Apart from some currently powered down kit I need to remember to fix later (a couple of NUCs running Ubuntu 16.04 LTS, some Raspberry Pis) I've a desktop and a laptop both running Fedora 24.
The goal of this post is to gather the essential information so that you can quickly check if you have the vulnerability and how to patch it.
What is the Dirty COW vulnerability
It's a serious linux kernel flaw, ably described in this excellent blog post "Dirty COW - (CVE-2016-5195) - Docker Container Escape".
This blog post details how to fix the vulnerability on several Operating Systems, this may be all you need but I propose we check before/after if the vulnerability is present.
This page lists several POCs (Proof of Concept) of the exploit.
Trying the dirtyc0w.c POC, raw C code is here.
Create a temporary directory, e.g. /tmp/dirtycow
$ mkdir /tmp/dirtycowCopy/paste that code into a file named dirtyc0w.c
$ cd /tmp/dirtycow
Then follow the instructions" in that file, reproduced here:
Change to the root use and create a test file foo, then exit this root shell.
$ sudo -sNow as a normal user, list the file
# echo this is not a test > foo
# chmod 0404 foo
# exit
Note that this file is readable but no one can write to the file, normally ...
$ ls -lah foo
-r-----r-- 1 root root 19 Oct 20 15:23 foo
$ cat foo
this is not a test
Now we will build and run the dirtyc0w proof of concept as follows:
$ gcc -pthread dirtyc0w.c -o dirtyc0w
$ ./dirtyc0w foo m00000000000000000
mmap 56123000
madvise 0
procselfmem 1800000000
$ cat foo
m00000000000000000
Note that running our executable as a normal user allowed us to exploit this bug and overwrite a file for which we don't have access rights. We're vulnerable ...
Fixing the vulnerability
Well hopefully just performing an OS update, e.g. as described in the same blog post referred to earlier wll fix the problem and this post will not go further except to cover my case, Fedora 24.
In my case I was running an "old" Linux kernel 4.7.6 where this bug report, Bug 1384344, at comment #43 informs us that the fix is available in kernel 4.8.4.
Of course all that's needed on Fedora 24 now is to perform a standard OS update using
sudo dnf update
But dont' forget to reboot !!
Then retry the above vulnerability check - no need to recompile, but you need to regenerate an initial file foo with known contents before running the check.
OK, time to get back to work, it's one of those Saturdays of following the rabbit down the hole ...
No comments:
Post a Comment