Source: https://cobaltstrike.net/2022/03/08/dirty-pipe-vulnerability-discovered-in-linux/
On Monday, a cybersecurity researcher published details about a Linux vulnerability that allows an attacker to overwrite data in arbitrary read-only files.
A Linux local privilege escalation vulnerability, dubbed Dirty Pipe, was discovered and disclosed along with experimental exploit code. The vulnerability, CVE-2022-0847, was introduced in kernel version 5.8 and was fixed in versions 5.16.11, 5.15.25 and 5.10.102.
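As an added example (not part of the original post), the following Python helper classifies a `uname -r` style kernel release string against the version ranges stated above: introduced in 5.8, fixed in 5.10.102, 5.15.25 and 5.16.11. It treats mainline 5.17 and later as carrying the fix (an assumption based on the fix landing upstream before 5.17 shipped) and the sample release strings are constructed.

```python
import re
from typing import Optional, Tuple

# Version facts from the advisory: bug present from 5.8, fixed in these stable releases.
INTRODUCED = (5, 8, 0)
FIXED = {(5, 10): (5, 10, 102), (5, 15): (5, 15, 25), (5, 16): (5, 16, 11)}


def parse_version(release: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from a `uname -r` string such as
    '5.10.0-13-amd64' or '5.15.25-1-lts'. Returns None if unparseable."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def classify(release: str) -> str:
    """Return 'unaffected', 'fixed', 'vulnerable' or 'unknown' for a release string,
    using upstream version numbers only. Distribution kernels often backport fixes
    without changing the upstream version, so 'vulnerable' means 'check the vendor
    advisory', not a confirmed finding."""
    v = parse_version(release)
    if v is None:
        return "unknown"
    if v < INTRODUCED:
        return "unaffected"  # the bug was introduced in 5.8
    branch = v[:2]
    if branch in FIXED:
        return "fixed" if v >= FIXED[branch] else "vulnerable"
    if branch > (5, 16):
        return "fixed"  # assumption: mainline 5.17+ shipped with the fix
    # 5.8-5.9 and 5.11-5.14: upstream branches with no listed fix release
    return "vulnerable"


if __name__ == "__main__":
    # Constructed sample strings, not taken from a real host.
    for sample in ("5.4.0-100-generic", "5.10.0-13-amd64", "5.10.102-1",
                   "5.15.25-1-lts", "5.16.10", "5.17.0", "not-a-kernel"):
        print(f"{sample:20s} -> {classify(sample)}")
```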
The vulnerability was discovered by Max Kellermann in April 2021, but it took him a few more months to figure out what it could lead to.
“It all started a year ago with a support ticket about corrupted files. The client complained that he could not unpack the access logs he had uploaded. As it turned out, there was a corrupted log file on one of the servers: it could be unpacked, but gzip reported a CRC error. The researcher could not figure out the cause of the file corruption, simply corrected the CRC of the file manually, closed the ticket and soon forgot about the problem. However, the problem came up again and again.”
Each time the contents of the file were intact; only the checksum did not match. With several corrupted files in hand, Kellermann was able to dig deeper and found a pattern.
Kellermann explained in detail how he discovered the problem and how it could be exploited. Initially, he believed that the vulnerability could only be exploited when a privileged process writes a file.
The end result of exploiting the vulnerability, which Kellermann called Dirty Pipe, is the ability to write arbitrary data to the target file. The attacker must have read permission on the target file, and a few other restrictions apply. But Kellermann said it is not difficult to exploit the vulnerability. He published experimental exploit code, and other researchers confirmed how simple the exploit is.
On February 20, Kellermann presented details and a fix to the Linux kernel security team. The fixes were released on February 23 for Linux and February 24 for the Android kernel.
“Using Dirty Pipe can allow attackers to gain control of systems and destroy or exfiltrate sensitive data. Given the prevalence of Linux in highly sensitive infrastructure, the vulnerability needs to be addressed immediately.”