Dirty Pipe has the potential to smudge people using Linux and Linux derivatives.
Linux has yet another high-severity vulnerability that makes it easy for untrusted users to execute code capable of carrying out a host of malicious actions, including installing backdoors, creating unauthorized user accounts, and modifying scripts or binaries used by privileged services or apps.
Dirty Pipe, as the vulnerability has been named, is among the most serious Linux threats to be disclosed since 2016, the year another high-severity and easy-to-exploit Linux flaw (named Dirty Cow) came to light as it was being used to hack a researcher's server. Researchers in 2016 demonstrated how to exploit Dirty Cow to root any Android phone, regardless of the mobile OS version. Eleven months later, researchers unearthed 1,200 Android apps in third-party markets that maliciously exploited the flaw to do just that.
When nobody becomes all-powerfulThe name "Dirty Pipe": is meant to both signal similarities to Dirty Cow and provide clues about the new vulnerability's origins. "Pipe" refers to a pipeline, a Linux mechanism for one OS process to send data to another process. In essence, a pipeline is two or more processes that are chained together so that the output text of one process (stdout) is passed directly as input (stdin) to the next one.
Tracked as CVE-2022-0847, the vulnerability came to light when a researcher for website builder CM4all was troubleshooting a series of corrupted files that kept appearing on a customer's Linux machine. After months of analysis, the researcher finally found that the customer's corrupted files were the result of a bug in the Linux kernel.
The researcher—Max Kellermann of CM4all parent company Ionos—eventually figured out how to weaponize the vulnerability to allow anyone with an account—including the least-privileged "nobody" accounts—to add an SSH key to the root user's account. With that, the untrusted user could remotely access the server with an SSH window that has full root privileges.
Enlarge / Comments included with Kellermann's PoC.Other researchers quickly showed that the unauthorized creation of an SSH key was only one of many malicious actions an attacker can take when exploiting the vulnerability. This program, for instance, hijacks a SUID binary to create a root shell, while this one allows untrusted users to overwrite data in read-only files:
Other malicious actions enabled by Dirty Pipe include creating a
cron job that runs as a backdoor, adding a new user account to /etc/passwd + /etc/shadow (giving the new account root privileges), or modifying a script or binary used by a privileged service.
"It's about as severe as it gets for a local kernel vulnerability," Brad Spengler, president of Open Source Security, wrote in an email. "Just like Dirty Cow, there's essentially no way to mitigate it, and it involves core Linux kernel functionality."
The vulnerability first appeared in Linux kernel
version 5.8, which was released in August 2020. The vulnerability persisted until last month when it was
fixed with the release of versions 5.16.11, 5.15.25, and 5.10.102.
Throwing a wrench in AndroidDirty Pipe also afflicts any release of Android-based on one of the vulnerable Linux kernel versions. Since Android is so fragmented, affected device models can't be tracked in a uniform way. The latest version of Android for the Pixel 6 and the Samsung Galaxy S22, for instance, is 5.10.43, meaning the devices are vulnerable. A Pixel 4 on Android 12, meanwhile, runs 4.14, which is unaffected. Android users can check which kernel version their device uses by going to Settings > About phone > Android version.
"The Dirty Pipe vulnerability is extremely serious in that it allows an attacker to overwrite—temporarily or permanently—files on the system they should not be able to change," Christoph Hebeisen, head of security research at mobile security provider Lookout, wrote in an email. "Attackers can use this to change the behavior of privileged processes, effectively gaining the capability to execute arbitrary code with extensive system privileges."
The Lookout researcher said the vulnerability can be exploited on Android handsets through a malicious app that elevates its privileges, which by default are supposed to be limited. Another avenue of attack, he said, is to use a different exploit to gain limited code execution (for example, with the system rights of a legitimate app that is hacked) and combine it with Dirty Pipe so the code gains unfettered root.
While Kellermann said that Google merged his bug fix with the Android kernel in February, there are no indications that Android versions based on a vulnerable release of the Linux kernel are fixed. Users should assume that any device running a version of Android-based on a vulnerable version of the Linux kernel is susceptible to Dirty Pipe. Google representatives didn't respond to an email seeking comment.
Create pipe, Fill pipe, Drainpipe.Dirty Pipe is caused by an uninitialized variable that allows an attacker to overwrite any file contents cached in memory. Dirty Pipe can do this even if the file is not permitted to be written to. The key to Kellermann's discovery of the bug was his use of the Linux function splice to move data from one file to another.
When using splice to funnel data into a pipeline, "the kernel will first load the data into the
page cache," Kellermann explained. "Then it will create a struct pipe_buffer pointing inside the page cache (zero-copy), but unlike anonymous pipe buffers, additional data written to the pipe must not be appended to such a page, because the page is owned by the page cache, not by the pipe. By injecting PIPE_BUF_FLAG_CAN_MERGE into a page cache reference, it became possible to overwrite data in the page cache, simply by writing new data into the pipe prepared in a special way."
The researcher said the steps required are:
• Create a pipe
• Fill the pipe with arbitrary data (to set the PIPE_BUF_FLAG_CAN_MERGE flag in all ring entries)
• Drain the pipe (leaving the flag set in all struct pipe_buffer instances on the pipe_inode_info ring)
• Splice data from the target file (opened with <code">O_RDONLY) into the pipe from just before the
target offset
• Write arbitrary data into the pipe; this data will overwrite the cached file page instead of creating a
new anonymous struct pipe_buffer because PIPE_BUF_FLAG_CAN_MERGE is set
While Dirty Pipe is powerful, there are key requirements for it to work and limitations as far as what it can do. They include:
• The attacker must have read permissions
• The offset can't be on a page boundary, because at least one byte of the page must have been
spliced into the pipe
• The write can't cross a page boundary, because a new anonymous buffer would be created
• The file can't be resized, because the pipe has its own page-fill management and doesn't tell the
page cache how much data has been appended.
Spengler provided additional context and insights. He wrote:
Linux (like other OSes) caches in-memory files used by the system for performance reasons. When you want to make a private modification to some of that cached data, the OS is supposed to fork off a copy of the data for you to make your modification in, otherwise, your modification would not be private and would instead affect anyone else reading or executing that file. Like with Dirty Cow, Dirty Pipe tricked the OS into performing an illegal modification of that cache, affecting all users on the system.
So what an exploit can do is for instance to change the code for a suid root binary (which they have read access to) to skip its system calls which would change its privilege back to the user (which means the binary will unknowingly continue running with full root privileges), or the exploit can modify a commonly used library to cause it to execute some additional code, with a simple example is changing the permissions on a shell the attacker copied into /tmp to make it suid root.
One mitigating factor is that the kernel version that introduced the vulnerability, 5.8, is relatively new. Many production servers aren't running 5.8.
2022 has already seen one other high-severity Linux vulnerability. PwnKit is also a privilege escalation bug that was
discovered in January after lurking in the Linux kernel for 12 years. It too is trivial to exploit and opens the door to numerous forms of malice.
Regardless, make no mistake: The ease of exploiting Dirty Pipe coupled with the near-unlimited things hackers can do with it makes it the most critical privilege escalation vulnerability to hit Linux since 2016's Dirty Cow.
"Given that there are already weaponized exploits floating around on Twitter, it's already too late for people who had existing untrusted users on their system," Spengler said. "Anyone with an affected kernel version (>= 5.
should apply the fix ASAP."
source
