Exploiting DirtyPipe aka CVE-2022-0847 - Linux Privilege Escalation Vulnerability | 15 March 2021


A couple of days ago, a cyber security researcher named Max Kellermann published a new vulnerability named DirtyPipe, with CVE number CVE-2022-0847. It is similar to the DirtyCow vulnerability, which was published in 2016.

DirtyPipe is a local privilege escalation vulnerability that affects the Linux kernel starting with version 5.8. It allows an unprivileged attacker to bypass file permissions and write arbitrary data to any file on the system that the user can read. In simple words, it is a local privilege escalation vulnerability that allows an adversary to gain root privileges.

PoC

Detailed blog post and PoC from Max Kellermann can be found here: https://dirtypipe.cm4all.com


Affected systems

Popular Linux distributions like Ubuntu, Debian and RedHat are affected. Even Android systems are vulnerable. It is also possible that this vulnerability can be used to break out of containers.

MITRE ATT&CK mapping

If you would like to map it under the MITRE ATT&CK matrix: Privilege Escalation -> Exploitation for Privilege Escalation. Technique ID: T1068.

Exploitation

There are many ways to exploit DirtyPipe using the PoC code. For example, we can write new secure shell keys for the root user, or we could add a new root user to the /etc/passwd file. The demo is based on writing a new user to the /etc/passwd file.

1. Modifying/overwriting read only files
This exploit is a proof of concept that was developed by Max Kellermann and has been modified to change the root password in the /etc/passwd file, which provides access to an elevated shell.

2. Hijacking SUID binaries
This exploit can be used to inject and overwrite data in the read-only memory of SUID binaries that run as root.

Remediation

Most of the major Linux distributions have released advisories and patches to mitigate this security issue.
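As an added example (not part of the original post or the PoC), here is a small POSIX sh check that classifies a kernel release string against the upstream fix boundaries: affected from 5.8, fixed in 5.16.11, 5.15.25 and 5.10.102. Distribution kernels often backport the fix without changing the upstream version string, so a "vulnerable" verdict is a prompt to consult the vendor advisory, not a confirmed finding.

```shell
#!/bin/sh
# Added example: classify a Linux kernel release string as "vulnerable" or
# "fixed" for CVE-2022-0847 (DirtyPipe) using upstream fix boundaries only.
# Caveat: distro kernels backport fixes without bumping the version, so treat
# "vulnerable" as "check the vendor advisory". Release kernels only (no -rc).

# Reduce "5.10.102.1-microsoft-standard" to "MAJOR MINOR PATCH" (numeric).
kernel_triplet() {
    ver=${1%%-*}                 # drop "-generic", "-amd64", ...
    ver=${ver%%+*}               # drop "+" suffixes
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    [ "$patch" = "$rest" ] && patch=0   # "5.8" has no patch component
    patch=${patch%%[!0-9]*}             # "102.1" -> "102"
    [ -n "$patch" ] || patch=0
    echo "$major $minor $patch"
}

# Prints "vulnerable" or "fixed" for the given release string (uname -r form).
dirtypipe_status() {
    set -- $(kernel_triplet "$1")
    major=$1; minor=$2; patch=$3
    # Bug introduced in 5.8: anything older is not affected.
    if [ "$major" -lt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -lt 8 ]; }; then
        echo fixed; return 0
    fi
    # 6.x and later always carry the fix.
    if [ "$major" -gt 5 ]; then echo fixed; return 0; fi
    case "$minor" in
        10) [ "$patch" -ge 102 ] && echo fixed || echo vulnerable ;;  # 5.10 LTS
        15) [ "$patch" -ge 25 ]  && echo fixed || echo vulnerable ;;  # 5.15 LTS
        16) [ "$patch" -ge 11 ]  && echo fixed || echo vulnerable ;;  # 5.16 stable
        *)  [ "$minor" -ge 17 ]  && echo fixed || echo vulnerable ;;  # 5.8-5.14: EOL, unfixed
    esac
}

# Stand-alone use: check the running kernel.
printf '%s: %s\n' "$(uname -r)" "$(dirtypipe_status "$(uname -r)")"
```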

