
Re: vulnerability in 8.6



Hi Salvatore, Ozgur,

You posted this url; https://www.debian.org/security/2016/dsa-3696

I've been looking into this exploit, and did what Ozgur found on
Github, and I learned that my system is vulnerable. I had a difference,
which is that dirtyc0w did overwrite the read-only 'foo' file, but it
hung, and it also did write up to the length of the original content of
that file. So my 'foo' was six bytes long and I attempted to overwrite
with a longer sequence, and it stopped. After seeing this had happened,
I started over with a new 'foo' file, and this time I attempted a
shorter byte sequence and it also hung. From what I've read, it doesn't
seem to hang.

I'm guessing that overwriting the sudoers file for example would make
the exploiter a rooted user on the exploited system..

But, I have looked for an update and I went to Debian package search and
searched for 'kernel image 686 pae'
[https://packages.debian.org/search?suite=stable&section=all&arch=any&searchon=names&keywords=kernel+image+686+pae]

This gave one result, which is; 'kernel-image-3.16.0-4-686-pae-di' and
written with that, 'Linux kernel binary image for the Debian installer
3.16.36-1+deb8u1: i386'

And I read that I need a '+deb8u2' kernel?

Can someone explain to me what to do next? I have the assumption that an
'apt-get install "name-of-required-kernel-package"' would be sufficient?

If not, can someone point me in the right direction on what to do,
because the link Salvatore posted, it says on that page; 

'For the stable distribution (jessie), these problems have been fixed in
version 3.16.36-1+deb8u2.

We recommend that you upgrade your linux packages.'

-- 
Richard Waterbeek <richardwbb@versatel.nl>



Salvatore Bonaccorso wrote on Mon 07-11-2016 at 17:09 [+0100]:
> Hi,
> 
> On Mon, Nov 07, 2016 at 06:54:55PM +0300, Ozgur wrote:
> > Hi all,
> > 
> > I have been reading security articles and I have seen a test with Debian Linux
> > vulnerability of kernel. I tested and got a successful exploit.
> > 
> > List a vuln:
> > 
> > https://github.com/dirtycow/dirtycow.github.io/wiki/PoCs
> > 
> > My testing:
> > 
> > dirtycow.c (status: success)
> > cowroot.c (status: success)
> > 
> > For example, I have installed Debian and the kernel version is as follows:
> > 
> > Linux 3.16.0-4-amd64 (Debian 8.6)
> > 
> > I created a "zoo" file with root privileges and locked a file:
> > 
> > # echo I'm a root > foo
> > # chmod 0404 foo
> > # ls -la foo
> > -r-----r-- 1 root root 11 Nov  7 10:13 foo
> > 
> > then I returned to my user (not root), downloaded the exploit script and
> > ran it:
> > 
> > $ gcc -pthread dirtyc0w.c -o dirtyc0w
> > $ ./dirtyc0w foo blabla
> > $ cat foo
> > blabla
> > 
> > what is the suggestion on this exploit?
> 
> Have you installed the Kernel update as per the security advisory
> DSA-3696-1? Which kernel image do you have installed, which kernel is
> running?
> 
>  [0] https://www.debian.org/security/2016/dsa-3696
> 
> Regards,
> Salvatore
> 


