Unfortunately virtual memory is one of those things that isn't very easy to deeply understand without having to do it. It was like 4 hours of lecture at university for me before I understood it very well at all. You're probably not going to pick it up in a 10 minute video without any kind of background. And for those that know about virtual memory the video could be summarized by "a race condition in copy-on-write semantics let the user modify a page that the kernel wrote to disk" and was 8 minutes too long.

Memory locations each have a number, like house numbers. A prgram has to read and write to remember things or to modify it self. In stead of multiple programs using [say] location 123 all but the first must be reassigned to a different part of memory. There the second program thinks it is using 123 but it is really using 1123. Its like the entire city thinks it lives on the same house number with only the post office knowing their real house number. The exception is when two programs are using exactly the same data without ever writing to it. Then they can share the same memory space. At least until one of them modifies it. That is where Copy On Write happens.

ty

swifterik Race condition is when 2 orders are given simultaneously that cant both be resolved. Say a store has 15 bottles of milk. Joe and Jim are send to the store each with instructions to buy 13 bottles of milk. Now its a race! One thread is telling the kernel to eat the cake while the other is telling it to put it in the fridge with a cherry on top. It simply gets confused and ends up doing things the user account didn't have privileges for.

swifterik Other OS do use Copy On Write, as it would be outrageously wasteful of memory to not do so. And other OS face the trouble of race conditions in various circumstances, but as far as I know others do not currently share this specific flaw. In other comments here someone posted a link to the code used to fix the issue in the Linux kernel, and it is likely that other OS already have such code present to guard against such race conditions or solve the problem in their own way. Many times race conditions are protected against by using things called 'mutexes'. 'Mutex' is just short for 'mutually exclusive' and is a way to guarantee that two blocks of code which have a danger of interfering can never execute at the same time. So if one program reaches a segment (it is normally restricted to cover only a few lines of code) and finds another program is already running code protected by the same mutex, it will just wait for its turn. I haven't seen others mention yet that the "dirty" part of "dirty CoW" is a common term used when talking about memory. A 'dirty' piece of memory means it has been changed but those changes have not taken effect everywhere they need to yet. For instance if you have some data on disk and in memory at the same time and you change the memory, it can get marked 'dirty' until the data on disk is also changed. This makes it so that other code can know there is an inconsistency.

:D

Here's the commit that fixes it git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=19be0eaffa3ac7d8eb6784ad9bdbc7d67ed8e619

Andriamanitra Nice info, thx mate.

My wild guess - mutex

+Andriamanitra Small changes, but can saved the world.

A mutex would seem like a logical solution but that would be ignoring the intent of the original design (performance-wise, which matters in the kernel). Here's a little known secret: You don't need to lock threads in order to prevent race conditions.

You can overwrite /etc/passwd and put a password there. Or change sudoers so that you can run sudo. It's not limited to programs.

Same

Same

Sloppy programming? With no mutex? I agree, if my program wrote something to illegal memory it would crash. Why would the system write that back to disk? It was read only.

+Gummans Gubbe Well yeah exactly. I can see that maybe you can trick the os into writing your stuff to illegal memory via this copy-on-write race condition business, but I don't see how that connects back to overwriting read-only data on disk.

ninjafruitchilled The file isnt read-only to the root user and copy-on-write happens in kernel mode which has the highest privileges.

+Sokar Sure, but what connects the memory to the actual file on disk? Why would reading the file into memory, then buggering around with the memory, result in the file on disk getting altered?

Kernel data structures are what connects the memory to the file. Essentially, the kernel is keeping track of which memory is being used for what. It knows that particular page corresponds to a memory mapped file, and part of the copy-on-write procedure for memory mapped files is to write changes to disk.

Seegal Galguntijak k

and most new ones as well since its the carrier that handles the software updates, and you know how slow they can be.

The exploit does work in the latest version of Android 7.0

linux is security by obscurity.

Linux is open source you dumbass lol. That is the opposite of security by obscurity. You mean it doesn't have a lot of viruses due to a small user base, that is mostly true.

well, kingroot works, does't it?

Or turn your phone off / on silent when you're shooting a video!

I don't actually feel very strongly about this

+

Meh, just use non-standard sounds. What bugs me even more is when someone gets a skype message in a video while watching from my computer. When the message is real, causes me to stop what I am doing, just to find out it is some person I don't care about's birthday, that is even more irritating.

You cant control when emails are delivered to you so saying "stop getting emails while..." is foolish. You can control when you receive them by switching off the device/computer receiving them so you would have looked less of a fool by telling him to turn off his device or notifications while making the video :P

déjà*

hehe now that you mention it ;)

+

0xbaadf00d thanks

+

- for using gotos

0xbaadf00d Error at line 1 character 25: Unexpected symbol ':' Expected ';'

Jez THANKS! I love a bit of mischief now and again... >:D

Jesse Talbot He gave me the source.

Yes.. I watched my phone twice 😂

Phone notification

its not reupload

idk, but this one is a few minutes longer.

its not. Watch the video

yeah previous one was just a demo

I just downloaded mint the other day. Dammit.

For your Mint install, just upgrade your kernel to 4.4.0.45, which is the patched version. You can do it in the Update Manager by clicking View and then Linux Kernels. Install it, reboot, and you're safe.

BirdValiant You're a sweetie.

it's outtakes, i assume

3.10.104, 3.16.38, 4.4.26, 4.7.9, 4.8.3 This is tthe fix, btw: git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=19be0eaffa3ac7d8eb6784ad9bdbc7d67ed8e619

Conenion Thanks, just wondered where the bug was fixed.

Yes there are some rooting apps for Android now that make use of this method. I'm not sure which ones though, haven't looked into it. However normal Android apps are sandboxed, in which case it doesn't work. So you'd have to exploit a different method to break out of the app sandbox. Also this won't work anymore once the Android kernel gets updated. In that case you'd have to revert to a different method to root your phone. I'm fairly sure this will always remain possible since Android is based on Linux and you should always be able to gain root access to any Linux device you own, no matter how much Google tries to prevent this from happening.

No, memory-mapping files is always available.

I knew not using a swap partition would pay off one day!

No, from the video it sounds like it's memory mapped files, a somewhat related but seperate concept which I'm pretty confident you cannot disable. Linux uses mmap to load shared libraries into memory, for example. see: wikipedia.org/wiki/Memory-mapped_file

What I don't understand is how you'd use that to write to an _arbitrary_ file, would you simply load it in memory before executing the exploit?

Hopefully I won't spread any misinformation, but from my understanding from the video, it would have to be loaded in a specific way (mapped into memory using the mmap() function with the MAP_PRIVATE and PROT_WRITE flags set). You can map a read-only file into memory and write to that location in memory just fine, as long as you're not "writing through" to the file. You're writing on your personal copy of the data in memory, not the actual file, so you're not breaking permissions. This is the correct and intended behavior. The danger with this bug is that you can load something you only have permissions to read, but using the exploit you can cause the backing file to be written to, not just "in memory", thereby side-stepping the UNIX permissions model. But it would have to be a file you have READ access to, otherwise you couldn't map it in the first place.

Pan gaway Thanks for the explanation! I have a better understanding of this now.

This is not a reupload.

It is not reupload, yes. He said "upload", not "reupload".

correct :)

SO what can happen? Change my root password? That will be detected, I then have to restore from backup. Naah. This is of course serious, and it will be addressed. I understand the 10 year wait as discussed in the first video.

i wonder if this also means you can change set the suid flag on files (^:

Many security issues aren't merely about the infected machine, or gaining access to the local user's information - they involve the entire ecosystem. Botnets are responsible for spam, spyware, fraud, DoS and DDoS attacks, etc.

Sam C I read that Debian patched it.

Worth noting that the kernel bug lifetime is at an average of about 5+ years :D outflux.net/blog/archives/2016/10/20/cve-2016-5195/

agreed, but closed source OSes I could think of has agressive updates. unlike phone, routers, security cameras, iot device FWs where it is almost always a release and forget (can't blame them, got their money already, investors are satisfied, customers come second). so I assume that the fallout is smaller in case of the closed source,because eventually most devices will get patched.

The point is this is not your machine. It allows you to get access to root shell when you only know the password for a user with limited permissions. At least that's what I understand from this.

Why would you try to hack your own machine? If you are asking why normally users are not root users on a system that is because then you can make sure people don't change important things by mistake.

Jon Warghed Yes I realise that, but that hasn't been made clear in the video - if the machine in question is available to multiple users then clearly this is an IT administration issue. The point I am making is that this is clearly NOT an issue for the vast majority of Linux installations. The ASSUMPTION that it IS an issue is clearly one may erroneously make if one only has the limited outlook of a University academic.

And also because you can mess them even by a mistake?

It could potentially allow any malicious program to gain root without permission. Generally running a program with limited user permissions should be relatively safe, but this could allow any program to gain root permissions, allowing it to do virtually anything on the system, without prompts or warnings, and hide the fact that it did so.

+Death OfTime it does work on Android as well... still you could try a custom ROM

FlyTech Videos i've heard of custom firmware for other hardware. I'd never heard of custom firmware for phones though. Is it a easy google? or is there a specific search string that will bring up better results? not even for sure where to check how secure my phone might be eve. kinda new to the whole smart phone stuff.

There are many different Operating Systems (OSs). Linux, Windows, Mac OSX, Android (for smartphones), OSX-for-iphones-etc., Windows Phone, Firefox OS etc. Each has different versions, or flavours, it depends on the OS. Each is compatbile with different hardware. Browsers are software situtated within an OS. We have many different browsers, such as Chrome, Firefox, Edge. These can have different versions for different OSs e.g. Chrome on Windows on a desktop computer is different from Chrome on a mobile device. The main OS for smartphones is Android. Some people have modified the core OS firmware, creating custom firmware.

+Death OfTime Just search for Custom Roms and you'll find some for most Android devices out there. Usually Cyanogenmod etc. offer more recent versions than the manufacturer. The installation process can be a bit complicated though. It depends on the device, some smartphones can be flashed very easily, some are even blocking this stuff.

Noface this is the most useless comment ive ever seen

It's not a reupload same start but more in this video.

It's a different video. This video explains it, the previous one just showed off what it could do.

ta

No git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=19be0eaffa3ac7d8eb6784ad9bdbc7d67ed8e619

"Lemonade" is approximately the 7592nd most common password.

You should get a new password.

its just for my laptop, its cool

You can easily find the code online.

+Bas Groothedde I know. I even posted a link to it in the demo video, but if it was not self-evident yet, I meant that, unlike the heardbleed video, there was no basic code walkthrough here for most *other* people..

ray I think it's obvious why they wouldn't share this code with a clear explanation or walkthrough. This exploit is painfully accessible

Bas Groothedde It's no more or less accessible than heartbleed was, and no more difficult for a script kiddie to re-use. The code walkthrough is simply an explanation of how the code does what it does. Its presence would not make it easier or more difficult to use the exploit, since the only thing you'd need to do is: *1)* already have access to a GNU/Linux system, and *2)* know how to use GCC from the terminal. I don't think having a code walk-through would somehow make things "worse" for anyone.

ray i think it would, but I don't care about sharing an exploit. Sharing an exploit causes people to learn about it sooner and fix it sooner

Edgewalker001 Then I can delete Hangouts? Sign me up!

It requires to use indirect access to your programme's memory and that is not something you would usually search for when trying to find vulnerabilities.

I couldn't get it, what was that meant to be, he said "Lemonade" but he wasn't typing anything just blank Enter or a Space whatever that was. I am not a Comp. Sci. geek so, can you tell me what is this "Lemonade" password?

Tech&Math it was only a joke. he said something about using 'lemonade' as a password and I thought it was hilarious :D

+Tech&Math it's a safety feature, when you type a password on a shell nothing shows up on screen

ok but what i'm really asking is that he said this "Lemonade" word two times, so I thought he actually mean something by that word which he might have supposed that Geeks will pick that out by themselves...

Tech&Math I see what you mean. I don't think there is any special significance to the word.

unless you update your os m8

Use a VM. Breaking out of a chroot is childs play.

JK - I have a patched version of v4.8 - dirty cow won't hurt me.

Kopuz people sell little USB dongles to hack into windows Linux is so much better as an OS

Windows > Linux = Best bait to catch the autistics ;)~, of course my original statement is False.

oh man, i was going to rage so bad on you, lol

If Windows ever goes open source it will be patch-day every day for a couple of years, haha