![]() Other variants of the exploit released allow for the creation of a SUID shell backdoor by overwriting a binary that has SUID permissions (superuser capabilities) giving the user a root shell and complete control. Many of the exploit POCs observed so far target the /etc/passwd file to overwrite and provide the users with elevated root privileges. The splice (“page splicing”) syscall is then used to merge the pages (the pipe page and target file page) leading to the new data being added to a target file bypassing the read-only permissions.Draining the page cache of data but retaining the PIPE_BUF_FLAG_CAN_MERGE flag and replacing the data with the new data they want to overwrite a read-only file with.Filling the pipe’s page cache with arbitrary data in order to set the PIPE_BUF_FLAG_CAN_MERGE flag.Howerver, if the page cache is emptied completely this flag remains (lack of initialization) which is where the problem lies. This must be set in order for a page cache to be merged and is only set when the pipe page becomes full. The flag we referenced in the summary is the PIPE_BUF_FLAG_CAN_MERGE flag. Page splicing is used to merge data between different pipe pages in memory without having to rewrite the data. ![]() The exploitation of this vulnerability utilizes a process called “page splicing”. Pipes are managed by the CPU in memory and their data is referred to as a “page”. The output of one process can become the input of another using a “pipe” to forward that data between. Pipes are an interprocess communication mechanism represented as a file within Linux that can receive input data and provide an output for that data. Given the specific nature of this vulnerability, detection can be quite difficult. This could then be used to write to pages within the page cache behind read-only files, allowing for privilege escalation. The vulnerability can be exploited due to a flaw in the new pipe buffer structure where a flag member lacked proper initialization and could then contain a stale value. What is Elastic doing about it?Įlastic is releasing detection logic and Auditd rules that can be used to detect exploitation of this vulnerability. With many POC’s already released, this vulnerability can be easily exploited to gain root-level privileges by, for instance, rewriting sensitive files like “/etc/passwd” or hijacking a SUID root binary (like sudo) via injection of malicious code. This vulnerability impacts Linux kernels 5.8 and later until any version before 5.16.11, 5.15.25, and 5.10.102. What is Dirty Pipe (CVE-2022-0847)?ĬVE-2022-0847 is a Linux local privilege escalation vulnerability, discovered by security researcher Max Kellermann that takes advantage of the way the Linux kernel manages page files and named pipes allowing for the overwriting of data in read-only files. Its broad scope (any user-readable file and affected Linux versions) along with its evolving nature (the SUID shell backdoor exploit) make CVE-2022-0847 especially dangerous for administrators of systems that are potentially vulnerable. ![]() ![]() Dirty Pipe is a local privilege escalation vulnerability that is easily exploitable with a handful of working exploit POCs already available. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |