<p dir="ltr">The particular POC we examined required the ability to read a setuid binary (normally 4755 permissions, so allowed), write to the disk (/tmp would do), and the ability to execute non-privileged system calls (madvise, open, mmap, etc.).</p>
<p dir="ltr">The POC wrote arbitrary code to a file system cache page (normally mapped R/O, copy on write, into a process). Instead of being COW, due to a race condition, the cache page itself was overwritten. Now when the polluted cache page belonging to the setuid binary is run, it runs the attacker-provided code... with the elevated privileges.</p>
<p dir="ltr">There are probably other ways to take advantage of the vulnerability, so don't believe that restricting any or all of the above forms a defense.</p>
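<p dir="ltr">As an added illustration (not code from this thread), the C program below exercises the normal copy-on-write contract the message above describes: it opens a file read-only, writes into a MAP_PRIVATE mapping of it, and then checks that an independent read of the file still returns the original bytes, which is exactly the property a Dirty COW race violates. The path /tmp/cow_demo.bin and the function name cow_write_stays_private are my own choices, not anything from the thread.</p>

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Normal COW contract: a process may write into a MAP_PRIVATE mapping of a
 * read-only file, but the write must land in a private copy and never in the
 * shared page-cache page. Returns 1 if a second reader still sees the original
 * content, 0 on any failure or if the write leaked out of the private copy. */
int cow_write_stays_private(const char *path)
{
    const char original[] = "ORIGINAL CONTENT";   /* constructed sample data */
    const char poison[]   = "ATTACKER CONTENT";   /* constructed sample data */
    int fd = open(path, O_RDWR | O_CREAT | O_TRUNC, 0644);
    if (fd < 0) return 0;
    if (write(fd, original, sizeof original) != (ssize_t)sizeof original) { close(fd); return 0; }
    close(fd);

    /* Re-open read-only, the way an unprivileged user can open a setuid binary. */
    fd = open(path, O_RDONLY);
    if (fd < 0) return 0;
    char *map = mmap(NULL, 4096, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
    if (map == MAP_FAILED) { close(fd); return 0; }

    /* Writing here is legal: the kernel must hand this process a private copy. */
    memcpy(map, poison, sizeof poison);
    int private_sees_poison = memcmp(map, poison, sizeof poison) == 0;
    munmap(map, 4096);

    /* An independent read goes through the page cache; it must still be pristine. */
    char buf[sizeof original];
    if (pread(fd, buf, sizeof buf, 0) != (ssize_t)sizeof buf) { close(fd); return 0; }
    close(fd);
    int file_unchanged = memcmp(buf, original, sizeof original) == 0;

    unlink(path);
    return private_sees_poison && file_unchanged;
}

int main(void)
{
    int ok = cow_write_stays_private("/tmp/cow_demo.bin");
    printf("copy-on-write honoured: %s\n", ok ? "yes" : "NO");
    return ok ? 0 : 1;
}
```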
<div class="gmail_extra"><br><div class="gmail_quote">On Oct 21, 2016 4:56 PM, "Alex Fraser" <<a href="mailto:beatnic@comcast.net">beatnic@comcast.net</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<font size="+1"><font face="Comic Sans MS">That sounds like a cover
story. Could this exploit be used to gain access to Linux
servers running Apache?<br>
<br>
BTW a DDOS attack made the news at noon on WUSA (old channel
9). They said it was large and affected the East Coast of the United
Snakes.<br>
<br>
<br>
RICHARD BARTH wrote on 10/21/2016 5:57 PM:
<blockquote type="cite">
<p><span style="color:rgb(51,51,51);font-family:helvetica,arial,sans-serif;font-size:12pt;background-color:transparent">According to one review I read, it was discovered some years ago and a fix prepared.</span></p>
<p><span style="color:rgb(51,51,51);font-family:helvetica,arial,sans-serif;font-size:12pt;background-color:transparent">It was dropped, though, because the fix caused problems with one of the IBM machines the software was commonly run on, and the bug wasn't considered to be a big one at the time.</span></p>
<p><span style="color:rgb(51,51,51);font-family:helvetica,arial,sans-serif;font-size:12pt;background-color:transparent">Dick</span></p>
<blockquote type="cite">On October 21, 2016 at 5:46 PM Jason
Wright <a class="m_1438062152134849848moz-txt-link-rfc2396E" href="mailto:jason@thought.net" target="_blank"><jason@thought.net></a> wrote:<br>
<br>
<p>A friend and I spent some time looking at a proof-of-concept
exploit of this vulnerability this afternoon.
Nasty... Essentially it provides a pivot from unprivileged
user to root by allowing the corruption of a cached page
that is supposed to be read only (copy on write). It's
pretty clever and, because it doesn't corrupt the file on
disk, not easily traceable.</p>
<p>--Jason Wright</p>
<div class="m_1438062152134849848ox-522fb6bcfb-gmail_extra"><br>
<div class="m_1438062152134849848ox-522fb6bcfb-gmail_quote">On Oct 21, 2016
2:20 PM, "RICHARD BARTH" <<a href="mailto:w3hwn@comcast.net" target="_blank">w3hwn@comcast.net</a>>
wrote:<br>
<blockquote>
<div>
<p><br>
</p>
<blockquote type="cite">---------- Original Message
----------<br>
From: US-CERT <<a href="mailto:US-CERT@ncas.us-cert.gov" target="_blank">US-CERT@ncas.us-cert.gov</a>><br>
To: <a href="mailto:w3hwn@arrl.net" target="_blank">w3hwn@arrl.net</a><br>
Date: October 21, 2016 at 2:20 PM<br>
Subject: Linux Kernel Vulnerability<br>
<br>
<table style="border-collapse:collapse" class="m_1438062152134849848ox-522fb6bcfb-m_2238678406295053627mce-item-table m_1438062152134849848mce-item-table" align="center" border="0" cellpadding="0" cellspacing="0" width="700">
<tbody>
<tr>
<td style="padding:0px">
<p><img src="cid:part4.01020305.00050807@comcast.net" alt="U.S. Department of Homeland
Security US-CERT" style="width:700px;height:100px" height="100" width="700"></p>
<p>National Cyber Awareness System:</p>
<div class="m_1438062152134849848ox-522fb6bcfb-m_2238678406295053627ox-b484f92f20-rss_item" style="margin-bottom:2em">
<div class="m_1438062152134849848ox-522fb6bcfb-m_2238678406295053627ox-b484f92f20-rss_title" style="font-weight:bold;font-size:120%;margin:0 0 0.3em;padding:0"><a href="https://www.us-cert.gov/ncas/current-activity/2016/10/21/Linux-Kernel-Vulnerability" target="_blank">Linux Kernel
Vulnerability</a></div>
<div class="m_1438062152134849848ox-522fb6bcfb-m_2238678406295053627ox-b484f92f20-rss_pub_date" style="font-size:90%;font-style:italic;color:#666666;margin:0 0 0.3em;padding:0">10/21/2016 12:50
PM EDT</div>
<br>
<div class="m_1438062152134849848ox-522fb6bcfb-m_2238678406295053627ox-b484f92f20-rss_description" style="margin:0 0 0.3em;padding:0">Original
release date: October 21, 2016<br>
<p>US-CERT is aware of a Linux kernel
vulnerability known as Dirty COW
(CVE-2016-5195). Exploitation of
this vulnerability may allow an
attacker to take control of an
affected system.</p>
<p>US-CERT recommends that users and
administrators review the <a href="https://access.redhat.com/security/cve/cve-2016-5195" target="_blank">Red Hat CVE
Database</a>, the <a href="http://people.canonical.com/%7Eubuntu-security/cve/2016/CVE-2016-5195.html" target="_blank">Canonical Ubuntu
CVE Tracker</a>, and <a href="https://www.kb.cert.org/vuls/id/243144" target="_blank">CERT Vulnerability
Note VU#243144</a> for additional
details, and refer to their Linux or
Unix-based OS vendors for
appropriate patches.</p>
</div>
</div>
</td>
</tr>
</tbody>
</table>
</blockquote>
</div>
<br>
______________________________<wbr>_________________<br>
Tacos mailing list<br>
<a href="mailto:Tacos@amrad.org" target="_blank">Tacos@amrad.org</a><br>
<a href="https://lists.amrad.org/mailman/listinfo/tacos" target="_blank">https://lists.amrad.org/mailman/listinfo/tacos</a><br>
<br>
</blockquote>
</div>
</div>
</blockquote>
</blockquote>
<br>
<br>
</font></font>
<pre class="m_1438062152134849848moz-signature" cols="72">--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<wbr>~~~~~~~~~~~~~~~~~~
No electrons were harmed in the creation of this message
------------------------------<wbr>--------------------------
~~~******************* Alex Fraser *******************~~~
------------------------------<wbr>--------------------------
[[[[[[~~^^^#___=>>>```/\/\**O*<wbr>*/\/\```<<<=___#^^^~~]]]]]]
</pre>
</div>
<br></blockquote></div></div>