Cybercrime

From malware and botnets to the latest cybercriminal schemes, check out what today’s black hat hackers are up to.

Blog > Cybercrime > Analysis of “DirtyCow” Kernel Exploit

Analysis of “DirtyCow” Kernel Exploit

Hacktivism

Key Takeaways

  • On October 20, 2016, Ars Technica published an article about a serious kernel-level Linux exploit which allows for local privilege escalation attacks.
  • Red Hat Product Security has identified this exploit being used in the wild and addressed the apparent vulnerability caused by this exploit. Other Linux distribution operating systems are also in the process of patching the exploit, which is known as “DirtyCow.”
  • Flashpoint has identified three different Proofs of Concept (POCs) of exploiting this vulnerability that are available in open sources.
  • Flashpoint strongly recommends patching affected systems.

 

Background

On October 20, 2016, Ars Technica posted an article detailing a serious kernel-level exploit, which has existed in the Linux kernel for the last nine years. While local privilege escalation attacks are not new, an exploit that existed for an extended period of time is of critical concern.

For grading the seriousness of an exploit, two things are typically considered: the ease of use to deploy; and whether the exploit is being actively exploited. Red Hat Product Security is aware of this exploit being used in the wild, which raises the priority level of patching the exploit. Other Linux distributions appear to be following suit and are addressing the exploit called “DirtyCow.”

Exploit Analysis

At the time of writing, Flashpoint has identified three different Proofs of Concept (POCs) of exploiting this vulnerability that are available in open sources.

  • The “dirtyc0w” exploit can be used to allow write access to files which are typically marked read-only.
  • “Cowroot” will escalate privileges to root.
  • “Dirtycow-mem” will allow for root access by patching libc’s getuid (which returns the real user ID of the calling process), and envoking su (superuser command).

 

By analyzing the exploit that allows root access, it is apparent that DirtyCow leverages a race condition to abuse process priority execution in order to enable root access. By downloading and compiling the source code on a testing system, analysts observed that the exploit is able to spawn a root terminal process in a matter of seconds. “Cowroot” does this by exploiting a race condition, and if the exploit is successful, /usr/sbin/passwrd is overwritten with shellcode that executes bash.

Image 1: Shellcode being used to execute bash

Image 1: Shellcode being used to execute bash

Image 2: Screenshot of Cowroot exploit

Image 2: Screenshot of Cowroot exploit

When tested, Cowroot can cause the system to hang.

Dirtycow-mem uses the same exploit, but gains root access privileges using a different method. Dirtycow-mem patches libc’s getuid call, then calls su, quickly allowing for root access. It is worth noting that the exploit crashes with a kernel panic within a few minutes.

Image 3: Dirtycow-mem being used to exploit a system

Image 3: Dirtycow-mem being used to exploit a system

While the Cowroot and Dirtycow-mem exploits appear to crash the kernel, it is only a matter of time before exploit developers find a more elegant way to control the crash and exploit. Since Cowroot replaces the /usr/bin/passwd file, attackers could replace it with a malicious file, enable malware into the shellcode portion, and execute it. Flashpoint strongly recommends patching affected systems.

Sources

  • hxxp://arstechnica[.]com/security/2016/10/most-serious-linux-privilege-escalation-bug-ever-is-under-active-exploit
  • hxxps://access[.]redhat[.]com/security/vulnerabilities/2706661
  • hxxp://dirtycow[.]ninja
  • hxxps://github[.]com/dirtycow/dirtycow[.]github[.]io/wiki/PoCs
  • hxxps://gist[.]github[.]com/rverton/e9d4ff65d703a9084e85fa9df083c679
  • hxxps://gist[.]github[.]com/scumjr/17d91f20f73157c722ba2aea702985d2
  • hxxps://bugzilla[.]redhat[.]com/show_bug[.]cgi?id=1384344#c13

About the author: Ronnie Tokazowski

Ronnie Tokazowski is a Senior Malware Analyst at Flashpoint who specializes in APT, crimeware, and cryptanalysis. When he’s not cooking, he’s reversing new strains of malware and breaking different malware protocols in order to understand how they work.