The vulnerability, a variety known as a race condition, was found in the way Linux memory handles a duplication technique called copy on write. Untrusted users can exploit it to gain highly privileged write-access rights to memory mappings that would normally be read-only.
17 Comments
Tomi Engdahl says:
“Most serious” Linux privilege-escalation bug ever is under active exploit (updated)
Lurking in the kernel for nine years, flaw gives untrusted users unfettered root access.
http://arstechnica.com/security/2016/10/most-serious-linux-privilege-escalation-bug-ever-is-under-active-exploit/
A serious vulnerability that has been present for nine years in virtually all versions of the Linux operating system is under active exploit, according to researchers who are advising users to install a patch as soon as possible.
While CVE-2016-5195, as the bug is cataloged, amounts to a mere privilege-escalation vulnerability rather than a more serious code-execution vulnerability, there are several reasons many researchers are taking it extremely seriously. For one thing, it’s not hard to develop exploits that work reliably. For another, the flaw is located in a section of the Linux kernel that’s a part of virtually every distribution of the open-source OS released for almost a decade. What’s more, researchers have discovered attack code that indicates the vulnerability is being actively and maliciously exploited in the wild.
“It’s probably the most serious Linux local privilege escalation ever,” Dan Rosenberg, a senior researcher at Azimuth Security, told Ars. “The nature of the vulnerability lends itself to extremely reliable exploitation. This vulnerability has been present for nine years, which is an extremely long period of time.”
The underlying bug was patched this week by the maintainers of the official Linux kernel. Downstream distributors are in the process of releasing updates that incorporate the fix. Red Hat has classified the vulnerability as “important.”
[PATCH 3.10 16/16] mm: remove gup_flags FOLL_WRITE games from __get_user_pages()
https://lkml.org/lkml/2016/10/19/860
Tomi Engdahl says:
Dirty COW Linux vulnerability – what you need to know
Offal bug found in Linux.
https://www.grahamcluley.com/dirty-cow-linux-vulnerability-need-know/
But why Dirty COW?
According to the researchers who found the flaw, and created a website to share information about it:
“A race condition was found in the way the Linux kernel’s memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. An unprivileged local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system.”
Essentially it means that – if the vulnerability is left unpatched – if a local user can read a file, they can also write to it. Ouch!
So this is a privilege escalation vulnerability, rather than a potentially more dangerous code execution vulnerability?
Right. But don’t let that thought lure you into resting on your laurels, as researchers claim they have found an in-the-wild exploit using the vulnerability.
Okay. Is this a new vulnerability?
Umm.. unfortunately not. Although it has only recently been uncovered, it appears that the flaw has been present in the Linux kernel for going on nine years.
I run Red Hat / Debian / Ubuntu. Where can I find out more about what I should be doing.
That’s easy.
Redhat on CVE-2016-5195.
Debian on CVE-2016-5195.
Ubuntu on CVE-2016-5195.
Tomi Engdahl says:
Dirty COW explained: Get a moooo-ve on and patch Linux root hole
Widespread flaw can be easily exploited to hijack PCs, servers, gizmos, phones
http://www.theregister.co.uk/2016/10/21/linux_privilege_escalation_hole/
atch your Linux-powered systems, phones and gadgets as soon as possible, if you can, to kill off a kernel-level flaw affecting nearly every distro of the open-source operating system.
Dubbed Dirty COW, the privilege-escalation vulnerability potentially allows any installed application, or malicious code smuggled onto a box, to gain root-level access and completely hijack the device.
The programming bug gets its name from the copy-on-write mechanism in the Linux kernel; the implementation is so broken, programs can set up a race condition to tamper with what should be a read-only root-owned executable mapped into memory. The changes are then committed to storage, allowing a non-privileged user to alter root-owned files and setuid executables – and at this point, it’s game over.
While the flaw is not by itself a gravely serious or uncommon condition – Microsoft fixes priv-esc bugs in Windows practically every month – this vulnerability could prove particularly troublesome: it has been present in the Linux kernel since version 2.6.22 in 2007, and it is very easy to reliably exploit. We’re told it is also present in Android, which is powered by the Linux kernel.
Crucially, exploit code to gain administrative control of devices is being used in the wild against internet-facing systems. And a version is now available to infosec professionals. A non-complete proof-of-concept version can be found here that tampers with a file that only root should be able to edit.
According to a website dedicated to Dirty COW, a patch for the Linux kernel has been developed, and major vendors including Red Hat, Debian and Ubuntu have already released fixes for their respective Linux flavors.
The vulnerability, designated CVE-2016-5195, was discovered by security researcher Phil Oester. At least one exploit targeting the flaw has been found in the wild.
The fix – which changes just two lines and introduces a single-line inlined function – sets a flag that signals a CoW operation has occurred, preventing the underlying page holding the executable from being unlocked and written to.
https://github.com/dirtycow/dirtycow.github.io/blob/master/dirtyc0w.c
Tomi Engdahl says:
Linux Kernel Zero-Day CVE-2016-5195 Patched After Being Deployed in Live Attacks
Dirty COW flaw existed in Linux kernel for 9 years
Read more: http://news.softpedia.com/news/linux-kernel-zero-day-cve-2016-5195-patched-after-being-deployed-in-live-attacks-509494.shtml#ixzz4NhdJuqHL
Tomi Engdahl says:
CVE-2016-5195
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5195
Tomi Engdahl says:
“Dirty COW” Linux Kernel Exploit Seen in the Wild
http://www.securityweek.com/dirty-cow-linux-kernel-flaw-exploit-seen-wild
A new Linux kernel vulnerability disclosed on Wednesday allows an unprivileged local attacker to escalate their privileges on a targeted system. Red Hat said it was aware of an exploit in the wild.
The vulnerability, discovered by Phil Oester, was sarcastically dubbed by some people “Dirty COW” due to the fact that it’s caused by a race condition in the way the Linux kernel’s memory subsystem handles copy-on-write (COW) breakage of private read-only memory mappings.
The security hole, tracked as CVE-2016-5195, allows local attackers to escalate their privileges on the targeted system by modifying existing setuid files, Red Had said in its advisory.
“An unprivileged local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system,” the company explained.
Red Hat, which classified the flaw as “important,”
An increasing number of vulnerabilities have been branded since the discovery of Heartbleed. While some believe that branding a flaw could have a positive impact, others are concerned that branding even low-risk issues could lead to companies ignoring the vulnerabilities that really matter.
The people who created the Dirty COW website, logo and Twitter account have admitted that this vulnerability is not as serious as others and they claim to have branded it to make fun of branded flaws. They even created a shop that sells “Dirty COW” mugs and t-shirts for thousands of dollars.
Tomi Engdahl says:
Linux exploit gives any user full access in five seconds
The bug was first spotted by Linus Torvalds 11 years ago, but never patched.
https://www.engadget.com/2016/10/24/linux-exploit-gives-any-user-full-access-in-five-seconds/
If you need another reason to be paranoid about network security, a serious exploit that attacks a nine-year-old Linux kernel flaw is now in the wild. The researcher who found it, Phil Oester, told V3 that the attack is “trivial to execute, never fails and has probably been around for years.” Because of its complexity, he was only able to detect it because he had been “capturing all inbound HTTP traffic and was able to extract the exploit and test it out in a sandbox,” Oester said.
The kernel flaw (CVE-2016-5195) is an 11-year-old bug that Linus Tovalds himself tried to patch once. His work, unfortunately, was undone by another fix several years later, so Oester figures it’s been around since 2007. The problem is that the Linux kernel’s memory system can break during certain memory operations, according to Red Hat. “An unprivileged local user could use this flaw to gain write access … and thus increase their privileges on the system.”
In other words, it can be used to get root server access, which is a terrible thing for the internet. Though it’s primarily an attack for users that already have an account on a server, it could potentially be exploited on a Linux machine that lets you execute a file — something that’s common for online servers.
Torvalds points out that the race condition flaw used to be “purely theoretical,” but is now easier to trigger thanks to improved VM tech.
Tomi Engdahl says:
Linux fresh bug also works on Android
Last week reported a decade linux kernel code involved in the bug, which has been used for a long time. It is about the vulnerability in CVE-2016-5195. Its discoverers named the problem of “dirty a cow” (Dirty COW). Now, the security firm Sophos reports that the vulnerability is also included in Android.
It is not very critical vulnerability based on the user’s point of view. It does not allow malicious code to perform themselves, but allow elevation of privilege, ie the so-called. escalation.
Since the bottom of the Android Linux kernel, the problem is also included in all Android mobile phones that have not been updated to the latest kernel version. This must currently apply to all Andrdoi-smart phones.
Sophos according to the vulnerability of Android means that an attacker can get the applications to open the root-level privileges
Source: http://etn.fi/index.php?option=com_content&view=article&id=5287:linuxin-tuore-bugi-toimii-myos-androidissa&catid=13&Itemid=101
Tomi Engdahl says:
Linux exploit gives any user full access in five seconds
The bug was first spotted by Linus Torvalds 11 years ago, but never patched.
https://www.engadget.com/2016/10/24/linux-exploit-gives-any-user-full-access-in-five-seconds/
Tomi Engdahl says:
Docker user? Haven’t patched Dirty COW yet? Got bad news for you
Repeat after me, containerization isn’t protection, it’s a management feature
http://www.theregister.co.uk/2016/11/01/docker_user_havent_patched_dirty_cow_yet_bad_news/
Here’s another reason to pay attention to patching your Linux systems against the Dirty COW vulnerability: it can be used to escape Docker containers.
That news comes from Paranoid Software’s Gabriel Lawrence, who describes the escape here.
Dirty COW is a race condition in Linux arising from how Copy-On-Write (the COW in the name) is handled by the kernel’s memory subsystem’s use of private mappings.
Lawrence writes: “more interesting to me than a local privilege escalation, this is a bug in the Linux kernel, containers such as Docker won’t save us.”
Dirty COW – (CVE-2016-5195) – Docker Container Escape
https://blog.paranoidsoftware.com/dirty-cow-cve-2016-5195-docker-container-escape/
Tomi Engdahl says:
Containers Can’t Fence Dirty COW Vulnerability
http://www.securityweek.com/containers-cant-fence-dirty-cow-vulnerability
The Dirty COW vulnerability in the Linux kernel that was revealed late last month can’t be mitigated with the help of containers, security researchers have discovered.
The flaw (CVE-2016-5195) relies on a race condition in the kernel, between the operation that performs writes to copy-on-write (COW) memory mappings, and the one that continuously disposes of that memory. When the race condition appears, the kernel might end up writing data to read-only memory mapping, instead of making a private copy first.
Proof of concept (POC) exploit codes that leverage the vulnerability have already started to emerge, including some targeted at Android devices. These POCs revealed that one can write to read-only files, and that root access could be achieved, and even how to break out of a container.
Aqua’s Sagie Dulce explains that even users with root privileges shouldn’t have write access to a mapped read-only volume in a container, let alone a non-root user. However, Dirty COW makes it possible for data on the host to be manipulated from within the container.
Dirty COW Vulnerability: Impact on Containers
http://blog.aquasec.com/dirty-cow-vulnerability-impact-on-containers
There has been plenty of buzz lately regarding an old-new privilege escalation vulnerability, adorably named “Dirty COW” after the Copy-On-Write memory protection in the Linux kernel. The whole thing started roughly eleven years ago, when a kernel developer left a race condition issue opened: “This is an ancient bug that was actually attempted to be fixed once (badly) by me eleven years ago”. The bug was eventually committed on October 18th 2016, and was quickly reported a day later as CVE-2016-5195. Shortly after, many public proof-of-concept codes popped up, demonstrating how one can write to readonly files, gain root access or even break out of a container.
In the wild, many proof-of-concept exploit codes have begun to pop up. They offer various flavors of privilege escalation techniques, such as patching an SUID file, writing shellcode to shared objects in memory etc. To be able to perform the exploit, the process must access its memory. It does so by either calling ptrace (which requires the SYS_PTRACE capability) or by opening its own memory like a “file” via /proc/self/mem. Because the SYS_PTRACE approach is less usable in containers (this capability is not added to containers by default), we will focus on the /proc/self/mem POCs and see if they pose any threat in containerized environments.
Tomi Engdahl says:
Google Washes Dirty COW From Android
http://www.securityweek.com/google-washes-dirty-cow-android
Google’s Android Security Bulletin for November 2016 patched a total of 83 vulnerabilities in the operating system, one of which was the Dirty COW flaw in Linux kernel that was disclosed a few weeks back.
Tracked as CVE-2016-5195, the bug was found to impact Android devices as well, and security researchers even published exploit codes to prove that. The Dirty COW vulnerability could be exploited to gain root access on affected Android products, and all devices running a Linux kernel higher than 2.6.22 are believed to be affected by the issue, especially with many of them not being patched in due time.
Only a few weeks after the flaw was publicly disclosed, Google released a patch for it as part of the Android Security Bulletin for November 2016, which came out on Monday. According to Google, the vulnerability is resolved on devices running the security patch level of 2016-11-06, which was the third security patch level in the new set of updates.
In its advisory, Google described the vulnerability as an elevation of privilege vulnerability in the kernel memory subsystem, explaining that it could be leveraged by a local malicious application to execute arbitrary code within the context of the kernel. The bug was rated Critical because it could lead to a local permanent device compromise, supposedly requiring a reflash of the operating system to repair the device.
Tomi Engdahl says:
Google “kind of fixed” dirty cow
In October, reported a decade linux kernel code involved in the bug, which has been used for a long time. The problem also touched on Android and Google – now indicates the position at Dirty Dirty Cow COW) vulnerability.
Since the bottom of the Android Linux kernel, the problem was also included in all Android mobile phones that have not been updated to the latest kernel version. This was the most Andrdoid-smart phones.
On Monday, Google announced the launch of the latest version of Android. 7.1.1-release, came with more than 50 security patch, which Google will be critical to eleven. One of the adjustments relates specifically to Dirty Cow
Of course, the correction does not protect against most of the Android devices. The vast majority of smartphones works in older versions of Android.
Source: http://etn.fi/index.php?option=com_content&view=article&id=5538:google-tavallaan-paikkasi-likaisen-lehman&catid=13&Itemid=101
Tomi Engdahl says:
Researchers Devise New Dirty COW Attack Against Android
http://www.securityweek.com/researchers-devise-new-dirty-cow-attack-against-android
A newly discovered attack that abuses the Dirty COW vulnerability in the Linux kernel can be leveraged to write malicious code directly into processes, Trend Micro security researchers say.
Tracked as CVE-2016-5195 and discovered by Phil Oester, Dirty COW allows a local, unprivileged attacker to escalate their privileges by modifying existing setuid files. The flaw gets its name from relying on a race condition in the kernel between the operation that writes to copy-on-write (COW) memory mappings and the one that clears that memory, and it can even escape containers.
Found in Linux kernel, the vulnerability was expected to impact Android as well, and it didn’t take long before security researchers discovered that it would allow an attacker to gain root access targeted devices. Google already rolled out a fix for Nexus and Pixel products, and all Android devices running a security patch level of 2016-11-06 are safe from Dirty COW.
Now, Trend Micro researchers say that Dirty COW can be triggered in a manner that is different from existing attacks and which allows for malicious code to be directly written into processes.
“Once run, Dirty COW is exploited to steal information and change system settings (in this case, get the phone’s location, turn on Bluetooth and the Wi-Fi hotspot). It is also used to silently install an app onto the device, even if it is set not to accept apps from sources outside the Google Play store,” the security researchers explain.
Proof of Concept of New Dirty Cow Attack
https://www.youtube.com/watch?v=gupelQZrcow
This video demonstrates a new variant of the already known Dirty Cow attack. An app is able to turn on/off Bluetooth, Internet sharing, as well as download and install a separate app.
Tomi Engdahl says:
Hacker Holiday Havoc
http://www.securityweek.com/hacker-holiday-havoc
It’s that time of year again…when consumers, retailers and manufacturers need to understand and be alert to the latest cyber attacks that threaten to dampen the spirit and excitement of the holidays. This year we’re seeing two twists on some tried and true tactics that are cause for concern among the online gaming industry and retailers.
Gaming industry and DDoS
The use of botnets comprised of compromised IoT devices (cameras, DVRs, routers or other internet-connected hardware) is not a new development. But the recently discovered Mirai malware involved in attacks that targeted Krebs on Security, the French Internet Service Provider OVH, DynDNS and a mobile telecommunications provider in Liberia, have been some of the largest distributed denial of service (DDoS) attacks measured to date.
These attacks highlight the inherent vulnerability of basing network infrastructure around centralized DNS providers and the potential power of large IoT botnets to enable low capability actors to launch high impact attacks. Mirai spreads by scanning for IoT devices operating Telnet – a network protocol that allows a user on one computer to log onto another computer that is part of the same network – and then uses the default credentials in an attempt to brute-force access to the device.
Here are a few tips for how the gaming industry can protect itself and its customers:
• Change access credentials for devices and implement complex passwords.
• Evaluate your dependence on DNS, specifically for your most critical domains, and investigate the use of multiple DNS providers.
• Develop a DDoS process and review monitoring capabilities; to minimize downtime it is important to quickly identify the attack, characterize the attack traffic and take the appropriate action.
• Consider disabling all remote access to devices and perform administrative tasks internally – instead of Telnet, FTP and HTTP, use SSH, SFTP and HTTPS.
FastPOS malware aimed at retailers
POS malware is clearly under active development. To prevent and mitigate damage from such attacks retailers can:
• Conduct audits, penetration testing, assessments and red teaming exercises to understand your risk posture and attack surface.
• Consider PoS systems and networks as vital extensions of your enterprise environments; the technology that is used to protect the enterprise should be leveraged on PoS systems and networks where possible and, if not possible, comparable alternates should be sought out.
• Adopt technologies that are becoming more commonplace, such as chip and pin.
• Share intelligence with peers, for example in the form of an ISAC, for the betterment of the industry.
Tomi Engdahl says:
Dirty Cow vulnerability discovered in Android malware campaign for the first time
http://www.zdnet.com/article/dirty-cow-vulnerability-discovered-in-android-malware-campaign-for-the-first-time/
The bug has been found in malware designed to root and install backdoors into Android handsets.
For the first time, threat actors have added the Dirty Cow Android exploit to malware designed to compromise devices running on the mobile platform.
On Monday, researchers from Trend Micro said the vulnerability, traced as CVE-2016-5195, has been discovered in a malware sample of ZNIU — detected as AndroidOS_ZNIU — and this is the first malware sample to contain an exploit for the flaw.
Dirty Cow was publicly disclosed back in 2016. The vulnerability has been present in the kernel and Linux distributions for years and permits attackers to escalate to root privileges through a race condition bug, gain access to read-only memory, and permit remote attacks.
“Dirty COW attacks on Android has been silent since its discovery, perhaps because it took attackers some time to build a stable exploit for major devices,” the company said.
In a blog post, Trend Micro researchers Jason Gu, Veo Zhang, and Seven Shen said ZNIU was present in at least 40 countries last month, with the majority of victims found in China and India.
Individuals in the US, Japan, Canada, and Germany, among others, have also been targeted.
ZNIU: First Android Malware to Exploit Dirty COW Vulnerability
Posted on:September 25, 2017 at 5:00 am
Posted in:Bad Sites, Malware, Mobile, Vulnerabilities
Author: Mobile Threat Response Team
By Jason Gu, Veo Zhang, and Seven Shen
http://blog.trendmicro.com/trendlabs-security-intelligence/zniu-first-android-malware-exploit-dirty-cow-vulnerability/
Tomi Engdahl says:
Patch of Dirty COW Vulnerability Incomplete, Researchers Claim
http://www.securityweek.com/patch-dirty-cow-vulnerability-incomplete-researchers-claim
The “Dirty COW” vulnerability (CVE-2016–5195) discovered last year in Linux was incompletely patched, Bindecy researchers say.
The vulnerability was found to be caused by a race condition in the way the Linux kernel’s memory subsystem handles copy-on-write (COW) breakage of private read-only memory mappings. Discovered by Phil Oester, the bug could allow an unprivileged local attacker to escalate their privileges on a targeted system.
The vulnerability was found to impact Android as well, and could even escape containers. Soon after Google released a patch for the vulnerability, however, new attacks exploiting Dirty COW on Android were devised.
The most recent malware family to exploit the issue was observed in September of this year.
Although Dirty COW was one of the most hyped and branded vulnerabilities published, with every Linux version from the last decade affected, including Android, being vulnerable, the patch released for it stirred far little interest, Bindecy says. Because of that, over a year has passed since the patch was released, and no one noticed it was incomplete.
The original vulnerability impacted the get_user_pages function
the bug would allow writing to the read-only privileged version of a page.
The fix for the vulnerability doesn’t reduce the requested permissions.
The problem, the security researchers say, is that the patch “assumes that the read-only privileged copy of a page will never have a PTE pointing to it with the dirty bit on.”
“Huge Dirty COW” (CVE-2017–1000405)
The incomplete Dirty COW patch
https://medium.com/bindecy/huge-dirty-cow-cve-2017-1000405-110eca132de0