Saturday 12 November 2016

Dirty Cow and Slackware


Dirty Cow, or CVE-2016-5195, is a formidable exploit. It works on most Linux versions, including Android. Here is a news article for easier reading.

I downloaded the exploit here and followed the instructions in dirtyc0w.c:

####################### dirtyc0w.c #######################
$ sudo -s
# echo this is not a test > foo
# chmod 0404 foo
$ ls -lah foo
-r-----r-- 1 root root 19 Oct 20 15:23 foo
$ cat foo
this is not a test
$ gcc -pthread dirtyc0w.c -o dirtyc0w
$ ./dirtyc0w foo m00000000000000000
mmap 56123000
madvise 0
procselfmem 1800000000
$ cat foo
m00000000000000000
####################### dirtyc0w.c #######################

Compiling the program was no trouble:

~/dirtycow/dirtycow.github.io-master$gcc -pthread dirtyc0w.c -o dirtyc0w

Setting up for the exploit. Use your root account:

/home/heong/dirtycow/dirtycow.github.io-master$echo 'This is not a test' > foo
/home/heong/dirtycow/dirtycow.github.io-master$chmod 0404 foo
/home/heong/dirtycow/dirtycow.github.io-master$ls -lah foo
-r-----r-- 1 root root 19 Nov 13 12:46 foo
/home/heong/dirtycow/dirtycow.github.io-master$cat foo
This is not a test
/home/heong/dirtycow/dirtycow.github.io-master$exit
exit
~/dirtycow/dirtycow.github.io-master$cat foo
This is not a test

And the attack worked when run as a non-root user:

~/dirtycow/dirtycow.github.io-master$./dirtyc0w foo youdirtycow
mmap 7fd267f8f000
madvise 0
procselfmem 1100000000
~/dirtycow/dirtycow.github.io-master$cat foo
youdirtycow a test

Worse, it worked on the kernel I was running at the time, 4.6.2. This called for a new kernel; the newest stable kernel was 4.8.7:

$rm /usr/src/linux
$ln -s /home/heong/Linux/linux-4.8.7 /usr/src/linux
$cd /usr/src/linux
/usr/src/linux$cp -ap /home/heong/Linux/linux-4.6.2/.config .
/usr/src/linux$make oldconfig
/usr/src/linux$make -j20 bzImage
/usr/src/linux$make -j20 modules
/usr/src/linux$make modules_install

Now copy the new kernel to the boot directory to be loaded:
/usr/src/linux$cp .config /boot/config
/usr/src/linux$cp System.map /boot/
/usr/src/linux$cp -a arch/x86/boot/bzImage /boot/
/usr/src/linux$liloconfig

Reboot the laptop:
/usr/src/linux$reboot

Again setting up for test as root:

/home/heong/dirtycow/dirtycow.github.io-master$echo 'This is not a test' > foo
/home/heong/dirtycow/dirtycow.github.io-master$chmod 0404 foo
/home/heong/dirtycow/dirtycow.github.io-master$exit
exit
~/dirtycow/dirtycow.github.io-master$cat foo
This is not a test
~/dirtycow/dirtycow.github.io-master$ls -lah foo
-r-----r-- 1 heong users 19 Nov 13 15:21 foo

Now Dirty Cow is rebuffed:

~/dirtycow/dirtycow.github.io-master$./dirtyc0w foo thishadbetterwork
mmap 7f695f9c7000
madvise 0
procselfmem 1700000000
~/dirtycow/dirtycow.github.io-master$cat foo
This is not a test

Now I only have to upgrade every Linux computer I own ... :7(

Monday 20 June 2016

Building Docker for Slackware 14.1

I was learning Docker, and a quick way to get started was to use Ubuntu to install and run it. Since I already had Slackware installed, I had to install Ubuntu into a Qemu/KVM virtual machine.

And it worked well while I was at home with my Acer Aspire F15 tethered to the Internet gateway via copper LAN, because I have yet to figure out how to get qemu networking running over my WiFi connection. When travelling, I needed the Aspire F15 to host Docker directly. This meant a Slackware installation of Docker, which is not directly supported.

A good place to look is the SlackBuild docker repository. It requires you to install the Google Go language first, which is really quite simple: you download the two tarballs and unpack the first one:

tar -xvpf google-go-lang.tar.gz

This generates a sub-directory google-go-lang. Go in there and copy the other tarball (go1.4.3.src.tar.gz) over. Then log in as root and run the SlackBuild:

./google-go-lang.SlackBuild

It should generate a tgz file like this one:

/tmp/google-go-lang-1.4.3-x86_64-1_SBo.tgz

And you just install it in your Slackware 14.1 thus:

upgradepkg --install-new /tmp/google-go-lang-1.4.3-x86_64-1_SBo.tgz

Now for Docker proper, and you might have guessed:
tar -xvpf docker.tar.gz
cp -a ../docker-1.8.2.tar.gz .
./docker.SlackBuild
upgradepkg --install-new /tmp/docker-1.8.2-x86_64-1_SBo.tgz

You start Docker with the script rc.docker:
/etc/rc.d/rc.docker start

And it responds with:
starting docker ...

You then test Docker with (first make sure you are connected to the Internet):
docker run hello-world

I would expect Docker to barf, and if you look in its log file:
cat /var/log/docker.log

You might get something like:

time="2016-06-13T17:54:15.002086000+08:00" level=fatal msg="Error starting daemon: error initializing graphdriver: Error running DeviceCreate (CreatePool) dm_task_run failed"

This is because Slackware 14.1 uses the 3.10.17 Linux kernel, and Docker needs a more recent kernel. I went for the latest stable version of Linux, 4.6.2, as even the 4.4.13 kernel in the current version of Slackware was not good enough.

So all we need to do is compile the latest kernel, which should be a doddle in Slackware. Warning: the following steps can result in a non-bootable computer. If done on a smartphone or tablet it can brick your device.

Download your kernel from www.kernel.org into your /usr/src/ directory. Unpack it the usual way:

tar -xvpf linux-4.6.2.tar.xz

Remove the symbolic link to your old kernel (no trailing slash after 'linux', or rm -r will descend into the old source tree instead of removing the link):
rm -r linux

And set the new version:

ln -s /home/heong/Linux/linux-4.6.2 linux

Now you need the kernel config file from your Slackware DVD (mind the '.' in .config):

mount -t iso9660 /dev/dvd /mnt/dvd
cp /mnt/dvd/kernels/huge.s linux/.config

Now jump into your linux directory:
cd linux/
make oldconfig

A whole bunch of options come up. You are encouraged to read through them, but it is quite safe to use the default settings. After 20 years of Slackware kernel compiles, I usually hold down the 'Enter' key until the program finishes.

Then for the big moment:
make -j 10 bzImage

And when that succeeds,
make -j 10 modules

Then install the modules:
make modules_install
Now you need to tell the Slackware loader to use the new kernel.

cp .config /boot/config
cp System.map /boot/
cp -a arch/x86/boot/bzImage /boot/

Next you edit /etc/lilo.conf and add the following lines at the bottom:
image = /boot/bzImage
root = /dev/sda3
label = docker
read-only

Save and exit, and run liloconfig:

liloconfig

Be sure to select 'expert: Use expert lilo.conf setup menu', and later 'Recycle: Reinstall LILO using the existing lilo.conf'.
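The kernel install and LILO steps above, and the same steps in the Dirty Cow post further up, are collected here as an added example (not code from this blog): a POSIX shell script that keeps a .old copy of whatever it replaces in /boot and appends the lilo.conf stanza only once, so a kernel that fails to boot still leaves the previous one selectable. The script name, the parameter order and the root device are assumptions; adjust them to your own layout.

```shell
#!/bin/sh
# Added example, not from the post: install a freshly built kernel the way the
# post does, keeping a .old copy of whatever is replaced in /boot and adding the
# LILO stanza only once. Paths are parameters so it can be rehearsed in a
# scratch directory before touching the real /boot.
set -eu

# install_kernel SRC BOOT: copy bzImage, System.map and .config from the built
# tree SRC into BOOT, renaming any existing copy to <name>.old first so the
# previous kernel survives as a fallback.
install_kernel() {
    src=$1; boot=$2
    for f in "$src/arch/x86/boot/bzImage" "$src/System.map" "$src/.config"; do
        [ -f "$f" ] || { echo "missing $f: did the build finish?" >&2; return 1; }
    done
    for f in bzImage System.map config; do
        [ ! -e "$boot/$f" ] || mv "$boot/$f" "$boot/$f.old"
    done
    cp -a "$src/arch/x86/boot/bzImage" "$boot/bzImage"
    cp "$src/System.map" "$boot/System.map"
    cp "$src/.config" "$boot/config"
}

# add_lilo_entry CONF LABEL IMAGE ROOTDEV: append the stanza from the post
# (image/root/label/read-only) unless a stanza with this label is already
# there, so re-running after a rebuild does not duplicate boot entries.
add_lilo_entry() {
    conf=$1; label=$2; image=$3; rootdev=$4
    if grep -q "^label = $label\$" "$conf"; then
        echo "lilo.conf already has label $label, leaving it alone" >&2
        return 0
    fi
    printf 'image = %s\nroot = %s\nlabel = %s\nread-only\n' \
        "$image" "$rootdev" "$label" >> "$conf"
}

# Assumed invocation (script name and argument order are this example's own):
#   sh install-kernel.sh /usr/src/linux /boot /etc/lilo.conf docker /dev/sda3
if [ $# -eq 5 ]; then
    install_kernel "$1" "$2"
    add_lilo_entry "$3" "$4" "$2/bzImage" "$5"
    echo "done; now run lilo (or liloconfig -> expert -> Recycle) and reboot"
fi
```

Keep the original Slackware stanza in lilo.conf untouched; together with the .old copies it is what you boot from if the new kernel panics.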

When that finishes, unmount the Slackware DVD:
umount /mnt/dvd

Pop it out of the DVD tray and reboot your computer. At the boot screen, select your new kernel, 'docker'. Log in as root and re-run the Docker script:

/etc/rc.d/rc.docker start

Test your Docker:
docker run hello-world

Which should now reply:

Unable to find image 'hello-world:latest' locally
latest: Pulling from library/hello-world
f9d83caeda74: Pull complete 
2cc48731dfff: Pull complete 
Digest: sha256:ff215bfe287b986dba232bc82892d636b0e1b1c1ae42f779202caced61f6376b
Status: Downloaded newer image for hello-world:latest

Hello from Docker.
This message shows that your installation appears to be working correctly.

To generate this message, Docker took the following steps:
 1. The Docker client contacted the Docker daemon.
 2. The Docker daemon pulled the "hello-world" image from the Docker Hub.
 3. The Docker daemon created a new container from that image which runs the
    executable that produces the output you are currently reading.
 4. The Docker daemon streamed that output to the Docker client, which sent it
    to your terminal.

To try something more ambitious, you can run an Ubuntu container with:
 $ docker run -it ubuntu bash

Share images, automate workflows, and more with a free Docker Hub account:
 https://hub.docker.com

For more examples and ideas, visit:
 https://docs.docker.com/engine/userguide/

Happy slacking, and see you around the docker hub.

Thursday 16 June 2016

Defenestrating Acer Laptops

I have been buying Acer laptops/notebooks for personal use for some 10 years now. They are not the most robust laptops around, but hey, they are cheap and cheerful, especially if you defenestrate them. While it is possible to buy them without Windows pre-loaded, the higher-spec ones usually come with Windows.

The first thing to do is to re-size the main Windows partition. I use gparted (warning: back up your partition before you do this, as you may wipe it; personally, I get excited at the thought of doing irreparable damage to Windows). Next I load in a Linux distribution. I have been using Slackware since 1996, and while I have tried some of the others over the years (Red Hat, Debian, Ubuntu, and especially pre-Novell SuSE), Slackware remains my favorite.

You then boot up with the Slackware 14.1 DVD (I used 14.1-current, meaning the unstable version of 9 June 2016), and follow the instructions.

On the Acer Aspire F15 the touchpad 'right-click' no longer seems to work. This is because it has been changed to 'two finger double tap'. If at first the touchpad appears unresponsive, try the key sequence Fn-F7. You might also need to set the touchpad on legacy mode in the laptop BIOS.

I had mine upgraded to 16GB DRAM, and it passed its torture test, the Google Chromium browser SlackBuild, which it finished in less than 24 hours.

The Aspire F15 played 1080p Full HD video (Sistar's 'Give It to Me' on YouTube is a convenient test) right out of the box with no trouble. Its CPU also supports VT-x, which improves Qemu performance when running desktop applications. Windows looks a lot more harmless when secured in a Qemu virtual machine sandbox, doesn't it?

Aspire F15 running Slackware 14.1-current with KDE, and mplayer & qemu in the foreground