Saturday 29 October 2016

Dirty COW: Halloween Special


It's more than likely that you have already heard about the Dirty COW vulnerability. In this post, I will give you complete information about this topic that you won't find anywhere else. This is the Halloween Special!!!

Dirty COW is a serious computer security vulnerability in the Linux kernel. The GNU/Linux operating system is considered to be the most secure operating system, and indeed it is. But the Dirty COW vulnerability can kill all that security in about 5 seconds. It can be used to gain root access to the computer just by running a single line: a very small, non-interactive program.

Bonus: Dirty COW can be used to easily root all Android devices up to Android 7.

History of Dirty COW

Dirty COW has been around for about a decade; it has been lurking in the Linux kernel since version 2.6.22, which was released about nine years ago (September 2007). Fortunately, it became popular only in late 2016 and has been under active exploitation since October. Unfortunately, all major distros have patched the bug (ah, I mean fortunately).

There is some evidence which suggests that the bug was known to Linus Torvalds, the creator of Linux, but fixing the problem broke something else, so this very serious problem was ignored.

By the way, it is called Dirty because it really is dirty, and COW because it has to do with the kernel's copy-on-write mechanism. Read on to understand it completely, even if you are a Windows user.

How does it work?

To understand Dirty COW, you first need to understand how the Linux kernel manages memory. (Relax, it is very simple).

The kernel doesn't manipulate physical memory directly; instead it manipulates what is called virtual memory (for efficiency reasons).

Every program is allotted its own memory by the operating system. Suppose that in memory cell A a program, P, has stored the bits 111, and another program, Q, wants to store the same data (111). Instead of providing Q with another cell of memory, the Linux kernel gives it the same cell used by the first program (memory cell A). Now suppose Q wants to change 111 to 100. The kernel will make a copy of memory cell A, call it B, and will make Q point to B, which holds the data 100. Now P and Q have different data in different memory cells. This technique is known as Copy-on-Write, or COW for short.

Another thing you need to understand is the race condition. A race condition is an abnormal situation that arises when two or more processes (or threads) of a program, which are supposed to behave properly with respect to each other, don't: for example, the operation that should happen last happens before the one that should happen first.

One last thing you need to understand is the Dirty COW bug itself. This bug shows up when a program with multiple processes causes a race condition over and over again.

In this paragraph, I will finally explain how the Dirty COW exploit works. One process opens a read-only root-owned file, and the file gets loaded into virtual memory. Another process opens the same file. The first process advises the kernel that the file is no longer needed, while the other process tries to write to a copy of it (not the original, as it can't). This happens very rapidly and repeats in a loop until the bug has been exploited. The kernel, due to the bug, writes to the original file on the disk. The file written could be an executable, which could be modified to give root access to a normal user. This can be very, very dirty!
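The copy-on-write behaviour described above (a write to a shared page goes into a fresh private copy, never into the original file) can be observed directly, and it is exactly the invariant that the Dirty COW race breaks. The following C program is an added example, not code from this post or from cowroot: it maps a read-only file privately, writes through the mapping, and confirms that the change stayed in the private copy while the file on disk is untouched (this is what a correctly behaving kernel always shows; the example does not attempt the race). It assumes a writable /tmp for the constructed sample file.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Map `path` privately, write `patch` over its first bytes through the
 * mapping, and check where the write landed. Returns 1 if it stayed in the
 * process-private copy (disk untouched), 0 if it reached the file, -1 on error. */
int private_write_stays_private(const char *path, const char *patch)
{
    int fd = open(path, O_RDONLY);                 /* read-only file, as in the post */
    if (fd < 0) return -1;
    off_t len = lseek(fd, 0, SEEK_END);
    size_t n = strlen(patch);
    if (len <= 0 || (off_t)n > len) { close(fd); return -1; }
    /* PROT_WRITE + MAP_PRIVATE is legal on a read-only fd: the first write
     * faults and the kernel copies the page (cell A -> private cell B). */
    char *map = mmap(NULL, (size_t)len, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
    if (map == MAP_FAILED) { close(fd); return -1; }
    memcpy(map, patch, n);                         /* lands in our private copy */
    int copy_has_patch = memcmp(map, patch, n) == 0;
    munmap(map, (size_t)len);
    char disk[64] = {0};                           /* re-read the file from disk */
    ssize_t got = pread(fd, disk, sizeof disk - 1, 0);
    close(fd);
    if (got < (ssize_t)n) return -1;
    return copy_has_patch && memcmp(disk, patch, n) != 0;
}

/* Run the check on a constructed temp file; returns that check's result. */
int cow_demo(void)
{
    char path[] = "/tmp/cow_demo_XXXXXX";         /* constructed sample file */
    const char *text = "hello from the original file\n";
    int fd = mkstemp(path); if (fd < 0) return -1;
    ssize_t w = write(fd, text, strlen(text)); close(fd);
    int result = (w == (ssize_t)strlen(text)) ? private_write_stays_private(path, "PRIVATE") : -1;
    unlink(path);
    return result;
}

int main(void)
{
    int r = cow_demo();
    printf("write stayed in the private copy, disk untouched: %s\n", r == 1 ? "yes" : "no");
    return r == 1 ? 0 : 1;
}
```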


How to protect yourself?


1. Disconnect from all networks, as there are some exploits which allow any user on the same network to run non-root commands on your node.

2. Update the kernel.

3. If everything else fails, get the latest kernel from kernel.org and compile it manually.


How to exploit it?


You cannot exploit it much, as the news spread faster than fire and everyone patched up. Still, if you find a vulnerable kernel, you can do the following.

Note: This post is intended for educational purposes only. Be sure that you have the permission of the owner of the computer you will be trying to exploit. I highly discourage the use of this post in criminal activity.

cowroot is the name of the program which lets you do it. Just click on the link and see if you can get anything done. Again, I insist that this information not be used for malicious purposes.


I hope that you liked the post. Please drop a line to encourage the author to write more. If you have any advice, suggestions or questions, just tell me in the comments.
