A new, dangerous Linux vulnerability is lurking in unpatched distributions. Called Dirty Pipe and tracked as CVE-2022-0847, the vulnerability is located in the kernel (present since version 5.8) and lets threat actors overwrite arbitrary data in any read-only file.
This could then enable a complete takeover of exposed systems. Researcher Max Kellermann says Dirty Pipe is similar to the Dirty Cow flaw, disclosed in 2016, but easier to exploit. CVE-2016-5195, also known as Dirty Cow, was a kernel local privilege escalation found in every Linux distribution released in the nine years up to 2016.
How Was Dirty Pipe (CVE-2022-0847) Discovered?
Here’s how Max Kellermann tells the story:
It all started a year ago with a support ticket about corrupt files. A customer complained that the access logs they downloaded could not be decompressed. And indeed, there was a corrupt log file on one of the log servers; it could be decompressed, but gzip reported a CRC error. I could not explain why it was corrupt, but I assumed the nightly split process had crashed and left a corrupt file behind. I fixed the file’s CRC manually, closed the ticket, and soon forgot about the problem.
The corruption kept recurring. Each time, the file’s contents looked correct and only the CRC at the end of the file was wrong. With several corrupt files at hand, the researcher was able to dig deeper and discovered a surprising pattern in the corruption.
Eventually, he discovered a flaw “in the way the ‘flags’ member of the new pipe buffer structure was lacking proper initialization in copy_page_to_iter_pipe and push_pipe functions in the Linux kernel and could thus contain stale values,” as summarized by Red Hat researchers in a separate advisory.
As a result, an unprivileged local user could exploit the flaw to write to pages in the page cache backed by read-only files, creating a privilege escalation condition. The name Dirty Pipe derives from the pipeline, which in Unix-like operating systems is a mechanism for inter-process communication via message passing. In that sense, a pipeline is a set of processes chained together by their standard streams, so that the output (stdout) of each process is passed directly as input (stdin) to the next one (Wikipedia: https://en.wikipedia.org/wiki/Pipeline_(Unix)).
How Can the Dirty Pipe Vulnerability Be Exploited?
Kellermann says that exploiting the CVE-2022-0847 flaw requires the following steps:
1. Create a pipe.
2. Fill the pipe with arbitrary data (to set the PIPE_BUF_FLAG_CAN_MERGE flag in all ring entries).
3. Drain the pipe (leaving the flag set in all struct pipe_buffer instances on the struct pipe_inode_info ring).
4. Splice data from the target file (opened with O_RDONLY) into the pipe from just before the target offset.
5. Write arbitrary data into the pipe; this data will overwrite the cached file page instead of creating a new anonymous struct pipe_buffer because PIPE_BUF_FLAG_CAN_MERGE is set.
This exploitation also works with immutable files on read-only btrfs snapshots and on read-only mounts (including CD-ROM mounts). “That is because the page cache is always writable (by the kernel), and writing to a pipe never checks any permissions,” Kellermann added.
The researcher also created and shared his proof-of-concept code.
The vulnerability has already been patched in Linux versions 5.16.11, 5.15.25, and 5.10.102. Google has also released fixes for the Android kernel on February 24, 2022.
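As a triage aid for the version ranges named above, here is an added example (editor's code, not from the article or from Kellermann) that classifies a `uname -r` style kernel release string against the affected and fixed versions listed here. It assumes that distribution kernels may carry a backported fix under an older version number, so its verdict is a hint for prioritising patching, not proof of exposure.

```python
"""Heuristic check of a Linux kernel release string against the
CVE-2022-0847 (Dirty Pipe) ranges stated in the article: affected since
5.8, fixed in 5.16.11, 5.15.25 and 5.10.102.

Assumption: distribution kernels often backport fixes without changing
the version number, so the result is a triage hint only."""
import platform
import re

FIRST_AFFECTED = (5, 8, 0)
# Fixed releases named in the article, keyed by stable branch.
FIXED = {(5, 16): (5, 16, 11), (5, 15): (5, 15, 25), (5, 10): (5, 10, 102)}


def parse_kernel_version(release):
    """Extract (major, minor, patch) from strings such as
    '5.15.0-25-generic' or '5.16.11-arch1-1'; distro suffixes are ignored."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def dirty_pipe_status(release):
    """Return 'not-affected', 'fixed', 'vulnerable' or 'unknown-branch'."""
    ver = parse_kernel_version(release)
    if ver < FIRST_AFFECTED:
        return "not-affected"  # bug introduced in 5.8
    branch = ver[:2]
    if branch in FIXED:
        return "fixed" if ver >= FIXED[branch] else "vulnerable"
    # 5.8-5.9, 5.11-5.14 and branches newer than 5.16: the article names
    # no fixed release for these, so leave the decision to the reader.
    return "unknown-branch"


if __name__ == "__main__":
    rel = platform.release()
    print(f"{rel}: {dirty_pipe_status(rel)}")
```

Run it on the host and compare against the distribution's own advisory before concluding anything, since a "vulnerable" result on a vendor kernel such as 5.15.0-25-generic only means the upstream version number predates the fix.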
It is noteworthy that yesterday, March 7, we wrote about another severe Linux kernel issue, which could have been abused to escape a container and execute arbitrary commands on the host. That vulnerability is tracked as CVE-2022-0492 and was detailed by Palo Alto Networks Unit 42 researchers.