文档章节

OS: 脏牛(Dirty COW)漏洞:Linux 内核通杀提权漏洞 (CVE-2016-5195)

七侠镇莫小贝
 七侠镇莫小贝
发布于 2017/04/13 13:16
字数 826
阅读 48
收藏 0

注意,编译漏洞利用程序时:

gcc -lpthread dirtyc0w.c -o dirtyc0w

在Ubuntu 15.10下实际测试,需要改为:

gcc -pthread dirtyc0w.c -o dirtyc0w


gcc dirtyc0w.c -o dirtyc0w -lpthread

才能正常编译。


其他漏洞利用代码:

https://github.com/dirtycow/dirtycow.github.io/wiki/PoCs



http://www.tuicool.com/articles/Rjiy2ma

How To Patch and Protect Linux Kernel Zero Day Local Privilege Escalation Vulnerability CVE...

A very serious security problem has been found in the Linux kernel. A 0-day local privilege escalation vulnerability has existed for eleven years since 2005. This bug affects all sort of of Android or Linux kernel to escalate privileges. Any user can become root in less than 5 seconds. The bug has existed since Linux kernel version 2.6.22+. How do I fix this problem?

This bug is named as Dirty COW

(CVE-2016-5195) is a privilege escalation vulnerability in the Linux Kernel. Exploitation of this bug does not leave any trace of anything abnormal happening to the logs. So you can not detect if someone has exploited this against your server.

What is CVE-2016-5195 bug?

From the project :

A race condition was found in the way the Linux kernel’s memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. An unprivileged local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system.

A nasty bug for sure. Any local users can write to any file they can read, and present since at least Linux kernel version 2.6.22.Linus Torvalds explained :

This is an ancient bug that was actually attempted to be fixed once (badly) by me eleven years ago in commit 4ceb5db9757a (“Fix get_user_pages() race for write access”) but that was then undone due to problems on s390 by commit f33ea7f404e5 (“fix get_user_pages bug”).

In the meantime, the s390 situation has long been fixed, and we can now fix it by checking the pte_dirty() bit properly (and do it better). The s390 dirty bit was implemented in abf09bed3cce (“s390/mm: implement software dirty bits”) which made it into v3.9. Earlier kernels will have to look at the page state itself.

Also, the VM has become more scalable, and what used a purely theoretical race back then has become easier to trigger.

To fix it, we introduce a new internal FOLL_COW flag to mark the “yes, we already did a COW” rather than play racy games with FOLL_WRITE that is very fundamental, and then use the pte dirty flag to validate that the FOLL_COW flag is still valid.

A list of affected Linux distros (including VMs and containers that share the same kernel)

  1. Red Hat Enterprise Linux 7.x
  2. Red Hat Enterprise Linux 6.x
  3. Red Hat Enterprise Linux 5.x
  4. CentOS Linux 7.x
  5. CentOS Linux 6.x
  6. CentOS Linux 5.x
  7. Debian Linux wheezy
  8. Debian Linux jessie
  9. Debian Linux stretch
  10. Debian Linux sid
  11. Ubuntu Linux precise (LTS 12.04)
  12. Ubuntu Linux trusty
  13. Ubuntu Linux xenial (LTS 16.04)
  14. Ubuntu Linux yakkety
  15. Ubuntu Linux vivid/ubuntu-core
  16. SUSE Linux Enterprise 11 and 12.

How do I fix CVE-2016-5195 on Linux?

Type the commands as per your Linux distro. You need to reboot the box . Before you apply patch, note down your current kernel version:

$ uname -a
$ uname -mrs

Sample outputs:

Linux 3.13.0-95-generic x86_64

Debian or Ubuntu Linux

$ sudo apt-get update && sudo apt-get upgrade && sudo apt-get dist-upgrade

Reboot the server:

$ sudo reboot

Related: Ubuntu Linux users can hotfix this Linux kernel bug without rebooting the server .

RHEL / CentOS Linux 5.x/6.x/7.x

$ sudo yum update
$ sudo reboot

RHEL / CentOS Linux 4.x

$ sudo up2date -u
$ sudo reboot

Suse Enterprise Linux or Opensuse Linux

To apply all needed patches to the system type:

# zypper patch
# reboot

Verification

You need to make sure your version number has changed:

$ uname -a
$ uname -r
$ uname -mrs

Determine if your system is vulnerable

For RHEL/CentOS Linux, use the following script:

$ wget https://access.redhat.com/sites/default/files/rh-cve-2016-5195_1.sh
$ bash rh-cve-2016-5195_1.sh

For all other distro try PoC (proof of concept exploit code)

Grab the PoC:

$ wget https://raw.githubusercontent.com/dirtycow/dirtycow.github.io/master/dirtyc0w.c

Run it as follows. First be root:

$ sudo -s
# echo this is not a test > foo

Run it as normal user:

$ gcc -lpthread dirtyc0w.c -o dirtyc0w
$ ./dirtyc0w foo m00000000000000000
mmap 56123000
madvise 0
procselfmem 1800000000
$ cat foo
m00000000000000000

References:

Share this tutorial on:
分享

本文转载自:http://blog.csdn.net/kimqcn4/article/details/52909175

七侠镇莫小贝
粉丝 3
博文 92
码字总数 5648
作品 0
海淀
QA/测试工程师
私信 提问
Linux 严重提权漏洞正被利用

编号为CVE-2016-5195的Linux提权漏洞正被利用。Linux Kernel维护者已经释出了补丁修复该漏洞,而Linux发行版也正在释出更新。 该漏洞又称为 Dirty COW。 Dirty COW 是一个特权升级漏洞,可以...

局长
2016/10/22
4.1K
12
腾讯云关于 Linux 系统“脏牛”漏洞的修复通告

昨日,我们发布了一条 Linux 严重提权漏洞正被利用的新闻。今日,腾讯云在其官方论坛公布了关于 Linux 系统“脏牛”漏洞的修复通告。内容如下: 近日Linux官方爆出了“脏牛”漏洞(代号:Dir...

局长
2016/10/23
9.1K
15
“脏牛”内核漏洞修复补丁存在缺陷 “大脏牛”漏洞来袭

Bindecy研究人员指出,去年在Linux系统中发现的“脏奶牛”漏洞(CVE-2016-5195)并未得到完全修复。 不完整的“脏奶牛”修复补丁 “脏奶牛”漏洞源自Linux内核中的内存子系统在处理私有只读内...

局长
2017/12/04
2.1K
4
Linux:条件竞争漏洞导致内核提权

HardenedLinux 写道 : ”一个在Linux内核内存子系统当中处理COW(copy-on-write)的条件竞争bug打破了只读内存的映射的设置进而可以提升权限,这让攻击者可以欺骗系统修改可读的用户空间代码然...

达尔文
2016/10/21
3.7K
8
新型 Linux 病毒,脚本超 1000 行,功能复杂

俄罗斯杀毒软件公司 Dr.Web 近日公开了一个被称为 Linux.BtcMine.174 的新型木马,相比传统恶意 Linux 病毒,它更加复杂,同时也包含了大量恶意功能。 该木马是一个包含 1000 多行代码的 sh...

h4cd
2018/11/25
13.9K
27

没有更多内容

加载失败,请刷新页面

加载更多

rime设置为默认简体

转载 https://github.com/ModerRAS/ModerRAS.github.io/blob/master/_posts/2018-11-07-rime%E8%AE%BE%E7%BD%AE%E4%B8%BA%E9%BB%98%E8%AE%A4%E7%AE%80%E4%BD%93.md 写在开始 我的Arch Linux上......

zhenruyan
今天
5
0
简述TCP的流量控制与拥塞控制

1. TCP流量控制 流量控制就是让发送方的发送速率不要太快,要让接收方来的及接收。 原理是通过确认报文中窗口字段来控制发送方的发送速率,发送方的发送窗口大小不能超过接收方给出窗口大小。...

鏡花水月
今天
10
0
OSChina 周日乱弹 —— 别问,问就是没空

Osc乱弹歌单(2019)请戳(这里) 【今日歌曲】 @tom_tdhzz :#今日歌曲推荐# 分享容祖儿/彭羚的单曲《心淡》: 《心淡》- 容祖儿/彭羚 手机党少年们想听歌,请使劲儿戳(这里) @wqp0010 :周...

小小编辑
今天
1K
11
golang微服务框架go-micro 入门笔记2.1 micro工具之micro api

micro api micro 功能非常强大,本文将详细阐述micro api 命令行的功能 重要的事情说3次 本文全部代码https://idea.techidea8.com/open/idea.shtml?id=6 本文全部代码https://idea.techidea8....

非正式解决方案
今天
5
0
Spring Context 你真的懂了吗

今天介绍一下大家常见的一个单词 context 应该怎么去理解,正确的理解它有助于我们学习 spring 以及计算机系统中的其他知识。 1. context 是什么 我们经常在编程中见到 context 这个单词,当...

Java知其所以然
昨天
9
0

没有更多内容

加载失败,请刷新页面

加载更多

返回顶部
顶部