Dirty Pipe Linux flaw allows gaining root privileges on major distros

Dirty Pipe is a Linux vulnerability, tracked as CVE-2022-0847, that can allow local users to gain root privileges on all major distros.

Security expert Max Kellermann discovered a Linux flaw, dubbed Dirty Pipe and tracked as CVE-2022-0847, that can allow local users to gain root privileges on all major distros.

The vulnerability affects Linux Kernel 5.8 and later versions.

The CVE-2022-0847 vulnerability allows overwriting data in arbitrary read-only files, which could lead to privilege escalation because unprivileged processes can inject code into root processes.

Kellerman explained that the flaw is similar to CVE-2016-5195, aka Dirty Cow, and is more dangerous because it is easier to exploit.

In a blog post, the researcher explained that he discovered the flaw while investigating corrupt access log files for one of its customers.

Kellerman published technical details about the Dirty Pipe flaw along with a proof-of-concept (PoC) exploit that allows local users to overwrite any file contents in the page cache, even if the file is not permitted to be written, immutable or on a read-only mount.

BleepingComputer reported a tweet published by the security researcher Phith0n who explained that it is possible to use the exploit to modify the /etc/passwd file to set the root user without a password. Using this trick a non-privileged user could execute the command ‘su root’ to gain access to the root account.

The researcher Phith0n also published an updated version of the exploit that allows gaining root privileges by overwriting a SUID program like ./exp /usr/bin/su to drop a root shell at /tmp/sh and then executing the script.

Below is the timeline for this vulnerability:

Timeline

2021-04-29: first support ticket about file corruption
2022-02-19: file corruption problem identified as Linux kernel bug, which turned out to be an exploitable vulnerability
2022-02-20: bug report, exploit and patch sent to the Linux kernel security team
2022-02-21: bug reproduced on Google Pixel 6; bug report sent to the Android Security Team
2022-02-21: patch sent to LKML (without vulnerability details) as suggested by Linus Torvalds, Willy Tarreau and Al Viro
2022-02-23: Linux stable releases with my bug fix (5.16.11, 5.15.25, 5.10.102)
2022-02-24: Google merges my bug fix into the Android kernel
2022-02-28: notified the linux-distros mailing list
2022-03-07: public disclosure

Servers running outdated kernel versions are exposed to attacks exploiting this flaw.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Linux)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.