A new Linux vulnerability, known as Dirty Pipe, has been disclosed. It allows local users to gain root privileges using publicly available exploits. The ‘Dirty Pipe’ weakness was responsibly disclosed by security researcher Max Kellermann, who noted that it affects Linux kernel 5.8 and later versions, as well as Android devices.
The flaw is tracked as CVE-2022-0847. It enables an unprivileged user to inject and overwrite data in read-only files, including SUID binaries that run as root. Kellermann found the flaw while investigating a bug that was corrupting one of his clients’ web server access logs. He states that the weakness is comparable to the Dirty COW vulnerability (CVE-2016-5195), which was fixed in 2016.
Kellermann published a proof-of-concept (PoC) exploit as part of the Dirty Pipe disclosure. It allows local users to inject their own data into sensitive read-only files, removing restrictions or altering configuration to grant broader access than they would normally have. For example, security researcher Phith0n demonstrated how the exploit could be used to change the root user’s password in the /etc/passwd file. After this modification, an unprivileged user could simply run the ‘su root’ command to obtain root access.
However, security researcher BLASTY released an updated exploit that makes gaining root privileges even easier by patching the /usr/bin/su command so that it drops a root shell at /tmp/sh and then executes that script. The user gains root privileges after running the command.
Starting on February 20th, 2022, the vulnerability was responsibly disclosed to several Linux maintainers, including the Linux kernel security team and the Android Security Team. Although the flaw has been fixed in Linux kernels 5.16.11, 5.15.25, and 5.10.102, many servers still run older kernels, making the publication of this vulnerability a major concern for server administrators.
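For administrators triaging a fleet, the first question is which hosts are inside the affected range (5.8 and later) and below the fixed stable releases named above. The following script is an added example, not code from the article or from Kellermann; it parses `uname -r` style strings and applies the article's version boundaries. The assumptions it makes are labelled in the code: 5.x minors between 5.8 and 5.16 that have no fixed release listed (5.8, 5.9, 5.11 through 5.14) are treated as affected, and 5.17 and later are treated as fixed. The sample release strings are constructed.

```python
import platform
import re
from typing import Dict, Iterable, Optional, Tuple

# Fixed stable releases named in the article for CVE-2022-0847 (Dirty Pipe):
# a host on one of these minor series is considered fixed at or above this
# patch level.
FIXED_PATCH_LEVEL = {
    (5, 10): 102,
    (5, 15): 25,
    (5, 16): 11,
}

# The article states that 5.8 and later are affected.
FIRST_AFFECTED = (5, 8)

# Assumption (not stated on the page): kernels newer than 5.16 shipped after
# the fix and are treated as not affected.
LAST_AFFECTED_SERIES = (5, 16)

# Matches the leading "major.minor[.patch]" of a `uname -r` string such as
# "5.15.0-25-generic" or "5.10.101-1-amd64"; distro suffixes are ignored.
_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_kernel_release(release: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from a kernel release string, or None
    if the string does not start with a recognisable version."""
    match = _RELEASE_RE.match(release.strip())
    if not match:
        return None
    major, minor, patch = match.group(1), match.group(2), match.group(3) or "0"
    return int(major), int(minor), int(patch)


def is_vulnerable_version(release: str) -> Optional[bool]:
    """Classify a release string against the article's version boundaries.

    Returns True (affected), False (outside the range or at/above the fixed
    patch level), or None when the string cannot be parsed. Note that this is
    a version-number check only: distribution kernels backport fixes (and
    sometimes the offending code) without changing the upstream version, so
    the vendor advisory is authoritative for any given host.
    """
    version = parse_kernel_release(release)
    if version is None:
        return None
    major, minor, patch = version
    series = (major, minor)

    if series < FIRST_AFFECTED:
        return False  # before 5.8: not affected per the article
    if series in FIXED_PATCH_LEVEL:
        return patch < FIXED_PATCH_LEVEL[series]  # fixed at the listed patch level
    if series > LAST_AFFECTED_SERIES:
        return False  # assumption: 5.17+ released after the fix
    # 5.8, 5.9, 5.11-5.14: in the affected range with no fixed release listed,
    # so treat as affected (assumption).
    return True


def triage_hosts(releases: Iterable[str]) -> Dict[str, Optional[bool]]:
    """Map each release string to its classification, e.g. for a fleet
    inventory pulled from configuration management."""
    return {release: is_vulnerable_version(release) for release in releases}


if __name__ == "__main__":
    # Constructed sample inventory, one `uname -r` string per host.
    sample_inventory = [
        "5.15.0-25-generic",
        "5.15.25",
        "5.10.101-1-amd64",
        "5.10.102-1-amd64",
        "5.13.19",
        "5.4.0-100-generic",
        "6.1.0",
    ]
    for release, affected in triage_hosts(sample_inventory).items():
        print(f"{release:24s} -> {affected}")
    # Also classify the kernel this script is running on.
    local = platform.release()
    print(f"this host ({local}) -> {is_vulnerable_version(local)}")
```

Run it as-is to see the constructed inventory classified, or feed it your own list of release strings; treat a `True` result as "needs the vendor advisory checked and a patched kernel scheduled", not as proof of exploitability, and a `False` result on a distribution kernel as no more than a hint, since backports are invisible to the version string.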
Furthermore, given how easily these exploits can be used to gain root privileges, it is only a matter of time before threat actors begin using the vulnerability in their attacks. Malware has previously used the comparable Dirty COW vulnerability, which was harder to exploit. This flaw is particularly problematic for web hosting companies that offer Linux shell access, as well as colleges that commonly provide shell access to multi-user Linux systems.