Who would have thought that a Linux vulnerability would remain unpatched for 11 whole years? Yet that is the case with this threat: it exploits a Linux kernel flaw and gives any user full access to the system within a few seconds.
Phil Oester was the first to notice the security flaw, and he only managed to do so thanks to his habit of capturing and carefully examining inbound HTTP traffic. After testing the sample in a sandbox, he realized the size of a threat that had been lurking for over a decade. According to Phil Oester, as quoted on V3, its quality as an exploit is outstanding: “The exploit in the wild is trivial to execute, never fails and has probably been around for years – the version I obtained was compiled with gcc 4.8,” and he went on to stress the related hazards: “An unprivileged local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system.”
The exploit is now better known by the name Dirty COW. In fact, Red Hat has already issued an advisory on the importance of this security flaw. If you are wondering about the origin of the name, look at the expansion of the acronym in the same advisory: “A race condition was found in the way the Linux kernel’s memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings.”
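To make the copy-on-write guarantee described in that advisory concrete, here is an added check, written for this article and not taken from Oester or Red Hat: it maps a read-only file privately, writes through the mapping, and confirms that the write never reaches the file on disk. The temporary file path and its content are constructed for the demonstration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Constructed sample content written to a temporary file. */
static const char ORIGINAL[] = "read-only file content";

/* Map a read-only file privately, write through the mapping, and
 * report whether the file on disk stayed intact.
 * Returns 1 if the write stayed in the private COW copy (the kernel's
 * guarantee), 0 if it reached the file, -1 on a setup error. */
int private_mapping_is_isolated(void)
{
    char path[] = "/tmp/cow-check-XXXXXX";   /* constructed temp path */
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    if (write(fd, ORIGINAL, sizeof ORIGINAL) != (ssize_t)sizeof ORIGINAL) {
        close(fd); unlink(path); return -1;
    }
    close(fd);

    /* Open read-only: a MAP_PRIVATE mapping may still be PROT_WRITE,
     * because writes are supposed to land in a private copy of the page. */
    fd = open(path, O_RDONLY);
    if (fd < 0) { unlink(path); return -1; }
    char *map = mmap(NULL, sizeof ORIGINAL, PROT_READ | PROT_WRITE,
                     MAP_PRIVATE, fd, 0);
    if (map == MAP_FAILED) { close(fd); unlink(path); return -1; }

    /* The first write breaks COW: the kernel copies the page for us. */
    memcpy(map, "MODIFIED", 8);

    /* Re-read the file through the page cache, bypassing our mapping. */
    char buf[sizeof ORIGINAL] = {0};
    ssize_t n = pread(fd, buf, sizeof buf, 0);
    munmap(map, sizeof ORIGINAL);
    close(fd);
    unlink(path);
    if (n != (ssize_t)sizeof ORIGINAL) return -1;
    return memcmp(buf, ORIGINAL, sizeof ORIGINAL) == 0 ? 1 : 0;
}

int main(void)
{
    int r = private_mapping_is_isolated();
    printf("write stayed private: %s\n",
           r == 1 ? "yes" : r == 0 ? "NO" : "setup error");
    return r == 1 ? 0 : 1;
}
```

On a kernel with correct COW handling the function returns 1; Dirty COW is precisely a race that lets such a write reach the underlying file instead.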
All the work that Phil Oester did towards identifying the security flaw went unrecognised, and in fact a new fix wiped it out in 2007.
Even though it has remained dormant all these years, chances are that it will now evolve and move from theory to practice. This is because VM technology has progressed significantly over the past few years, and VM tech has paved the way for such security exploits to thrive.
It is important to point out that antivirus might be able to detect the attack; it just needs the proper programming to do so. Still, it cannot block the attack.
The only way to achieve that would be to block all the binaries at the same time. Otherwise, there is no such thing as blocking this threat with antivirus.