{"id":2575,"date":"2022-03-15T13:00:00","date_gmt":"2022-03-15T19:00:00","guid":{"rendered":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/?p=2575"},"modified":"2022-03-15T12:30:40","modified_gmt":"2022-03-15T18:30:40","slug":"linux-dirty-pipe-vulnerability-raises-concern-among-security-experts","status":"publish","type":"post","link":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/2022\/03\/15\/linux-dirty-pipe-vulnerability-raises-concern-among-security-experts\/","title":{"rendered":"Linux “Dirty Pipe” Vulnerability Raises Concern Among Security Experts"},"content":{"rendered":"\n

While file permissions are extremely crucial to the security of Linux systems, a vulnerability has recently been discovered which allows users to bypass these permissions and escalate privileges. A vulnerability called CVE-2022-0847<\/a> (nicknamed \u201cDirty Pipe\u201d) allows people to write to read-only files and fill them with arbitrary information. This can allow someone to completely takeover a system with access to sensitive linux root files. This vulnerability affects Linux versions 5.8 and above.<\/p>\n\n\n\n

Max Kellerman, a software developer at IONOS discovered this vulnerability after one of his customers raised concerns about file corruption. Specific files that were downloaded by the customer could not be decompressed which led to this important finding. Apparently, the pipe buffer structure was not properly initialized which led to this kind of file corruption.<\/p>\n\n\n\n

What is a Pipe?<\/h3>\n\n\n\n

In Linux, a pipe is a mechanism that allows for processes on a computer to communicate with each other. It allows users to conveniently send the output of a process into the input of another process. An example of this in the terminal is as follows:<\/p>\n\n\n\n

\"\"
The above commands demonstrate how pipes are used in the terminal. The | symbol is used to create a pipe between two processes.<\/figcaption><\/figure>\n\n\n\n

In the above image, the command \u201ccat hello.txt\u201d returns all the contents of the file \u201chello.txt\u201d. The command \u201ccat hello.txt | head -3\u201d feeds the output of the \u201ccat hello.txt\u201d process into the \u201chead -3\u201d process which returns then the first 3 lines of the input it is given.<\/p>\n\n\n\n

How Does the Exploit Work?<\/h3>\n\n\n\n

There following are the steps used to exploit this vulnerability:<\/p>\n\n\n\n

  1. Open a pipe<\/li>
  2. Fill pipe with arbitrary data<\/li>
  3. Clear the pipe (this allows for data in the pipe to be merged with other data)<\/li>
  4. Feed in data from the target file into the pipe<\/li>
  5. Write some data into the pipe<\/li><\/ol>\n\n\n\n

    As a result of following these steps, the system incorrectly overwrites the cached copy of the target file with data in the pipe. Max Kellermann has written about this in more detail here<\/a>.<\/p>\n\n\n\n

    How can this vulnerability be exploited?<\/h3>\n\n\n\n

    The following are examples of exploits:<\/p>\n\n\n\n