The Dirty Pipe Vulnerability (CVE-2022-0847) gives Unprivileged Users Root Access

What is “Dirty Pipe”?

The Basics

Details

#include <unistd.h>
#include <stdio.h>

/* Writer: emits "pew" to stdout every two seconds.
   When run as below, stdout is redirected into a regular file. */
int main(void) {
    while (1) {
        write(1, "pew\n", 4);
        sleep(2);
    }
    return 0;
}

./pew > outfeed.txt
#define _GNU_SOURCE
#include <unistd.h>
#include <fcntl.h>
#include <stdio.h>

/* Reader: once per second, moves two bytes from stdin (the file) into
   stdout (a pipe) with splice(), then writes "wep" into the same pipe.
   splice() takes NULL offsets here so the current file position is used. */
int main(void) {
    while (1) {
        splice(0, NULL, 1, NULL, 2, 0);
        write(1, "wep\n", 4);
        sleep(1);
    }
    return 0;
}

./wep < outfeed.txt | cat > /dev/null

Exploitation

  Limitations:
  • the attacker needs read permission on the target file
  • the writable offset must not be on a page boundary
  • the write cannot cross a page boundary, and
  • the file cannot be resized.

  Steps:
  • First, initialize a pipe.
  • Then populate the pipe with arbitrary content and drain it again. This step is necessary to set the PIPE_BUF_FLAG_CAN_MERGE flag on the pipe's buffers.
  • Once done, splice() data from the target file into the pipe up to just before the target offset.
  • Finally, overwrite the cached file page with write().

Publicly Known Exploits

Impact

Mitigation
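The fix for CVE-2022-0847 landed upstream in 5.17-rc6 and was backported to the stable releases 5.16.11, 5.15.25 and 5.10.102; the bug was introduced in 5.8, so earlier kernels are not affected. The following triage script is an added example and is not part of the original article. It parses a kernel release string (as returned by uname -r) and classifies it against those ranges; the regular expression and the is_vulnerable_release name are my own. It assumes a kernel whose version number reflects the upstream stable series, which is not true for distribution kernels that backport the fix without bumping the version.

```python
import platform
import re

# Upstream version ranges for CVE-2022-0847 (facts from the fix announcement):
# introduced in 5.8; fixed in 5.10.102, 5.15.25, 5.16.11 and 5.17-rc6.
INTRODUCED = (5, 8, 0)
FIRST_FIXED_IN_SERIES = {
    (5, 10): (5, 10, 102),
    (5, 15): (5, 15, 25),
    (5, 16): (5, 16, 11),
}
FIRST_FIXED_RC_5_17 = 6

# major.minor[.patch][-rcN]; the trailing distro suffix (e.g. "-25-generic") is ignored.
_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?")


def parse_release(release: str):
    """Return ((major, minor, patch), rc_or_None) for a uname -r style string."""
    m = _RELEASE_RE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    major, minor, patch, rc = m.groups()
    version = (int(major), int(minor), int(patch) if patch else 0)
    return version, (int(rc) if rc else None)


def is_vulnerable_release(release: str) -> bool:
    """True if the upstream version number falls inside an unfixed range."""
    version, rc = parse_release(release)
    if version < INTRODUCED:
        return False  # bug not present before 5.8
    series = version[:2]
    if series in FIRST_FIXED_IN_SERIES:
        return version < FIRST_FIXED_IN_SERIES[series]
    if series == (5, 17):
        # 5.17 final and rc6+ carry the fix; earlier release candidates do not.
        return rc is not None and rc < FIRST_FIXED_RC_5_17
    if version >= (5, 18, 0):
        return False
    # 5.8, 5.9 and 5.11 to 5.14 are end-of-life series that never received the fix.
    return True


def check_running_kernel():
    """Classify the kernel this script runs on. Returns (release, vulnerable)."""
    release = platform.release()
    try:
        return release, is_vulnerable_release(release)
    except ValueError:
        return release, None  # non-Linux or unparsable release string


if __name__ == "__main__":
    rel, vuln = check_running_kernel()
    verdict = {True: "in a vulnerable upstream range", False: "outside the vulnerable range",
               None: "not classifiable"}[vuln]
    print(f"kernel {rel}: {verdict}")
```

Treat a "vulnerable" result as a prompt to consult the distribution's advisory for that exact package version, not as proof; a "not vulnerable" result for a version number inside a fixed series is reliable only when the kernel really is the upstream stable build it claims to be.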

Conclusion

Reference

TutorialBoy
Our mission is to get you into information security. We'll introduce you to penetration testing and Red Teaming. We cover network testing, Active Directory.