Dirty COW

Dirty COW (''Dirty copy-on-write'') is a computer security vulnerability of the Linux kernel that affected all Linux-based operating systems, including Android devices, that used older versions of the Linux kernel created before 2018. It is a local privilege escalation bug that exploits a race condition in the implementation of the copy-on-write mechanism in the kernel's memory-management subsystem. Computers and devices that still use the older kernels remain vulnerable. The vulnerability was discovered by Phil Oester. Because of the race condition, with the right timing, a local attacker can exploit the copy-on-write mechanism to turn a read-only mapping of a file into a writable mapping. Although it is a local privilege escalation, remote attackers can use it in conjunction with other exploits that allow remote execution of non-privileged code to achieve remote root access on a computer. The attack itself does not leave traces in the system log. The vulnerability has the Common Vulnerabilities and Exposures designation CVE-2016-5195. Dirty COW was one of the first security issues transparently fixed in Ubuntu by the Canonical Livepatch service. It has been demonstrated that the vulnerability can be utilized to root any Android device up to (and excluding) Android version 7 (Nougat).
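The guarantee that Dirty COW breaks is easy to see in working code. The example below is added here and is not part of the original article: it creates a read-only file, maps it MAP_PRIVATE with write permission, writes through the mapping, and then re-reads the file. On a correctly behaving (patched) kernel the write lands in a private copy of the page and the file on disk is untouched, which is exactly the copy-on-write behaviour that the race condition subverted. The file contents and the function name are constructed for the example; it needs a Unix mmap implementation.

```python
"""Show copy-on-write semantics of a MAP_PRIVATE mapping of a read-only file.

Added example, not code from the article.  On a patched kernel a write through
a private mapping must go to a private anonymous copy of the page and never
reach the file itself; Dirty COW broke exactly this guarantee.  Unix only.
"""
import mmap
import os
import tempfile

# Constructed sample content for the temporary file.
SAMPLE = b"hello, read-only world\n"


def private_write_leaves_file_intact(original: bytes = SAMPLE) -> dict:
    """Write through a private mapping of a read-only file and re-read the file.

    Returns the bytes visible through the mapping after the write, the bytes
    that actually remain on disk, and whether the file is unchanged.
    """
    fd, path = tempfile.mkstemp()
    try:
        os.write(fd, original)
        os.close(fd)
        os.chmod(path, 0o444)                       # read-only, like a system file

        ro_fd = os.open(path, os.O_RDONLY)          # opened without write permission
        try:
            # PROT_WRITE on a read-only descriptor is legal only because the
            # mapping is MAP_PRIVATE: the kernel promises that writes are
            # diverted to a private copy (copy-on-write) rather than the file.
            m = mmap.mmap(ro_fd, 0, flags=mmap.MAP_PRIVATE,
                          prot=mmap.PROT_READ | mmap.PROT_WRITE)
            try:
                m[:4] = b"evil"                     # triggers the COW page fault
                seen_via_mapping = m[:len(original)]
            finally:
                m.close()
        finally:
            os.close(ro_fd)

        with open(path, "rb") as f:
            on_disk = f.read()
    finally:
        os.unlink(path)

    return {
        "mapping": seen_via_mapping,
        "file": on_disk,
        "file_unchanged": on_disk == original,
    }


if __name__ == "__main__":
    result = private_write_leaves_file_intact()
    print("seen through mapping:", result["mapping"])
    print("still on disk:       ", result["file"])
    print("file unchanged:", result["file_unchanged"])
```

The mapping shows the modified bytes while the file keeps its original content; that divergence is the private copy doing its job. A kernel affected by CVE-2016-5195 could, under the race the article describes, let such a write reach the page cache and therefore the file, despite the descriptor being read-only.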


History

The vulnerability has existed in the Linux kernel since version 2.6.22, released in September 2007, and there are reports of it being actively exploited since at least October 2016. The vulnerability has been patched in Linux kernel versions 4.8.3, 4.7.9, 4.4.26 and newer. The patch produced in 2016 did not fully address the issue, and a revised patch was released on November 27, 2017, before public dissemination of the vulnerability.


Applications

The Dirty COW vulnerability has many perceived use cases, including proven examples such as obtaining root permissions on Android devices, as well as several speculated ones. Many binaries on a Linux system are read-only for ordinary users and can only be modified or written to by a user with higher permissions, such as root. When privileges are escalated, whether by genuine or malicious means – such as by using the Dirty COW exploit – the user can modify normally unmodifiable binaries and files. If a malicious individual could use the Dirty COW vulnerability to escalate their permissions, they could change a file such as /bin/bash so that it performs additional, unexpected functions, such as a keylogger. When a user starts a program which has been infected, they inadvertently allow the malicious code to run. If the exploit targets a program which is run with root privileges, the injected code will have those same privileges.


Remedies and recourse

At the time of its discovery, anyone using a machine running Linux was susceptible to the exploit. There is no preventative workaround; the only remedy is to apply a patch or to run a newer kernel version which is no longer vulnerable. Linus Torvalds committed a patch on October 18, 2016, acknowledging that it was an old vulnerability he had attempted to fix eleven years earlier. Some distributors provide patches, such as Canonical, who provided a live patch. In the absence of a patch there are a few mitigation options, including SystemTap scripts, while SELinux or AppArmor offer very little protection. Antivirus software has the potential to detect elevated-permission attacks, but it cannot prevent the attack. When given the opportunity, the safest route is to upgrade the Linux kernel to a patched version (4.8.3, 4.7.9, 4.4.26 or newer, as listed under History).
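Since the only real remedy is a patched kernel, the first thing an administrator wants is a quick triage of which kernels are in scope. The following script is an added example, not part of the article or of any vendor tooling: it classifies a `uname -r` string against the fixed releases the article lists (4.8.3, 4.7.9, 4.4.26) and the introduction point (2.6.22). The function names, the status labels and the sample version strings are this example's own. The important caveat is also encoded in the result: distributions routinely backport security fixes without changing the upstream version number, so a "vulnerable" answer means "confirm against the vendor advisory", not "confirmed exploitable".

```python
"""Triage a kernel release string against the Dirty COW fixed versions.

Added example, not from the article.  Fixed releases 4.8.3, 4.7.9, 4.4.26 and
the introducing release 2.6.22 are taken from the article; the classification
logic and the labels are this example's own.  Version numbers alone cannot
detect a backported fix, so 'vulnerable' here means 'check the distribution
advisory for CVE-2016-5195', not 'confirmed vulnerable'.
"""
import platform
import re

# Stable series -> first release of that series carrying the fix (from the article).
FIXED_IN = {
    (4, 8): (4, 8, 3),
    (4, 7): (4, 7, 9),
    (4, 4): (4, 4, 26),
}
# Release in which the bug first appeared (from the article).
INTRODUCED = (2, 6, 22)


def parse_kernel_version(release: str) -> tuple:
    """Reduce a `uname -r` string such as '4.4.0-210-generic' to (major, minor, patch)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def dirty_cow_status(release: str) -> str:
    """Classify a release by upstream version number only.

    Returns one of:
      'predates-bug' - older than 2.6.22, the bug is not present
      'fixed'        - at or after the first fixed release of its series, or a
                       series newer than every series listed in FIXED_IN
      'vulnerable'   - below the fix for its series (may still be safe if the
                       distribution backported the patch)
      'unknown'      - series between 2.6.22 and 4.4 with no fixed release
                       listed in the article; consult the vendor advisory
    """
    v = parse_kernel_version(release)
    if v < INTRODUCED:
        return "predates-bug"
    series = v[:2]
    if series in FIXED_IN:
        return "fixed" if v >= FIXED_IN[series] else "vulnerable"
    if series > max(FIXED_IN):
        return "fixed"
    return "unknown"


def running_kernel_status() -> tuple:
    """Return (release string, status) for the kernel this script runs on."""
    release = platform.release()
    return release, dirty_cow_status(release)


if __name__ == "__main__":
    # Constructed sample strings in the shape `uname -r` produces.
    for sample in ["4.4.0-210-generic", "4.4.26", "4.8.2", "5.10.0-8-amd64",
                   "2.6.18-398.el5", "3.10.0-327.el7"]:
        print(f"{sample:20s} -> {dirty_cow_status(sample)}")
    print("this host:", running_kernel_status())
```

A distribution kernel whose upstream base is 4.4.0 but which received the backported fix will be reported as "vulnerable" by this check; that is the false positive the docstring warns about, and it is why the output should be read as a worklist for checking package versions against the distribution's CVE-2016-5195 advisory rather than as a verdict.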


External links


CVE-2016-5195 at Red Hat

CVE-2016-5195 at SUSE