This article was last updated 8 years ago

DressCode / linux

Network security researchers have discovered a serious vulnerability that exploits a nine-year old kernel flaw called ‘Dirty COW’. This flaw is said to have existed since the inception of the operating system but is now under active exploitation. Thus, researchers are advising virtually all Linux users to install a update patch as soon as possible.

The vulnerability was first uncovered by security researcher Phil Oester who reported the same to V3 saying that “the exploit in the wild is trivial to execute, never fails and has probably been around for years.” It is said to take less than five seconds to gain access and modify root files we don’t inherently have write access to. If this vulnerability is not addressed right this moment, it will certainly become more widely-used in the near future, says Oester.

He further adds that the exploit has been present in the Linux operating system since 2007, but he was able to stumble upon and uncover this bug while examining a server that had been attacked using a similar exploit. He then stated that he had started capturing all inbound HTTP traffic and was able to extract the exploit and test it out in a sandbox.

This vulnerability i.e CVE-2016-5195, much like every other serious exploit, allows the user to perform a local privilege escalation and gain root access to the system. Once you gain access to root, you can not only read but also modify and write in those on-disk files(or binaries) which were earlier inaccessible without these rights. And since one can so easily write inside any root file, we can just leave an exploit code in network files and access the system remotely whenever I wish to.

This unprivileged access to gain write access to otherwise read-only memory mappings is the reason this exploit has been christened ‘Dirty COW’. RedHat has classified the exploit as ‘important’ and warned it users to patch the same with an update right away. It has further described the naming as,

A race condition was found in the way the Linux kernel’s memory subsystem handled the copy-on-write [COW] breakage of private read-only memory mappings.

This security flaw has been dubbed ancient by the creator of Linux kernel Linus Torvalds himself. In a git commit, he says the following,

This is an ancient bug that was actually attempted to be fixed once (badly) by me eleven years ago in commit but that was then undone due to problems on s390. In the meantime, the s390 situation has long been fixed, and we can now fix it by checking the pte_dirty() bit properly.

And before public disclosure of this vulnerability, the maintainers of the official Linux kernel have already patched the underlying bug this week. They’re currently handing it over to Downstream distributors so they can release updates incorporating the fix.

This is a rare condition vulnerability which is still present on all systems and servers using a Linux kernel, which are still likely to be prone to malicious attacks. It is advised, yet again, to update your PC as soon as the latest security update is made available to you.

You can watch this video to not only know more about this exploit, but also to see a live proof of concept being executed on a Linux system affected with the vulnerability.

2 comments
  1. I have worked in IT for nearly three decades and every time a Mac enthusiast or Linux devotee told me their systems were hack proof I just nodded and changed the topic. No system is hack proof, and if you think yours is, you are deluding yourself. For years Microsoft has borne the brunt of being accused as being weak on security when in fact they were just the biggest which meant the most targeted. That’s not to say that MS didn’t have it’s problems, but the idea that Apple and Linux were impervious bastions of techno-security was, at best, laughable, at worst dangerously ignorant. They were simply too small to pay any attention to. Now that both have become competitive we’re seeing their vulnerabilities (which have always existed) starting to be exposed.

    1. Well…

      if you have worked in IT you will surely know what the term “Local vulnerability” means: You need access to the machine first. And most probably you will need a compiler too…

      These are BTW the sort of vulnerabilities patched in Windows at a monthly basis, just that we give it for granted and the people at MS don’t care too much, becuase… well, they are local ;)

      And “too small…” is a wrong statement: Google has always run on Linux and it’s rather old, the same as Akamai and other huge players. ACtually: Linux has been the backbone of the internet itself for quite a few decades already. IT is not only about desktop systems and workstation ;)

      I patched the bug on my workstation in something like 2 minutes including a restart, BTW.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.