 | ||
Dirty COW (Dirty copy-on-write) is a computer security vulnerability for the Linux kernel that affects all Linux-based operating systems including Android. It is a local privilege escalation bug that exploits a race condition in the implementation of the copy-on-write mechanism in the kernel's memory-management subsystem. The vulnerability was discovered by Phil Oester. Because of the race condition, with the right timing, a local attacker can exploit the copy-on-write mechanism to turn a read-only mapping of a file into a writable mapping. Although it is a local privilege escalation bug, remote attackers can use it in conjunction with other exploits that allow remote execution of non-privileged code to achieve remote root access on a computer. The attack itself does not leave traces in the system log.
Contents
The vulnerability has the CVE designation CVE-2016-5195. The Debian operating system distribution has announced that it has released a patch for the vulnerability. Dirty Cow was one of the first security issues transparently fixed in Ubuntu by the Canonical Live Patch service.
It has been demonstrated that the bug can be utilized to root any Android device up to Android version 7.
History
The bug has been lurking in the Linux kernel since version 2.6.22 released in September 2007, and there is information about been actively exploited at least since October 2016. The bug has been patched in Linux kernel versions 4.8.3, 4.7.9, 4.4.26 and newer.
Applications
The Dirty COW vulnerability has many perceived use cases including proven examples, such as obtaining root permissions in Android devices, as well as several speculated implementations. There are many binaries used in linux which are read-only, and can only be modified or written to by a user of higher permissions, such as the root. When privileges are escalated, whether by genuine or ingenuine means – such as by using the Dirty COW exploit – the user can modify, usually unmodifiable binaries and files. If a malicious individual could use the Dirty COW vulnerability to escalate their permissions, they could change a file, such as /bin/bash, so that it performs an additional, unexpected functions, such as a keylogger. When a standard user uses /bin/bash, they will not know that they are actually providing their passwords and activity to a malicious third-party.
Remedies and recourse
At the dawn of its discovery, anyone using a machine running Linux was susceptible to the exploit. The only perfect cure to this exploit is a patch or running a newer version which is not vulnerable anymore. Linus Torvalds committed a patch on 2016/10/18 acknowledging that it was an old bug he had attempted to fix eleven years ago. Some distributors provide patches, such as Canonical, who provide a live patch. In the absence of a patch, there are a few mitigation technologies including SystemTap, and very little security from SELinux or AppArmor. Antivirus software has the potential to detect elevated permissions attacks, but it cannot prevent the attack. When given the opportunity, the safest route is to upgrade the Linux kernel to the following versions: