A Linux vulnerability that affects all kernels since 5.8, including Android, has been disclosed by security researcher Max Kellermann. Known as Dirty Pipe, it allows the overwriting of data in read-only files and can lead to privilege escalation via the injection of code into root processes.
The Dirty Pipe Vulnerability : Allows Write Access with Root Privileges (affects all Linux machines running kernel version since 5.8) : https://t.co/lsQhB0Zifs PoC : https://t.co/3zVlNRYpHW (tweet, March 8, 2022)
Properly referred to as CVE-2022-0847, Dirty Pipe is similar to 2016’s Dirty COW vulnerability that targeted the copy-on-write (COW) mechanism in the Linux kernel’s memory subsystem. It turned a read-only mapping into a writable one and could be combined with other exploits to achieve root access.
Dirty Pipe, by contrast, is easier to exploit: proofs of concept such as the one by kernel developer Binni Shah were quickly put together and posted on Twitter, while security researcher Phith0n refined the process to leave the root account without a password.
The ‘pipe’ part of the name refers to the kernel’s mechanism for unidirectional inter-process communication; the first write to a pipe allocates a 4 KB page of memory for it. If you use splice() to append data from a file to the pipe, the pipe is handed the file’s page-cache page rather than a copy of it, and from there you can overwrite that cached page just by writing new, properly prepared data to the pipe.
In Linux, a page is ‘dirty’ when it holds changes waiting to be written to disk, and the page cache only writes back dirty pages. Overwriting the page through the pipe doesn’t mark it dirty, so the modified page simply stays in the memory cache, and the properly prepared exploit data lands in it. Writing to a pipe doesn’t check file permissions, so any user can do it, potentially allowing an escalation of privileges; the change vanishes on reboot because it was never written to disk.
“To make this vulnerability more interesting,” writes Kellermann, “it not only works without write permissions, it also works with immutable files, on read-only btrfs snapshots and on read-only mounts (including CD-ROM mounts). That is because the page cache is always writable (by the kernel), and writing to a pipe never checks any permissions.”
Kellermann discovered the vulnerability after investigating a bug that was corrupting web server access logs for a customer. While simple to exploit, the vulnerability requires physical access to the machine being rooted, making it harder to deploy than those delivered over networks or via malware.
In February, Kellermann sent a bug report (and patch) to the Linux kernel security team, and fixes were issued three days later. Google added the fix to the Android kernel at about the same time. The vulnerability has been fixed in Linux 5.16.11, 5.15.25, and 5.10.102.
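As an added example (not from the article or from Kellermann), the following script turns the affected range above (every kernel from 5.8 on, fixed in 5.10.102, 5.15.25 and 5.16.11) into a version check against `uname -r`. It assumes that mainline 5.17 and later shipped with the fix and that the other 5.x branches never received one; release candidates are not distinguished from final releases.

```python
import re
import subprocess

# Fixed stable releases named in the article, keyed by (major, minor) branch.
FIXED_IN = {
    (5, 10): (5, 10, 102),
    (5, 15): (5, 15, 25),
    (5, 16): (5, 16, 11),
}
FIRST_AFFECTED = (5, 8, 0)
# Assumption (not stated in the article): mainline 5.17 and later carry the fix.
FIRST_FIXED_MAINLINE = (5, 17, 0)


def parse_kernel_version(release: str) -> tuple[int, int, int]:
    """Extract (major, minor, patch) from a `uname -r` string such as '5.10.101-1-amd64'."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def dirty_pipe_affected(release: str) -> bool:
    """True if the upstream version number falls inside the CVE-2022-0847 range.

    This is a version-number heuristic only: distribution kernels that backport
    the fix under an older version string will still be reported as affected.
    """
    v = parse_kernel_version(release)
    if v < FIRST_AFFECTED or v >= FIRST_FIXED_MAINLINE:
        return False
    fixed = FIXED_IN.get(v[:2])
    if fixed is None:
        # 5.8, 5.9 and 5.11-5.14: no fixed release named, so treat the whole
        # branch as affected.
        return True
    return v < fixed


def check_running_kernel() -> tuple[str, bool]:
    """Report on the kernel this script is running under (Linux only)."""
    out = subprocess.run(["uname", "-r"], capture_output=True, text=True, check=True)
    release = out.stdout.strip()
    return release, dirty_pipe_affected(release)


if __name__ == "__main__":
    rel, affected = check_running_kernel()
    print(f"{rel}: {'AFFECTED' if affected else 'not affected by version number'}")
```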