major operating systems, including Windows. I'm not sure what your point is bro.

      • CMD
        January 28, 2016 at 3:49 pm

        Your article is sensationalist and full of hyperbole.