Dirty Pipe, one of the most serious vulnerabilities in years in Linux

Recently the news was released on the net of the discovery of a new vulnerability in Linux which is listed as "High Severity" which affects all kernels since version 5.8, as well as derivatives, including Android.

Known as Dirty Pipe allows data to be overwritten in read-only files and can lead to escalation of privileges by injecting code into the "root" processes.

Although it has already been patched into the mainline Linux kernel, the bug could be weaponized in the form of a privilege escalation exploit on all devices running Linux kernel version 5.8 or later.

It also means that a bunch of newly released Android smartphones, like the Samsung Galaxy S22 and Google Pixel 6, are also vulnerable, until each device receives the appropriate kernel patch from the respective OEM.

About Dirty Pipe

The vulnerability was revealed by security researcher Max Kellerman and cataloged as (CVE-2022-0847), it took a few months to find a proof-of-concept exploit.

The vulnerability allows an unprivileged user to inject and overwrite data in read-only files, including SUID processes running as root. The colloquial nickname seems to be a play on the infamous bug Dirty Cow and a Linux mechanism called pipelining for interprocess message passing, since the latter is used during the exploit routine.

It all started a year ago with a support ticket related to corrupted files. A customer complained that downloaded access logs could not be unpacked. And indeed, there was a corrupt log file on one of the log servers; it could be uncompressed, but gzip reported a CRC error. I couldn't explain why it was corrupt, but I assumed the nightly split process had crashed and produced a corrupt file. I manually corrected the CRC of the file, closed the ticket, and soon forgot about the problem.

After months of analysis, the researcher eventually discovered that the corrupted client files were the result of a bug in the Linux kernel. He found a way to exploit Dirty Pipe to allow anyone with an account, including less privileged "nobody" accounts, to add an SSH key to the root user account.

To trigger the vulnerability, Kellerman shared his proof of concept, the attacker must have read permissions. Also, scrolling must not be on a page boundary, writing cannot cross a page boundary, and the file cannot be resized.

To exploit this vulnerability, you must: create a pipe, fill the pipe with arbitrary data (by setting the PIPE_BUF_FLAG_CAN_MERGE flag on all entries in the ring), empty the pipe (leaving the flag set on all instances of the pipe_buffer structure in the structure of the pipe_inode_info ring), merge the data from the target file (opened with O_RDONLY) into the pipe just before the target offset, and write arbitrary data to the pipe.

Dirty Pipe also affects any version of Android based on one of the vulnerable versions of the Linux kernel. Because Android is so fragmented, affected device models cannot be tracked uniformly.

According to Kellerman, Google merged its bug fix with the Android kernel last month, right after it was fixed with the release of Linux kernel versions 5.16.11, 5.15.25 and 5.10.102.

Having said that, we'll probably have to wait a bit before OEMs start rolling out Android updates containing the fix. Google's Pixel 6, for example, is still vulnerable, but advanced users can mitigate the flaw by installing a custom patched aftermarket kernel as an alternative option.

Linux kernel developers released fixes (5.16.11, 5.15.25, 5.10.102) on February 23, while Google patched the Android kernel on February 24. Kellermann and other experts compared the vulnerability to CVE-2016-5195 “Dirty Cow” and they said it's even easier to exploit.

Finally, if you are interested in knowing more about it, you can consult the details In the following link.


The content of the article adheres to our principles of editorial ethics. To report an error click here!.

Be the first to comment

Leave a Comment

Your email address will not be published.

*

*

  1. Responsible for the data: Miguel Ángel Gatón
  2. Purpose of the data: Control SPAM, comment management.
  3. Legitimation: Your consent
  4. Communication of the data: The data will not be communicated to third parties except by legal obligation.
  5. Data storage: Database hosted by Occentus Networks (EU)
  6. Rights: At any time you can limit, recover and delete your information.