DuTy^

LINUX PRIVILEGE ESCALATION -DIRTY COW-


A nine-year-old critical vulnerability has been discovered in virtually all versions of the Linux operating system and is actively being exploited in the wild.

Dubbed "Dirty COW," the Linux kernel security flaw (CVE-2016-5195) is a mere privilege-escalation vulnerability, but researchers are taking it extremely seriously due to many reasons.

First, it's very easy to develop exploits that work reliably. Secondly, the Dirty COW flaw exists in a section of the Linux kernel, which is a part of virtually every distro of the open-source operating system, including RedHat, Debian, and Ubuntu, released for almost a decade.

And most importantly, the researchers have discovered attack code that indicates the Dirty COW vulnerability is being actively exploited in the wild.

Dirty COW potentially allows any installed malicious app to gain administrative (root-level) access to a device and completely hijack it.

I'm still working on it for now, but after I get root it gives me a kernel panic within 15-30 seconds.

Android PoC

Even though it appeared 10 years ago, the bug was fixed on 18 October this year.

In short, for those interested, some useful information:

- the exploit cannot be executed remotely (you need to be able to run commands on the system); to use this exploit remotely you need another vulnerability that gives you access to the target system.

A simple example of how it can be exploited (not remotely): a web shell.

Let's assume a server runs a web application with a vulnerability that lets us upload a web shell, i.e. execute system commands. In principle, these commands are executed as a low-privileged user (sometimes called www-data or something similar).

With this exploit you can overwrite /etc/passwd to give the www-data account UID 0 => root privileges. I tried this on a virtual machine and yet it didn't work. In that case, you can set a user's UID to 0, but you will have to log in again afterwards (not really an option, since we only have a web shell).

A few limitations of the exploit:

- you can only overwrite existing bytes (there is no way to add anything to a file).

- I for one couldn't write more than 4 KB to a file.

By the way, it was also posted by @Silviu here.

 

Edited by MrGrj
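As an added example (not from either post above), here is the defender's side of the scenario described in the previous post: the web-server account rewritten to UID 0 in /etc/passwd. Because the overwrite can only replace existing bytes, the file keeps its exact length, so an integrity check has to compare content, and the UID must be parsed numerically rather than compared as the string "0". Both passwd fragments below are constructed samples.

```python
import hashlib

# Constructed baseline: a clean /etc/passwd fragment recorded while the host was trusted.
CLEAN_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n"
)

# Constructed tampered copy: the www-data account rewritten to UID 0. Since only
# existing bytes can be replaced, the file length is unchanged; the two-character
# UID field "33" has become "00", which still parses as UID 0.
TAMPERED_PASSWD = CLEAN_PASSWD.replace("www-data:x:33:", "www-data:x:00:")


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def rogue_uid0_accounts(passwd_text: str) -> list[str]:
    """Return account names that resolve to UID 0 but are not 'root'.

    The UID is compared as an integer: a string test against "0" would miss
    zero-padded values such as "00" produced by a length-preserving overwrite.
    """
    rogue = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            rogue.append(f"{fields[0]} (malformed entry)")
            continue
        name, uid = fields[0], fields[2]
        if uid.isdigit() and int(uid) == 0 and name != "root":
            rogue.append(name)
    return rogue


def audit_passwd(passwd_text: str, baseline_text: str) -> dict:
    """Run the checks a host-integrity monitor would apply to /etc/passwd.

    A same-length overwrite leaves the file size untouched, so size-based
    heuristics stay silent; the content hash and the UID scan do not.
    """
    return {
        "rogue_uid0": rogue_uid0_accounts(passwd_text),
        "hash_matches_baseline": sha256_hex(passwd_text) == sha256_hex(baseline_text),
        "same_length_as_baseline": len(passwd_text) == len(baseline_text),
    }


if __name__ == "__main__":
    print(audit_passwd(CLEAN_PASSWD, CLEAN_PASSWD))
    print(audit_passwd(TAMPERED_PASSWD, CLEAN_PASSWD))
```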
