On Oct 25, 2016 06:59, "William Roberts" <bill.c.roberts@gmail.com> wrote:
>
> On Oct 25, 2016 06:48, "William Roberts" <bill.c.roberts@gmail.com> wrote:
> >
> > On Oct 25, 2016 06:42, "teroz" <terence.namusonge@gmail.com> wrote:
> > >
> > > Hey William
> > > exploit is run as a normal user and privilege escalates to a root shell
> > >
> >
> > Look under the covers. Dirty cow allows arbitrary file modification, so somewhere it's likely executing some setuid root thing that it modifies. Take a peak with strace.
>
> Sorry too early in the morning for me, this doesn't require setuid modification, just a file owned by root looking at the source:
>
> https://github.com/dirtycow/dirtycow.github.io/blob/master/dirtyc0w.c

No, I was right before, the comments t in the header of that is just a sample run showing write to something that's readonly. You would want to write to a readonly setuid or something else on the system to get an actual root UID code execution, like a library loaded into a root process.

I'll shut up now, and go get coffee to be productive.

>
>
> >
> > https://www.google.com/amp/www.theregister.co.uk/AMP/2016/10/21/linux_privilege_escalation_hole/
> >
> > > On Tue, 25 Oct 2016 at 15:09 William Roberts <bill.c.roberts@gmail.com> wrote:
> > >>
> > >> On Oct 25, 2016 05:12, "teroz" <terence.namusonge@gmail.com> wrote:
> > >> >
> > >> > I used one of the dirtycow root exploits on Fedora24 configured with 30-pci-dss-v31.rules. I was expecting an ANOM_ROOT_TRANS record but didn't get one. What triggers an ANOM_ROOT_TRANS record? What then is the best way to trivially audit for a successful privilege escalation?
> > >> >
> > >>
> > >> I would imagine that if it's hijacking an already root or setuid binary, you won't see anything. As far as that record goes, I have no idea, I'll let an auditing expert answer that question.
> > >> >
> > >> >
> > >> >
> > >>
> > >>
> > >> >
> > >> > --
> > >> > Linux-audit mailing list
> > >> > Linux-audit@redhat.com
> > >> > https://www.redhat.com/mailman/listinfo/linux-audit