
Privesc With DirtyCow Exploitation

· 2 min read
Ryan Achmad
soc & sysadmin

DirtyCOW Privilege Escalation (CVE-2016-5195)

DirtyCOW is a privilege escalation vulnerability found in Linux kernel 2.6.22 < 3.9. It allows an unprivileged user to overwrite files that should be writable only by root, including /etc/passwd, and thereby gain root access to the system.

📌 How Does This Exploit Work?

This exploit uses DirtyCOW's ptrace_pokedata ("pokemon") method to overwrite the root entry in /etc/passwd. The process works as follows:

  1. Creates a backup of /etc/passwd at /tmp/passwd.bak.
  2. Overwrites the root entry with a new one that allows login without a password.
  3. Runs the exploit to gain root access.
  4. After use, restores the original /etc/passwd file.
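The steps above leave artefacts a defender can look for: a uid-0 entry whose password field is no longer the shadowed "x" (empty, or carrying a hash directly), a uid-0 account that is not root, and the backup copy at /tmp/passwd.bak. The following Python script is an added example written for this page, not code from the original post or from the exploit; it audits a passwd image for exactly those conditions. It assumes the normal layout where the root line reads "root:x:0:0:..." with the hash kept in /etc/shadow, and the sample images at the bottom are constructed, not captured from a real host.

```python
"""Added example (not part of the original post): audit an /etc/passwd image for the
artefacts the passwd-overwrite method described above leaves behind.

Assumptions: the root line is expected to read "root:x:0:0:..." with the hash in
/etc/shadow; the backup path /tmp/passwd.bak is the one the post names."""
from pathlib import Path

# Password-field values that mean "no hash stored here" (shadowed or locked account).
SHADOWED = {"x", "*", "!", "!!"}


def parse_passwd(text):
    """Split passwd text into dicts; malformed lines are kept and flagged, not dropped."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            entries.append({"line": lineno, "malformed": True, "raw": line})
            continue
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append({"line": lineno, "malformed": False, "name": name,
                        "pw": pw, "uid": int(uid), "shell": shell})
    return entries


def audit_passwd(text):
    """Return a list of human-readable findings for a passwd image (empty = clean)."""
    findings = []
    for e in parse_passwd(text):
        tag = f"line {e['line']}"
        if e["malformed"]:
            findings.append(f"{tag}: malformed entry {e['raw']!r}")
            continue
        if e["uid"] != 0:
            continue
        # Everything below concerns uid-0 (root-equivalent) accounts only.
        if e["name"] != "root":
            findings.append(f"{tag}: extra uid-0 account {e['name']!r}")
        if e["pw"] == "":
            findings.append(f"{tag}: uid-0 account {e['name']!r} has an empty password "
                            "field (passwordless login)")
        elif e["pw"] not in SHADOWED:
            findings.append(f"{tag}: uid-0 account {e['name']!r} carries a hash directly "
                            "in passwd instead of /etc/shadow")
    return findings


def audit_host(passwd_path="/etc/passwd", backup_path="/tmp/passwd.bak"):
    """Audit the live host: passwd content plus the backup file the exploit leaves in /tmp."""
    findings = audit_passwd(Path(passwd_path).read_text())
    if Path(backup_path).exists():
        findings.append(f"{backup_path} exists: backup copy consistent with the "
                        "passwd-overwrite method")
    return findings


# Constructed sample images (not captured from a real system).
SAMPLE_CLEAN = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""

SAMPLE_TAMPERED = """root::0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
svc:$6$CONSTRUCTED$notarealhash:0:0:svc:/root:/bin/bash
"""

if __name__ == "__main__":
    for label, image in (("clean", SAMPLE_CLEAN), ("tampered", SAMPLE_TAMPERED)):
        print(f"[{label}]")
        for finding in audit_passwd(image) or ["no findings"]:
            print("  " + finding)
```

Run `audit_host()` from a privileged cron job or your existing file-integrity tooling; the point of reading the password field rather than hashing the whole file is that a legitimate useradd also changes the hash, whereas a uid-0 entry with no "x" is never expected.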

🔧 How to Use This Exploit

โš ๏ธ WARNING:
Using this exploit without authorization may be illegal. Ensure that you only use it in a testing environment or with explicit permission.

  1. Compile the exploit:

    gcc -pthread dirty.c -o dirty -lcrypt
  2. Run the exploit with a new password:

    ./dirty

    or

    ./dirty my-new-password
  3. Don't forget to restore /etc/passwd after execution.

    mv /tmp/passwd.bak /etc/passwd

๐Ÿ” About CVE-2016-5195โ€‹

CVE-2016-5195 is a vulnerability in the Linux memory subsystem related to copy-on-write (COW). This bug allows an unprivileged process to write to read-only memory mappings, effectively escalating its privileges.

Why is it called DirtyCOW?
Because the bug exploits a copy-on-write (COW) race condition, allowing memory modifications without proper permission checks.

Who discovered this bug?
It was discovered by Phil Oester, who detected the exploit in the wild through an intercepted HTTP packet.

🔒 Is My System Vulnerable?

  • If your system is running an unpatched kernel (before October 2016), it is likely still vulnerable.
  • Best solution: Update your Linux kernel to a patched version.
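A first pass at the question above can be automated from the kernel release string. The Python script below is an added example for this page, not code from the original post. It assumes, from the kernel.org stable releases of October 2016, that the fix first shipped in 4.8.3, 4.7.9 and 4.4.26 and is present in every release from 4.9 on; the lower bound 2.6.22 is the one quoted in the post. Because distribution kernels (Ubuntu, Debian, Red Hat) backport the fix without changing the version number, the script never reports "vulnerable", only "check-advisory" for strings it cannot clear.

```python
"""Added example (not part of the original post): heuristic triage of a kernel release
string for CVE-2016-5195.

Assumptions: the upstream stable releases that first carried the fix are 4.8.3, 4.7.9
and 4.4.26 (kernel.org, October 2016), and every release from 4.9 on includes it.
Vendor kernels backport the fix without changing the version number, so a
"check-advisory" verdict must be confirmed against the distribution's advisory."""
import platform
import re

FIRST_AFFECTED = (2, 6, 22)            # lower bound quoted in the post
FIXED_SINCE = (4, 9, 0)                # every upstream release from here on is fixed
FIXED_IN_BRANCH = {                    # per-branch fix points (assumption, see above)
    (4, 8): (4, 8, 3),
    (4, 7): (4, 7, 9),
    (4, 4): (4, 4, 26),
}


def parse_release(release):
    """'4.4.0-45-generic' -> (4, 4, 0); vendor suffixes after the numbers are ignored."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised release string: {release!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def _dotted(v):
    return ".".join(str(x) for x in v)


def assess(release):
    """Return (verdict, reason). Verdicts: 'not-affected', 'fixed', 'check-advisory'."""
    v = parse_release(release)
    if v < FIRST_AFFECTED:
        return "not-affected", "predates the affected range"
    if v >= FIXED_SINCE:
        return "fixed", f"{_dotted(v)} is at or beyond {_dotted(FIXED_SINCE)}"
    fix = FIXED_IN_BRANCH.get(v[:2])
    if fix and v >= fix:
        return "fixed", f"branch fix point {_dotted(fix)} reached"
    return "check-advisory", ("version string is inside the affected range; a vendor "
                              "backport would not change it, so confirm with your "
                              "distribution's security advisory")


def assess_this_host():
    """Assess the kernel the script is running on (uname -r equivalent)."""
    return assess(platform.release())


if __name__ == "__main__":
    verdict, why = assess_this_host()
    print(f"{platform.release()}: {verdict} ({why})")
```

On a fleet, feed the output of `uname -r` from each host into `assess()` and treat "check-advisory" as a work item to resolve against the package changelog, not as a finding in itself.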

๐Ÿ› ๏ธ How to Fix Itโ€‹

  • Update the Linux kernel using your distribution's package manager (Ubuntu, Debian, Red Hat, etc.).
  • If updating is not possible, apply available hotfix patches for temporary mitigation.

📚 References & More Information