dirty-cow-exploit's Introduction

Dirtyc0w Exploit

What is it?

"A race condition in mm/gup.c in the Linux kernel 2.x through 4.x before 4.8.3 allows local users to gain privileges by leveraging incorrect handling of a copy-on-write (COW) feature to write to a read-only memory mapping, as exploited in the wild in October 2016, aka "Dirty COW."" [1]

What systems are affected?

Any system using Linux kernel 2.x through to 4.x before 4.8.3.
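
As an added example (not part of the original repository), the shell function below compares a `uname -r` style release string with the range quoted above. The name dirtycow_range_check and the sample strings are constructed. A kernel whose version is in range may still carry a vendor backport of the fix, so treat the result as a first filter rather than proof of exposure.

```shell
#!/bin/sh
# Added example (not from the original repository).
# dirtycow_range_check is a hypothetical helper name.
# Prints one of: in-range, out-of-range, unparsed.
dirtycow_range_check() {
    release=$1
    # Keep the leading dotted numeric part: "3.2.0-23-generic" -> "3.2.0".
    numeric=$(printf '%s\n' "$release" |
        sed -n 's/^\([0-9][0-9]*\(\.[0-9][0-9]*\)\{0,2\}\).*/\1/p')
    if [ -z "$numeric" ]; then
        echo unparsed
        return 0
    fi

    # Split on dots; a missing minor or patch component counts as 0.
    old_ifs=$IFS
    IFS=.
    set -- $numeric
    IFS=$old_ifs
    major=$1
    minor=${2:-0}
    patch=${3:-0}

    if [ "$major" -lt 2 ] || [ "$major" -gt 4 ]; then
        echo out-of-range          # 1.x, 5.x and later are outside the quoted range
    elif [ "$major" -lt 4 ]; then
        echo in-range              # all of 2.x and 3.x
    elif [ "$minor" -lt 8 ]; then
        echo in-range              # 4.0 through 4.7
    elif [ "$minor" -eq 8 ] && [ "$patch" -lt 3 ]; then
        echo in-range              # 4.8.0 through 4.8.2
    else
        echo out-of-range          # 4.8.3 and later
    fi
}

# Constructed sample release strings, followed by the running kernel.
for r in 3.2.0-23-generic 2.6.32-642.el6.x86_64 4.8.2 4.8.3 \
         4.10.0-28-generic "$(uname -r)"; do
    printf '%-28s %s\n' "$r" "$(dirtycow_range_check "$r")"
done
```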

Usage

The included script must be compiled and run on a vulnerable system in order to work. The system that I have used to execute this is Ubuntu 12.04 LTS. This guide assumes that you know how to set up a virtual machine. A virtual machine is the safest way to test this exploit; do not deploy a production system using a vulnerable version of Linux!

Requirements

  • VirtualBox or VMWare.
  • A vulnerable version of Linux. Download this (1.7GB) VM to avoid setting everything up; otherwise Ubuntu 12.04 will work fine.
  • GCC Compiler (Install using sudo apt-get install gcc)
  • Any file editor (gedit should already be installed)
  • Administrator permissions (to create initial root file)

Importing the VM

  1. Download the pre-packaged VM mentioned above.
  2. Double click on the .ova file to begin importing to your preferred virtualization provider.
  3. Start the Virtual Machine and wait for it to boot.
  4. The VM should log in automatically; if not, the password is admin.

Compiling the file

From here, you should be working from inside the VM.

  1. Download or copy the contents of this script to a file.
  2. Ensure the file has the .c extension.
  3. In the terminal, navigate to the folder in which the script is contained using cd.
  4. Compile the script using the following: gcc -pthread dirtyc0w.c -o dirtyc0w
  5. You will now have an executable file called dirtyc0w, which we will use later.

Executing the exploit

  1. Change to su using sudo su.
  2. Create a file using touch root_file.
  3. Open the file with an editor and write anything to it. Remember to save.
  4. Exit su using exit.
  5. Check that you cannot write to the file without sudo: echo "this is a test" > root_file
  6. Now execute the exploit by running the script and passing the file and the string you wish to write: ./dirtyc0w root_file "I should not be able to write here!"
  7. Now check that the file has been written to: cat root_file
  8. You should be able to see the string overwritten from the start of the file.

Patch

The best patch for a vulnerable system is to simply update to a newer version of the Linux kernel. Obviously this is not always possible, in which case you depend on patches applied by the vendor. As for how the bug is patched, Linus Torvalds submitted a commit in an attempt to fix the race condition, which is shown below:

[2] Figure 1. Git commit showing the patched code.

If the issue is not patched by the vendor, or you cannot upgrade to a newer version of the Linux kernel, the only option is to compile the version of Linux that you need, with the fix applied manually. Building the Linux kernel is a whole job in itself, so we will not be demonstrating that here.

This fix remedied the original vulnerability, but it consequently introduced a different vulnerability, albeit not as dangerous as the first, called CVE-2017-1000405.

dirty-cow-exploit's People

Contributors

caldonovan
