
The new Dirty COW Linux Kernel Exploit already used in attacks in the wild

Experts disclosed a new Linux kernel vulnerability dubbed Dirty COW that could be exploited by an unprivileged local attacker to escalate privileges.

The security expert Phil Oester discovered a new flaw in the Linux kernel, dubbed ‘Dirty COW’, that could be exploited by a local attacker to escalate privileges.

The name “Dirty COW” comes from the fact that the flaw is triggered by a race condition in the way the Linux kernel’s memory subsystem handles copy-on-write (COW) breakage of private read-only memory mappings.

According to the security advisory published by Red Hat, the vulnerability, tracked as CVE-2016-5195, allows local attackers to modify existing setuid files.

“A race condition was found in the way the Linux kernel’s memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. An unprivileged local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system,” states the Red Hat security advisory.

“This could be abused by an attacker to modify existing setuid files with instructions to elevate privileges. An exploit using this technique has been found in the wild.”

Red Hat also confirmed that attackers are using an exploit that leverages Dirty COW in the wild.

The good news is that a solution to the issue is already available and Linux distributions have started releasing updates.

There is also a curious aspect of Dirty COW: the researchers who discovered it launched a sort of marketing operation around the issue, creating a website, a logo and a Twitter account. They are also running a shop that sells “Dirty COW” mugs and t-shirts.

Let me close with one of the questions in the FAQ section of the website:

Can my antivirus detect or block this attack?

“Although the attack can happen in different layers, antivirus signatures that detect Dirty COW could be developed. Due to the attack complexity, differentiating between legitimate use and attack cannot be done easily, but the attack may be detected by comparing the size of the binary against the size of the original binary. This implies that antivirus can be programmed to detect the attack but not to block it unless binaries are blocked altogether.”
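The FAQ answer above suggests comparing a binary against its original. The following added example (not from the article or the researchers' website) takes a baseline of setuid/setgid files and reports later changes; it goes beyond the size check by also recording a SHA-256 digest, so a modification that leaves the size unchanged is still flagged. The function names and the default `/usr/bin` root are assumptions made for illustration.

```python
import hashlib
import os
import stat


def snapshot_setuid(root):
    """Map each setuid/setgid regular file under root to (size, sha256)."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
                if not stat.S_ISREG(st.st_mode):
                    continue  # skip symlinks, devices, sockets
                if not st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                    continue  # only privileged-on-exec binaries matter here
                with open(path, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
            except OSError:
                continue  # unreadable or vanished file: skip it
            baseline[path] = (st.st_size, digest)
    return baseline


def compare(baseline, current):
    """Return sorted (path, reason) findings between two snapshots."""
    findings = []
    for path, (size, digest) in baseline.items():
        if path not in current:
            findings.append((path, "missing"))
        elif current[path][0] != size:
            findings.append((path, "size changed"))
        elif current[path][1] != digest:
            findings.append((path, "content changed, same size"))
    for path in current.keys() - baseline.keys():
        findings.append((path, "new setuid/setgid file"))
    return sorted(findings)


if __name__ == "__main__":
    import json
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "/usr/bin"  # assumed default
    print(json.dumps(snapshot_setuid(root), indent=2))
```

The baseline is only meaningful if it is taken on a known-good system and stored where an attacker with local access cannot rewrite it.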

The researchers also published the exploit code on GitHub.


Pierluigi Paganini

(Security Affairs – Linux, hacking)


Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field, and he is a Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for US. Pierluigi is a member of "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. He is the author of the books "The Deep Dark Web" and "Digital Virtual Currency and Bitcoin".
