The Dirty Pipe Linux vulnerability – CVE-2022-0847 – was discovered by Max Kellermann, developer at IONOS subsidiary CM4all in April 2021, but it took him a few more months to find out what is actually happening.
Kellermann explained that the vulnerability affects Linux kernel 5.8 and later versions, but has been fixed in Linux 5.16.11, 5.15.25 and 5.10.102.
“It all started a year ago with a support ticket about corrupt files. A customer complained that the access logs he downloaded could not be decompressed. And sure enough, there was a corrupted log file on one of the log servers; it could be decompressed, but gzip reported a CRC error. I couldn’t figure out why it was corrupt, but I assumed the nightly split process had crashed, leaving a corrupted file. I corrected the CRC value of the file manually, closed the ticket and soon forgot about the problem,” says Kellermann.
“Months later, this happened again and again. Each time the content of the file looked correct, only the CRC value at the end of the file was wrong. Now that several files were corrupted, I was able to dig deeper and found a surprising type of corruption. A pattern emerged.”
Kellermann went on to show how he discovered the problem and how someone could potentially exploit it. He initially assumed that the flaw could only be exploited while a privileged process is writing the file, and that timing matters.
However, he later found out that it is possible to overwrite the page cache “in (almost) any place with any data” even without writes and without time restrictions.
To exploit the vulnerability, the attacker must have read permissions, the offset must not be on a page boundary, write access must not cross a page boundary, and the file must not be resized.
“To exploit this vulnerability, you must: create a pipe, fill the pipe with arbitrary data (to set the PIPE_BUF_FLAG_CAN_MERGE flag in all ring entries), flush the pipe (setting the flag in all struct pipe_buffer instances to the struct pipe_inode_info- ring remains set), splice data from the target file (opened with O_RDONLY) into the pipe just before the target offset [und] write arbitrary data to the pipe,” he explained.
“This data will overwrite the cached file page instead of creating a new anonymous struct pipe_buffer because PIPE_BUF_FLAG_CAN_MERGE is set. To make this vulnerability even more interesting, not only does it work without write permissions, but also on immutable files, on read-only btrfs snapshots and on read-only mounts (including CD-ROM mounts). This is because the page cache is always writable (by the kernel), and writing to a pipe never checks any permissions.”
He also shared his own proof-of-concept exploit. The bug report, exploit, and patch were submitted by Kellermann to the Linux kernel security team on February 20th. The error was on thePixel 6 reproduced and a bug report has been sent to the -Security team sent.
Linux released fixes (5.16.11, 5.15.25, 5.10.102) on February 23rd and Google integrated Kellermann’s fix into the Android kernel on February 24th. Kellermann and other experts compared the vulnerability to CVE-2016-5195 “Dirty Cow,” but said it was even easier to exploit.
Mike Parkin, Vulcan Cyber’s senior technical marketing engineer, said that any exploit that allows root access to a Linux system is problematic. “An attacker who gains root access gains full control over the target system and can use that control to access other systems. The mitigating factor with this vulnerability is that it requires local access, which reduces the risk somewhat,” Parkin said.
“Escalation of privileges to root (POSIX family) or admin (Windows) is often an attacker’s first priority when gaining access to a system, as it gives them full control over the target system and its position on other victims can expand. This has not changed in a long time and is unlikely to change in the foreseeable future.
Shweta Khare, Cybersecurity Evangelist at Delinea, pointed out that several Windows kernel, DNS server RCE and-High severity vulnerabilities have made headlines as they allow attackers to gain elevated local system or administrator privileges.
Operating system flaws and application-level vulnerabilities like these can allow attackers to elevate their privileges, move sideways on the network, execute arbitrary code, and take over devices entirely, Khare said.