• Perspective
Published on 29 April 2022

Dirty-Pipe: The light at the end of the tunnel

Introduction

On 07 March 2022, security researcher Max Kellermann disclosed a new vulnerability affecting the Linux kernel, dubbed "Dirty-Pipe" (CVE-2022-0847). Its name is a nod to the well-known "Dirty Cow" vulnerability of 2016, which also affected the Linux kernel.

What is Dirty-Pipe

Dirty-Pipe (CVE-2022-0847) is a local privilege escalation vulnerability in the Linux kernel that allows a local user to bypass all file permissions. Consequently, through this vulnerability, an unprivileged user can potentially:

  • Arbitrarily modify and/or overwrite read-only files
  • Obtain a high-privilege shell

The vulnerability affects Linux kernels that are above version 5.8.

How it works

The vulnerability stems from faulty handling of the Unix "pipe", which lets an attacker overwrite system files with arbitrary data and thus modify sensitive files, especially those containing passwords.

To illustrate, a pipe is a "tube" with a read end and a write end. One process can therefore produce a piece of data and write it into the pipe so that another process can read it.

Since a picture is worth a thousand words, here is an example in which a message is "piped" into a command that replaces one word with another:

The pipe takes the output of one process and writes it to the input of another process. The important detail is a pipe buffer flag called "PIPE_BUF_FLAG_CAN_MERGE". When it is set, it tells the kernel that changes written to the page-cache page should be written back to the source file.

To exploit Dirty-Pipe, the user only needs read permission on the file they wish to overwrite:

  • The exploit first reads the target file so that it is cached.
  • It then creates a pipe with the PIPE_BUF_FLAG_CAN_MERGE flag set.
  • The exploit uses the splice() system call to point the pipe at the page-cache location holding the desired file data.
  • Arbitrary data is written to the pipe. This data overwrites the cached file page and, because PIPE_BUF_FLAG_CAN_MERGE is set, the same data eventually overwrites the file on disk.

"Mischief done."

Use

There are many public exploits for this vulnerability, mainly based on the following two approaches:

  • Modifying/overwriting read-only files
  • Bypassing the permissions on executables

How to protect yourself

There is no remedy other than updating the kernel.

The vulnerability has been patched in the following Linux kernel releases:

  • 5.16.11
  • 5.15.25
  • 5.10.102
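As an added example, not taken from the original article, here is a POSIX shell check that classifies a kernel release string against the fixed versions listed above, for use in an inventory or compliance script. It assumes that kernels from 5.8 up to (but excluding) 5.17 are in the affected range and that branches with no listed fix (for example 5.11 to 5.14) should be reported as vulnerable.

```sh
#!/bin/sh
# Added example, not from the original article: classify a Linux kernel
# release string against the Dirty-Pipe (CVE-2022-0847) fix boundaries the
# article lists (5.10.102, 5.15.25, 5.16.11).
# Assumption made here: 5.8 up to (excluding) 5.17 is the affected range,
# and branches with no listed fix (e.g. 5.11 to 5.14) count as vulnerable.

# Reduce "5.15.25-1-amd64" to "5.15.25" (drops distro suffixes).
kernel_base_version() {
    printf '%s' "$1" | sed -E 's/^([0-9]+\.[0-9]+(\.[0-9]+)?).*/\1/'
}

# Prints one of: not_affected, vulnerable, patched.
dirtypipe_status() {
    base=$(kernel_base_version "$1")
    major=$(printf '%s' "$base" | cut -d. -f1)
    minor=$(printf '%s' "$base" | cut -d. -f2)
    patch=$(printf '%s' "$base" | cut -d. -f3)
    [ -n "$patch" ] || patch=0

    # Before 5.8 the flawed pipe flag handling did not exist.
    if [ "$major" -lt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -lt 8 ]; }; then
        echo not_affected; return
    fi
    # 5.17 and every later mainline release shipped with the fix.
    if [ "$major" -gt 5 ] || [ "$minor" -ge 17 ]; then
        echo patched; return
    fi
    # Stable branches with a fixed release named in the article.
    case "$minor" in
        10) [ "$patch" -ge 102 ] && echo patched || echo vulnerable ;;
        15) [ "$patch" -ge 25 ]  && echo patched || echo vulnerable ;;
        16) [ "$patch" -ge 11 ]  && echo patched || echo vulnerable ;;
        *)  echo vulnerable ;;
    esac
}

# Check the release given as an argument, or the running kernel.
dirtypipe_status "${1:-$(uname -r)}"
```

Run it as `sh dirtypipe-check.sh 5.15.24-1-amd64` or with no argument to check the host it runs on.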

Conclusion

On a vulnerable Linux kernel, Dirty-Pipe makes obtaining root trivially easy. Therefore, if you have not already done so, it is strongly recommended that you upgrade Linux to version 5.16.11, 5.15.25, 5.10.102 or later.

References

https://dirtypipe.cm4all.com/

https://github.com/AlexisAhmed/CVE-2022-0847-DirtyPipe-Exploits/

https://www.it-connect.fr/dirty-pipe-une-faille-critique-qui-touche-le-noyau-linux/

https://www.silicon.fr/dirty-pipe-faille-linux-critique-433686.html/

https://www.hackthebox.com/blog/Dirty-Pipe-Explained-CVE-2022-0847/

https://github.com/torvalds/linux/commit/f6dd975583bd8ce088400648fd9819e4691c8958

https://www.youtube.com/watch?v=NHcCgPtibw8

Article written by
La Minute Cyber