Ubuntu: Determine system vulnerability for Dirty COW CVE-2016-5195

The Dirty COW vulnerability affects the kernel of most base Ubuntu versions.  Especially when running an Ubuntu HWE stack, it can be a bit confusing to determine whether your kernel and Ubuntu version are affected.

If you need to validate patching, then you can use a simple C program to exercise this read-only write vulnerability and check your system.

Note that you should be extremely diligent when running any executable on your system, especially one that exercises a known vulnerability.  If you do not trust the source code, the hosting company, or the author of that code, it should never be run.

For myself, after manually looking at the C source code in dirtyc0w.c and then verifying it did not have any long lines that may be hiding malicious expressions, I felt comfortable running it on a throwaway virtual machine that I disconnected from its virtual NIC.

Download

The first step is to download the simple C program that will exercise the vulnerability.  First visit the GitHub repository over HTTPS with your browser to determine the size and content you expect from dirtyc0w.c: https://github.com/dirtycow/dirtycow.github.io

It can be downloaded directly to your Ubuntu system using wget as shown below, or copied manually.

wget https://raw.githubusercontent.com/dirtycow/dirtycow.github.io/master/dirtyc0w.c

Validate Locally

Once downloaded, verify the local file size, and open the dirtyc0w.c file to make sure it is exactly what you expect.
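The size and long-line checks described above can be scripted. The following is an added example, not part of the original post or the dirtycow repository; the function names and the 120-byte line limit are assumptions, and it supplements reading the source rather than replacing it.

```shell
#!/bin/sh
# Added example: pre-compile sanity checks for a downloaded C source file.
# Function names and the 120-byte default limit are assumptions of this example.

# Print the length in bytes of the longest line in the file.
max_line_len() {
    LC_ALL=C awk '{ if (length($0) > m) m = length($0) } END { print m + 0 }' "$1"
}

# Succeed if the file has any byte that is not printable ASCII or whitespace.
has_unexpected_bytes() {
    LC_ALL=C grep -q '[^[:print:][:space:]]' "$1"
}

# Report size, hash and findings; return 0 if clean, 1 if flagged, 2 if missing.
review_source() {
    file=$1; limit=${2:-120}; rc=0
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
    echo "size:   $(wc -c < "$file" | tr -d ' ') bytes"
    echo "sha256: $(sha256sum "$file" | cut -d' ' -f1)"
    longest=$(max_line_len "$file")
    echo "longest line: $longest bytes"
    if [ "$longest" -gt "$limit" ]; then
        # List each offending line so it can be read in full in an editor.
        LC_ALL=C awk -v n="$limit" \
            'length($0) > n { print "WARN: line " NR " is " length($0) " bytes" }' "$file"
        rc=1
    fi
    if has_unexpected_bytes "$file"; then
        echo "WARN: non-ASCII or control bytes present"
        rc=1
    fi
    return $rc
}

# Constructed sample (not the real dirtyc0w.c): one normal line, one 200-byte line.
sample=$(mktemp)
{ echo 'int main(void) { return 0; }'; printf '%0200d\n' 0; } > "$sample"
review_source "$sample" 120 || echo "sample was flagged, as expected"
rm -f "$sample"
```

Compare the reported size with what the browser view of the repository showed, and open any flagged line in full before compiling.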

Compile

Assuming you have gcc (the C compiler) installed, compile the program, making sure to include the pthread library.  This will create an executable named ‘dirtyc0w’.

gcc -pthread dirtyc0w.c -o dirtyc0w

Run vulnerability check

This vulnerability is centered around escalated privileges due to copy-on-write handling.  The vulnerability test program will attempt to modify a file that should be modifiable only with root access.

So as root, create a file that no regular user should be able to modify:

# echo a regular user should NOT be able to change this > foo
# chmod 0404 foo

Now, as a normal user again, run the program and have it try to change the contents of the file:

./dirtyc0w foo m00000000000000000

It will take several minutes to run, and you’ll see output like below as you wait:

mmap 56123000
madvise 0
procselfmem 1800000000

When it does complete, check the contents of ‘foo’ again.

cat foo

If your regular user was able to modify the contents to ‘m00000000000000000’, then the vulnerability still exists on your Ubuntu system.

 

REFERENCES

https://dirtycow.ninja/

https://github.com/dirtycow/dirtycow.github.io

http://www.cyberciti.biz/faq/dirtycow-linux-cve-2016-5195-kernel-local-privilege-escalation-vulnerability-fix/

https://www.digitalocean.com/community/tutorials/how-to-protect-your-server-against-the-dirty-cow-linux-vulnerability

https://www.turnkeylinux.org/blog/dirty-cow-kernel-privilege-escalation-vulnerability

https://github.com/timwr/CVE-2016-5195