Security researcher Max Kellermann has disclosed a Linux vulnerability called ‘Dirty Pipe’ that allows local users to gain root privileges using publicly available exploits. The vulnerability affects Linux Kernel 5.8 and later, including Android devices.
The bug was discovered when Kellermann tracked a bug corrupting web server access logs for one of his customers. Dirty Pipe allows a non-root user to inject and overwrite data in read-only files, including the SUID processes that run as root.
Kellermann has stated that this bug, currently tracked as CVE-2022-0847, is similar to the Dirty COW vulnerability (CVE-2016-5195), fixed back in 2016.
Security researchers release PoCs and exploits
As part of his disclosure, Kellermann released a proof-of-concept exploit allowing local users to inject their data into important read-only files, which can either remove restrictions or modify configurations to provide root access.
Security researcher Phiton illustrated how the exploit could be used to modify the /etc/passwd file, a read-only file responsible for storing passwords for Linux users, so that the root user doesn’t have a password at all, allowing anyone to log in as root.
Security researcher Blasty released an even easier exploit. This exploit patches the /usr/bin/su command to drop a root shell at /tmp/sh and then executes a script. Once executed, the running user gains root privileges.
Kellermann had sent a bug report, exploit and patch to the Linux kernel security team on February 20 and the Android security team the following day after reproducing it on a Google Pixel 6. Patched releases (5.16.11, 5.15.25, 5.10.102), including his bug fix, were released on February 23. So unless you’re running a kernel older than these patched releases, you’re safe from the exploit.
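As an added defender-side check (example code written for this page, not from the article or the researchers it cites), the script below flags a kernel whose version string falls inside the affected range the article gives (5.8 and later, before 5.16.11, 5.15.25 or 5.10.102) and a root entry in /etc/passwd with an empty password field, the outcome of the /etc/passwd modification described above. It assumes `platform.release()` returns the usual `uname -r` form and cannot see distribution backports, so a "vulnerable" result means "confirm against your vendor's advisory".

```python
"""Heuristic exposure check for CVE-2022-0847 (Dirty Pipe).

Added example, not code from the article. Encodes the ranges the article
states; distribution kernels often backport fixes without changing the
version string, so this is a triage aid, not proof either way.
"""
import platform
import re

# Stable branches and the first release carrying the fix, per the article.
FIXED_RELEASES = {(5, 10): (5, 10, 102), (5, 15): (5, 15, 25), (5, 16): (5, 16, 11)}
FIRST_AFFECTED = (5, 8, 0)


def parse_kernel_version(release):
    """Turn a `uname -r` string such as '5.15.24-generic' into (major, minor, patch)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_vulnerable_version(release):
    """True if the version is in the affected range and below the listed fix."""
    version = parse_kernel_version(release)
    if version < FIRST_AFFECTED:
        return False  # 5.7 and earlier are not affected
    fixed = FIXED_RELEASES.get(version[:2])
    if fixed is None:
        # Branches 5.8-5.9 and 5.11-5.14 have no listed fixed release; 5.17 and
        # later carry the mainline fix (release candidates are not distinguished).
        return version[:2] < (5, 17)
    return version < fixed


def root_entry_has_empty_password(passwd_text):
    """True if the root line's password field (field 2) is empty.

    A normal root line has 'x' there (hash kept in /etc/shadow); an empty
    field lets anyone log in as root without a password.
    """
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[0] == "root":
            return fields[1] == ""
    return False


if __name__ == "__main__":
    release = platform.release()
    status = "possibly vulnerable" if is_vulnerable_version(release) else "outside affected range"
    print(f"kernel {release}: {status}")
    with open("/etc/passwd") as f:
        if root_entry_has_empty_password(f.read()):
            print("WARNING: root entry in /etc/passwd has an empty password field")
```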