Dirty-Pipe: The light at the end of the tunnel
On 07 March 2022, security researcher Max Kellermann disclosed a new vulnerability affecting the Linux kernel, dubbed "Dirty-Pipe" (CVE-2022-0847). Its name is a nod to the well-known "Dirty COW" vulnerability of 2016, which also affected the Linux kernel.
What is Dirty-Pipe
Dirty-Pipe (CVE-2022-0847) is a local privilege escalation vulnerability in the Linux kernel that allows a local user to bypass all file permissions. Through this vulnerability, an unprivileged user can therefore potentially:
- Arbitrarily modify and/or overwrite read-only files
- Obtain a high-privilege shell
The vulnerability affects Linux kernels that are above version 5.8.
How it works
The vulnerability stems from faulty handling of the Unix pipe, which allows an attacker to overwrite system files with arbitrary data and thus modify sensitive files, especially those containing passwords.
To illustrate, a pipe is a "tube" with a read end and a write end: one process can produce a piece of data and write it into the pipe so that another process can read it.
Since a picture is worth a thousand words, here is an example in which a message is "piped" into a command that replaces one word with another:
The pipe takes the output of one process and writes it to the input of another. The important detail is a pipe buffer flag called PIPE_BUF_FLAG_CAN_MERGE: when it is set, it tells the kernel that changes written to the cached page should be written back to the source file.
To exploit Dirty-Pipe, the user only needs read permission on the file they wish to overwrite:
- The exploit first reads the target file so that it is cached.
- It then creates a pipe with the PIPE_BUF_FLAG_CAN_MERGE flag set.
- The exploit uses the splice() system call to point the pipe to the cache location where the desired file data is located.
- Arbitrary data is written to the pipe. This data overwrites the cached file page and, because PIPE_BUF_FLAG_CAN_MERGE is set, the same data eventually overwrites the file on disk.
Many public exploits exist for this vulnerability; they are based mainly on one of the following two approaches:
- Modifying/overwriting read-only files
- Bypassing the permissions on executables
How to protect yourself
There is no remedy other than updating the kernel.
The vulnerability has been patched for Linux kernels in:
On a vulnerable Linux kernel, Dirty-Pipe makes gaining root trivially easy. If you have not already done so, it is therefore strongly recommended that you upgrade Linux to version 5.16.11, 5.15.25, 5.10.102 or later.
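As an added defender-side example (not from the original article), here is a POSIX shell function that classifies a kernel release string against the fixed versions listed above. It assumes that stable branches for which the article lists no fix (5.8, 5.9, 5.11 to 5.14) are still vulnerable, that 5.17 and later count as "or later", and it cannot see distribution kernels that backported the fix without changing their version number.

```shell
#!/bin/sh
# Classify a Linux kernel release against the Dirty-Pipe (CVE-2022-0847)
# affected range: introduced in 5.8, fixed in the stable releases
# 5.16.11, 5.15.25 and 5.10.102 and in everything later.
# Assumptions (not stated in the article): branches with no listed fix
# (5.8, 5.9, 5.11-5.14) are reported as vulnerable; distro kernels that
# backported the fix without bumping the version are NOT detected here.
# Prints unaffected / patched / vulnerable; returns 1 only when vulnerable.
dirty_pipe_status() {
    # Strip the distro suffix ("5.10.102-1-amd64" -> "5.10.102") and split.
    ver=${1%%-*}
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    # "5.15" without a third component means patch level 0.
    [ "$patch" = "$rest" ] && patch=0
    # Keep only the leading digits of the patch level ("102rc" -> "102").
    patch=${patch%%[!0-9]*}
    [ -z "$patch" ] && patch=0

    # Before 5.8 the faulty code does not exist.
    if [ "$major" -lt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -lt 8 ]; }; then
        echo unaffected; return 0
    fi
    # 5.17 and every later major release already carry the fix.
    if [ "$major" -gt 5 ] || [ "$minor" -ge 17 ]; then
        echo patched; return 0
    fi
    # Stable branches with a fixed release named in the article.
    case "$minor" in
        10) fixed=102 ;;
        15) fixed=25 ;;
        16) fixed=11 ;;
        *)  echo vulnerable; return 1 ;;   # no fixed release on this branch
    esac
    if [ "$patch" -ge "$fixed" ]; then
        echo patched; return 0
    fi
    echo vulnerable; return 1
}

# Check the running kernel (the function call is safe under set -e here).
kernel=$(uname -r)
if dirty_pipe_status "$kernel" >/dev/null; then
    echo "$kernel: not vulnerable to CVE-2022-0847 by version"
else
    echo "$kernel: vulnerable to CVE-2022-0847 by version, update the kernel"
fi
```

For distribution kernels, treat a "vulnerable" verdict as a prompt to check the vendor's advisory, since backported fixes keep the old version string.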