Explaining Dirty Cow - Computerphile

  • Published on 27 Oct 2016
  • Dirty Cow is a serious security flaw. Dr Steve Bagley takes us through the details.
    / computerphile
    / computer_phile
    This video was filmed and edited by Sean Riley.
    Computer Science at the University of Nottingham: bit.ly/nottscomputer
    Computerphile is a sister project to Brady Haran's Numberphile. More at www.bradyharan.com

Comments • 296

  • @LittleBungorf 7 years ago +27

    we just covered linux memory management in my os class yesterday. It's so neat having concrete examples of what you're learning, especially as timely as this is.

  • @CashewOCE 7 years ago +124

    I feel like the explanation about memory wasn't concise and well-explained. I didn't follow anything; could just be me though.

    • @FryGuy1013 7 years ago +32

      Unfortunately virtual memory is one of those things that isn't very easy to deeply understand without having to do it. It was like 4 hours of lecture at university for me before I understood it very well at all. You're probably not going to pick it up in a 10 minute video without any kind of background. And for those that know about virtual memory the video could be summarized by "a race condition in copy-on-write semantics let the user modify a page that the kernel wrote to disk" and was 8 minutes too long.

    • @gabydewilde 7 years ago +4

      Memory locations each have a number, like house numbers. A program has to read and write to remember things or to modify itself. Instead of multiple programs using [say] location 123 all but the first must be reassigned to a different part of memory. There the second program thinks it is using 123 but it is really using 1123. It's like the entire city thinks it lives on the same house number with only the post office knowing their real house number.
      The exception is when two programs are using exactly the same data without ever writing to it. Then they can share the same memory space. At least until one of them modifies it. That is where Copy On Write happens.

    • @Vernaleer 7 years ago

      ty

    • @gabydewilde 7 years ago +3

      swifterik Race condition is when 2 orders are given simultaneously that can't both be resolved.
      Say a store has 15 bottles of milk. Joe and Jim are sent to the store each with instructions to buy 13 bottles of milk. Now it's a race!
      One thread is telling the kernel to eat the cake while the other is telling it to put it in the fridge with a cherry on top.
      It simply gets confused and ends up doing things the user account didn't have privileges for.

    • @DustinRodriguez1_0 7 years ago +2

      swifterik Other OS do use Copy On Write, as it would be outrageously wasteful of memory to not do so. And other OS face the trouble of race conditions in various circumstances, but as far as I know others do not currently share this specific flaw. In other comments here someone posted a link to the code used to fix the issue in the Linux kernel, and it is likely that other OS already have such code present to guard against such race conditions or solve the problem in their own way.
      Many times race conditions are protected against by using things called 'mutexes'. 'Mutex' is just short for 'mutually exclusive' and is a way to guarantee that two blocks of code which have a danger of interfering can never execute at the same time. So if one program reaches a segment (it is normally restricted to cover only a few lines of code) and finds another program is already running code protected by the same mutex, it will just wait for its turn.
      I haven't seen others mention yet that the "dirty" part of "dirty CoW" is a common term used when talking about memory. A 'dirty' piece of memory means it has been changed but those changes have not taken effect everywhere they need to yet. For instance if you have some data on disk and in memory at the same time and you change the memory, it can get marked 'dirty' until the data on disk is also changed. This makes it so that other code can know there is an inconsistency.

  • @Epinardscaramel 7 years ago +149

    I don't understand bugs if they're not explained by Tom Scott.

  • @stale2665 7 years ago +12

    This is great news for everyone with an android phone that no longer gets updates.

  • @TeganBurns 7 years ago +7

    That is some dirty thread handling, especially for something so important!!

  • @DusteDdekay 7 years ago +1

    Nice explanation, I had to find the source after seeing the first on the subject. It is relevant to note that in order for the overwritten (compromised) file to actually execute the root shell, it needs to have the SUID bit set in its file-permissions. Overwriting any old file won't work, but programs such as passwd and sudo are targets because they need the SUID bit to actually work.

    • @stensoft 7 years ago +1

      You can overwrite /etc/passwd and put a password there. Or change sudoers so that you can run sudo. It's not limited to programs.

  • @WolfireGaming 7 years ago +19

    When I first heard of Dirty COW, I was /really/ hoping it had something to do with cowsay. I was very disappointed.

  • @rob2theworld 5 years ago

    I love this channel. Can you all do one on Threading and Coroutines.

  • @f4z0 7 years ago +22

    It would be awesome if you could explain how they fixed it since it looks like a design weakness more than a simple patchable bug.

    • @mjiii 7 years ago +23

      Here's the commit that fixes it git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=19be0eaffa3ac7d8eb6784ad9bdbc7d67ed8e619

    • @f4z0 7 years ago

      Andriamanitra Nice info, thx mate.

    • @mikosoft 7 years ago +3

      My wild guess - mutex

    • @RifqiPriyo 7 years ago

      +Andriamanitra Small changes, but can save the world.

    • @JonathanGray89 7 years ago +1

      A mutex would seem like a logical solution but that would be ignoring the intent of the original design (performance-wise, which matters in the kernel). Here's a little known secret: You don't need to lock threads in order to prevent race conditions.

  • @FishKungfu 7 years ago

    Thanks for the great explanation!

  • @kevincozens6837 7 years ago +2

    I always find it interesting to see the tractor feed paper that is used when explaining some of the topics discussed in Computerphile. I haven't used that type of paper in decades since I used to get printouts from an IBM 1403 line printer. I sometimes wonder how people find these exploits. Would the features of SELinux be able to prevent taking advantage? I'm thinking the right SELinux rules would restrict what programs/processes could touch the password file.

  • @apinakapinastorba 7 years ago +7

    8:27 For a moment I thought you said "use it to run a .NET", phew.

  • @Ghi102 7 years ago +40

    RIP all older android devices.

    • @St0ner1995 7 years ago +11

      and most new ones as well since it's the carrier that handles the software updates, and you know how slow they can be.

    • @giouCS 7 years ago +4

      The exploit does work in the latest version of Android 7.0

    • @ykl1277 7 years ago +3

      linux is security by obscurity.

    • @rich1051414 7 years ago +23

      Linux is open source you dumbass lol. That is the opposite of security by obscurity. You mean it doesn't have a lot of viruses due to a small user base, that is mostly true.

    • @fss1704 7 years ago

      well, kingroot works, doesn't it?

  • @Seegalgalguntijak 7 years ago +4

    These videos always start with "There's a new exploit been discovered for Linux", and that's just wrong, this exploit has been known for several years now!

  • @otakuribo 7 years ago +2

    The full explain! 😀👍

  • @0xbaadf00d 7 years ago +144

    Saw first ? Go here 1:13 : Go here 0:00;

    • @user-zz6fk8bc8u 7 years ago

      +

    • @GhostGuy764 7 years ago

      0xbaadf00d thanks

    • @comradestinger 7 years ago

      +

    • @Dolkarr 7 years ago +5

      - for using gotos

    • @YourMJK 7 years ago +11

      0xbaadf00d
      Error at line 1 character 25:
      Unexpected symbol ':'
      Expected ';'

  • @GLCL 7 years ago +3

    I like this guy.

  • @rarbiart 7 years ago +13

    i have a deja-vu!

  • @SinanAkkoyun 7 years ago +3

    Numberphile and Computerphile can't cut the audio right...

  • @mynameisforrest 7 years ago +3

    Nice upload!

    • @grey5528 7 years ago

      This is not a reupload.

    • @kauhanen44 7 years ago +3

      It is not reupload, yes. He said "upload", not "reupload".

    • @mynameisforrest 7 years ago

      correct :)

  • @ChrisWalshZX 7 years ago +1

    Surely the kernel would use a sync lock to stop allowing these two threads from doing this? If what you are describing is correct (and I'm sure it is) then similar cases of COW and writing to the same memory page would occur quite frequently in the normal running of the OS and cause corruption? Thanks for the video.

  • @b.hagedash7973 7 years ago

    Fascinating

  • @izimsi 7 years ago +1

    This one seems to have additional explanation, which was not present in the first upload.

  • @Winlith 7 years ago +1

    it's fixed in kernel versions 4.8.3, 4.7.9 and 4.4.26 LTS

  • @ninjafruitchilled 7 years ago +17

    I didn't really follow how writing to the memory page files lets you write to other files, like the root password file?

    • @gummansgubbe6225 7 years ago +3

      Sloppy programming? With no mutex? I agree, if my program wrote something to illegal memory it would crash. Why would the system write that back to disk? It was read only.

    • @ninjafruitchilled 7 years ago

      +Gummans Gubbe Well yeah exactly. I can see that maybe you can trick the os into writing your stuff to illegal memory via this copy-on-write race condition business, but I don't see how that connects back to overwriting read-only data on disk.

    • @Sokar6186 7 years ago +9

      ninjafruitchilled The file isn't read-only to the root user and copy-on-write happens in kernel mode which has the highest privileges.

    • @ninjafruitchilled 7 years ago +1

      +Sokar Sure, but what connects the memory to the actual file on disk? Why would reading the file into memory, then buggering around with the memory, result in the file on disk getting altered?

    • @EntropicNightmare 7 years ago +6

      Kernel data structures are what connects the memory to the file. Essentially, the kernel is keeping track of which memory is being used for what. It knows that particular page corresponds to a memory mapped file, and part of the copy-on-write procedure for memory mapped files is to write changes to disk.

  • @Diggnuts 7 years ago +5

    So don't go handing out shell users accounts?

  • @cjdana7119 7 years ago

    Do you think the DirtyCow exploit has anything to do with the Mirai Botnet?
    Considering both were discovered within a week of each other...
    *One hell of an exploit when paired together.*

  • @pufferisadev 1 year ago

    And now we have MDC (Mac Dirty Cow) exploit for iPhone !

  • @skel3370r 6 years ago +1

    Watching on a mac kept thinking I was getting emails lol

  • @cashelfitzgibbons6476 7 years ago +1

    I love how I find this video the day I upgrade to ubuntu.

    • @Prometheus720 7 years ago

      I just downloaded mint the other day. Dammit.

    • @radishpineapple74 7 years ago

      For your Mint install, just upgrade your kernel to 4.4.0.45, which is the patched version. You can do it in the Update Manager by clicking View and then Linux Kernels. Install it, reboot, and you're safe.

    • @Prometheus720 7 years ago +1

      BirdValiant
      You're a sweetie.

  • @yahahaa112 7 years ago +1

    that Aussie Floyd on your screen?

  • @ar_xiv 7 years ago +36

    stop getting emails while u make videos ur confusing my brain haha

    • @daanwilmer 7 years ago +6

      Or turn your phone off / on silent when you're shooting a video!

    • @ar_xiv 7 years ago +7

      I don't actually feel very strongly about this

    • @ThomasBomb45 7 years ago

      +

    • @rich1051414 7 years ago

      Meh, just use non-standard sounds. What bugs me even more is when someone gets a skype message in a video while watching from my computer. When the message is real, causes me to stop what I am doing, just to find out it is some person I don't care about's birthday, that is even more irritating.

    • @TanjoGalbi 7 years ago

      You can't control when emails are delivered to you so saying "stop getting emails while..." is foolish. You can control when you receive them by switching off the device/computer receiving them so you would have looked less of a fool by telling him to turn off his device or notifications while making the video :P

  • @black_platypus 7 years ago

    So the problem would not exist if those operations ran on the same thread. Right?

  • @gamehelp16 7 years ago

    At first I thought this was a reupload lol.

  • @gainzplz4028 7 years ago

    Oh dear.

  • @VSPG_SIVANI 7 years ago +2

    I think it's time you deleted the previous video...😐

  • @DzheiSilis 7 years ago

    Why do they have all that old paper?

  • @artifactingreality 7 years ago +1

    but what does it do to stop you writing the file if there isn't a race condition. what if you just map it in change it and map it out in one thread.

  • @olbluelips 7 years ago +1

    Recently started learning Rust, and I sure see by example here why you can't have multiple &mut s! Damn data race

  • @paxdriver 6 years ago

    Was this related to Meltdown?

  • @kaimonington 7 years ago

    When he changed the password to 'Lemonade' I was in shock - that is my password!

    • @fergochan 7 years ago +1

      "Lemonade" is approximately the 7592nd most common password.

    • @john_titor1 7 years ago +3

      You should get a new password.

    • @kaimonington 7 years ago

      it's just for my laptop, it's cool

  • @masonfuller9823 4 years ago

    "Install a trojan..." on Linux. Where would you find that?

  • @FarazKhan00 7 years ago +7

    why re upload

    • @Honzaik 7 years ago +10

      it's not a reupload

    • @93davve93 7 years ago +2

      idk, but this one is a few minutes longer.

    • @ficolas2 7 years ago +4

      it's not. Watch the video

    • @FarazKhan00 7 years ago +3

      yeah previous one was just a demo

  • @sleeptyper 7 years ago +1

    "Luckily i'm still running Windo...oh wait - a second time." Lol, appended repost.

  • @dos541 7 years ago

    At the end slate where Steve is jumbling his words or is that its own vid or just an added extra there is no annotation for it

    • @kackers 7 years ago +1

      it's outtakes, i assume

  • @TheNefari 7 years ago +2

    What is that sound at 3:07 also comes some time before

    • @cupcakearmy 7 years ago +3

      Yes.. I watched my phone twice 😂

    • @GuyMichaely 3 years ago

      Phone notification

  • @vizionthing 7 years ago

    Why did you upload this for a second time?

    • @SPACKlick 7 years ago +6

      It's not a reupload same start but more in this video.

    • @IAmEki 7 years ago +9

      It's a different video. This video explains it, the previous one just showed off what it could do.

    • @vizionthing 7 years ago

      ta

  • @gtcfktu 7 years ago

    The root permission doesn't stay persistently ... The kernel crashes after sometime rendering this kind of useless. Can someone please explain clearly what causes the kernel crash and not let it stay at root? [Ubuntu 16.04 LTS]

  • @DavidChipman 7 years ago +1

    What version of the kernel was this fixed in?

    • @Conenion 7 years ago +1

      3.10.104, 3.16.38, 4.4.26, 4.7.9, 4.8.3
      This is the fix, btw: git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=19be0eaffa3ac7d8eb6784ad9bdbc7d67ed8e619

    • @DavidChipman 7 years ago

      Conenion Thanks, just wondered where the bug was fixed.

  • @estebanzd9434 7 years ago

    Wait, so this is how some Rooting apps work on Android? You just need to have two su.bin files on /system/bin and /system/xbin for it to work (and have a super user too).
    I know it's different for Systemless root, but this is for the classical one.
    And yes, I know it's done by either manually installing a .zip through recovery or by ADB using a computer, but I'm talking about KingRoot as an example here.

    • @RudyBleeker 7 years ago +2

      Yes there are some rooting apps for Android now that make use of this method. I'm not sure which ones though, haven't looked into it. However normal Android apps are sandboxed, in which case it doesn't work. So you'd have to exploit a different method to break out of the app sandbox.
      Also this won't work anymore once the Android kernel gets updated. In that case you'd have to revert to a different method to root your phone. I'm fairly sure this will always remain possible since Android is based on Linux and you should always be able to gain root access to any Linux device you own, no matter how much Google tries to prevent this from happening.

  • @icemaiop 7 years ago +23

    This guy looks like his age is simultaneously everywhere between 13 and 70. And it makes me feel uncomfortable.

    • @calmarcalmar 6 years ago +1

      hehe now that you mention it ;)

  • @danielemessina1979 7 years ago +18

    guys you need to improve the clarity and quality of these videos, get some pictures done beforehand or get some decent paper, not folded, and get the camera on the other side where the hand is not in the way.

  • @code-dredd 7 years ago +4

    Great! Well done! :0!
    No code, though :c

    • @BGroothedde 7 years ago +1

      You can easily find the code online.

    • @code-dredd 7 years ago +1

      +Bas Groothedde
      I know. I even posted a link to it in the demo video, but if it was not self-evident yet, I meant that, unlike the heartbleed video, there was no basic code walkthrough here for most *other* people.

    • @BGroothedde 7 years ago

      ray I think it's obvious why they wouldn't share this code with a clear explanation or walkthrough. This exploit is painfully accessible

    • @code-dredd 7 years ago +1

      Bas Groothedde
      It's no more or less accessible than heartbleed was, and no more difficult for a script kiddie to re-use.
      The code walkthrough is simply an explanation of how the code does what it does. Its presence would not make it easier or more difficult to use the exploit, since the only thing you'd need to do is: *1)* already have access to a GNU/Linux system, and *2)* know how to use GCC from the terminal.
      I don't think having a code walk-through would somehow make things "worse" for anyone.

    • @BGroothedde 7 years ago

      ray i think it would, but I don't care about sharing an exploit. Sharing an exploit causes people to learn about it sooner and fix it sooner

  • @alfiewhitson7726 7 years ago

    Is it just me or was the audio slightly out of sync ?

  • @ThirdPer3on 7 years ago

    Love it! - "Well Firewalled" Hehe

  • @TheMagicToyChest 7 years ago +2

    Where can I get the cowroot binary?

    • @TheMagicToyChest 7 years ago

      Jez
      THANKS! I love a bit of mischief now and again... >:D

    • @TheMagicToyChest 7 years ago

      Jesse Talbot
      He gave me the source.

  • @aakksshhaayy 7 years ago

    So it's a memory exploit? What a surprise.

  • @rangeispow 7 years ago

    Someone showed me this exploit on IRC several months ago. Why is it only just going mainstream now?

    • @Kumaryoku 7 years ago

      Sam C I read that Debian patched it.

    • @tamisoft 7 years ago

      Worth noting that the kernel bug lifetime is at an average of about 5+ years :D outflux.net/blog/archives/2016/10/20/cve-2016-5195/

    • @tamisoft 7 years ago

      agreed, but closed source OSes I could think of have aggressive updates. unlike phone, routers, security cameras, iot device FWs where it is almost always a release and forget (can't blame them, got their money already, investors are satisfied, customers come second). so I assume that the fallout is smaller in case of the closed source, because eventually most devices will get patched.

  • @MexieMex 7 years ago

    It's a *VERY* old bug, surprised it's taken this long to be exploited then fixed.

    • @stensoft 7 years ago +1

      It requires to use indirect access to your programme's memory and that is not something you would usually search for when trying to find vulnerabilities.

  • @EvilFranky 7 years ago

    So does this only affect systems with swap enabled?

    • @FreeScience 7 years ago +5

      No, memory-mapping files is always available.

  • @Illasera 7 years ago

    nitpicking , a page size is not always 4kb

  • @Eo_Tunun 7 years ago +1

    Is "sudo swapoff" as stop gap until there are patches available?

    • @NikiDaDude 7 years ago +2

      I knew not using a swap partition would pay off one day!

    • @Pangaway 7 years ago +1

      No, from the video it sounds like it's memory mapped files, a somewhat related but separate concept which I'm pretty confident you cannot disable. Linux uses mmap to load shared libraries into memory, for example.
      see: wikipedia.org/wiki/Memory-mapped_file

    • @velocityra 7 years ago

      What I don't understand is how you'd use that to write to an _arbitrary_ file, would you simply load it in memory before executing the exploit?

    • @Pangaway 7 years ago +2

      Hopefully I won't spread any misinformation, but from my understanding from the video, it would have to be loaded in a specific way (mapped into memory using the mmap() function with the MAP_PRIVATE and PROT_WRITE flags set). You can map a read-only file into memory and write to that location in memory just fine, as long as you're not "writing through" to the file. You're writing on your personal copy of the data in memory, not the actual file, so you're not breaking permissions. This is the correct and intended behavior. The danger with this bug is that you can load something you only have permissions to read, but using the exploit you can cause the backing file to be written to, not just "in memory", thereby side-stepping the UNIX permissions model. But it would have to be a file you have READ access to, otherwise you couldn't map it in the first place.

    • @velocityra 7 years ago

      Pan gaway Thanks for the explanation! I have a better understanding of this now.
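
The intended MAP_PRIVATE behaviour that @Pangaway describes in the thread above, as an added example that is not part of the video or of any comment: a write through a private, writable mapping of a read-only file lands in the process's own copy of the page, while a shared writable mapping of the same descriptor is refused with EACCES. The temp file name, its contents and the function names are constructed for this demo; it assumes Linux and a writable /tmp.

```c
/* Added example (not from the video or the comments): what a MAP_PRIVATE
   mapping of a read-only file is supposed to do. File name and contents
   are constructed for this demo. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

#define ORIGINAL "original contents\n"
#define MODIFIED "MODIFIED"

/* Create a temp file holding ORIGINAL, set mode 0444, and return a
   descriptor opened O_RDONLY (or -1). The path is stored in path_out. */
static int make_readonly_file(char *path_out, size_t cap)
{
    size_t len = strlen(ORIGINAL);
    snprintf(path_out, cap, "/tmp/cow_demo_XXXXXX");
    int wfd = mkstemp(path_out);
    if (wfd < 0)
        return -1;
    if (write(wfd, ORIGINAL, len) != (ssize_t)len || fchmod(wfd, 0444) != 0) {
        close(wfd);
        unlink(path_out);
        return -1;
    }
    close(wfd);
    int fd = open(path_out, O_RDONLY);
    if (fd < 0)
        unlink(path_out);
    return fd;
}

/* Re-read the file with read(), i.e. through the shared page cache that
   every other process sees. Returns 1 if it still equals ORIGINAL. */
static int file_is_unchanged(const char *path)
{
    char buf[64] = {0};
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return 0;
    ssize_t n = read(fd, buf, sizeof buf - 1);
    close(fd);
    return n == (ssize_t)strlen(ORIGINAL) && memcmp(buf, ORIGINAL, (size_t)n) == 0;
}

/* Write through a private writable mapping. Returns 1 when the mapping
   shows the new bytes and the file does not, 0 otherwise, -1 on setup error. */
int private_write_stays_private(void)
{
    char path[64];
    int fd = make_readonly_file(path, sizeof path);
    if (fd < 0)
        return -1;
    size_t len = strlen(ORIGINAL);
    int ok = 0;
    char *p = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
    if (p != MAP_FAILED) {
        /* The first store faults; the kernel copies the page for us (COW). */
        memcpy(p, MODIFIED, strlen(MODIFIED));
        int view_changed = memcmp(p, MODIFIED, strlen(MODIFIED)) == 0;
        ok = view_changed && file_is_unchanged(path);
        munmap(p, len);
    }
    close(fd);
    unlink(path);
    return ok;
}

/* Ask for a shared writable mapping of the same read-only descriptor.
   Returns the errno of the refusal (EACCES expected), 0 if it was
   allowed, -1 on setup error. */
int shared_write_mapping_errno(void)
{
    char path[64];
    int fd = make_readonly_file(path, sizeof path);
    if (fd < 0)
        return -1;
    size_t len = strlen(ORIGINAL);
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    int err = (p == MAP_FAILED) ? errno : 0;
    if (p != MAP_FAILED)
        munmap(p, len);
    close(fd);
    unlink(path);
    return err;
}

int main(void)
{
    printf("private write stayed private: %d\n", private_write_stays_private());
    int err = shared_write_mapping_errno();
    printf("shared writable mapping of O_RDONLY fd: %s\n",
           err > 0 ? strerror(err) : "not refused");
    return 0;
}
```

The same two functions work as a regression check on any kernel: both invariants should hold whether or not the Dirty COW fix is present, because the bug was a race in the copy step and not a change to these rules.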

  • @saultube44 4 years ago

    So basically lack of coordination

  • @HowToDealWithLinux 7 years ago

    For those of you who think that this is still working:
    probably it is if you didn't upgrade in 2 weeks.
    I did a video on how to upgrade your kernel in debian based systems, go check it out.
    #totallynotspam

  • @EngAlperDemir 7 years ago

    Siri needs to shutup...

  • @gummansgubbe6225 7 years ago

    Update your system... I have something that works. My HWE is supported until April 2017 and you want me to upgrade?
    There is a reason I have almost no downtime.

    • @gummansgubbe6225 7 years ago

      SO what can happen? Change my root password? That will be detected, I then have to restore from backup. Naah. This is of course serious, and it will be addressed. I understand the 10 year wait as discussed in the first video.

    • @nnaaaaaa 7 years ago

      i wonder if this also means you can change set the suid flag on files (^:

    • @logicalfundy 7 years ago +1

      Many security issues aren't merely about the infected machine, or gaining access to the local user's information - they involve the entire ecosystem. Botnets are responsible for spam, spyware, fraud, DoS and DDoS attacks, etc.

  • @pvc988 7 years ago

    Looks like missing mutex or semaphore.

    • @Conenion 7 years ago

      No
      git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=19be0eaffa3ac7d8eb6784ad9bdbc7d67ed8e619

  • @gregzeng 7 years ago

    So much wrong in comments & video. See the official Linux Foundation correspondence on the topic, please.

  • @lopis 7 years ago +3

    You must stop using white board pens on paper. That sound is atrocious.

  • @CorpusOrganic 7 years ago

    i can't remember enough about android. would this work for android os? kinda sucks how to keep android os up to date you need to buy a new device. not for sure. i have only really used a smart phone for about 3 months now.

    • @FlyTechVideos 7 years ago +1

      +Death OfTime it does work on Android as well... still you could try a custom ROM

    • @CorpusOrganic 7 years ago

      FlyTech Videos
      i've heard of custom firmware for other hardware. I'd never heard of custom firmware for phones though.
      Is it a easy google? or is there a specific search string that will bring up better results?
      not even for sure where to check how secure my phone might be eve. kinda new to the whole smart phone stuff.

    • @nofacee94 7 years ago

      There are many different Operating Systems (OSs). Linux, Windows, Mac OSX, Android (for smartphones), OSX-for-iphones-etc., Windows Phone, Firefox OS etc. Each has different versions, or flavours, it depends on the OS. Each is compatible with different hardware. Browsers are software situated within an OS. We have many different browsers, such as Chrome, Firefox, Edge. These can have different versions for different OSs e.g. Chrome on Windows on a desktop computer is different from Chrome on a mobile device. The main OS for smartphones is Android. Some people have modified the core OS firmware, creating custom firmware.

    • @SaHaRaSquad 7 years ago +1

      +Death OfTime Just search for Custom Roms and you'll find some for most Android devices out there. Usually Cyanogenmod etc. offer more recent versions than the manufacturer.
      The installation process can be a bit complicated though. It depends on the device, some smartphones can be flashed very easily, some are even blocking this stuff.

    • @borissnoris 7 years ago

      Noface this is the most useless comment ive ever seen

  • @ericsbuds 7 years ago +1

    I'm making all my passwords 'lemonade' now :D:D

    • @osiris8645 7 years ago

      I couldn't get it, what was that meant to be, he said "Lemonade" but he wasn't typing anything just blank Enter or a Space whatever that was. I am not a Comp. Sci. geek so, can you tell me what is this "Lemonade" password?

    • @ericsbuds 7 years ago

      Tech&Math it was only a joke. he said something about using 'lemonade' as a password and I thought it was hilarious :D

    • @quaxk 7 years ago +1

      +Tech&Math it's a safety feature, when you type a password on a shell nothing shows up on screen

    • @osiris8645 7 years ago

      ok but what i'm really asking is that he said this "Lemonade" word two times, so I thought he actually mean something by that word which he might have supposed that Geeks will pick that out by themselves...

    • @ericsbuds 7 years ago

      Tech&Math I see what you mean. I don't think there is any special significance to the word.

  • @johng7410 7 years ago +3

    3:09
    Damn notifications stop paging me I'm watching youtube!

  • @StewartBroadcasting 7 years ago

    What vm software

  • @Aziraphale686 7 years ago

    Maybe mute your phone when recording a video 0.o

  • @froidesprit 7 years ago

    Even android?

  • @rudyardkipling7181 7 years ago

    I don't get it - why shouldn't I be able to access any files I want to on my machine?

    • @Rurexxx 7 years ago +5

      The point is this is not your machine. It allows you to get access to root shell when you only know the password for a user with limited permissions. At least that's what I understand from this.

    • @iunzera 7 years ago +1

      Why would you try to hack your own machine?
      If you are asking why normally users are not root users on a system that is because then you can make sure people don't change important things by mistake.

    • @rudyardkipling7181 7 years ago

      Jon Warghed
      Yes I realise that, but that hasn't been made clear in the video - if the machine in question is available to multiple users then clearly this is an IT administration issue.
      The point I am making is that this is clearly NOT an issue for the vast majority of Linux installations.
      The ASSUMPTION that it IS an issue is clearly one may erroneously make if one only has the limited outlook of a University academic.

    • @pvc988 7 years ago

      And also because you can mess them even by a mistake?

    • @jackaw1197 7 years ago +2

      It could potentially allow any malicious program to gain root without permission.
      Generally running a program with limited user permissions should be relatively safe, but this could allow any program to gain root permissions, allowing it to do virtually anything on the system, without prompts or warnings, and hide the fact that it did so.

  • @janbannisterdev6803 7 years ago

    Mac: touch test.txt
    Terminal
    :)

  • @TheGodEmperorOfMankind_ 7 years ago

    Aaand it's been patched.

  • @Edgewalker001 7 years ago

    So basically, would this be exploitable to give root privileges to an app run in Android?
    Because that seems like kind of a big deal these days... =p

    • @drearyplane8259 7 years ago

      Edgewalker001 Then I can delete Hangouts? Sign me up!

  • @Jamster9000 7 years ago

    shud rename the video 2 explaining ye mum XD

  • @faerryn8708 7 years ago

    Uh oh. Well, I will have to use a chroot jail to run untrusted programs from now on :(

    • @CoderBeast 7 years ago

      unless you update your os m8

    • @josephrissler9847 7 years ago +1

      Use a VM. Breaking out of a chroot is child's play.

    • @faerryn8708 7 years ago +1

      JK - I have a patched version of v4.8 - dirty cow won't hurt me.

  • @MervynSacala 3 years ago

    How to fix dirty cow not found? Cmd

  • @GreenHatPIrate 7 years ago

    What about android ?

  • @niklasschmidt9396 7 years ago

    How to root with me:
    1. Open command prompt
    2. Type in "sudo passwd root"
    Done.

  • @kopuz.co.uk. 7 years ago +2

    Windows > Linux

    • @Fireclaws10 7 years ago +1

      Kopuz people sell little USB dongles to hack into windows Linux is so much better as an OS

    • @kopuz.co.uk. 7 years ago +4

      Windows > Linux = Best bait to catch the autistics ;)~, of course my original statement is False.

    • @HowToDealWithLinux 7 years ago

      oh man, i was going to rage so bad on you, lol

    • @Schindlabua 7 years ago +3

      If Windows ever goes open source it will be patch-day every day for a couple of years, haha