Dirty COW (CVE-2016-5195) is a privilege escalation vulnerability in the Linux Kernel, which allows an unprivileged local user to gain write access to otherwise read-only memory mappings, and thus increases their privileges on the system.

The vulnerability is nicknamed Dirty COW because the issue is caused by a race condition in the way kernel handles copy-on-write(COW), an optimization strategy used in computer programming. The fundamental idea is that if multiple callers ask for resources which are initially indistinguishable, you can give them pointers to the same resource. This function can be maintained until a caller tries to modify its “copy” of the resource, at which point a true private copy is created to prevent the changes becoming visible to everyone else. Here the copy-on-write implementation is broken so that programs can end up in a race condition and allowing a non-privileged user to alter root-owned files and setuid executables.

A Linux kernel version since 2.6.22 is affected by this vulnerability. A detection script can be used to determine vulnerable kernel versions on Red Hat Enterprise Linux and CentOS. The vulnerability is addressed in Linux kernel versions 4.8.3, 4.7.9, and 4.4.26 and Ubuntu, Redhat and Debian have released patches.


Proof of concept in detail:

Trying PoC (Kernel crash) on a Centos 7 Operating System:

  • Checking whether the Centos 7 kernel version is vulnerable to Dirty COW or not (Linux kernel version since 2.6.22)


Found the vulnerable kernel version.


  • Ping result to the above machine before trying dirty cow PoC



  • Logged in as a local user and trying to write to a file (the file taken here is /lib64/libc.so.6), for which user has only read permission





  • Ping result to the above machine after trying running PoC


Kernel crashed, which confirms the PoC worked.


How the PoC works?

  • Here a root-owned executable file is opened in read-only mode


  • mmap function is called, which maps the file into a new memory area. Permission flag shows mapped file is read only, and map_private flag enables copy on write mechanism so that everyone has a single shared copy of the same data until it’s written, and then a copy is made.


  • Next, 2 threads are started which will run in parallel. Dirty cow is a race condition on ability, certain events have to occur in a particular order. Here both threads are “racing” to access/change the data.


  • madwiseThread calls madvise function repeatedly on that mapping with advice value MADV_DONTNEED set, which tells the kernel that the memory area that we mapped the file to is probably not needed soon or do not expect access in the near future. (For the time being, the application is finished with the given range, so the kernel can free resources associated with it.)


  • procselfmemThread opens a special file /proc/self/mem with read-write access which is the representation of the current process memory. Using normal seek and write operations, you then repeatedly overwrite part of your own memory that’s mapped to the root-owned executable. The overwrite shouldn’t affect the executable on disk.

dir9                                             dir10

  • Because of race condition issue, trying these over and over again (madvise function tells the kernel to discard the pages holding the mapped area and calling this while writing to /proc/self/mem) will eventually lead to an inconsistent state where the pages holding the mapped executable are removed and a write is attempted to the memory area. These changes are committed by the kernel to storage.


Impact of Dirty COW:

The Dirty vulnerability allows an unprivileged local user to modify files, bypassing the standard permission mechanisms thus leading to privilege escalation on the system. Once the attacker has control over the system as a normal user, he can use an exploit which uses this vulnerability to gain full control of a Linux system and can install malware and steal data etc.

And another problem with Dirty COW is that it is almost impossible to detect by Antivirus or any security software and no evidence left for the actions taken once it is exploited. The real risk of the vulnerability is when user level access, as well as code execution ability, exists on the device.
SecPod Saner detects these vulnerabilities and automatically fixes it by applying security updates. Download Saner now and keep your systems updated and secure.

Leave a Reply

Your email address will not be published. Required fields are marked *