Dirty COW – Security Risk or White Hat Delight?

Recently, a 9 year old bug has been discovered in the core of the Linux framework. Affecting every Linux PC and any device that runs off Linux based software (including Android phones), this root hole is about as wide spread as a Day Zero bug can be. But what is it and more importantly, what can be done with it? Here, we take a look at what Dirty COW is, the implications and a few applications, as well as potential bug patches.

What is Dirty COW?

Probably one of the most common questions as soon as this exploit was revealed was “What is Dirty COW? And why on earth is it called that?” Well, to answer one is to answer the other. Dirty COW is an exploit that plays with a core flaw in a race condition within the Linux Kernel Virtual-to-Physical memory subsystem to break down the security around the Copy-On-Write (hence, COW) and allow for root access. To make matters worse, nearly anyone who can access a network can use this exploit without any real evidence of anything abnormal happening.

Now that was a lot of technical jargon, so let’s break that down. First off, what is a race condition? Race conditions are used by a lot of computer programs to help make calculations or functions significantly faster, as well as allowing for multiple programs to access the same core files without causing issues (or in this case, access to memory). The primary method that race conditions allow for is more or less an ordered “turn” system, where steps can be completed by one program, then another thousands of times per second.

For Dirty COW, this race condition more or less hijacked by two simultaneous system threads. The first thread consistently tells the computer within the race condition that the memory being stored in the computer in specific areas is no longer in use, and the physical memory can be cleaned, writing the virtual memory back out to the main disk. In the subsequent thread, the newly freed memory slot is ascertained, and new data can be written. These threads can overlap, and thus allow for the user to get access to the newly written memory and all included permissions therein (kernel level root access, which to Windows Users would be Developer or Admin level privileges).

This procedure of writing out to memory and copying down data in the same slot is called Copy-On-Write, and is more or less a manipulation of a normal Linux function to allow for access. With how this exploit works out of the way, let’s look at some ramifications of what it can do.

What Can Dirty Cow Do?

First of all, Dirty Cow on its own isn’t exactly malicious. It’s much like a door to a house. If you don’t own the house, and the owner wasn’t expecting company, it’s likely a bad idea to open it up like you own the place. However, if you do own the home (or have admin/root privileges) there is nothing inherently malicious about opening the door. Dirty Cow is not a virus, nor a Trojan, nor a worm. That being said, it is an unlocked door, and one that can allow of these things and more into your system. Two of the biggest threats this exploit poses is the ability to form a bot-net, and potential identity theft.

While Linux Servers and PCs are getting most the attention from this exploit, nearly every Android phone produced is vulnerable to Dirty Cow as well.
While Linux Servers and PCs are getting most the attention from this exploit, nearly every Android phone produced is vulnerable to Dirty Cow as well.

Bot-nets in short are groups of computers that have been turned “zombie” by the use of malicious code, and all work together on a single project. One of the most common uses of these hordes is to overwhelm a website or network and flood the systems to the point that no in or out-bound traffic may occur outside of the wall of information coming from that PC group. Dirty Cow offers hackers the ability to quickly gain root access to multiple PCs (if in an automated script, a number above 100,000 isn’t outside the realm of reason) and the ability to plant such malicious code deep into the system without any real notification to the user.

Similarly, identity theft via keylogger or Trojan are also very possible, and can have severe personal ramifications. Using the root access provided, hackers can easily install software that can record and send every key stroke and login (banks, Facebook, you name it) to a desired location that can be later used or sold off for the use of others. Likewise, Trojans can perform these duties, but can also have the capacity to take down entire networks if so designed.

Now, this does not mean that every application of Dirty Cow is exactly terrifying. For example, there is some evidence of Android enthusiasts have been using this exploit to circumvent otherwise secure Operating System controls put into place by other groups to allow for additional functionality. While this is a potentially treacherous avenue of exploration, there is a chance that new tools and methods can be developed to make easier ways to unlock bootloaders or gain deep access.

What Can I Do To Keep Myself Safe From Dirty Cow?

When dealing with security flaws of this nature, especially when dealing with PCs or Servers that carry important info, the adage "Patch what you can, unplug what you can't" may be well heeded.
When dealing with security flaws of this nature, especially when dealing with PCs or Servers that carry important info, the adage “Patch what you can, unplug what you can’t” may be well heeded.

Many people have for legitimate reasons been concerned over the security flaw Dirty Cow presents, as well as the influx of hackers using this exploit as more press is written about it. So, how can we ease these fears and continue our day to day activities? In short, patch it. Recent updates to most Linux distributions more or less secure the vulnerable sites of the system to make it much harder to access. To update your system, open up your terminal and enter in:

sudo apt-get upgrade

This will give you a list of updates, simply click the y key and enter afterwards to get the latest security patches.

For Android, the process has yet to be properly developed. Likely in the newest upcoming patch (Android Nougat 7.0.2) there will be a security update to handle this threat. In general, the best advice right now is to keep your phone off of unsecure Wi-Fi connections and not plug in your smartphone to any unknown PC device.

With Linux being the backbone of the “Internet of Things”, we will almost certainly see similar updates to everything from TVs to Phones to Thermostats to Wi-Fi routers, though dates per manufacturers are unsure at best. As it stands, it is recommended that users of all devices even remotely associated with Linux Kernel be more vigilante in terms of their personal and financial security, and apply new security update patches immediately when available.