Dirty Pipe Exploit Rings Alarm Bells in the Linux Community

Security researchers are warning of a critical new vulnerability that could give root-level access to Linux systems, enabling remote attackers to perform a range of malicious actions.

The “Dirty Pipe” bug (CVE-2022-0847) is similar to the notorious Dirty Cow vulnerability discovered in 2016 but even easier to exploit, according to Max Kellermann, the researcher who found it last year.

The “pipe” in the moniker refers to the Linux pipe, a kernel mechanism for inter-process communication.

“To exploit this vulnerability, you need to: create a pipe; fill the pipe with arbitrary data (to set the PIPE_BUF_FLAG_CAN_MERGE flag in all ring entries); drain the pipe (leaving the flag set in all struct pipe_buffer instances on the struct pipe_inode_info ring); splice data from the target file (opened with O_RDONLY) into the pipe from just before the target offset; write arbitrary data into the pipe. This data will overwrite the cached file page instead of creating a new anonymous struct pipe_buffer because PIPE_BUF_FLAG_CAN_MERGE is set,” Kellermann explained.

“To make this vulnerability more interesting, it not only works without write permissions, it also works with immutable files, on read-only btrfs snapshots and on read-only mounts (including CD-ROM mounts). That is because the page cache is always writable (by the kernel), and writing to a pipe never checks any permissions.”

In effect, the vulnerability could allow attackers to overwrite files on a system, elevate privileges, move laterally inside networks and execute arbitrary code to hijack devices.

However, there are limitations. The attacker must have read permissions, and the “offset” must not be on a page boundary. Also, the write cannot cross a page boundary, and the file cannot be resized.

CVE-2022-0847 has been fixed in Linux 5.16.11, 5.15.25, and 5.10.102, with patches coming soon for major distributions.
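As an added defensive check that is not part of this article and not Kellermann's code: a POSIX shell function that classifies a kernel release string against the three fixed versions named above. It assumes the affected range begins at kernel 5.8 (a figure taken from the upstream advisory, not from this article) and that the release string follows the `major.minor.patch[-suffix]` form that `uname -r` prints.

```shell
#!/bin/sh
# Added example (not from the article or from Kellermann): classify a kernel
# release string against the fixed versions the article names
# (5.16.11, 5.15.25, 5.10.102). The 5.8 lower bound comes from the upstream
# advisory, not from this article.
#
# Usage: dirty_pipe_status "5.15.0-25-generic"
# Prints "vulnerable" or "fixed"; returns 0 when vulnerable, 1 when fixed,
# 2 when the string cannot be parsed.
dirty_pipe_status() {
    base=${1%%-*}                 # "5.15.0-25-generic" -> "5.15.0"
    base=${base%%+*}              # "5.10.102+"         -> "5.10.102"
    major=${base%%.*}
    rest=${base#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    [ "$patch" = "$rest" ] && patch=0       # two-component release such as "5.8"
    patch=${patch%%[!0-9]*}                 # "25.1" or "25rc" -> "25"
    [ -z "$patch" ] && patch=0
    case "$major$minor" in
        ""|*[!0-9]*) echo "unparseable release string: $1" >&2; return 2 ;;
    esac

    status=fixed
    # Only the 5.8 .. 5.16 series carry the bug; 5.17 shipped with the fix.
    if [ "$major" -eq 5 ] && [ "$minor" -ge 8 ] && [ "$minor" -lt 17 ]; then
        case "$minor" in
            10) [ "$patch" -lt 102 ] && status=vulnerable ;;
            15) [ "$patch" -lt 25 ]  && status=vulnerable ;;
            16) [ "$patch" -lt 11 ]  && status=vulnerable ;;
            *)  status=vulnerable ;;   # 5.8-5.9, 5.11-5.14: end-of-life series, never fixed upstream
        esac
    fi
    echo "$status"
    [ "$status" = vulnerable ]
}

# Executed directly: classify the first argument, or the running kernel when none is given.
if dirty_pipe_status "${1:-$(uname -r)}"; then
    echo "=> upgrade to 5.16.11 / 5.15.25 / 5.10.102 or later, or confirm the distribution backport"
fi
```

A "vulnerable" result from this check is a prompt to consult the distribution's security tracker rather than a confirmed finding: distributions routinely backport the fix while keeping the upstream version number unchanged, so a patched vendor kernel can still report a version below the fixed releases listed here. Treat the version check as triage that decides which hosts to look at first, and confirm from the package changelog or vendor advisory.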

“Any exploit that gives root level access to a Linux system is problematic. An attacker that gains root gains full control over the target system and may be able to leverage that control to reach other systems. The mitigating factor with this vulnerability is that it requires local access, which slightly lowers the risk,” said Vulcan Cyber senior technical engineer Mike Parkin.

“Escalating privileges to root (POSIX family) or admin (Windows) is often an attacker’s first priority when they gain access to a system, as it gives them full control of the target and can help them extend their foothold to other victims. That hasn’t changed for ages and is unlikely to change in the foreseeable future.”
