top of page
  • Manoj Ghimire

The Dirty Pipe Vulnerability


Overview:

A Linux kernel vulnerability known as CVE-2022-0847, termed as Dirty Pipe close to resemblance to another exploit known as Dirty Cow – was discovered lately, however it has likely been present in all Linux kernels since kernel version 5.8 and fixed with the release of version 5.16.11,5.15.25 and 5.10.102


The pipe is like a pipeline, a method for IPC (Interprocess Communication) in Unix implementation. The output of one process can be used as the input of another process.

Figure 1: Pipe to connect two processes


The bug was discovered and reported to the Linux kernel security team by Max Kellermann of CM4all parent company IONOS back in February. Author Max Kellermann <max.kellermann@ionos.com> provides the fix for the bug in linux.git


Kellermann found this vulnerability when he was troubleshooting a series of corrupted files that kept appearing on a customer’s Linux machine. After analysis, he found the pattern of that bug which, is because of the bug in the Linux kernel.


Note: To exploit this vulnerability kernel version 5.8 or above is required which is relatively new as many productions server are not running versions above 5.8


Working:

The primary cause of the issue is an uninitialized variable that allows unprivileged users to overwrite any file contents cached in memory.


According to Kellermann, “Linux kernel will first load the data into the page cache. After it will create a struct pipe_buffer pointing inside the page cache (zero-copy) but unlike anonymous pipe buffers, additional data written to the pipe must not be appended to such a page, because the page is owned by the page cache, not by the pipe. By injecting PIPE_BUF_FLAG_CAN_MERGE into a page cache reference, it became possible to overwrite data in the page cache, simply by writing new data into the pipe prepared in a special way.”

Exploiting:

The following conditions should be matched to make an exploit.

  • Unprivileged users must have read permission.

  • The offset must not be on a page boundary.

  • Write cannot cross a page boundary.

  • The file cannot be resized.


Processes to exploit:

  • Create a pipe.

  • Fill the pipe with arbitrary data (to set the PIPE_BUF_FLAG_CAN_MERGE flag in all ring entries).

  • Drain the pipe (leaving the flag set in all struct pipe_buffer instances on the struct pipe_inode_info ring).

  • Splice data from the target file (opened with O_RDONLY) into the pipe from just before the target offset.

  • Write arbitrary data into the pipe; this data will overwrite the cached file page instead of creating a new anonymous struct pipe_buffer because PIPE_BUF_FLAG_CAN_MERGE is set.


In the below example, this exploit can change the code of a suid root binary to skip its system calls, reverting the binary’s privilege to the user, leads to execute the binary to run with full root privilege. Or the exploit can modify (append, write) commonly used library causing it to execute some additional code. With a simple example being changing the permissions of a shell the attacker copied into /tmp to make it suid root.

Figure: Exploiting screenshot


References:







Contact Us: info@stupa.io

578 views0 comments

Yorumlar


stupa_transparent (1).png
bottom of page