Dirty COW (CVE-2016–5195): a 0-day local privilege escalation vulnerability in the Linux kernel…
Any user can become root in less than 5 seconds!
Exploitation of this bug does not leave any trace of anything abnormal happening to the logs.
So you can not detect if someone has exploited this against your server.
From official page:
A race condition was found in the way the Linux kernel’s memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings.
- An unprivileged local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system.
- This flaw allows an attacker with a local system account to modify on-disk binaries, bypassing the standard permission mechanisms that would prevent modification without an appropriate permission set.
How to determine if your system is vulnerable
For RHEL/CentOS Linux, use the following script:
$ wget https://access.redhat.com/sites/default/files/rh-cve-2016-5195_1.sh
$ bash rh-cve-2016-5195_1.sh
For all other distro you can try the POC, that rewrites a file owned by root:
Run it first as root:
$ sudo -s
# echo this is not a test > foo
Then run this as normal user:
$ gcc -lpthread dirtyc0w.c -o dirtyc0w
$ ./dirtyc0w foo m00000000000000000
$ cat foo
How to fix?
Simply update your linux distribution! 🙂
$ sudo yum update
$ sudo reboot
sudo apt-get update && sudo apt-get upgrade && sudo apt-get dist-upgrade