[cross-posted from http://reyammer.blogspot.com/2013/06/what-fork-how-to-immediately-block-any.html]
What if an unprivileged Android app could lock, instantaneously, any Android device out there? What if such an app exists and is also really simple to implement?
A few months ago, Antonio and I stumbled upon a paper titled Would You Mind Forking This Process? A Denial of Service attack on Android. In this paper, the authors describe a vulnerability they discovered related to Android’s Zygote that could be exploited by mounting a DoS (Denial-of-Service) attack: this resulted in the target device becoming completely unresponsive after a minute or so. Without going too much into the details, the vulnerability was due to the world-writable permission access to the Zygote’s socket, from which Zygote itself listens for “requests to fork new processes”. With this technique, they were able to make Zygote fork a high number of processes, and that was enough to block the device.
Their work got a lot of coverage and the vulnerability they found (CVE-2011-3918) has been considered as critical (CVSS score of 7.8). Eventually, even Google acknowledged the bug by committing a fix.
At that point, Antonio asked me “how about a fork-bomb? Would that work?”. To our surprise, the answer to that question is: yes, definitively yes!
We found that the most simple implementation of a fork bomb is able to instantaneously block any Android device we have tested it on, regardless of the phone/OS version.
Up to now, we verified that our exploit works on Google’s flagship device (Nexus 4 with Android 4.2.2) and on the following other ones:
- Nexus 4 – Android 4.2.1
- Nexus S – Android 4.2.1 (Cyanogen mod 10.1)
- Galaxy Nexus – Android 4.2.2 (Cyanogen mod 10.1.0-RC5)
- Galaxy Nexus – Android 4.1.1
- Galaxy Nexus – Android 4.0.4
- Samsung Galaxy Tab 10.1 – Android 3.1
- Motorola Backflip – Android 2.3.7 (Cyanogen mod 7)
- Emulator running Android – Android 4.1.2
We immediately contacted the Android security team (on Feb 7th, 2013), and received a response shortly after: in their opinion, this does not constitute a security issue, because it is just a local DoS and the user can somehow regain control of his device (by rebooting the phone).
We found their answer quite interesting. In fact, we believe that our exploit is strictly more powerful that the previously disclosed one, as in this case the device blocks immediately, and not after a minute or so. Also, the impact that such an issue might have is much higher, as there does not seem to be an easy patch to fix this problem. This naturally raised some questions: did Google patch that vulnerability only because it was a simple fix? Or maybe the patch was supposed to fix a different more serious (undisclosed) bug? As we have not heard anything back (we sent our last email to them on Feb 10th, 2013), we have no idea. In any case, we are surely not the first ones to come up with a local DoS attack (for example, check this nice trick from DexLab), but it seems that Google just does not care that much about this.
We think that local DoS is really bad (at least bad enough to commit a fix, especially when it’s simple). First, this violates one of the core principle on the Android design: no application, by default, should have the permission to perform any operation that would adversely impact other applications, the operating system, or the user. Second, what if the attack starts during the night, when the user is relying on his phone for the alarm clock? That would be quite unfortunate. And what if our nasty app starts at every boot, making the device completely unusable from the beginning? Now, if you are one of those few guys who reads a blog post like this, you probably know your way around to delete the annoying app, but what if you are not?
That being said, our uber simple forkbomb app is available on github at: https://github.com/reyammer/android-forkbomb. Feel free to try it out, but be ready to pull out your battery :-)