search

Kernel Exploits

Dirty Cow!

hashtag
Enumeration

Enumerate kernel version and google it:

uname -a

Or, transfer linux-exploit-suggester.sh to the victim machine and run it. If the keyword "dirtycow" is in the output, try it.

hashtag
Dirty Cow

LogoDirty COW (CVE-2016-5195)dirtycow.ninjachevron-right
Dirty Cow

Dirty Cow is the most commonly used kernel exploit in CTF-like. The downside is that a failed Dirty Cow attack may crash the victim machine. This will be really bad in a real-world pentest scenario.

circle-info

Quote from the original bug report:

A race condition was found in the way the Linux kernel's memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. An unprivileged, local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system.

Suppose we want to use exploit 40616 from Exploit-DB. On the victim machine, change to the /tmp directory:

download it:

Following the instruction, uncomment a payload, and compile it:

Execute the exploit:

Make the shell more stable:

hashtag
Cheat Code: Ubuntu 16.04 Privesc

circle-info

Many Linux machines are vulnerable to this kernel exploit, so I call it the "cheat code" in Linux privilege escalation.

This kernel exploit works smoothly for many boxes:

LogoLinux Kernel < 4.4.0-116 (Ubuntu 16.04.4) - Local Privilege EscalationExploit Databasechevron-right
Ubuntu 16.04 local privesc

hashtag
Mitigation

A successful privilege escalation through kernel exploits require the following 5 conditions:

  1. A vulnerable kernel

  2. A working exploit

  3. A way to transfer the exploit to the target

  4. A way to compile the exploit (optional since some exploits can be compiled on the attack machine)

  5. A way to execute the exploit

Condition 1 and 2 are hard to prevent, hence we should focus on condition 3, 4, and 5. The mitigation ideas are:

  • Prevent transferring the exploit

    • Do not allow users to use FTP, TFTP, SMB, SCP, wget, and curl

  • Remove compilation tools

    • Remove GCC, CC, and other development tools.

  • Prevent exploit execution

    • Mount directories such as /tmp and /home on a separete non-executable file system.

    • For existing executables, set chmod 700 <executable> if you don't want the user to execute it.

PreviousAutomated ToolsNextPasswords and File Permissions

Last updated