Friday, October 28, 2016

Dirty C0w Vulnerability Demo (CVE-2016-5195) - A privilege escalation vulnerability in the Linux Kernel

I mostly want to present a demo of Dirty COW, so I am not going to go into much theory. A few basic things about Dirty COW are mentioned below.

Why is it called the Dirty COW bug?

"A race condition was found in the way the Linux kernel's memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. An unprivileged local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system."
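For contrast with the quoted description, this added example (not from the original post and not the exploit) shows the normal copy-on-write behaviour that the bug breaks: a process holding only a read-only descriptor maps the file privately, writes to the mapping, and the file itself stays unchanged. The temp file path, its contents and the function name are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>
/* Returns 1 if a write through a private mapping of a read-only descriptor
 * stayed in the process's own copy (file unchanged), 0 if not, -1 on error. */
int private_write_stays_private(void)
{
    char path[] = "/tmp/cow_demo_XXXXXX";      /* constructed sample file */
    const char original[] = "read-only data";  /* constructed contents */
    char on_disk[sizeof original] = {0};
    char *map = MAP_FAILED;
    int result = -1, rd = -1;
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    if (write(fd, original, sizeof original) != (ssize_t)sizeof original)
        goto out;
    rd = open(path, O_RDONLY);   /* same access an unprivileged reader has */
    if (rd < 0)
        goto out;
    /* MAP_PRIVATE permits PROT_WRITE even on a read-only descriptor: the
     * first store faults and the kernel hands the process a copied page. */
    map = mmap(NULL, sizeof original, PROT_READ | PROT_WRITE, MAP_PRIVATE, rd, 0);
    if (map == MAP_FAILED)
        goto out;
    memcpy(map, "EDITED", 6);    /* lands in the private copy only */
    /* Re-read the file itself; it must still hold the original bytes. */
    if (pread(rd, on_disk, sizeof on_disk, 0) != (ssize_t)sizeof on_disk)
        goto out;
    result = memcmp(map, "EDITED", 6) == 0 &&
             memcmp(on_disk, original, sizeof original) == 0;
out:
    if (map != MAP_FAILED)
        munmap(map, sizeof original);
    if (rd >= 0)
        close(rd);
    close(fd);
    unlink(path);
    return result;
}
int main(void)
{
    int r = private_write_stays_private();
    printf("file unchanged after private write: %s\n", r == 1 ? "yes" : "NO/error");
    return r == 1 ? 0 : 1;
}
```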

Am I affected by the bug?

Yes, every Linux kernel is affected by this vulnerability.

Where can I find more information?

Red Hat 

How can Linux be fixed?

Even though the actual code fix may appear trivial, the Linux team is the expert in fixing it properly, so the fixed version or newer should be used. If this is not possible, software developers can recompile Linux with the fix applied.

Demo: 

Step 1: Download the exploit using the 'wget' command.


Step 2: Compile the C file into an executable.


Step 3: The screenshot below shows that I am currently logged in as a user whose uid is 1001 and who does not have root privileges.

The Secret.txt file was created by the root user, and the 'Permission denied' error states that user chintangurjar has only read privileges and cannot write to that file.

Step 4: The same happens with ping, as we cannot add content to the ping binary.


Step 5: Run the exploit using the command below.

./dirtyc0w_executable secret.txt "Chintan Gurjar"

Here I am trying to add the string "Chintan Gurjar" to the existing content of the Secret.txt file.


Step 6: Now let us check the content of this Secret.txt file using another tab of the terminal.


You can observe that our string was added to the Secret.txt file with user privileges only, even though writing to that file actually requires root privileges.


Consider the ping binary, where any local or adjacent network attacker can add a backdoor for getting root access. Any time a user runs the ping command, the attacker will get root access without knowing the root password.

This is seriously a dirty flaw.

Reference: https://dirtycow.ninja/
