TowelRoot and Futex

One of the newest exploits to hit takes advantage of a code issue on certain Linux flavored OS's and has a deep reach from server based systems to other devices that operate using the affected versions including certain Android-based devices on the market. This includes the Samsung Galaxy S5, said Ohad Bobrov, vice president of research and development with Lacoon Mobile Security.

futex

The vulnerability, (CVE-2014-3153), was recently disclosed by the hacker Pinkie Pie and recorded in the National Vulnerability Database (NVD) on June 7. The Linux kernel version 3.14.5 and most versions of Android devices could be leveraged by hackers to potentially acquire root access on affected devices. Affected servers can download the latest kernel update that fixes the vulnerability. 

The vulnerability is codenamed TowelRoot after a rooting tool that was released for rooting mobile devices that uses this vulnerability to root most mobile devices on the market. The exploit is still in the infant stage but the hacking community is already buzzing with offers of finished packages to be used on mobiles and servers.

The interesting but not surprising aspect of this exploit is that it was uncovered in 2012 and only because of a rooting challenge did it start to gain speed. The vulnerability in the Linux futex subsystem is a known weakness which, if a server exploit exists, can be used to create a privilege escalation that will result in a total server takeover scenario. In the case of affected mobile devices a similar situation could exist.

 

 

by Jim Atkins

Memphis Web Programming