Analysis of “DirtyCow” Kernel Exploit
- On October 20, 2016, Ars Technica published an article about a serious kernel-level Linux exploit which allows for local privilege escalation attacks.
- Red Hat Product Security has identified this exploit being used in the wild and has addressed the underlying vulnerability that it targets. Other Linux distributions are also in the process of patching the vulnerability, which is known as “DirtyCow.”
- Flashpoint has identified three different Proofs of Concept (POCs) of exploiting this vulnerability that are available in open sources.
- Flashpoint strongly recommends patching affected systems.
On October 20, 2016, Ars Technica posted an article detailing a serious kernel-level vulnerability that has existed in the Linux kernel for the last nine years. While local privilege escalation attacks are not new, a flaw that has existed for such an extended period of time is of critical concern.
Two factors are typically considered when grading the seriousness of an exploit: how easy it is to deploy, and whether it is being actively exploited. Red Hat Product Security is aware of this exploit being used in the wild, which raises the priority of patching. Other Linux distributions appear to be following suit and are addressing the vulnerability called “DirtyCow.”
At the time of writing, Flashpoint has identified three different Proofs of Concept (POCs) of exploiting this vulnerability that are available in open sources.
- The “dirtyc0w” exploit can be used to allow write access to files which are typically marked read-only.
- “Cowroot” will escalate privileges to root.
- “Dirtycow-mem” will allow for root access by patching libc’s getuid (which returns the real user ID of the calling process) and invoking su (the superuser command).
Analysis of the exploit that grants root access shows that DirtyCow leverages a race condition in the kernel, which the exploit wins by manipulating how the competing processes are scheduled, in order to gain root access. After downloading and compiling the source code on a testing system, analysts observed that the exploit is able to spawn a root terminal process in a matter of seconds. “Cowroot” does this by exploiting the race condition, and if the exploit is successful, /usr/bin/passwd is overwritten with shellcode that executes bash.
When tested, Cowroot can cause the system to hang.
Dirtycow-mem exploits the same vulnerability but gains root privileges using a different method: it patches libc’s getuid call and then calls su, quickly allowing for root access. It is worth noting that the exploit crashes with a kernel panic within a few minutes.
While the Cowroot and Dirtycow-mem exploits currently crash the kernel, it is only a matter of time before exploit developers find a more elegant way to control the crash and keep the exploit stable. Since Cowroot replaces the /usr/bin/passwd file, attackers could replace it with a malicious file, embed malware in the shellcode portion, and execute it. Flashpoint strongly recommends patching affected systems.
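As an added example (not part of the Flashpoint report or any of the POCs), the following POSIX shell check flags a setuid binary such as /usr/bin/passwd that no longer matches a known-good SHA-256 recorded from a trusted, patched host, which is the kind of change a successful Cowroot run leaves behind. The baseline hash in the script is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not from the Flashpoint report. Verifies that a setuid
# binary such as /usr/bin/passwd still matches a SHA-256 baseline recorded
# from a trusted, patched host. The hash below is a constructed placeholder;
# record real values with file_sha256 on a clean system.

# Constructed baseline: "<path> <sha256>", one entry per line.
BASELINE='/usr/bin/passwd 0000000000000000000000000000000000000000000000000000000000000000'

# Print the SHA-256 of a file; works with GNU sha256sum or BSD shasum.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# check_binary <path> <expected_sha256>
# Exit status: 0 unchanged, 1 content differs, 2 file missing.
# A modified file that still carries the setuid bit is the Cowroot signature.
check_binary() {
    path=$1; expected=$2
    if [ ! -f "$path" ]; then
        echo "MISSING  $path"; return 2
    fi
    actual=$(file_sha256 "$path")
    if [ "$actual" = "$expected" ]; then
        echo "OK       $path"; return 0
    fi
    suid=""; [ -u "$path" ] && suid=" (setuid bit set)"
    echo "MODIFIED $path$suid expected=$expected got=$actual"
    return 1
}

# check_baseline: check every entry in BASELINE; returns 1 if any is not OK.
# The here-document keeps the loop in the current shell so rc survives it.
check_baseline() {
    rc=0
    while read -r p h; do
        [ -n "$p" ] || continue
        check_binary "$p" "$h" || rc=1
    done <<EOF
$BASELINE
EOF
    return "$rc"
}
```

Record the baseline with file_sha256 on a clean host (or compare against the package manager's own verification), then run check_baseline on suspect systems.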