DuTy^ Posted October 24, 2016

A nine-year-old critical vulnerability has been discovered in virtually all versions of the Linux operating system and is actively being exploited in the wild. Dubbed "Dirty COW," the Linux kernel security flaw (CVE-2016-5195) is a mere privilege-escalation vulnerability, but researchers are taking it extremely seriously for several reasons. First, it's very easy to develop exploits that work reliably. Secondly, the Dirty COW flaw exists in a section of the Linux kernel that is part of virtually every distro of the open-source operating system, including RedHat, Debian, and Ubuntu, released for almost a decade. And most importantly, the researchers have discovered attack code that indicates the Dirty COW vulnerability is being actively exploited in the wild. Dirty COW potentially allows any installed malicious app to gain administrative (root-level) access to a device and completely hijack it.

http://thehackernews.com/2016/10/linux-kernel-exploit.html

I'm still working on it, but after I get root it gives me a kernel panic every 15-30 seconds.

https://github.com/dirtycow/dirtycow.github.io/blob/master/dirtyc0w.c

Android PoC: https://github.com/timwr/CVE-2016-5195
MrGrj Posted October 24, 2016 (edited)

Although it appeared 10 years ago, the bug was fixed on October 18 this year. In short, for those interested, some useful information:

- The exploit cannot be executed remotely (you need to be able to run commands on the system). To use this exploit remotely you need another vulnerability that gives you access to the target system. A simple (non-remote) example of how it can be exploited: a web shell. Suppose a server runs a web application with a vulnerability that lets us upload a web shell, i.e. execute system commands. In principle, these commands run as a low-privileged user (sometimes called www-data or something similar). With this exploit you can overwrite /etc/passwd to give the www-data user UID 0 => root privileges. I tried this on a virtual machine and it still didn't work. In that case you can set a user's UID to 0, but you will have to log in again afterwards (not really an option, since we only have a web shell).

Some limitations of the exploit:

- You can only overwrite existing bytes (there is no way to add anything to a file).
- I for one couldn't write more than 4 KB to a file.

By the way, it was also posted by @Silviu here.

Edited October 24, 2016 by MrGrj
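One defender-side check that follows from the /etc/passwd overwrite described above, as an added example that is not code from the thread or from the linked PoC repositories: it parses passwd content, flags any account other than root that carries UID 0, and also reports lines left malformed by a byte-for-byte partial overwrite. The sample passwd content is constructed for the example.

```python
import sys

# Constructed sample /etc/passwd content (not from a real system). The
# www-data entry has been given UID 0, the post-exploitation state the
# thread describes; note it has the same byte length as a normal entry.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:0:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
"""

def parse_passwd(text):
    """Yield (name, uid, gid, raw_line) for each passwd line.

    A line that does not have exactly seven colon-separated fields with
    numeric UID/GID is yielded with uid=None so the caller can report it:
    overwriting existing bytes in place can leave such mangled entries.
    """
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit() or not fields[3].isdigit():
            yield ("<malformed>", None, None, line)
            continue
        yield (fields[0], int(fields[2]), int(fields[3]), line)

def find_suspicious_accounts(text, allowed_uid0=("root",)):
    """Return a list of (reason, name, line) findings: 'uid0' for any
    account outside allowed_uid0 that has UID 0, 'malformed' for broken lines."""
    findings = []
    for name, uid, _gid, line in parse_passwd(text):
        if uid is None:
            findings.append(("malformed", name, line))
        elif uid == 0 and name not in allowed_uid0:
            findings.append(("uid0", name, line))
    return findings

def audit_file(path="/etc/passwd"):
    """Run the check against a real passwd file and return the findings."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_suspicious_accounts(fh.read())

if __name__ == "__main__":
    # With no argument, demonstrate on the constructed sample.
    source = audit_file(sys.argv[1]) if len(sys.argv) > 1 else \
        find_suspicious_accounts(SAMPLE_PASSWD)
    for reason, name, line in source:
        print(f"{reason}: {name}: {line}")
```

Pair it with a file-integrity baseline of /etc/passwd: the check only tells you the current state, not when the UID changed.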
aelius Posted October 24, 2016

Install grsec, configure ACL, RBAC. Fuck memory map.