The vulnerability was revealed by security researcher Max Kellerman. Properly named CVE-2022-0847, Dirty Pipe is similar to the 2016 Dirty COW vulnerability that targeted the copy-on-write (COW) mechanism in the Linux kernel memory subsystem. It turned a read-only map into a writable map and could be combined with other exploits to gain root access. As a reminder, in 2016, researchers demonstrated how to exploit Dirty COW to unbrick (root – perform a privilege escalation) any Android phone, regardless of the version of the mobile OS.
Eleven months later, researchers unearthed 1,200 Android apps on third-party marketplaces that maliciously exploited the flaw to achieve this. Dirty Pipe, on the other hand, is easier to exploit. Proofs of concept were provided by several people such as kernel developer Binni Shah, quickly concocted and posted on Twitter. Meanwhile, security researcher Phith0n improved the process to leave the root account without a password. It should be noted that the name “Dirty Pipe” is meant to both signal similarities to Dirty COW and provide clues to the origins of the new vulnerability.
“Pipe” refers to a pipeline, a Linux mechanism that allows an OS process to send data to another process. It is a one-way interprocess communication tool, the first writing of which allocates one page (4 KB) of memory to it. If you use “splice()” to add data from a file to the pipe, it is written to a page cache, and from there you can overwrite the cache by writing new, properly prepared data to the pipe. In Linux, “dirty” means that a page is waiting to be written to disk, and the page cache does not write to disk if a page is not dirty.
Overwriting its data does not make a page dirty, so it remains in the memory cache, and your properly prepared operational data can be sent there. Writing to a pipe does not check for permissions, so anyone can do it, potentially allowing a privilege escalation that disappears on reboot, because it was never written to disk. Kellerman – who works for website builder CM4all, a subsidiary of a company called Ionos – discovered the vulnerability after coming across a series of corrupt files that constantly appeared on a client’s Linux machine.
After months of analysis, the researcher finally discovered that the corrupt client files were the result of a bug in the Linux kernel. He found a way to exploit Dirty Pipe to allow anyone with an account – including less privileged “nobody” accounts – to add an SSH key to the root user’s account. With this key, the attacker can remotely access the server with an SSH window with all the privileges of the root user. Other researchers quickly showed that the unauthorized creation of an SSH key was just one of many possible malicious actions.
For example, Dirty Pipe can be used to hijack a SUID binary to create a root shell, while unauthorized users can also exploit it to overwrite data in read-only files. Other malicious actions allowed by Dirty Pipe include creating a cron job (a tool for scheduling regular tasks on Unix-like systems) that runs as a backdoor, adding a new user account in /etc/passwd + /etc/shadow (giving the new account root privileges), or modifying a script or binary used by a privileged service.
That’s about as bad as it gets for a local kernel vulnerability. Just like Dirty Cow, there’s virtually no way to mitigate it, and it involves core Linux kernel functionality, said Brad Spengler, president of Open Source Security. The vulnerability first appeared in Linux kernel version 5.8, which was released in August 2020. Kellerman sent a bug report (and patch) to the Linux kernel security team in February, and patches were released three days later. The vulnerability has been fixed in Linux 5.16.11, 5.15.25, and 5.10.102.
Dirty Pipe also affects any version of Android based on one of the vulnerable Linux kernel versions. Since Android is so fragmented, the affected device models cannot be tracked uniformly. The latest Android version for the Pixel 6 and Samsung Galaxy S22, for example, is 5.10.43, which means the devices are vulnerable. A Pixel 4 running Android 12, meanwhile, works with version 4.14, which is unaffected. Android users can check which kernel version their device is using by going to “Settings > About phone > Android version”.
Google added the patch to the Android kernel a few days after Kellerman’s report. The Dirty Pipe vulnerability is extremely serious in that it allows an attacker to overwrite – temporarily or permanently – files on the system that they should not be able to modify. Attackers can use this to alter the behavior of privileged processes, effectively gaining the ability to execute arbitrary code with extended system privileges,” wrote Christoph Hebeisen, head of security research at mobile security provider Lookout.
According to experts, a mitigating factor is that the kernel version that introduced the vulnerability, 5.8, is relatively recent. Many production servers do not use version 5.8. Moreover, the year 2022 has already seen another high-severity Linux vulnerability. It’s PwnKit, a privilege escalation bug that was discovered in January after hiding in the Linux kernel for 12 years. It too is trivial to exploit and opens the door to many forms of malevolence.
However, they agree that Dirty Pipe’s ease of exploitation coupled with the near limitless things hackers can do with it make it the most critical privilege escalation vulnerability to hit Linux since 2016’s Dirty Cow. Given that there are already armed exploits floating around on Twitter, it’s already too late for people who had existing untrusted users on their system. Anyone with an affected kernel version (>= 5.8) should apply the patch as soon as possible, Spengler recommends.
Source: Max Kellerman
And you ?
What is your opinion on the subject?
What do you think of the variety of malicious actions that Dirty Pipe allows you to perform?
Do you think you have been the victim of one of the malicious actions that Dirty Pipe allows? If so, share your experience.
See as well
Linux kernel vulnerability exposes memory and causes data leaks, as discussions continue on Rust support for Linux kernel development
Researchers secretly tried to add vulnerabilities to the Linux kernel and ended up getting banned
It’s possible to root Android phones based on the Dirty Cow flaw that plagued Linux for 9 years
12-year-old bug in polkit allows gaining root privileges on major GNU/Linux distros, Ubuntu and Red Hat have already released fixes