Dirty COW

Dirty COW
CVE identifier(s)	CVE-2016-5195
Discoverer	Phil Oester
Affected software	Linux kernel (<4.8.3)

Last updated February 13, 2024

Dirty COW (Dirty copy-on-write) is a computer security vulnerability of the Linux kernel that affected all Linux-based operating systems, including Android devices, that used older versions of the Linux kernel created before 2018. It is a local privilege escalation bug that exploits a race condition in the implementation of the copy-on-write mechanism in the kernel's memory-management subsystem. Computers and devices that still use the older kernels remain vulnerable.

The vulnerability was discovered by Phil Oester.^[1]^[2] Because of the race condition, with the right timing, a local attacker can exploit the copy-on-write mechanism to turn a read-only mapping of a file into a writable mapping. Although it is a local privilege escalation, remote attackers can use it in conjunction with other exploits that allow remote execution of non-privileged code to achieve remote root access on a computer.^[1] The attack itself does not leave traces in the system log.^[2]

The vulnerability has the Common Vulnerabilities and Exposures designation CVE - 2016-5195.^[3] Dirty Cow was one of the first security issues transparently fixed in Ubuntu by the Canonical Live Patch service.^[4]

It has been demonstrated that the vulnerability can be utilized to root any Android device up to (and excluding) Android version 7 (Nougat).^[5]

History

The vulnerability has existed in the Linux kernel since version 2.6.22 released in September 2007, and there is information about it being actively exploited at least since October 2016.^[2] The vulnerability has been patched in Linux kernel versions 4.8.3, 4.7.9, 4.4.26 and newer.

The patch produced in 2016 did not fully address the issue and a revised patch was released on November 27, 2017, before public dissemination of the vulnerability. ^[6]

Applications

The Dirty COW vulnerability has many perceived use cases including proven examples, such as obtaining root permissions in Android devices, as well as several speculated implementations. There are many binaries used in Linux which are read-only, and can only be modified or written to by a user of higher permissions, such as the root. When privileges are escalated, whether by genuine or malicious means – such as by using the Dirty COW exploit – the user can modify usually unmodifiable binaries and files. If a malicious individual could use the Dirty COW vulnerability to escalate their permissions, they could change a file, such as /bin/bash , so that it performs additional, unexpected functions, such as a keylogger. When a user starts a program which has been infected, they will inadvertently allow the malicious code to run. If the exploit targets a program which is run with root privileges, the exploit will have those same privileges.

Remedies and recourse

At the dawn of its discovery, anyone using a machine running Linux was susceptible to the exploit. The exploit has no preventative work around, the only cure is a patch or running a newer version which is not vulnerable anymore. Linus Torvalds committed a patch on October 18, 2016, acknowledging that it was an old vulnerability he had attempted to fix eleven years prior.^[7] Some distributors provide patches, such as Canonical, who provided a live patch. In the absence of a patch, there are a few mitigation technologies including SystemTap, and very little security from SELinux or AppArmor. Antivirus software has the potential to detect elevated permissions attacks, but it cannot prevent the attack.^[8] When given the opportunity, the safest route is to upgrade the Linux kernel to the following versions:^[9]^[10]

Earliest kernel version fixed	Linux distribution that uses this
3.2.0-113.155	Ubuntu 12.04 LTS
3.13.0-100.147	Ubuntu 14.04 LTS (Linux Mint 17.1)
3.16.36-1+deb8u2	Debian 8
4.4.0-45.66	Ubuntu 16.04 LTS
4.8.0-26.28	Ubuntu 16.10
3.10.0-327.36.3	RHEL 7, CentOS 7
2.6.32-642.6.2	RHEL 6, CentOS 6
2.6.18-416	RHEL 5, CentOS 5
3.0.101-84.1	SLES 11 SP4
3.12.60-52.57.1	SLES 12 GA LTSS
3.12.62-60.64.8.2	SLES 12 SP1

Related Research Articles

A Linux distribution is an operating system made from a software collection that includes the Linux kernel and often a package management system. Linux users usually obtain their operating system by downloading one of the Linux distributions, which are available for a wide variety of systems ranging from embedded devices and personal computers to powerful supercomputers.

Security-Enhanced Linux (SELinux) is a Linux kernel security module that provides a mechanism for supporting access control security policies, including mandatory access controls (MAC).

Linux malware includes viruses, Trojans, worms and other types of malware that affect the Linux family of operating systems. Linux, Unix and other Unix-like computer operating systems are generally regarded as very well-protected against, but not immune to, computer viruses.

Uncontrolled format string is a type of code injection vulnerability discovered around 1989 that can be used in security exploits. Originally thought harmless, format string exploits can be used to crash a program or to execute harmful code. The problem stems from the use of unchecked user input as the format string parameter in certain C functions that perform formatting, such as printf . A malicious user may use the %s and %x format tokens, among others, to print data from the call stack or possibly other locations in memory. One may also write arbitrary data to arbitrary locations using the %n format token, which commands printf and similar functions to write the number of bytes formatted to an address stored on the stack.

In computing, a futex is a kernel system call that programmers can use to implement basic locking, or as a building block for higher-level locking abstractions such as semaphores and POSIX mutexes or condition variables.

Privilege escalation is the act of exploiting a bug, a design flaw, or a configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. The result is that an application with more privileges than intended by the application developer or system administrator can perform unauthorized actions.

In computer security, arbitrary code execution (ACE) is an attacker's ability to run any commands or code of the attacker's choice on a target machine or in a target process. An arbitrary code execution vulnerability is a security flaw in software or hardware allowing arbitrary code execution. A program that is designed to exploit such a vulnerability is called an arbitrary code execution exploit. The ability to trigger arbitrary code execution over a network is often referred to as remote code execution (RCE).

Przemysław Frasunek is a "white hat" hacker from Poland. He has been a frequent Bugtraq poster since late in the 1990s, noted for one of the first published successful software exploits for the format string bug class of attacks, just after the first exploit of the person using nickname tf8. Until that time the vulnerability was thought harmless. He serves as the CEO of Redge Technologies.

<span class="mw-page-title-main">Polkit</span> Component of UNIX systems

Polkit is a component for controlling system-wide privileges in Unix-like operating systems. It provides an organized way for non-privileged processes to communicate with privileged ones. Polkit allows a level of control of centralized system policy. It is developed and maintained by David Zeuthen from Red Hat and hosted by the freedesktop.org project. It is published as free software under the terms of version 2 of the GNU Lesser General Public License.

The Pwnie Awards recognize both excellence and incompetence in the field of information security. Winners are selected by a committee of security industry professionals from nominations collected from the information security community. Nominees are announced yearly at Summercon, and the awards themselves are presented at the Black Hat Security Conference.

Rooting is the process by which users of Android devices can attain privileged control over various subsystems of the device, usually smartphones. Because Android is based on a modified version of the Linux kernel, rooting an Android device gives similar access to administrative (superuser) permissions as on Linux or any other Unix-like operating system such as FreeBSD or macOS.

perf is a performance analyzing tool in Linux, available from Linux kernel version 2.6.31 in 2009. Userspace controlling utility, named perf, is accessed from the command line and provides a number of subcommands; it is capable of statistical profiling of the entire system.

The Intel Management Engine (ME), also known as the Intel Manageability Engine, is an autonomous subsystem that has been incorporated in virtually all of Intel's processor chipsets since 2008. It is located in the Platform Controller Hub of modern Intel motherboards.

<span class="mw-page-title-main">Shellshock (software bug)</span> Security bug in the Unix Bash shell discovered in 2014

Shellshock, also known as Bashdoor, is a family of security bugs in the Unix Bash shell, the first of which was disclosed on 24 September 2014. Shellshock could enable an attacker to cause Bash to execute arbitrary commands and gain unauthorized access to many Internet-facing services, such as web servers, that use Bash to process requests.

Stagefright is the name given to a group of software bugs that affect versions from 2.2 "Froyo" up until 5.1.1 "Lollipop" of the Android operating system exposing an estimated 950 million devices at the time. The name is taken from the affected library, which among other things, is used to unpack MMS messages. Exploitation of the bug allows an attacker to perform arbitrary operations on the victim's device through remote code execution and privilege escalation. Security researchers demonstrate the bugs with a proof of concept that sends specially crafted MMS messages to the victim device and in most cases requires no end-user actions upon message reception to succeed—the user doesn't have to do anything to 'accept' exploits using the bug; it happens in the background. A phone number is the only information needed to carry out the attack.

KRACK is a replay attack on the Wi-Fi Protected Access protocol that secures Wi-Fi connections. It was discovered in 2016 by the Belgian researchers Mathy Vanhoef and Frank Piessens of the University of Leuven. Vanhoef's research group published details of the attack in October 2017. By repeatedly resetting the nonce transmitted in the third step of the WPA2 handshake, an attacker can gradually match encrypted packets seen before and learn the full keychain used to encrypt the traffic.

Meltdown is one of the two original transient execution CPU vulnerabilities. Meltdown affects Intel x86 microprocessors, IBM POWER processors, and some ARM-based microprocessors. It allows a rogue process to read all memory, even when it is not authorized to do so.

Rafay Baloch is a Pakistani ethical hacker and security researcher known for his discovery of vulnerabilities on the Android operating system. He has been featured and known by both national and international media and publications like Forbes, BBC, The Wall Street Journal, and The Express Tribune. He has been listed among the "Top 5 Ethical Hackers of 2014" by CheckMarx. Subsequently he was listed as one of "The 15 Most Successful Ethical Hackers WorldWide" and among "Top 25 Threat Seekers" by SCmagazine. Baloch has also been added in TechJuice 25 under 25 list for the year 2016 and got 13th rank in the list of high achievers. Reflectiz, a cyber security company, released the list of "Top-21 Cybersecurity Experts You Must Follow on Twitter in 2021" recognizing Rafay Baloch as the top influencer. On 23 March 2022, ISPR recognized Rafay Baloch's contribution in the field of Cyber Security with Pride for Pakistan award.

The Microarchitectural Data Sampling (MDS) vulnerabilities are a set of weaknesses in Intel x86 microprocessors that use hyper-threading, and leak data across protection boundaries that are architecturally supposed to be secure. The attacks exploiting the vulnerabilities have been labeled Fallout, RIDL, ZombieLoad., and ZombieLoad 2.

SWAPGS, also known as Spectre variant 1, is a computer security vulnerability that utilizes the branch prediction used in modern microprocessors. Most processors use a form of speculative execution, this feature allows the processors to make educated guesses about the instructions that will most likely need to be executed in the near future. This speculation can leave traces in the cache, which attackers use to extract data using a timing attack, similar to side-channel exploitation of Spectre.

References

1 2 Goodin, Dan (2016-10-20). ""Most serious" Linux privilege-escalation bug ever is under active exploit (updated)". Ars Technica. Retrieved 2016-10-21.
1 2 3 Vaughan-Nichols, Steven J. "The Dirty Cow Linux bug: A silly name for a serious problem". ZDNet. Retrieved 2016-10-21.
↑ "Kernel Local Privilege Escalation - CVE-2016-5195 - Red Hat Customer Portal". access.redhat.com. Retrieved 2016-10-21.
↑ "LSN-0012-1 Linux kernel vulnerability". Ubuntu Security mailing list. October 20, 2016.
↑ "Android phones rooted by "most serious" Linux escalation bug ever". Ars Technica. October 24, 2016.
↑ Chirgwin, Richard (December 4, 2017). "Dirty COW redux: Linux devs patch botched patch for 2016 mess". The Register.
↑ "mm: remove gup_flags FOLL_WRITE games from __get_user_pages()". Linux kernel source tree. October 18, 2016.
↑ "How Bad is Dirty COW?". The Linux Foundation. October 24, 2016.
↑ Hazel Virdó (October 31, 2016). "How To Protect Your Server Against the Dirty COW Linux Vulnerability". DigitalOcean. Retrieved December 29, 2016.
↑ "CVE-2016-5195: kernel: local privilege escalation using MAP_PRIVATE (Dirty COW). | Support | SUSE". www.suse.com. Retrieved 2020-01-22.

External links

CVE-2016-5195 at Red Hat
CVE-2016-5195 at SUSE

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[ars-1] 1 2 Goodin, Dan (2016-10-20). ""Most serious" Linux privilege-escalation bug ever is under active exploit (updated)". Ars Technica. Retrieved 2016-10-21.

[:0-2] 1 2 3 Vaughan-Nichols, Steven J. "The Dirty Cow Linux bug: A silly name for a serious problem". ZDNet. Retrieved 2016-10-21.

[3] "Kernel Local Privilege Escalation - CVE-2016-5195 - Red Hat Customer Portal". access.redhat.com. Retrieved 2016-10-21.

[4] "LSN-0012-1 Linux kernel vulnerability". Ubuntu Security mailing list. October 20, 2016.

[5] "Android phones rooted by "most serious" Linux escalation bug ever". Ars Technica. October 24, 2016.

[6] Chirgwin, Richard (December 4, 2017). "Dirty COW redux: Linux devs patch botched patch for 2016 mess". The Register.

[7] "mm: remove gup_flags FOLL_WRITE games from __get_user_pages()". Linux kernel source tree. October 18, 2016.

[8] "How Bad is Dirty COW?". The Linux Foundation. October 24, 2016.

[9] Hazel Virdó (October 31, 2016). "How To Protect Your Server Against the Dirty COW Linux Vulnerability". DigitalOcean. Retrieved December 29, 2016.

[10] "CVE-2016-5195: kernel: local privilege escalation using MAP_PRIVATE (Dirty COW). | Support | SUSE". www.suse.com. Retrieved 2020-01-22.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]