Kernel Exploits
Dirty Cow!
Enumeration
Enumerate kernel version and google it:
Or, transfer linux-exploit-suggester.sh to the victim machine and run it. If the keyword "dirtycow" is in the output, try it.
Dirty Cow
Dirty Cow is the most commonly used kernel exploit in CTF-like. The downside is that a failed Dirty Cow attack may crash the victim machine. This will be really bad in a real-world pentest scenario.
Quote from the original bug report:
A race condition was found in the way the Linux kernel's memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. An unprivileged, local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system.
Suppose we want to use exploit 40616 from Exploit-DB. On the victim machine, change to the /tmp directory:
download it:
Following the instruction, uncomment a payload, and compile it:
Execute the exploit:
Make the shell more stable:
Cheat Code: Ubuntu 16.04 Privesc
Many Linux machines are vulnerable to this kernel exploit, so I call it the "cheat code" in Linux privilege escalation.
This kernel exploit works smoothly for many boxes:
Mitigation
A successful privilege escalation through kernel exploits require the following 5 conditions:
A vulnerable kernel
A working exploit
A way to transfer the exploit to the target
A way to compile the exploit (optional since some exploits can be compiled on the attack machine)
A way to execute the exploit
Condition 1 and 2 are hard to prevent, hence we should focus on condition 3, 4, and 5. The mitigation ideas are:
Prevent transferring the exploit
Do not allow users to use FTP, TFTP, SMB, SCP, wget, and curl
Remove compilation tools
Remove GCC, CC, and other development tools.
Prevent exploit execution
Mount directories such as
/tmpand/homeon a separete non-executable file system.For existing executables, set
chmod 700 <executable>if you don't want the user to execute it.
Last updated