Dirty Pipe
| Vulnerability | Affected OS | CVE | CVSS Score | Disclosure Date |
|---|---|---|---|---|
| Dirty Pipe | Linux (kernel versions 5.8 and newer) | CVE-2022-0847 | 7.8 (high) | March 7 2022 |
This exploit was disclosed by Max Kellermann.
DirtyPipe is a local privilege escalation vulnerability, which allows a user to bypass file permission restrictions and write arbitrary data to any file, provided certain conditions are met, the primary one being that the user has to have read permissions to the file.
In order to understand this vulnerability, we need to understand the following concepts:
- pipe
- page
- splice()
Pipe: A pipe is a communication method between two or more processes in which the output of one process can be used as the input for the other. An example of a pipe is ls -la | grep Documents. In this example, the output of the ls command (which is a listing of files and directories) is piped into the grep command which in turn, looks for the string Documents in that input and displays the results on screen. Pipes are unidirectional, with a read end and a write end.
Page: Memory management in Linux makes use of pages. Whether it is to read from a file on the secondary memory (like the hard drive) or to write to it, pages are used. Memory pages are 4 KB in size. Whenever data is read from the secondary memory, it is put into the page cache. Likewise, when data is to be written to the disk, it is placed in the page cache and eventually written to the disk. This setup eliminates the need to expensive read-write operations to the disk. Since main memory is way faster than secondary memory, this scheme helps performance. One point that is of relevance when talking about this vulnerability is the PIPE_BUF_FLAG_CAN_MERGE flag, which indicates whether merging more data into the pipe is allowed or not.
splice(): is a system call (a system call is a way through which a process requests a service from the operating system) which moves data between a file descriptor and a pipe, without copying between kernel address space and user address space. The pipe doesn’t actually contain the data itself, but a reference to the location of the page cache in memory, where the data is stored.
The way this vulnerability is exploited is as follows:
- Read the target file. This will cause the file to be placed in the page cache.
- Create a pipe in a special way so that the PIPE_BUF_FLAG_CAN_MERGE is set.
- Use the splice() system call to make the pipe point to the locations of the page cache where the data is cached.
- Write arbitrary data into the pipe. The data so written will overwrite the cached page file and since the PIPE_BUF_FLAG_CAN_MERGE is set, it overwrites the file on the disk.
Exploit code available on exploit-db.com
The blog post by Max Kellermann about this exploit linked here is a fascinating read.