
Yu1u Security Club


CVE-2016-5195: Linux local privilege escalation vulnerability (Dirty COW)

Author: 雨路
Category: Vulnerability information
Published: 2016-10-25 15:57

This bug is nine years old; one could say it has been there since the affected Linux kernel versions were released. It was patched on 18 October 2016, only a few days ago, but getting that fix onto systems still has to wait for the next kernel release. What does that mean? It means the bug is still exploitable in the meantime.

Why is it so dangerous, and how does it actually work? Specifically, the Linux kernel's memory subsystem has a race condition in the way it handles copy-on-write (COW). A malicious user can exploit it to gain write access to read-only memory mappings and thereby obtain elevated privileges. (A race condition was found in the way the Linux kernel's memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings.) A race condition means that tasks execute in an unexpected order, which can crash an application or give an attacker an opening to run further code. Using this flaw, an attacker can escalate privileges on the target system and may even obtain root. According to the officially released patch information, the problem goes back to the Linux kernel released in 2007. So far there is no evidence either way about whether attackers have used it since 2007. However, security researcher Phil Oester says he found an attacker exploiting the flaw in a live attack and reported the recent incident to Red Hat.

The bug was reported by Phil Oester on 18 October and fixed by Linux creator Linus Torvalds himself. On 20 October, Phil Oester, who discovered it, published partial details on GitHub. That same day my WeChat feed was flooded with it; after all, a local privilege escalation hole that hits nearly every Linux version is rare.

The PoC released on the official GitHub can already write arbitrary content into any readable file, so with this PoC you can basically get a root shell. For example, we can write /etc/passwd and change a user's UID to escalate privileges, or overwrite the code of a root-owned setuid binary so that it executes execve("/bin/sh"), and so on; there are many ways to do it.

https://github.com/dirtycow/dirtycow.github.io/wiki/PoCs
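The two targets named above, /etc/passwd UIDs and root-owned setuid binaries, are also what a defender can watch. The following is an added example written for this page, not code from the original post or from the dirtycow project: it baselines size and SHA-256 of a set of files, reports files that changed, and audits a passwd file for non-root accounts carrying UID 0. All file contents and paths in it are constructed for the demo; on a real host you would baseline /etc/passwd and the setuid binaries enumerated with `find / -perm -4000 -type f`, taken from known-good media.

```python
"""Integrity checks for the files a Dirty COW PoC would target.

Added example: this is not code from the original post or from the dirtycow
project. It covers the two targets the post names, /etc/passwd and root-owned
setuid binaries. All paths and file contents below are constructed for the
demo; on a real host you would baseline /etc/passwd and the output of
`find / -perm -4000 -type f` from known-good media.
"""
import hashlib
import os
import tempfile

# Constructed sample passwd file (not taken from any real system).
PASSWD_CLEAN = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "user:x:1000:1000:user:/home/user:/bin/bash\n"
)
# Same length, but 'user' now carries UID 0: an in-place edit of the kind the
# PoC performs (it overwrites bytes inside the existing file, never growing it).
PASSWD_TAMPERED = PASSWD_CLEAN.replace("user:x:1000:", "user:x:0000:")


def fingerprint(path):
    """Return (size_in_bytes, sha256_hex) for one file."""
    digest = hashlib.sha256()
    size = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
            size += len(chunk)
    return size, digest.hexdigest()


def build_baseline(paths):
    """Record size and hash of every path; keep the result off the host."""
    return {path: fingerprint(path) for path in paths}


def compare(baseline):
    """Return (path, reason) for every baselined file that changed or vanished."""
    findings = []
    for path, (size, digest) in baseline.items():
        if not os.path.exists(path):
            findings.append((path, "missing"))
            continue
        cur_size, cur_digest = fingerprint(path)
        if cur_size != size:
            findings.append((path, f"size changed {size} -> {cur_size}"))
        elif cur_digest != digest:
            findings.append((path, "content changed, size unchanged"))
    return findings


def uid0_accounts(passwd_text):
    """Names of accounts other than root whose UID field parses as 0."""
    suspicious = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7:
            continue  # blank or malformed line
        name, uid = fields[0], fields[2]
        try:
            if int(uid) == 0 and name != "root":
                suspicious.append(name)
        except ValueError:
            suspicious.append(name)  # a non-numeric UID is itself suspicious
    return suspicious


def demo():
    """Constructed scenario: baseline, then simulate a same-length overwrite."""
    with tempfile.TemporaryDirectory() as workdir:
        passwd = os.path.join(workdir, "passwd")
        suid_bin = os.path.join(workdir, "suid_bin")
        with open(passwd, "w") as f:
            f.write(PASSWD_CLEAN)
        with open(suid_bin, "wb") as f:
            f.write(b"\x7fELF" + b"\x00" * 60)  # stand-in for a setuid binary
        baseline = build_baseline([passwd, suid_bin])

        # Overwrite bytes in place from offset 0; the size stays identical.
        with open(passwd, "r+") as f:
            f.write(PASSWD_TAMPERED)

        findings = compare(baseline)
        with open(passwd) as f:
            uid0 = uid0_accounts(f.read())
    return {"findings": [reason for _, reason in findings], "uid0": uid0}


if __name__ == "__main__":
    print(demo())
```

Two design points: the PoC on the linked wiki overwrites bytes inside the file without changing its length, so a size comparison on its own (the check the FAQ below suggests for binaries) can miss the edit, which is why the hash is compared as well; and since the FAQ also notes that exploitation leaves nothing in the logs, a baseline like this stored off the host is one of the few signals a defender has after the fact. The baseline must not live on the same machine, because an attacker who already has root can rewrite it too.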

FAQ

What is the CVE-2016-5195?

CVE-2016-5195 is the official reference to this bug. CVE (Common Vulnerabilities and Exposures) is the Standard for Information Security Vulnerability Names maintained by MITRE.

Why is it called the Dirty COW bug?

“A race condition was found in the way the Linux kernel’s memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. An unprivileged local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system.” (RH)

What makes the Dirty COW bug unique?

In fact, all the boring normal bugs are _way_ more important, just because there’s a lot more of them. I don’t think some spectacular security hole should be glorified or cared about as being any more “special” than a random spectacular crash due to bad locking.

Anyone sharing or have details about the “in the wild exploit“?

An exploit using this technique has been found in the wild from an HTTP packet capture according to Phil Oester.

How do I use this document?

This FAQ provides answers to some of the most frequently asked questions regarding the Dirty COW vulnerability. This is a living document and will be updated regularly at https://dirtycow.ninja.

Am I affected by the bug?

Nope.

Can my antivirus detect or block this attack?

Although the attack can happen in different layers, antivirus signatures that detect Dirty COW could be developed. Due to the attack complexity, differentiating between legitimate use and attack cannot be done easily, but the attack may be detected by comparing the size of the binary against the size of the original binary. This implies that antivirus can be programmed to detect the attack but not to block it unless binaries are blocked altogether.

Is this an OpenSSL bug?

No.

Where can I find more information?

Red Hat. Debian. Ubuntu. SUSE.

How can Linux be fixed?

Even though the actual code fix may appear trivial, the Linux team is the expert in fixing it properly so the fixed version or newer should be used. If this is not possible software developers can recompile Linux with the fix applied.

How do I uninstall Linux?

Please follow these instructions.

Can I detect if someone has exploited this against me?

Exploitation of this bug does not leave any trace of anything abnormal happening to the logs.

Has this been exploited in the wild?

Maybe. Maybe not. We don’t know. Security community should deploy honeypots that entrap attackers and to alert about exploitation attempts.

Who found the Dirty COW vulnerability?

Phil Oester

What’s with the stupid (logo|website|twitter|github account)?

It would have been fantastic to eschew this ridiculousness, because we all make fun of branded vulnerabilities too, but this was not the right time to make that stand. So we created a website, an online shop, a twitter account, and used a logo that a professional designer created.

What can be done to prevent this from happening in future?

The security community, we included, must learn to find these inevitable human mistakes sooner. Please support the development effort of software you trust your privacy to. Donate money to the FreeBSD project.

Is there a bright side to all this?

For those service providers who are affected, this is a good opportunity to upgrade security strength of the systems used. A lot of software gets updates which otherwise would have not been urgent. Although this is painful for the security community, we can rest assured that infrastructure of the cyber criminals and their secrets have been exposed as well.

This article is from Yu1u Security Club; when reposting, please credit the source and include the corresponding link.

Permanent link to this article: https://www.yu1u.org/post/280.html
