Row hammer root method? (Now Dirty Cow)

[LaughingCarrot]

Found this on the LG G4 subreddit. Could someone that understands this topic a bit more take a look at this? Seems to be a new exploit.
http://arstechnica.com/security/201...tflips-to-root-android-phones-is-now-a-thing/

 

[hecksagon]

Ram is made up of cells in a grid-like pattern inside of a chip. If you know the particular memory location of a specific piece of software you can access the rows above and below with certain patterns of memory accesses and writes. This causes specific bits in the target memory location to change their contents. If the software at that target location happens to handle privilege escalation... This does not rely on buggy software but underlying properties of the ram itself. Some mitigating strategies include address space layout randomization and full encryption of ram. ECC ram can also help with this if you use the error detection abilities to cause an instant device reset.

 

[CygnusBlack]

There's an app to check if you're vulnerable to the Hammer bug.
Devs stated that they've rooted the G4 exploiting it... So... Is there hope for bootloader locked devices after all?

 

[LaughingCarrot]

Now I'm a bit pessimistic about this mainly due to the fact that there have been several exploits since MM which didn't really help our situation. The only difference here is they've claimed that they were able to root our specific device using this method which is promising I suppose.

 

[Gold_Phenix]

Some budy red about dirty cow bug in Linux kernel?

Wysłane z mojego LG-H815 przy użyciu Tapatalka

 

[tmihai20]

This actually seems very, very good news. I will try to get my hands on an apk and try it.

 

[CygnusBlack]

Link to the apk:
https://vvdveen.com/drammer/drammer.apk

 

[phonexpert_alex]

It doesn't do anything.

 

[tmihai20]

It does not do anything YET. The researchers said that they did not release the exploit and are not so inclined to do so. I got a warning about the apk being malicious. Maybe someone will create an app in good faith that will only root out phones.

 

[phonexpert_alex]

It does not do anything YET. The researchers said that they did not release the exploit and are not so inclined to do so. I got a warning about the apk being malicious. Maybe someone will create an app in good faith that will only root out phones.

EN: It was a statement. I know that it does nothing. It is just a test. It doesn't root your phone.
RO: Era o afirmatie. Doar intaream ideea ca e un test si ca nu ajuta cu nimic in cazul de fata (si anume la root).

 

[LaughingCarrot]

Yeah the app is simply to find out which phones are vulnerable.

 

[th3y]

I want to use Drammer to root my phone. Where can I download the exploit code?

You cannot. We decided to not (yet) release the exploit. We did open source our templating code, however.


So, maybe we need to wait until November Security Patch Release.

 

[phonexpert_alex]

Yeah the app is simply to find out which phones are vulnerable.

Exactly. Actually I ran it on my g4 and returned that it is not even exploitable

 

[tmihai20]

I think it takes some time, especially with the 3 GB of RAM. That slider is not very, very useful. I use the more aggressive approach and it killed the app itself. They said they ran it on a G4 and some other phones.

 

[niftium]

Dirty Cow, on the other hand, sounds a lot quicker. Looking forward to it.

 

[poog]

Hopefully.

 

[tmihai20]

I think we just got the first dirty cow exploit for Android. This developer used it to root a V20 with Nougat https://github.com/jcadduono/android_external_dirtycow

 

[Engelm]

I think we just got the first dirty cow exploit for Android. This developer used it to root a V20 with Nougat https://github.com/jcadduono/android_external_dirtycow

I have to add that he has an unlocked bootloader.
But of course, it gives us more Hope

 

[LaughingCarrot]

I think we just got the first dirty cow exploit for Android. This developer used it to root a V20 with Nougat https://github.com/jcadduono/android_external_dirtycow

Yeah that method involved unlocking the bootloader so it's a little different. We need some sort of systemless root.

 

[lordsolrac2]

Any release on the row hammer exploit yet? :1 We need more researchers u.u