Posts: 80
Rademes
Joined: 26 Dec 2016
#1
I am sure you have heard about the DirtyCOW (https://en.wikipedia.org/wiki/Dirty_COW) vulnerability, which allows one to obtain root privileges in 5 seconds.
So I wonder why this critical vulnerability still has not been fixed in antiX-16?
After a full update, I was able to get root privileges today using this vulnerability!

https://files.inbox.lv/ticket/5b3c91dcb300cb8d3216d5f74d52a65de5eb88f2/DirtyCOW_Vulnerability.mp4

https://files.inbox.lv/ticket/f54054ef86f1cd9cfbc43b635fee32285db4edc1/DirtyCOW_Vulnerability_2.mp4

This vulnerability has been actively exploited at least since October 2016, so I think it should be fixed as soon as possible!

https://arstechnica.com/security/2016/10/most-serious-linux-privilege-escalation-bug-ever-is-under-active-exploit/
Last edited by Rademes on 03 Feb 2017, 16:20, edited 2 times in total.
anticapitalista
Posts: 5,955
Site Admin
Joined: 11 Sep 2007
#2
IT HAS BEEN FIXED! MONTHS AGO!

post48785.html?hilit=dirty%20cow#p48785
Posts: 80
Rademes
Joined: 26 Dec 2016
#3
If it has been fixed, then how could I exploit it and get root privileges, as shown in my videos?
The exploit has changed my /etc/passwd file without root access rights, and now I can become root at any time by entering the password "dirtyCowFun", despite the fact that the root account is locked on my PC.

https://files.inbox.lv/ticket/f68438b05434ffef7a2310feff8e9301e2e7d7c7/passwd
anticapitalista
Posts: 5,955
Site Admin
Joined: 11 Sep 2007
#4
Did you upgrade the kernel?
Posts: 521
Shay
Joined: 20 Apr 2015
#5
post the output of

Code:
inxi -F
Posts: 80
Rademes
Joined: 26 Dec 2016
#6
anticapitalista wrote: Did you upgrade the kernel?
I perform sudo apt-get update && sudo apt-get dist-upgrade almost every day. Should the kernel upgrade be done another way in antiX?
My system info:
https://s19.postimg.org/8hkpej6pv/System_Information_1.png

And the exploit:
https://s19.postimg.org/ptl1zz077/Dirty_COW_exploit.png
anticapitalista
Posts: 5,955
Site Admin
Joined: 11 Sep 2007
#7
Give me the *exact* steps to see if I can reproduce it. Where did you get the CVE dirtycow code from?
Posts: 80
Rademes
Joined: 26 Dec 2016
#8
I got it from here:
https://github.com/gbonacini/CVE-2016-5195

I downloaded the ZIP archive, extracted it, then followed the included installation instructions:
1. Compile the program: make
2. Start the program:
./dcow
or
./dcow -s # Automatically open a root shell and restore the passwd file.
./dcow -s -n # Automatically open a root shell but doesn't restore the passwd file.
Online help:
./dcow -h

Very simple.

https://www.exploit-db.com/exploits/40847/
anticapitalista
Posts: 5,955
Site Admin
Joined: 11 Sep 2007
#9
It seems that the linux-image on antiX-16 for 64 bit version does not auto-upgrade with apt-get dist-upgrade.
So try this

apt-get install --reinstall linux-headers-4.4.10-antix.1-amd64-smp linux-image-4.4.10-antix.1-amd64-smp
Posts: 80
Rademes
Joined: 26 Dec 2016
#10
anticapitalista wrote: It seems that the linux-image on antiX-16 for 64 bit version does not auto-upgrade with apt-get dist-upgrade.
So try this

apt-get install --reinstall linux-headers-4.4.10-antix.1-amd64-smp linux-image-4.4.10-antix.1-amd64-smp
Yes, after the kernel upgrade this exploit does not work any more.

https://s19.postimg.org/99ryrh0ar/Exploit_Failed_1.png

https://s19.postimg.org/e9pezf5xf/Exploit_Failed_2.png

Still, kernel updates should be available using apt-get dist-upgrade, because it is critical for system security to have the most recent updated kernels.
Please make it possible to auto-upgrade kernels using apt-get dist-upgrade on 64 bit versions too.

P.S. I am very impressed how fast support is carried out here! Great job!
anticapitalista
Posts: 5,955
Site Admin
Joined: 11 Sep 2007
#11
Firstly thanks for posting the issue that I thought we had actually fixed back in early December.

It was actually fixed since the kernel in the repo that replaced the compromised one is actually there, but obviously there was some flaw with the new 64 bit kernel auto-upgrading. The headers auto-upgrade, but not the linux-image deb.
The 32 bit version has NO issue at all. Auto-upgrade via apt-get dist-upgrade works as it should.

All antiX-16.1 images are totally safe from this COW vulnerability.
Posts: 1,062
Dave
Joined: 20 Jan 2010
#12
So if all is good with the test program it will only show

Code:
:~/Downloads/CVE-2016-5195-master
$ ./dcow -s
Running ...
?

Never seems to go further than this on the system I tested it on... which I had upgraded the kernel on a while back after the exploit patching at the time.

EDIT: never mind, I was too impatient. I had thought it would be near instantaneous since it was said that the exploit took 5s; however, after over 5 minutes of running... it says failed
anticapitalista
Posts: 5,955
Site Admin
Joined: 11 Sep 2007
#13
I thought the same at first. A vulnerable kernel (the one shipped on the antiX-16 iso) gives a negative result very quickly. Positives you have to wait for!
Posts: 98
ile
Joined: 29 Jan 2016
#14
hello Rademes
thank you for raising the kernel issue of antiX16.
Machine here is on the sid repository. Following the apt-get instructions to --reinstall the 4.4.10 kernel packages is not available, with the message "Could not download". Having picked an alternate kernel, I must now ask this question: is this 4.9.6-antix-sid.1-amd64-smp suitably beyond the vulnerability? Is a machine running antiX16 after dist-upgrade and a switch to this 4.9 kernel healthy and safe?

Code:
System:    Host: tubb Kernel: 4.9.6-antix-sid.1-amd64-smp x86_64 (64 bit gcc: 6.3.0)
           Desktop: Fluxbox 1.3.5 dm: slim Distro: antiX-16_x64-full Berta Cáceres 26 June 2016
Machine:   Device: desktop Mobo: ASUSTeK model: P5L8L-SE v: Rev 1.xx BIOS: American Megatrends v: 0201 date: 10/09/2007
CPU:       Single core Intel Pentium 4 (-HT-) speed: 3399 MHz (max)
Graphics:  Card: Intel 82945G/GZ Integrated Graphics Controller bus-ID: 00:02.0 chip-ID: 8086:2772
           Display Server: X.Org 1.19.1 driver: intel Resolution: 1920x1080@60.00hz
           GLX Renderer: Mesa DRI Intel 945G GLX Version: 2.1 Mesa 13.0.4 Direct Rendering: Yes
Network:   Card: Realtek RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller
           driver: r8169 v: 2.3LK-NAPI port: e800 bus-ID: 02:00.0 chip-ID: 10ec:8168
Drives:    HDD Total Size: 164.7GB (4.6% used)
Repos:     Active apt sources in file: /etc/apt/sources.list.d/antix.list
           deb http://iso.mxrepo.com/antix/sid/ sid main nosystemd
           Active apt sources in file: /etc/apt/sources.list.d/debian.list
           deb http://ftp.us.debian.org/debian/ unstable main contrib non-free
Info:      Processes: 127 Uptime: 5 min Memory: 172.6/1995.6MB
           Init: SysVinit v: 2.88 runlevel: 5 default: 5 Gcc sys: 6.3.0 alt: 4.9
           Client: Shell (bash 4.4.111 running in python2) inxi: 2.3.8 
Posts: 80
Rademes
Joined: 26 Dec 2016
#15
As I found, the easiest way to check whether you are vulnerable or not is to compile and execute this exploit example:
https://github.com/gbonacini/CVE-2016-5195

If you have a result like this (https://s19.postimg.org/ptl1zz077/Dirty_COW_exploit.png), then you are vulnerable.
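A defender-side check for the situation described in this thread, as an added example that is not from the thread or from the antiX project: posts #9 and #11 establish that apt-get dist-upgrade left the 64 bit linux-image package behind while the headers upgraded, and post #15 proposes running the exploit to find out whether a machine is affected. The script below instead asks apt whether the linux-image package belonging to the running kernel still lags its repository candidate, which is exactly the condition that left the antiX-16 64 bit systems exposed, and it compares the running kernel version against a floor. The embedded apt-cache policy output is constructed sample data; its "antix.2" candidate version is a placeholder, not a real antiX package version. The 4.4.10 floor is the antiX-16 kernel named in post #9, and as the thread shows, a version number alone proves nothing, because antiX shipped the fixed kernel under the same 4.4.10 name; the installed-versus-candidate comparison is the meaningful signal.

```shell
#!/bin/sh
# Added example (not from the thread or antiX): detect a linux-image package that
# apt-get dist-upgrade left behind, and compare the running kernel to a version floor.

# Strip a distro suffix: "4.4.10-antix.1-amd64-smp" -> "4.4.10"
kver_base() {
    printf '%s\n' "$1" | sed 's/[-+_].*$//'
}

# Return 0 when dotted version $1 >= $2, comparing numerically component by component.
kver_ge() {
    a=$(kver_base "$1")
    b=$(kver_base "$2")
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        x=${x:-0}; y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
    done
    return 0
}

# Read `apt-cache policy <pkg>` output on stdin; print "<installed> <candidate>".
policy_versions() {
    awk '/^ *Installed:/ {i=$2} /^ *Candidate:/ {c=$2} END {print i, c}'
}

# Return 0 when the package is installed but the repository offers a different version,
# i.e. the upgrade that dist-upgrade should have pulled is still pending.
upgrade_pending() {
    installed=$1; candidate=$2
    [ -n "$installed" ] && [ "$installed" != "(none)" ] && [ "$installed" != "$candidate" ]
}

# Live check: does the linux-image package for the running kernel lag the repository?
# Needs apt; returns 2 when apt knows no such package (e.g. a hand-built kernel).
check_running_kernel() {
    pkg="linux-image-$(uname -r)"
    set -- $(apt-cache policy "$pkg" 2>/dev/null | policy_versions)
    if [ -z "$2" ] || [ "$2" = "(none)" ]; then
        echo "unknown: apt has no candidate for $pkg"
        return 2
    fi
    if upgrade_pending "$1" "$2"; then
        echo "stale: $pkg installed=$1 candidate=$2 (dist-upgrade left it behind; install it explicitly)"
        return 1
    fi
    echo "ok: $pkg $1 is the newest version the repository offers"
}

# Constructed sample of apt-cache policy output; "antix.2" is a placeholder version.
SAMPLE_POLICY='linux-image-4.4.10-antix.1-amd64-smp:
  Installed: 4.4.10-antix.1
  Candidate: 4.4.10-antix.2
  Version table:'

demo() {
    set -- $(printf '%s\n' "$SAMPLE_POLICY" | policy_versions)
    if upgrade_pending "$1" "$2"; then
        echo "sample: upgrade pending (installed=$1 candidate=$2)"
    else
        echo "sample: package up to date"
    fi
    if kver_ge "$(uname -r)" 4.4.10; then
        echo "running kernel $(uname -r) is at or above the 4.4.10 floor (version alone does not prove the patch)"
    else
        echo "running kernel $(uname -r) is below the 4.4.10 floor"
    fi
}

demo
# Pass --live to query apt on this machine:  sh check_kernel.sh --live
if [ "${1:-}" = "--live" ]; then
    check_running_kernel
fi
```

Run it without arguments to see the constructed sample evaluated; run it with --live on an antiX box to query apt for the running kernel's package. A "stale" verdict means the repository holds a newer linux-image than the one installed, which is the state the 64 bit antiX-16 machines in this thread were in, and the fix is the explicit install from post #9. The version floor is only a sanity check: a kernel at or above 4.4.10 still needs the package comparison, since antiX delivered the patched build under the same release string.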