Attackers can Exploit Dirty Pipe Linux Vulnerability to Overwrite Data

The vulnerability has been fixed in Linux versions 5.16.11, 5.15.25, and 5.10.102, and patches will be released soon.

Researcher Max Kellermann has shared details of a new Linux kernel vulnerability that lets attackers overwrite data in arbitrary read-only files. The vulnerability is similar to the Dirty Cow vulnerability discovered back in 2016, but the difference is that it is easier to exploit.

Details of the Flaw

Kellermann stated that he discovered the bug last year and regarded it as a critical vulnerability that allows root-level access to Linux-based systems. It is dubbed Dirty Pipe because it impacts the Linux pipeline, which initiates inter-process communications.

Reportedly, the flaw allows privilege escalation through which remote attackers can perform a wide range of malicious activities on the compromised system. Officially tracked as CVE-2022-0847, Dirty Pipe affects Linux Kernel 5.8 and later versions and impacts Linux on Android devices.

More Linux Security News

1. Beware- FontOnLake Rootkit Malware Attacking Linux Systems
2. Chinese hackers using RedXOR backdoor against Linux systems
3. HolesWarm crypto malware hits unpatched Linux, Windows servers
4. Multi-platform SysJoker backdoor hits Windows, macOS & Linux Devices
5. New Linux kernel memory corruption bug causes full system compromise

How to Exploit Dirty Pipe?

In a blog post, Kellermann explained how this vulnerability could be exploited. An attacker has to create a pipe and insert arbitrary data so that the PIPE_BUF_FLAG_CAN_MERGE flag is set in all ring entries.

Then the attacker will splice data from the targeted file into the pipe before the target offset. It is a smooth ride afterward as the attacker can write arbitrary data into the pipe, which will overwrite the cached file page rather than creating a new anonymous struct pipe_buffer since the flag is already set.

To make this vulnerability more interesting, it not only works without write permissions, it also works with immutable files, on read-only btrfs snapshots, and on read-only mounts (including CD-ROM mounts). That is because the page cache is always writable (by the kernel), and writing to a pipe never checks any permissions.

Kellermann

Likely Limitations

In theory, it seems easy to exploit Dirty Pipe to overwrite files on a device, gain elevated privileges, and laterally move inside networks to execute arbitrary codes, extract sensitive data, and hijack devices.

However, the flaw has its limitations. The bug can be exploited if the attacker has read permissions and the offset isn’t on a page boundary. Moreover, they cannot resize the file, and the write cannot cross a page boundary as well.

The vulnerability has been fixed in Linux versions 5.16.11, 5.15.25, and 5.10.102, and patches will be released soon.