A race condition was found in the way the Linux kernel’s memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. All the information we have so far is included in this page.

The bug has existed since around 2.6.22 (released in 2007) and was fixed on Oct 18, 2016.

Source: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails

I had a number of servers to quickly test for this exploit, so I wanted to make an incredibly easy script to test the exploit quickly. Thanks to the guys at Red Packet Security for posting the following article: https://www.redpacketsecurity.com/testing-dirty-cow-cve-2016-5195/

I used this as a reference to create a simple, single command you can run to determine whether or not your server is exploitable by Dirty COW. This is very much a simple script and I’ve not rigorously tested it’s results, so please do comment with any feedback or suggestions.

To determine if you’re vulnerable to Dirty COW run the following command as root on your server. You must have GCC installed before running the script.

Contents of the dirtycow.sh script are as follows:

By no means am I a bash expert, but it’s much easier to run this single command than multiple as the original article details.

The script creates a couple of files whilst running, dirtycow_test, dirtyc0w & dirtyc0w.c. These are all removed once the script has ran successfully.

Output:

The script will either report one of the two following messages:

or

If you get the worrying message saying your server is exploitable please contact your host and ask them to complete the various steps to ensure the security of your server. If you’re a sysadmin please go to the https://dirtycow.ninja page to find out more information on how to fix the issue.

Ubuntu:

We’ve tested this script on Ubuntu, with a vulnerable kernel the script reports correctly. Once we upgraded the kernel the script reported the vulnerability was no longer present.

CentOS:

CentOS have released the following script which checks the currently installed kernel version, then reports whether or not the server is vulnerable. These two scripts do not appear to align on whether or not the server is exploitable.

You can run the script using the following:

Dave Macaulay
Dave Macaulay
I'm an enthusiastic, slightly eccentric Magento developer who bores with the idea of another basic brief.