OS: Dirty Cow (Dirty COW) Vulnerability: Linux kernel access to kill right hole (cve-2016-5195) __linux

Note that when compiling a vulnerability exploits a program:

gcc-lpthread dirtyc0w.c-o dirtyc0w

The actual test under Ubuntu 15.10 needs to be changed to:

Gcc-pthread Dirtyc0w.c-o dirtyc0w

Or

GCC dirtyc0w.c-o dirtyc0w -lpthread

To compile correctly.

Other vulnerabilities exploit code:

Https://github.com/dirtycow/dirtycow.github.io/wiki/PoCs

Http://www.tuicool.com/articles/Rjiy2ma
How to Patch and Protect Linux Kernel the Zero day local privilege escalation vulnerability ... Time 2016-10-21 16:21:45 Nixcraft original http://www.cyberciti.biz/faq/ dirtycow-linux-cve-2016-5195-kernel-local-privilege-escalation-vulnerability-fix/Theme Linux Kernel

A very serious security problem has been found in the Linux kernel. A 0-day Local privilege escalation vulnerability has existed for eleven years since 2005. This bug affects all sort of the Android or Linux kernel to escalate privileges. Any user can become root in less than 5 seconds. The bug has existed since Linux kernel version 2.6.22+. How does I fix this problem? This bug is named as Dirty COW

(cve-2016-5195) is a privilege escalation vulnerability in the Linux Kernel. Exploitation of this bug does not leave any trace of anything abnormal happening to the logs. So can don't detect if someone has exploited this against your server. What is cve-2016-5195 bug?

From the project:

A race condition is found in the way the Linux kernel ' s memory subsystem handled the Copy-on-write (COW) Breakage of Priv Ate read-only memory mappings. An unprivileged local user could use this flaw to gain write access to otherwise read-only memory mappings and thus Increa Se their privileges on the system.

A nasty bug for sure. Any local users can write to any file they can read, and present since at least Linux kernel version 2.6.22.Linus Torvalds explained:

This is a ancient bug that was actually attempted the to being fixed once (badly) by me eleven years ago in commit 4ceb5db9757a ("Fix get_user_pages () Race for write access") but that is then undone due to problems on s390 by commit f33ea7f404e5 ("f IX Get_user_pages Bug ").

In the meantime, the s390 situation has long been fixed, and we can now fix it by checking the Pte_dirty () bit properly (a nd do it better). The s390 dirty bit is implemented in Abf09bed3cce ("S390/mm:implement software Dirty Bits") which made it into v3.9. Earlier kernels'll have to look at the page state itself.

Also, the VM has become more scalable, and what used a purely theoretical race back then has become to easier.

To fix it, we introduce a new internal Foll_cow flag to mark the "Yes, we already did a COW" rather than play racy games W ITH Foll_write is very fundamental, and then with the PTE dirty flag to validate this foll_cow flag is still valid . A List of affected Linux distros (including VMs and containers that share the same) Red hat Enterprise Linux 7.x Red Hat Enterprise Linux 6.x Red Hat Enterprise Linux 5.x CentOS Linux 7.x CentOS Linux 6.x C Entos Linux 5.x Debian linux wheezy Debian linux Jessie Debian linux stretch Debian linux Sid Ubuntu Linux precise (LTS 12 Ubuntu Linux trusty Ubuntu Linux xenial (LTS 16.04) Ubuntu Linux yakkety Ubuntu linux vivid/ubuntu-core SUSE linux En Terprise and 12. How does I fix cve-2016-5195 on Linux?

Type the commands as per your Linux distro. You are need to reboot the box . Before you apply to patch, note down your current kernel version:

$ uname-a
$ uname-mrs

Sample outputs:

Linux 3.13.0-95-generic x86_64

Debian or Ubuntu Linux$ sudo apt-get update && sudo apt-get upgrade && sudo apt-get dist-upgrade

Reboot the server: $ sudo Reboot

Related:ubuntu Linux Users can hotfix this Linux kernel bug without rebooting the server. Rhel/centos Linux 5.x/6.x/7.x

$ sudo yum update
$ sudo reboot

Rhel/centos Linux 4.x

$ sudo up2date-u
$ sudo reboot

Suse Enterprise Linux or Opensuse Linux

To apply all needed patches to the system type:

# zypper Patch
# reboot

Verification

You are need to make sure your version number has changed:

$ uname-a
$ uname-r
$ uname-mrs

determine if your system is vulnerable

For Rhel/centos Linux, use the following script:

$ wget https://access.redhat.com/sites/default/files/rh-cve-2016-5195_1.sh
$ bash rh-cve-2016-5195_1.sh

For the other distro try PoC (proof of concept exploit code)

Grab the PoC: $ wget https://raw.githubusercontent.com/dirtycow/dirtycow.github.io/master/dirtyc0w.c

Run it as follows. The IS root:

$ sudo-s
# echo This are not a test > foo

Run it as normal User: $ gcc-lpthread dirtyc0w.c-o dirtyc0w
$./dirtyc0w Foo m00000000000000000
Mmap 56123000
Madvise 0
Procselfmem 1800000000
$ Cat Foo
m00000000000000000 References: Ubuntu linux:cve-2016-5195. Debian linux:cve-2016-5195. Rhel/centos linux:cve-2016-5195. Suse Enterprise linux:cve-2016-5195 (coming soon). Dirtycow. Share This tutorial on: sharing