Full Report
Continuing to walk down the Linux kernel exploitation lane. This time around with an unanticipated topic: DirtyPipe, as it actually fits the series nicely as an example.
Analysis Summary
The input article focuses on comparing and explaining **CVE-2016-5195 (DirtyCow)** and introduces **CVE-2022-0847 (DirtyPipe)**, but it only briefly mentions DirtyPipe's existence without providing its full details, severity, or specific patch information. This summary therefore focuses primarily on the details available for **CVE-2016-5195**, the core topic of the provided text. Information regarding CVE-2022-0847 is summarized based *only* on what is present in the text provided.
# Vulnerability: Linux Kernel Copy-On-Write (COW) Race Condition (DirtyCow)
## CVE Details
- CVE ID: CVE-2016-5195 (DirtyCow)
- CVSS Score: Not explicitly provided in the text for CVE-2016-5195.
- CWE: Race Condition (related to memory subsystem/COW breakage)
## Affected Systems
- Products: Linux kernel (all systems running a kernel affected by this race condition).
- Versions: Systems running kernels where the fix detailed in commit `19be0eaffa3ac7d8eb6784ad9bdbc7d67ed8e619` was not applied (the bug existed for over a decade prior to disclosure).
- Configurations: Likely affects systems where memory management features scaled up, making a previously theoretical race condition triggerable.
## Vulnerability Description
CVE-2016-5195 (DirtyCow) was a race condition vulnerability in the Linux kernel's memory subsystem pertaining to the **copy-on-write (COW)** mechanism managing **private read-only memory mappings**.
The vulnerability allowed an attacker to potentially gain write access to read-only memory mappings. In the context of the provided Proof-of-Concept (PoC), this could be used to overwrite executable file contents in memory, which could then potentially lead to privilege escalation or arbitrary file modification if targeted correctly (e.g., modifying `/proc/self/mem` or a target file). The bug stemmed from an improperly fixed and later reactivated theoretical race condition that became practical due to increased system scalability.
The PoC uses two racing threads: one repeatedly triggers the race via `madvise(MADV_DONTNEED)`, and the other repeatedly attempts the write, often targeting `/proc/self/mem` (though this specific write vector was noted as not working out-of-the-box on RHEL 5/6).
## Exploitation
- Status: Implied high interest, with a "very detailed PoC" available and reference to an "in the wild exploit."
- Complexity: Medium (Requires setup with race conditions and specific system calls).
- Attack Vector: Local (Requires local access to execute the PoC).
## Impact (Inferred from description of COW flaw)
- Confidentiality: High (Potential unauthorized reading/modifying private memory).
- Integrity: High (Ability to modify potentially sensitive files or memory regions).
- Availability: Medium (Kernel panic possible during exploitation attempts, though likely not the primary goal).
## Remediation
### Patches
The relevant fix is detailed in the following kernel commit: `19be0eaffa3ac7d8eb6784ad9bdbc7d67ed8e619`.
*Note: No specific patched kernel versions were detailed in the source text, only the commit hash.*
### Workarounds
No specific workarounds were detailed in the source text.
## Detection
- Detection methods based on the provided text rely on identifying the execution of the race condition techniques used in the PoC (e.g., concurrent `madvise(MADV_DONTNEED)` and write operations against read-only mapped memory).
- Indicators of compromise (IOCs) would involve abnormal write patterns against memory segments or successful privilege escalation following the exploitation window.
## References
- Original PoC: `https://github.com/dirtycow/dirtycow.github.io/blob/master/dirtyc0w.c`
- Primary Kernel Fix: `https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=19be0eaffa3ac7d8eb6784ad9bdbc7d67ed8e619`
- Vendor Advisory Example: `https://access.redhat.com/security/vulnerabilities/2706661`
***
### Note on CVE-2022-0847 (DirtyPipe)
The article mentions CVE-2022-0847 (DirtyPipe) as a topic of discussion and notes it had a detailed PoC, but it provides **NO** specific technical details, severity scores, affected versions, or patch information for this CVE.