"DirtyCred" Gives Hackers Full Control of Linux and Android Systems

  • Added 21. 08. 2022
  • In this video I discuss the DirtyCred vulnerability, which allows an unprivileged user to escalate privileges to root on the Linux kernel (all architectures). The bug is also believed to be present in the Android kernel and in Docker images using the Linux kernel.
    Link to slides
    zplin.me/papers/DirtyCred-Zhe...
    Link to github repo
    github.com/Markakd/DirtyCred
  • Science & Technology

Comments • 758

  • @rainbowbunchie8237
    @rainbowbunchie8237 1 year ago +728

    TL;DW: Go abuse this to root your Android device and modify your OS before the security patch drops from your manufacturer.

    • @pewu1927
      @pewu1927 1 year ago +120

      I found this video and thought: "Damn, I can root my phone this way". I can't root it with normal ways cuz I have a blocked bootloader and no code, but yeah, gonna try that

    • @TwelveLetter956
      @TwelveLetter956 1 year ago +184

      Kid named locked bootloader and proprietary firmware code:

    • @username54487
      @username54487 1 year ago +39

      I was thinking the same exact thing! I've got a Samsung A54, and the thing is locked down tight... anyone have any idea how to use this on an Android device with user/terminal access? Maybe modify the exploit code for sudo access or a root group? This would be an AWESOME way for TONS of phone modders to root their devices before the phone gets patched! Let's come up with something!

    • @username54487
      @username54487 1 year ago +13

      Hmm, I compiled this on my Arch desktop as well as a Raspberry Pi running aarch64, and I get the same error:
      "fsconfig: Invalid argument
      [-] failed to write, retry..."

    • @WilliamHollinger2019
      @WilliamHollinger2019 1 year ago +13

      I want to reuse old android phones to run windows I know it is the worst os but to recycle old devices.

  • @frontlinetomcat
    @frontlinetomcat 1 year ago +1583

    That's why TempleOS is best

    • @DeuxisWasTaken
      @DeuxisWasTaken 1 year ago +971

      You can't have privilege escalation bugs if you run everything at ring-0, big brain moment

    • @robertpaulson8790
      @robertpaulson8790 1 year ago +52

      Checkmate root kit

    • @salpertia
      @salpertia 1 year ago +147

      @Hope You are alone, child. There is only darkness for you, and only death for your people. These ancients are just the beginning. I will command a great and terrible army, and we will sail to a billion worlds. We will sail until every light has been extinguished. You are strong, child, but I am beyond strength. I am the end, and I have come for you. Hope.

    • @MentalOutlaw
      @MentalOutlaw 1 year ago +530

      Run literally everything in ring 0, what escalation?

    • @johnarnold893
      @johnarnold893 1 year ago +8

      Front line, you are joking, right?

  • @MrMoto655
    @MrMoto655 1 year ago +274

    This is why I do all my computing on paper

    • @awakege6337
      @awakege6337 1 year ago +12

      😎

    • @everyhandletaken
      @everyhandletaken 1 year ago +24

      I hope you run your sudo commands on red paper, so you remember it’s potentially dangerous.

    • @keithberjeron763
      @keithberjeron763 1 year ago +15

      "let Me search for that file..." ;; Opens a file cabinet;;

    • @KatyaAbc575
      @KatyaAbc575 1 year ago +11

      Until your paper connects to the Internet and gets hacked.

    • @Kilogya
      @Kilogya 1 year ago +5

      @@keithberjeron763 * takes about 10 seconds or more depending on their file system management techniques *

  • @snugasapugonarug
    @snugasapugonarug 1 year ago +563

    This is getting to the point where you should just turn off your internet whenever you don't explicitly need it.

  • @nabbikill
    @nabbikill 1 year ago +319

    write(fd, "HACKED", 6) does not write "HACKED" to line 6; "6" is the buffer size, which is the length of the "HACKED" string. It is needed as there are different buffer representations that can be given to the syscall.

  • @leonidas14775
    @leonidas14775 1 year ago +180

    For android, this is a good thing and a bad thing. You can root previously unrootable phones. But so can badguys, who can permanently lock you out of your device.

    • @silverywingsagain
      @silverywingsagain 1 year ago +10

      How? there's no unprivileged users able to remotely log into an android phone. By default android doesn't even include a sudo binary. Are you sure you understand what this exploit does? You would have to willingly download and execute malware for this to be effective on android, at which point your security is fucked with or without DirtyCred.

    • @autistadolinux5336
      @autistadolinux5336 1 year ago +4

      @@silverywingsagain you can include yourself now, lol.

    • @MrAwesomenesh
      @MrAwesomenesh 1 year ago +2

      Well to be a little more explicit, androids can generally be rooted with common procedures but the issue comes with advanced cellular features locked behind A/B partitions (pitched as partitioning to help with live updates) that break when edited. Some have magisk/xposed modules that re-establish those security features allowing a rooted android to actually be usable. Thankfully, it means that if this was leveraged to gain root access to any given android it would likely break most networking to begin with

    • @winnie8614
      @winnie8614 1 year ago +4

      @@silverywingsagain you are downloading whatever software from the Play Store. But it is somehow guarded by the Android OS, unless you give permission to storage/camera/etc. After this exploit you would be vulnerable to bad apps in the Play Store.

    • @winnie8614
      @winnie8614 1 year ago +3

      @@silverywingsagain There are actually two different exploits. One for processes and a second for files. For the one with processes no code is published yet.
      But you can use files to get an executable. Just need to overwrite any binary with suid (root) on the device.

  • @GameSmilexD
    @GameSmilexD 1 year ago +163

    Memory management vulns are scarce but when they appear it's always a giant mess

  • @ashishpatel350
    @ashishpatel350 1 year ago +64

    so this is what all those people mean when they say "you need to check your privilege"

  • @SCTproductionsJ5
    @SCTproductionsJ5 1 year ago +88

    So what you're saying is: *don't update* if you want to root your phone, but *do update* your computer running Linux, yeah?

    • @NJ-wb1cz
      @NJ-wb1cz 1 year ago +2

      It's super bad actually. Now literally any app on your phone can do whatever the developer wants with everything that's on your phone
      And many phones will never be patched

    • @aquaponieee
      @aquaponieee 1 year ago +1

      @@NJ-wb1cz well, don't install shitware but only FOSS apps from developers you trust

    • @roger8772
      @roger8772 1 year ago

      @Omelette au Fromage Just buy from a manufacturer that will let you unlock the bootloader. I got a Google Pixel straight from Google and I can unlock it and root it without any magic

  • @capability-snob
    @capability-snob 1 year ago +37

    "sales people doing provisioning" picturing an ansible task that gets a salesperson on the telephone and gives them instructions to build out your cloud infrastructure over text to speech

    • @silverywingsagain
      @silverywingsagain 1 year ago

      Imagine that shit? If you're letting your rank and file spin up infrastructure directly you're objectively bad at your job.

  • @dreamhollow
    @dreamhollow 1 year ago +384

    Dear god, I hope they're able to patch this quickly. It could be a disaster for the entire internet if hackers managed to take down entire major servers.

    • @jokroast6912
      @jokroast6912 1 year ago +90

      Do not click the sussy link from Hope because like... he sends it to multiple people

    • @briani7858
      @briani7858 1 year ago +3

      same. this is a big one.

    • @tacokoneko
      @tacokoneko 1 year ago +29

      I have a factory-locked bootloader Android phone (SM-G960U), so as soon as I saw this notification I turned off the phone. I want to learn how to do this exploit so I can use it to root my phone before AT&T and Samsung force-upgrade its kernel to a patched one; this is a 100% legal reason to perform this exploit, right?

    • @s0nnyburnett
      @s0nnyburnett 1 year ago +7

      I long for the day the internet is dead.

    • @trollerjakthetrollinggod-e7761
      @trollerjakthetrollinggod-e7761 1 year ago +2

      It's not as likely to happen. Servers have a much smaller attack surface than regular computers.

  • @QualityDoggo
    @QualityDoggo 1 year ago +114

    Privilege escalation is a bigger deal on Linux not only because they're servers... but because Windows/MacOS are usually "single user admin" and you hardly have to escalate to do anything.

    • @DistrosProjects
      @DistrosProjects 1 year ago +8

      Windows yes, macOS no. macOS is a (very locked down) UNIX system at its core since 2001 and requires privilege execution to write to system files, however applications can be installed without the administrator password as long as your account is an administrator (and not a "Standard") account. However, privilege escalation bugs can't usually cause any harm to a system (besides deleting/stealing files, but that could be done without admin privileges) due to Apple making the system files read only, even to root, by default in 2015, and further when they put them on a read-only partition.

    • @PvtAnonymous
      @PvtAnonymous 1 year ago +7

      @@DistrosProjects I guess you're mainly talking about SIP here. And yeah, for most macOS users, it makes sense. Most are dumb enough to just click "yes" to anything the computer asks and thus infect the system. For more experienced users it's not really necessary I guess, but still pretty useful.

    • @blkspade23
      @blkspade23 1 year ago +3

      @@DistrosProjects UAC does the same thing in Windows for admin users as macOS. The 1st user on macOS is always an admin, just like Windows. The only difference is macOS prompts the user to enter their password, whereas UAC just asks the user Yes or No. UAC made most malware happy to run in userspace, which subsequently became the exact same behavior in macOS.

    • @necrolog3797
      @necrolog3797 1 year ago

      @@blkspade23 you can log in as a user and use an admin password for UAC. I couldn't quite make it practical, but it works

    • @socvirnylestela5878
      @socvirnylestela5878 1 year ago +1

      @Kris Nicholson you got it wrong. Unix is Unix, Linux is a Unix-clone (others call it Unix-like) and never shared some code from Unix . Hence, you can't just say Unix is derived Linux. :) other points are correct though.

  • @BenitoF2009
    @BenitoF2009 1 year ago +157

    Linux: "There's a biiig bug. But you have to sit at the keyboard in front of the PC to use it."
    Windows: "... before you turn on your machine make sure that it isn't connected to the outside world!"

    • @BruceCarbonLakeriver
      @BruceCarbonLakeriver 1 year ago +2

      I had the same thought LOL

    • @rogo7330
      @rogo7330 1 year ago +16

      Actually you don't for this. If you, as it was said in the video, have unprivileged access to a machine and can launch arbitrary code - boom, you have root.
      It's a serious bug, and it will be interesting to see what is the ROOT (lmao) of this problem.

    • @silverywingsagain
      @silverywingsagain 1 year ago +6

      @@rogo7330 Shell access is the same as being at the keyboard in UNIX. If you have unprivileged access to a machine you can still run arbitrary code and do a ton of damage even without root. The root of the problem is that computers use buffers, and buffers can overflow. Unless you can think of a completely different paradigm, exploits will always exist. The solution is to make sure USERS don't have unprivileged access, only APPS and SERVICES do. Then you can implement security on a case by case basis instead of trying to "herd cats" on a system-wide basis.
      Of course all of this is better than windows and mac where escalation is boiled down to a brain-dead popup that 99% of users will click "OK" without thinking.

    • @rogo7330
      @rogo7330 1 year ago +4

      @@silverywingsagain "apps and services" are users. You at the keyboard aren't doing much unless you're executing something. If you as a user are only answering questions from apps and services ("There are 10 people in the room. Is it true? [y/n]", "Press Enter to continue", etc.), you can't do much. If your service or app is a big clusterfuck of code that's doing some weird shit and because of that you put it inside Docker or something - there it is, just put some symbols into the Minecraft chat on the server and you have access to the Minecraft server's user and its shell.

    • @xybersurfer
      @xybersurfer 1 year ago

      you are so butthurt that you have to bring up Windows

  • @yellowkll2853
    @yellowkll2853 1 year ago +10

    10:08
    last argument of 'write' is number of bytes to write, not a line number.

  • @noeljose
    @noeljose 1 year ago

    A year ago, I switched to Linux because of you. It's awesome, and thank you

  • @erickvond6825
    @erickvond6825 1 year ago +6

    This was interesting and could explain how some roommates got into my Linux NAS a few years back. Thanks for the content...

  • @Darthborg
    @Darthborg 1 year ago +5

    Hurray my favorite topic for content

  • @memphisartguy2
    @memphisartguy2 1 year ago +1

    Pretty cool. One of Siemens' 101 classes in cyber security is called "From Web to Root", where we use a weak user-based system to get an admin account and then use a form to execute shell code, in turn giving us a remote login, and use this exploit to take over the Docker to get to the host shell with SU access. It just took 4 hours to teach a whole class to do this, with most not having an ounce of training or Linux knowledge.

  • @jons2447
    @jons2447 1 year ago

    Thank you, Kenny!

  • @mranderson2048
    @mranderson2048 1 year ago +1

    May the CZcams algorithm bless the channel with growth and prosperity forever.

  • @eyephpmyadmin6988
    @eyephpmyadmin6988 1 year ago

    Love your channel

  • @dr07828
    @dr07828 1 year ago +1

    This is neat. I tried it out. I checked all of my systems to see if they were vuln, and everything seemed to be patched. Nice testing tool. But I also played around with it. This could very easily be a copy-paste script, fast and bang in. We all know plenty of systems admins out there slow to update....

  • @tjgdddfcn
    @tjgdddfcn 1 year ago +5

    little did the penguin know this was a planned sabotage by the rustaceans to overthrow C and rewrite the kernel in Rust

  • @joesquarepants5354
    @joesquarepants5354 1 year ago

    thank you for your videos

  • @jokroast6912
    @jokroast6912 1 year ago +13

    I hope the patches come soon.

  • @renakunisaki
    @renakunisaki 1 year ago +9

    Oh no! Better switch to an even less secure system so I don't need to worry about this one bug.

  • @floppa9415
    @floppa9415 1 year ago +13

    You know, I like to point out the positives - and this could maybe allow plenty of phones to be rooted.

  • @jokroast6912
    @jokroast6912 1 year ago +25

    Dude imagine installing Roblox on somebody's system by force

  • @96ethanh
    @96ethanh 1 year ago

    This is so simple. Crazy it took this long to discover it.

  • @WitchMedusa
    @WitchMedusa 1 year ago +10

    I wonder if this affects GrapheneOS, because they use a hardened memory allocator; it would be nice to see that spare them

  • @hashkeeper
    @hashkeeper 1 year ago

    something else to patch up, great. somebody man the bilge! thanks for the info.

  • @user-hk3ej4hk7m
    @user-hk3ej4hk7m 1 year ago +12

    It's almost as if C is not good for memory management

    • @bbseal6174
      @bbseal6174 1 year ago

      SHUT UP

    • @duncanw9901
      @duncanw9901 1 year ago +7

      Well, C is good for memory management, and that's the problem...
      Because _people_ aren't good at memory management

  • @Ultrajamz
    @Ultrajamz 1 year ago +2

    Hilldawg did the big brain corruption move, windows servers, bit bleach, hammers

  • @FaySmash
    @FaySmash 1 year ago +6

    Let's hope for a wave of root on auto head units/Android/set-top boxes/consoles etc!

  • @lowhigh3426
    @lowhigh3426 1 year ago +14

    That's why you should always delete the Linux kernel to remove any bloat and run Linux from a spaghetti.

  • @chillingstateinhabitant

    Woah nice I hope nothing bad happens next

  • @CoolFire666
    @CoolFire666 1 year ago +9

    Good thing I don't run a public access Linux shell host where there's lots of unprivileged and untrusted users on a system...

  • @bashisobsolete.pythonismyn6321

    openBSD users be like: "what's a privilege escalation?"

  • @broyojo
    @broyojo 1 year ago +28

    sad that most of our critical, low-level infrastructure is using unsafe languages. the amount of code is so large in these projects that not one single person can manage or know it all. vulnerabilities become inevitable

    • @breakfast7595
      @breakfast7595 1 year ago +11

      Still better than Microsoft or Apple. Not that it _shouldn't_ be fixed. But rather that it _can_ be fixed

    • @ratchicken8159
      @ratchicken8159 1 year ago

      Wdym unsafe

    • @WofWca
      @WofWca 1 year ago +7

      @@ratchicken8159 he means that it's very easy to introduce a vulnerability writing in C because it allows you to do practically anything, it doesn't check for memory management errors, unlike say, Rust, with its borrow checker, or Python, where you don't have to manage memory at all.

    • @ratchicken8159
      @ratchicken8159 1 year ago +1

      @@WofWca yes ofc but making a language memory safe doesn't solve all the vulnerabilities
      only a couple

    • @WofWca
      @WofWca 1 year ago +7

      @@ratchicken8159 well, a ton of vulnerabilities are memory-related, including this one, so I'd say using safer tools is worth it.

  • @PhoeniXfromNL
    @PhoeniXfromNL 1 year ago

    nice hack alright, thanks for the vid ^^

  • @kaluth7668
    @kaluth7668 1 year ago +1

    I like how you gave up on censoring the gun 1/3rd of the way through. :D

  • @ShaunakHub
    @ShaunakHub 1 year ago +8

    Biggest problem are old Android devices which no longer receive security updates...

    • @bow-89
      @bow-89 1 year ago +1

      Bad news for my 2011 Samsung Galaxy Mini

  • @nandoxus
    @nandoxus 1 year ago +24

    Reject technology return to monke

  • @saucypingas3768
    @saucypingas3768 1 year ago +1

    Nice vid, mind doing a video about vim plugins? I started learning vim now to fit in wiv the femboys, great progress so far, and vim plugins seem quite hard to understand

  • @windowsxseven
    @windowsxseven 1 year ago +10

    Check your privilege

    • @ZERARCHIVE2023
      @ZERARCHIVE2023 1 year ago

      White male cis from a poor family and with no future whatsoever.
      10/10 ?

  • @JodyBruchon
    @JodyBruchon 1 year ago +15

    I hate containers. I hate all-in-one packaging like Flatpak. Both are used so inappropriately all the damn time. _edit to add, since I was asked "why are those bad?":_ You know how the end of firmware updates for IoT stuff like a wireless router means that the router is forever frozen with all its security flaws after firmware stops being put out? Now imagine that for every program on your system. That's the problem with "containers." They package everything required for a program at the time of building, including the version of every single library in use on the build system. If, say, glibc (the most common/widely used Linux C standard library that the vast majority of software uses in some capacity) patches a horribly massive flaw and you update your packages and the fixed glibc build is in those, it does not update the glibc instance in ANY of your containerized software. This is just one facet; it completely avoids the point of reusable shared library code as well, blah blah.

    • @TwelveLetter956
      @TwelveLetter956 1 year ago +1

      Can you elaborate further why it's bad?

    • @joemamium
      @joemamium 1 year ago +9

      @@TwelveLetter956 He's got bitten by a rabid container when he was a child 😔😔😔😔😔

    • @JodyBruchon
      @JodyBruchon 1 year ago +4

      @@TwelveLetter956 Oh god. Where do I start? You know how the end of firmware updates for IoT stuff like a wireless router means that the router is forever frozen with all its security flaws after firmware stops being put out? Now imagine that for every program on your system. That's the problem with "containers." They package *everything* required for a program at the time of building, *including the version of every single library in use on the build system.* If, say, glibc (the most common/widely used Linux C standard library that the vast majority of software uses in some capacity) patches a horribly massive flaw and you update your packages and the fixed glibc build is in those, *it does not update the glibc instance in ANY of your containerized software.* This is just one facet; it completely avoids the point of reusable shared library code as well, blah blah.

    • @Cookiekeks
      @Cookiekeks 1 year ago +4

      But you can update containers as well?

    • @WyvernDotRed
      @WyvernDotRed 1 year ago +1

      @@Cookiekeks the problem is that you have to rely on the application developer to update it.
      Though when normal software packs its own dependencies it's the same, but this is rarer and usually requires using the system-wide updated ones.
      FlatPak allows for ways of having the runtime updated normally, but it depends on the choice of the developer.
      And if they abandon the software, it becomes insecure or breaks in the future.

  • @pelufaz8435
    @pelufaz8435 1 year ago

    OH BOY Muta has something to talk about

  • @silverywingsagain
    @silverywingsagain 1 year ago +46

    Dirty pipe has been known about forever, this is a local exploit. Secure your infrastructure properly and it's a non issue. If you already have access to a system there will always be another overflow exploit waiting to be found. It's basically intrinsic to how programming works. You can isolate and prevent individual cases but nothing will ever really prevent a user who already has access to a system from escalating privileges.

    • @minikame2272
      @minikame2272 1 year ago +3

      You can't architect your way around this if your entire service is built on shared tenants

    • @gg-gn3re
      @gg-gn3re 1 year ago

      yep these are all over on every system, on windows you can just delete the keychain file and gain access to everything

    • @LordNementon
      @LordNementon 1 year ago +2

      @@gg-gn3re If you can do that, you already are admin ... 😹

    • @gg-gn3re
      @gg-gn3re 1 year ago

      @@LordNementon no you aren't. You boot into another OS and delete it, dummy. you can't do this on windows login.

    • @LordNementon
      @LordNementon 1 year ago +2

      @@gg-gn3re If you assume your bootloader isn't protected and you do not use disk encryption, yeah maybe.
      Let's say, you already are admin of the hardware in that case 🙃

  • @kreuner11
    @kreuner11 1 year ago +2

    Whenever a bug is patched, it's also patched for LTS versions used by Ubuntu and Debian for instance

  • @pootispiker2866
    @pootispiker2866 1 year ago +2

    A bug in the linux kernel? I'm shocked. Shocked!

    • @WofWca
      @WofWca 1 year ago

      Sarcasm, right?

  • @ravenecho2410
    @ravenecho2410 1 year ago

    super interesting, 🤔

  • @baumstamp5989
    @baumstamp5989 1 year ago +1

    so wait. 2 basic questions.
    in which kernel will this be fixed? 6.0 ? or was it fixed in 5.19, earlier?
    also what are the prerequisites for this? physical access to the machine? or already compromised via other trojan?

  • @guilherme5094
    @guilherme5094 1 year ago

    Thanks.

  • @Theineluctable_SOME_CANT

    "Remember that time we did the updates to OPEN VMS?
    Wasn't that version 4.4?
    Yeah, we broke our own security and OPEN VMS turned into:
    WIDE OPEN VMS!"

  • @BlackOps78321
    @BlackOps78321 1 year ago +19

    It usually is not Linux itself but, the fact that those addons and plugins all made by random people who think they're edgy, then introduce a vulnerability. Of course they left a ton of them. The problem is, of course, if it's a vulnerability in a 'widely used' component. You're giving total nobodies ability to make these things most of the time, even when talking about the more popular linux distros. There's likely even more than Windows at this point, considering they started actually trying to secure things, probably after Windows XP. Even then it's still useful to have exploits like this imo because I'd rather be able to mod my kernel or do what I want.
    For example, I wanted to make a new exploit for fun. Within 3 days I found a way to exploit the NVidia Driver (latest/current ones).. You can then shut down any antivirus or access any game process without even trying because it just accesses most of them already. No one even knows and it's completely private how their drivers work. Maybe a few have recently released more about dxgkrnl vulnerabilities, but, those can be easily found now because of that. Now there's like 3 other things you can hook down the line from that, including the driver itself.

    • @Cookiekeks
      @Cookiekeks 1 year ago +1

      Have you reported the exploit?

    • @emachine003
      @emachine003 1 year ago

      @@Cookiekeks this, nvidia probably has a bounty for this sort of thing

    • @NJ-wb1cz
      @NJ-wb1cz 1 year ago +1

      @@Cookiekeks this person is simply daydreaming about things

  • @densidste9137
    @densidste9137 1 year ago +21

    another defcon another look into 10 year old vulnerabilities.

    • @jokroast6912
      @jokroast6912 1 year ago +7

      DO not click on the sussy YT link from Hope. They spam it to multiple people.

    • @TheGhostFart
      @TheGhostFart 1 year ago +2

      @@jokroast6912 good job looking like a bot

    • @WofWca
      @WofWca 1 year ago

      @@TheGhostFart good job looking like a bot

    • @jokroast6912
      @jokroast6912 1 year ago

      @@TheGhostFart right on m8. Im out here tho. Warning people

    • @anonsforever_
      @anonsforever_ 1 year ago

      Defcon run the world. We are all just lucky to coexist with them.

  • @computerexpert69
    @computerexpert69 1 year ago +1

    Hey Mental, can you do a video about Android de-Googled ROMs (like ArrowOS, HavocOS etc.), because Calyx or Graphene or Lineage is not supported for some phones (like mine)?
    Also great video.

  • @alexmiranda6107
    @alexmiranda6107 1 year ago +9

    I'll be safe, I use hannah Montana linux

  • @ggsap
    @ggsap 1 year ago

    I can just hear the seytonic music playing in the background and it wont stop 😔

  • @PTFuZi
    @PTFuZi 1 year ago

    Nice

  • @assulaimi7973
    @assulaimi7973 1 year ago

    Hello, thank you for the good explanation, does the attack you conducted correspond to an insider attack or an attacker with remote access?

  • @SWAGCOWVIDEO
    @SWAGCOWVIDEO 1 year ago +3

    Wouldn't corpos limit low level pissons to a short list (or protected directory) of pre-authorized programs anyway on company server hardware? Besides that, it blows my mind that Linux lets you access/modify pages of memory allocated by other users without permissions or segmentation faults. Would modern computers really suffer that much of a performance loss if the kernel checked when unprivileged users attempted to read/write to a memory address that had previously been freed by them?

  • @wolfmercer
    @wolfmercer 1 year ago +5

    could this help with being able to install a de-Googled OS on all Android devices?

    • @ChimeraX0401
      @ChimeraX0401 1 year ago +1

      I don't think you can install custom ROMs using this vulnerability. I think you can just root your phone even with a locked bootloader, unless this vulnerability can also spit out the keys required to unlock it, but I doubt they stored those in the firmware....

  • @ravenecho2410
    @ravenecho2410 1 year ago +38

    monolithic vs microkernels, given enough complexity - or enough utility, macrokernels will always have exploits

    • @randomgeocacher
      @randomgeocacher 1 year ago +2

      Why would a micro kernel be less prone to implementation bugs? I can see some benefits to micro kernels, such as not everything sharing same memory… but implementation bugs where affected functionally is all contained in same subsystem? E.g. making cgroups into its own subsystem wouldn’t help preventing this bug?

    • @ravenecho2410
      @ravenecho2410 1 year ago

      @@randomgeocacher privilege escalation

  • @lucidadragon
    @lucidadragon 1 year ago +21

    "Use after free" Oh god no, I can hear the Rust developers stampeding over the hills to proclaim their superiority once again.

    • @tauon_
      @tauon_ 1 year ago +1

      they're here

  • @RedStoneMatt
    @RedStoneMatt 1 year ago +4

    This could actually be useful for android
    like imagine this, what if someone made a file explorer that used this exploit to allow writing files anywhere without needing to root the phone! would be incredible

    • @SpongeBlaster
      @SpongeBlaster 1 year ago

      Might as well just root your phone once and do that whenever.

    • @RedStoneMatt
      @RedStoneMatt 1 year ago

      @@SpongeBlaster rooting my phone means resetting my phone, which would cause me lots of trouble

    • @PvtAnonymous
      @PvtAnonymous 1 year ago +2

      bad idea. Once you start modifying files outside of /data, on the next reboot your bootloader will just say "no" and you'll have a nice brick. Things like checksums exist for a reason my man.

    • @RedStoneMatt
      @RedStoneMatt 1 year ago

      @@PvtAnonymous Aw :/

  • @miklov
    @miklov 1 year ago

    nitpick: man 2 write
    Very interesting video though and well presented. Thank you!

  • @notafbihoneypot8487
    @notafbihoneypot8487 1 year ago +3

    Good thing I run Qubes OS on my neighbors PC with VNC

  • @fren648
    @fren648 1 year ago

    Kenny, I know this sounds weird, but in regards to your rice, how did you get Firefox and a couple of other applications to actually follow your window theme? Also, are you still using CINNXP or are you using something newer?
    I am still running ZorinOS because of an older video, but I decided to install the Cinnamon desktop environment on a whim, just because. Could we see a video about your current rice? Thanks, Kenny.

  • @dany08011
    @dany08011 1 year ago +8

    Some random server running Ubuntu 18.04 without any update: 💀

  • @scheimong
    @scheimong 1 year ago

    I let out a small chuckle when I heard "use after free". Who would have thunk it.

  • @NeroMai
    @NeroMai 1 year ago

    Time to break out the Leapfrog OS

  • @tulsatrash
    @tulsatrash 1 year ago +2

    Looking forward to a good fix.

  • @samuelmatheson9655
    @samuelmatheson9655 1 year ago +9

    Bout to get 5 TB of mega storage

    • @WofWca
      @WofWca 1 year ago +1

      Bout to take it from you.

  • @karolus28
    @karolus28 1 year ago

    cool

  • @TheOPtmal
    @TheOPtmal 1 year ago

    You should take a look at Plan 9 & 9front

  • @Wonk_Bonk
    @Wonk_Bonk 1 year ago

    Gotta make my own OS now

  • @Tachi107
    @Tachi107 1 year ago +3

    Hey Mental, yesterday Telegram officially became a spooky proprietary platform. I think it could be a good topic for a video, and really useful info to your audience.
    I can link you all the information I've gathered, via email, Matrix, or whatever.

  • @richardtobing5012
    @richardtobing5012 1 year ago

    How do you get to the screen that shows you all the processes??

  • @username54487
    @username54487 1 year ago +1

    How can we use or modify this code for Android??? I have a Samsung A54, and the thing is locked down tight... Anyone have any idea how to use this on an Android device with user/terminal access? Maybe modify the exploit code for sudo access or a root group? This would be an AWESOME way for TONS of phone modders to root their devices before the phone gets patched! Let's come up with something!

    • @username54487
      @username54487 1 year ago

      Hmm, I compiled this on my Arch desktop as well as a Raspberry Pi running aarch64, and I get the same error:
      "fsconfig: Invalid argument
      [-] failed to write, retry..."

    • @username54487
      @username54487 1 year ago

      I have tried a few ways to execute DirtyCred on Android so far (copying DirtyCred to the phone and trying to run it using adb, and also trying as a different user through the Termux user). Both of those ways didn't work: either the user has no access to the directory, or the user has access but no execute permissions.
      I did try like so: /storage (and other accessible mounts) have 'noexec' set on the mounts, so I can't execute DirtyCred through adb. I tried as the Termux user on the phone, but that user has no access to /storage at all; it seems jailed or chrooted into the '/data/data/com.termux/files/home' directory.
      Also, there is no user/password in passwd/shadow on Android, so I would have to find a way to add a new user or to give an existing user access to a privileged group... or some other way?

  • @deersakamoto2167
    @deersakamoto2167 1 year ago +2

    Thoughts on Louis Rossman joining FUTO? He's now sort of making the kind of videos you make

  • @elektrokinesis4150
    @elektrokinesis4150 1 year ago

    this attack might also work in some form on old BSD systems

  • @panosgr2913
    @panosgr2913 1 year ago

    Since the PS4 is running Linux, FreeBSD to be exact, will this exploit work on it?

  • @w1keee
    @w1keee 1 year ago +4

    I'm glad that Linux is (probably) going to get Rust support, so fewer of these memory errors happen.

  • @winnie8614
    @winnie8614 1 year ago +1

    Interesting. Is it exploitable inside Docker? And to what extent?

  • @savagetheunicorn4555
    @savagetheunicorn4555 1 year ago

    So would this be a gateway to root for android 12 devices and below?

  • @techtheguy5180
    @techtheguy5180 1 year ago +1

    I love privilege escalation vulnerabilities! I can root my Huawei phone😁

  • @cloudkungfu
    @cloudkungfu 1 year ago

    So casual with it @ 4:25

  • @gaminggamingtm
    @gaminggamingtm 1 year ago +2

    Hell to pay

  • @Veshremy
    @Veshremy 1 year ago +13

    I don't think that's good

    • @mmccall0813
      @mmccall0813 1 year ago

      Gonna have to agree with you here

    • @MixedVictor
      @MixedVictor 1 year ago +13

      ratio bot

    • @shinwaffle767
      @shinwaffle767 1 year ago +1

      Yeah, it ain't looking good, chief

    • @jokroast6912
      @jokroast6912 1 year ago +1

      Do not click on the sussy YT link from Hope. They are sending it to multiple people.

    • @friendofp.24
      @friendofp.24 1 year ago

      @jokroast6912 Stop wasting your time. You spend 30 seconds to type a comment and the bot sends out millions in a second. Besides, people on this channel know what bots are.

  • @midimusicforever
    @midimusicforever 1 year ago +4

    Ouch

  • @danielbaker1248
    @danielbaker1248 1 year ago +26

    I am a complete beginner when it comes to computers/Linux, so I have one question: how does a hacker even get the chance to use this security problem on your personal computer?
    Do you have to download malware?

    • @ThisCanNotBTheFuture
      @ThisCanNotBTheFuture 1 year ago +43

      The biggest risk is to servers running critical applications to business, infrastructure, etc. compared to one's personal computer. But to address the essence of your question, they'd first have to penetrate the system they're targeting--be that from targeted phishing, exploiting a vulnerable process running on a server's open port, brute forcing login credentials, etc.

    • @danielbaker1248
      @danielbaker1248 1 year ago +12

      @ThisCanNotBTheFuture Damn... not good. Thanks for the info.

    • @mareksniknais5415
      @mareksniknais5415 1 year ago +7

      If you are a web developer, you install and execute all kinds of crap.

    • @pelic9608
      @pelic9608 1 year ago +16

      Difference between local and remote exploit. This is a local one. Like the examples he gave in the video, this is an issue with e.g. rogue employees.
      And there's possibly no way of screening all those people. Take a 1st level support guy, for example. Easy to get in and if the whole infrastructure is Linux, you start with exploiting the system you're allowed to work on. You gain root on that and then go from there. There's almost always some ssh key or config with a password lying around that gives you access to another system. Rinse and repeat...
      But mind you, this isn't financial advice - or so.
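The post-root step described in the comment above (harvesting SSH keys and config files with passwords that are "lying around", then hopping to the next host) is exactly what a defender should sweep for before a rogue local user does. The script below is an added example, not code from the video or from the DirtyCred repository: a POSIX sh function that enumerates such credential artefacts and flags the ones any unprivileged user can already read. It runs offline against a constructed sample tree; every path, file name and secret in it is invented for the demonstration.

```shell
#!/bin/sh
# Added example, not from the video or the DirtyCred repository.
# Enumerates the credential artefacts a freshly rooted attacker would hunt
# for (private keys, plaintext passwords in configs), so a defender can find
# them first. Runs against a constructed sample tree built by
# make_sample_tree; all paths and secrets below are invented.
set -e

# find_cred_artifacts DIR
# Prints one line per hit: "<octal mode> <path> <reason>[,world-readable]".
# A world-readable hit is reachable by any local user even without the
# privilege-escalation step.
find_cred_artifacts() {
    find "$1" -type f 2>/dev/null | while IFS= read -r f; do
        # GNU stat first, BSD/macOS stat as fallback
        mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
        reason=''
        if grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$f" 2>/dev/null; then
            reason='private-key'
        elif grep -Eiq '(password|passwd|secret)[[:space:]]*[=:]' "$f" 2>/dev/null; then
            reason='plaintext-password'
        fi
        [ -n "$reason" ] || continue
        # read bit set in the last octal digit: "other" can read the file
        case $mode in
            *[4-7]) reason="$reason,world-readable" ;;
        esac
        printf '%s %s %s\n' "$mode" "$f" "$reason"
    done
}

# make_sample_tree
# Builds a throwaway fake filesystem and prints its root. Constructed data:
# one over-permissive dummy key, one properly locked-down config holding a
# password, and one harmless file.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/home/alice/.ssh" "$root/etc/app"
    # dummy key material, not a real key
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'AAAAdummy' \
        '-----END OPENSSH PRIVATE KEY-----' > "$root/home/alice/.ssh/id_ed25519"
    chmod 644 "$root/home/alice/.ssh/id_ed25519"   # the classic mistake
    printf 'db_host=10.0.0.5\ndb_password=hunter2\n' > "$root/etc/app/app.conf"
    chmod 600 "$root/etc/app/app.conf"
    printf 'just notes\n' > "$root/home/alice/todo.txt"
    printf '%s\n' "$root"
}

# Usage: ./sweep.sh --demo runs it on the sample tree; on a real host run
# find_cred_artifacts /home and find_cred_artifacts /etc as root.
if [ "${1:-}" = "--demo" ]; then
    demo_root=$(make_sample_tree)
    find_cred_artifacts "$demo_root"
    rm -rf "$demo_root"
fi
```

The two reasons are deliberately distinct: a private key that is world-readable needs no kernel bug at all, while the mode-600 config only becomes a problem once the attacker has root, which is the scenario the comment describes.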

    • @keatonhatch6213
      @keatonhatch6213 1 year ago +7

      This is used after they’re in your system. So either they are in physical possession of your computer or you download malware that creates a back door they can remote into.

  • @AshnSilvercorp
    @AshnSilvercorp 1 year ago +3

    When your virtual machine WM is programmed to look like WinXP...

  • @BuildTimeMC
    @BuildTimeMC 1 year ago +2

    If it works on Android, then all devices that are bootloader locked are able to be rooted, right?

    • @renakunisaki
      @renakunisaki 1 year ago

      You'd have to re-run it on every boot since this still wouldn't give you a way to modify the system image.

  • @barms9768
    @barms9768 1 year ago

    I'm convinced that soon companies are going to come up with some serious air-gap security solutions. At least they should. It seems most just keep to the "Everyone in the company uses the same network!" model, which always results in lulz.

  • @dumkastriker
    @dumkastriker 1 year ago

    I feel privileged writing these comments.

  • @Rickety3263
    @Rickety3263 1 year ago +3

    2:55 LMAOOOOO

  • @merchant_of_kek5697
    @merchant_of_kek5697 1 year ago +3

    US and Chinese definitely mad about this one.

  • @anon_y_mousse
    @anon_y_mousse 1 year ago +19

    I'm starting to think that the kernel is full of privilege escalation exploits. A new one seems to be found every other month. :|

    • @ghost-user559
      @ghost-user559 1 year ago +4

      Uh, yes. Why do you think the alphabet agencies and major corporations ALL are fighting to be the “best contributors” to Linux. Linux glows

    • @anon_y_mousse
      @anon_y_mousse 1 year ago

      @ghost-user559 Ever used Mach or Hurd? How would you rate them?

  • @Rudxain
    @Rudxain 1 year ago +7

    4:28 my inner rustacean thought "this wouldn't have happened if the entire Linux kernel was written in Rust", because of a meme by STEMgamer that mentioned "use after free"

    • @peternrdstrm
      @peternrdstrm 1 year ago +2

      True, a rusty Linux kernel would be amazing

    • @Hellohiq10
      @Hellohiq10 1 year ago +4

      @peternrdstrm No, it wouldn't. Rust as a systems programming language isn't even memory safe; you have to use unsafe.

    • @w1keee
      @w1keee 1 year ago +3

      @Hellohiq10 Yeah, but the unsafe parts are very clearly marked, and if you make a safe API for that, then you only need to audit the unsafe parts when you have some memory errors.