While file permissions are crucial to the security of Linux systems, a vulnerability has recently been discovered which allows users to bypass these permissions and escalate privileges. The vulnerability, CVE-2022-0847 (nicknamed “Dirty Pipe”), allows an unprivileged local user to write arbitrary data into files that should be read-only to them. With write access to sensitive root-owned files, this can allow someone to completely take over a system. This vulnerability affects Linux kernel versions 5.8 and above.
Max Kellermann, a software developer at IONOS, discovered this vulnerability after one of his customers raised concerns about file corruption. Specific files downloaded by the customer could not be decompressed, which led to this important finding. The root cause was that a flag in the pipe buffer structure was not properly initialized, which led to this kind of file corruption.
What is a Pipe?
In Linux, a pipe is a mechanism that allows processes on a computer to communicate with each other. It lets users conveniently send the output of one process into the input of another process. An example of this in the terminal is as follows:
In this example, the command “cat hello.txt” returns all the contents of the file “hello.txt”. The command “cat hello.txt | head -3” feeds the output of the “cat hello.txt” process into the “head -3” process, which then returns the first 3 lines of the input it is given.
How Does the Exploit Work?
The following are the steps used to exploit this vulnerability:
- Open a pipe
- Fill pipe with arbitrary data
- Clear the pipe (this allows for data in the pipe to be merged with other data)
- Feed in data from the target file into the pipe
- Write some data into the pipe
As a result of following these steps, the system incorrectly overwrites the cached copy of the target file with data in the pipe. Max Kellermann has written about this in more detail here.
How can this vulnerability be exploited?
The following are examples of exploits:
- Overwriting crucial system files such as /etc/passwd to remove the password of the root user
- Adding ssh keys allowing for remote access to a system
- Overwriting and executing binaries to tamper with the system
Effect on Smartphones
Since the Android operating system is built on top of a Linux kernel, many questions are being raised regarding the security of Android smartphones. Fortunately, most Android devices use older kernel versions not affected by Dirty Pipe. This vulnerability has been patched in versions 5.16.11, 5.15.25, and 5.10.102. Google has merged the fixes into the Android kernel; however, this does not secure all its devices, as each device only becomes safe once its vendor ships the updated kernel. The devices likely to be affected are the ones that run Android 12 and up. This means that new phones such as the Google Pixel 6 series and Samsung Galaxy S22 are at high risk. To stay well informed, users should find out which Linux kernel their device is using. This can be done by going to Settings > About phone > Android/Software version > Kernel version. iPhone users are unaffected by this vulnerability, as iOS is not built on a Linux kernel.
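The same version check, for a Linux desktop or server rather than a phone, as an added example that is not part of the original post: it compares a `uname -r` string against the affected range (5.8 and up) and the fixed versions the post lists. The 5.17 cutoff and the treatment of series without a listed fix are assumptions, and distribution kernels often backport the fix without changing the version string, so a positive result means "check the vendor advisory", not "confirmed vulnerable".

```python
import re

# Kernel series in which the Dirty Pipe fix shipped, as stated in the post.
# Assumption: a series in the affected range with no listed fix is treated as
# unpatched, and the affected range ends before 5.17 (assumed, not from the post).
FIXED_IN = {
    (5, 10): (5, 10, 102),
    (5, 15): (5, 15, 25),
    (5, 16): (5, 16, 11),
}
FIRST_AFFECTED = (5, 8, 0)
FIRST_UNAFFECTED_SERIES = (5, 17)


def parse_release(release: str) -> tuple:
    """Parse a `uname -r` string such as '5.15.24-generic' into (major, minor, patch)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return int(major), int(minor), int(patch)


def is_vulnerable(release: str) -> bool:
    """Return True if the upstream version string falls in the Dirty Pipe range.

    Vendor kernels may carry a backported fix under an older version string,
    so True is a prompt to check the distribution's advisory, not a verdict.
    """
    major, minor, patch = parse_release(release)
    if (major, minor, patch) < FIRST_AFFECTED:
        return False                      # pre-5.8: never had the bug
    if (major, minor) >= FIRST_UNAFFECTED_SERIES:
        return False                      # 5.17+ shipped with the fix (assumption)
    fixed = FIXED_IN.get((major, minor))
    if fixed is None:
        return True                       # affected series, no listed fix
    return (major, minor, patch) < fixed  # older than the fixed release?


if __name__ == "__main__":
    import platform

    rel = platform.release()
    state = "in affected range" if is_vulnerable(rel) else "not affected by version"
    print(f"kernel {rel}: {state}")
```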
Crazy to see an exploit like this honestly. After I had taken the Operating Systems course I truly realized and appreciated how useful piping is when developing via Linux. An exploit like this definitely has the potential to cause a lot of damage. I’m interested to see how this will advance in the future in terms of the exploit/a possible solution.
This was an informative post. I was unaware of what piping is before I read this post. It is scary to see how the vulnerability you mentioned can be exploited. This can surely cause a lot of damage. I like the last part in which you have mentioned about the effect on the smartphones.
Considering how widely linux is used in industrial applications as well as on smartphones like you mentioned, a vulnerability like this could be catastrophic and maybe even render many servers from large corporations compromised. I’m surprised more people aren’t talking about this since the threat level of this vulnerability sounds like it’s on the same level as the apache log4j vulnerability from a few months ago. I appreciate the insightful article you’ve written and found reading it really enjoyable!
Informative post! It was interesting to learn about how piping worked, and how the vulnerability in it can be utilized in such a way. It’s good that Android was so fast on getting it patched, cause it is worrying to think what could’ve been done with that going unnoticed for another few months. I personally don’t have an Android, but I’m sure all the Android users reading this would be thankful for the instructions on how to tell what version of the kernel it is running, and if they would or wouldn’t be affected. Hopefully all other users of this version of Linux have gotten a patch for it just as fast.
Great topic, I learned in this course about file permissions and operating systems, and these attacks are really dangerous, because being able to write to read-only files is really a crazy idea.
Good Job !
Good Post! It is interesting and rather surprising to see that a vulnerability was found at such a basic level. When looking at the potential damage that could be caused by such a vulnerability, I’m glad that this has been patched. You mentioned that using this exploit, an attacker could have the password file of the root user corrupted and have outside ssh keys added into the system. This combination of exploits is rather scary, as it potentially denies the root user access to their own system, while simultaneously granting system access to any one of the attacker’s accomplices, effectively gaining total control of the system. All done using a basic system vulnerability. I think that it is a very good thing that this exploit has been found and removed.
Great post! You did a really great job at explaining what this vulnerability is and how it can be exploited! I am always surprised when vulnerabilities like this are found in systems that are so widely and frequently used, and just how much they can be exploited. I do not have an android phone, but I am glad that this vulnerability was patched. I liked how you explained how people that do have these phones can check which Linux kernel is being used, so users are able to stay well informed!
Glad I do not have Android. In all seriousness, this seems to be a huge vulnerability that could cause a lot of damage if not patched. I’m lucky that I do not really use Linux kernel based operating systems other than the school’s computer science servers. There will never not be bugs or vulnerabilities in a program, they are extremely hard to find and thankfully this vulnerability was found before too much damage happened. When you mentioned that his name was Max Kellermann I thought you were talking about the NBA show host until I googled it.
It was an interesting post to read! I believe that Dirty Pipe can allow local users to gain root privileges on all major distros. In addition, it allows overwriting data in arbitrary read-only files, which could lead to privilege escalation because unprivileged processes can inject code into root processes. It allows attackers to carry out a variety of destructive acts. Overall, I was glad to read that post!!
Good read, I wonder if this Dirty Pipe is a sort of malicious code injection since it seems to act that way. Glad to see that it was patched since I am a user of an older Android phone and I wouldn’t want someone dirty piping my phone. I do wonder how many Linux computers will be affected since there are many distros of Linux; does this pipe affect all of them? I’m glad I read this post since in class we learned that sometimes newer isn’t better and this is a prime example of it, as this bug affects new versions of Linux.