"A race condition in mm/gup.c in the Linux kernel 2.x through 4.x before 4.8.3 allows local users to gain privileges by leveraging incorrect handling of a copy-on-write (COW) feature to write to a read-only memory mapping, as exploited in the wild in October 2016, aka "Dirty COW."" [1]
Any system using Linux kernel 2.x through to 4.x before 4.8.3.
The script included must be compiled and run on a vulnerable system in order to work. The system that I have used to execute this is Ubuntu 12.04 LTS. This guide assumes that you know how to set up a virtual machine; a VM is the safest place to test this exploit. Do not deploy a production system using a vulnerable version of Linux!
- VirtualBox or VMware.
- A vulnerable version of Linux. Download this (1.7GB) VM to avoid setting everything up; otherwise Ubuntu 12.04 will work fine.
- GCC compiler (install using `sudo apt-get install gcc`).
- Any file editor (gedit should already be installed).
- Administrator permissions (to create the initial root-owned file).
- Download the pre-packaged VM mentioned above.
- Double click on the `.ova` file to begin importing it into your preferred virtualization provider.
- Start the virtual machine and wait for it to boot.
- The VM should auto-login; if not, the password is `admin`.
From here, you should be working from inside the VM.
- Download or copy the contents of this script to a file.
- Ensure the file has the `.c` extension.
- In the terminal, navigate to the folder containing the script using `cd`.
- Compile the script with: `gcc -pthread dirtyc0w.c -o dirtyc0w`
- You will now have an executable file called `dirtyc0w`; we will use this later.
- Switch to root using `sudo su`.
- Create a file using `touch root_file`.
- Open the file with an editor, write anything to it, and remember to save.
- Leave the root shell using `exit`.
- Check that you cannot write to the file without `sudo`: `echo "this is a test" > root_file`
- Now execute the exploit by running the compiled binary, passing the file and the string you wish to write: `./dirtyc0w root_file "I should not be able to write here!"`
- Now check that the file has been written to: `cat root_file`
- You should see the string overwritten from the start of the file.
The best fix for a vulnerable system is simply to update to a newer version of the Linux kernel. This is not always possible, and in that case the fix has to arrive as a patch from the vendor. As for how the bug is patched, Linus Torvalds submitted a commit to fix the race condition, which is shown below:
Figure 1. Git commit showing the patched code. [2]
If the issue is not patched by the vendor, or you cannot upgrade to a newer version of the Linux kernel, the only option is to compile the version of Linux that you need with the fix applied manually. Building the Linux kernel is a whole job in itself, so we will not be demonstrating that here.
This fix remedied the original vulnerability, but it consequently introduced a different vulnerability, albeit not as dangerous as the first, called CVE-2017-1000405.
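As an added triage aid (not part of the original guide), the Python script below applies the affected range stated in the CVE text at the top of this page, 2.x through 4.x before 4.8.3, to a `uname -r` style release string. The sample release strings inside it are constructed for illustration. It is a version-only heuristic: longterm stable branches and distribution kernels received the fix as a backport without their version moving to 4.8.3, so a hit means "check the vendor advisory for this kernel build", not "confirmed vulnerable".

```python
#!/usr/bin/env python3
"""Triage helper: does a kernel release string fall inside the Dirty COW
(CVE-2016-5195) range quoted at the top of this page, i.e. 2.x through 4.x
before 4.8.3?

Added example, not part of the original guide. The strings in
SAMPLE_RELEASES are constructed for illustration, not captured from hosts.
"""
import platform
import re
from typing import Optional, Tuple

# First upstream release carrying the fix, per the CVE text quoted above.
FIXED_VERSION = (4, 8, 3)
AFFECTED_MAJORS = range(2, 5)  # 2.x, 3.x and 4.x

# Leading "major.minor[.patch]" of a `uname -r` string such as
# "3.13.0-32-generic" or "4.8.3-1-ARCH"; the distro suffix is ignored.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")

# Constructed sample strings (not captured from real hosts).
SAMPLE_RELEASES = [
    "2.6.32-42-generic",
    "3.13.0-32-generic",
    "4.8.2",
    "4.8.3-1-ARCH",
    "4.9.0-3-amd64",
    "5.4.0-80-generic",
    "not-a-version",
]


def parse_kernel_version(release: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from a `uname -r` string, or None if unparsable."""
    m = _VERSION_RE.match(release.strip())
    if m is None:
        return None
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return int(major), int(minor), int(patch)


def is_in_affected_range(release: str) -> Optional[bool]:
    """True if the upstream version is 2.x-4.x and older than 4.8.3.

    None when the string cannot be parsed. This is version-only, so True
    means "check the vendor advisory": stable branches and distro kernels
    received the fix as a backport without the version moving to 4.8.3.
    """
    version = parse_kernel_version(release)
    if version is None:
        return None
    if version[0] not in AFFECTED_MAJORS:
        return False
    return version < FIXED_VERSION


def describe(release: str) -> str:
    """One-line verdict for a release string."""
    verdict = is_in_affected_range(release)
    if verdict is None:
        return f"{release}: could not parse kernel version"
    if verdict:
        return (f"{release}: in affected range (2.x-4.x before 4.8.3); "
                "confirm against the vendor advisory")
    return f"{release}: outside affected range"


if __name__ == "__main__":
    for sample in SAMPLE_RELEASES:
        print(describe(sample))
    # Finally, the kernel this script is actually running on.
    print("this host ->", describe(platform.release()))
```

Run it as-is to see the verdict for each constructed sample and for the host kernel; on the Ubuntu 12.04 VM used in this guide the host line is the one that matters, and a hit there should be followed by a look at Ubuntu's advisory for that exact kernel package rather than taken as final.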