Linux has yet another very serious vulnerability that allows untrusted users to easily execute code capable of performing a host of malicious actions, including installing backdoors, creating unauthorized user accounts, and modifying scripts or binaries used by privileged services or applications.
Dirty Pipe, as the vulnerability has been named, is among the most serious Linux threats to be disclosed since 2016. That was the year another very serious and easy-to-exploit Linux flaw, called Dirty Cow, came to light after it was used to hack into a researcher’s server. In 2016, researchers demonstrated how to exploit Dirty Cow to root any Android phone, regardless of mobile OS version. Eleven months later, researchers discovered 1,200 Android apps on third-party marketplaces that maliciously exploited the flaw to do just that.
When nobody becomes all-powerful
The name Dirty Pipe is intended both to point out similarities to Dirty Cow and to provide clues to the origins of the new vulnerability. “Pipe” refers to a pipeline, a Linux mechanism that allows an operating system process to send data to another process. Essentially, a pipeline consists of two or more processes that are chained together so that the output text of one process (stdout) is passed directly as input (stdin) to the next.
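To make the stdout-to-stdin chaining concrete, here is an added Python example (not code from the article or from the researchers it cites) that builds a pipeline with the same kernel primitives a shell uses for `cmd1 | cmd2`: pipe(), fork() and dup2(). Each stage runs in its own process and only ever sees file descriptors 0 and 1; the pipes between the processes are the mechanism the vulnerability's name refers to. The stage functions and input bytes are constructed for the demonstration.

```python
import os


def _read_all(fd):
    """Read from fd until every writer has closed its end (EOF on the pipe)."""
    chunks = []
    while True:
        chunk = os.read(fd, 65536)
        if not chunk:
            return b"".join(chunks)
        chunks.append(chunk)


def _write_all(fd, data):
    """os.write may write fewer bytes than asked; loop until all are written."""
    view = memoryview(data)
    while view:
        n = os.write(fd, view)
        view = view[n:]


def run_pipeline(stages, data):
    """Run each stage (a bytes -> bytes function) in its own forked process,
    wiring stage i's stdout to stage i+1's stdin through kernel pipes, just as
    a shell does for `cmd1 | cmd2 | ...`. Returns the last stage's output."""
    # pipes[0] feeds the first stage; pipes[i + 1] carries stage i's output.
    pipes = [os.pipe() for _ in range(len(stages) + 1)]
    pids = []
    for i, stage in enumerate(stages):
        pid = os.fork()
        if pid == 0:  # child process: become stage i
            status = 1
            try:
                os.dup2(pipes[i][0], 0)      # stdin  <- read end of the previous pipe
                os.dup2(pipes[i + 1][1], 1)  # stdout -> write end of the next pipe
                # Close every other inherited pipe end; otherwise a downstream
                # stage would never see EOF because a writer would stay open.
                for r, w in pipes:
                    for fd in (r, w):
                        if fd > 1:
                            os.close(fd)
                _write_all(1, stage(_read_all(0)))
                status = 0
            finally:
                os._exit(status)  # never return into the parent's Python state
        pids.append(pid)

    # Parent: keep only the first write end (to feed input) and the last read end.
    first_w, last_r = pipes[0][1], pipes[-1][0]
    for r, w in pipes:
        for fd in (r, w):
            if fd not in (first_w, last_r):
                os.close(fd)
    _write_all(first_w, data)
    os.close(first_w)  # signals EOF to the first stage
    out = _read_all(last_r)
    os.close(last_r)
    for pid in pids:
        os.waitpid(pid, 0)
    return out


if __name__ == "__main__":
    # Equivalent of: printf 'dirty pipe\n' | tr a-z A-Z | rev
    print(run_pipeline([bytes.upper, lambda b: b.rstrip(b"\n")[::-1]], b"dirty pipe\n"))
```

The fd hygiene in the child is the part people usually get wrong: if any stage keeps an unused write end open, the reader at the other end blocks forever waiting for EOF.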
Tracked as CVE-2022-0847, the vulnerability came to light when a researcher at website builder CM4all was troubleshooting a series of corrupt files that kept appearing on a customer’s Linux machine. After months of analysis, the researcher finally discovered that the corrupt customer files were the result of a bug in the Linux kernel.
The researcher – Max Kellermann of CM4all parent company Ionos – eventually figured out how to weaponize the vulnerability to allow anyone with an account – including less-privileged “nobody” accounts – to add an SSH key to the root user’s account. With that, the untrusted user could remotely access the server in an SSH session with full root privileges.
Other researchers quickly showed that the unauthorized creation of an SSH key was just one of many malicious actions an attacker could take when exploiting the vulnerability. One program, for example, hijacks a SUID binary to create a root shell, while another allows untrusted users to overwrite data in read-only files.
Other malicious actions enabled by Dirty Pipe include creating a scheduled task that runs as a backdoor, adding a new user account to /etc/passwd and /etc/shadow (giving the new account root privileges), or modifying a script or binary used by a privileged service.
“That’s about as bad as it gets for a local kernel vulnerability,” Brad Spengler, president of Open Source Security, wrote in an email. “Just like Dirty Cow, there’s virtually no way to mitigate it, and it involves core Linux kernel functionality.”
The vulnerability first appeared in Linux kernel version 5.8, which was released in August 2020. It persisted until last month, when it was fixed with the release of versions 5.16.11, 5.15.25 and 5.10.102. Virtually all Linux distributions are affected.
Throwing a wrench into Android
Dirty Pipe also afflicts any version of Android based on one of the vulnerable Linux kernel versions. Since Android is so fragmented, the affected device models cannot be tracked uniformly. The latest Android version for the Pixel 6 and Samsung Galaxy S22, for example, runs 5.10.43, which means they’re vulnerable. A Pixel 4 on Android 12, meanwhile, is running 4.14, which is unaffected. Android users can check the kernel version their device is using by going to Settings > About phone > Android version.
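The two paragraphs above give the affected range: introduced in 5.8, fixed in 5.16.11, 5.15.25 and 5.10.102, with Android devices such as the Pixel 6 on 5.10.43 falling inside it. As an added example (not code from the article or from Kellermann's writeup), the following Python turns that into a check against a `uname -r`-style release string. Two assumptions are mine rather than the article's: that branches from 5.17 onward shipped with the fix, and that the intermediate branches for which the article names no fixed release (5.8, 5.9, 5.11 through 5.14) are treated as vulnerable. The sample version strings are constructed.

```python
import platform
import re

# First release in each branch that contains the fix, as named in the article.
FIXED_IN = {(5, 10): 102, (5, 15): 25, (5, 16): 11}
FIRST_VULNERABLE = (5, 8)     # the bug was introduced in 5.8 (August 2020)
FIRST_CLEAN_BRANCH = (5, 17)  # assumption: branches after 5.16 shipped with the fix


def parse_kernel_version(release):
    """Extract (major, minor, patch) from a release string such as
    '5.10.43-android12-9' or '5.15.25'. A missing patch level counts as 0."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel version: {release!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_vulnerable_version(release):
    """True if the upstream version string falls in the Dirty Pipe window."""
    major, minor, patch = parse_kernel_version(release)
    branch = (major, minor)
    if branch < FIRST_VULNERABLE or branch >= FIRST_CLEAN_BRANCH:
        return False
    if branch in FIXED_IN:
        return patch < FIXED_IN[branch]
    # 5.8, 5.9 and 5.11-5.14: the article names no fixed release, so flag them.
    return True


def check_running_kernel():
    """Classify the kernel this interpreter is running on (uname -r)."""
    release = platform.release()
    return release, is_vulnerable_version(release)


if __name__ == "__main__":
    for sample in ["5.10.43-android12-9", "5.10.102", "4.14.190", "5.16.10-arch1-1"]:
        print(f"{sample:24} vulnerable={is_vulnerable_version(sample)}")
    print("this host:", check_running_kernel())
```

The check reasons about upstream version numbers only. Distribution kernels routinely backport fixes without changing the version string, so a distro 5.13 kernel carrying the patch will still be flagged here, and the vendor's advisory is the authoritative source. On Android, `adb shell uname -r` returns the same release string that Settings > About phone shows.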
“The Dirty Pipe vulnerability is extremely serious in that it allows an attacker to temporarily or permanently overwrite files on the system that they should not be able to modify,” Christoph Hebeisen, head of security research at mobile security provider Lookout, wrote in an email. “Attackers can use it to modify the behavior of privileged processes, thereby gaining the ability to execute arbitrary code with extended system privileges.”
The Lookout researcher said the vulnerability can be exploited on Android handsets via a malicious app that elevates its privileges, which by default are supposed to be limited. Another avenue of attack, he said, is to use a different exploit to gain limited code execution (for example, with the system rights of a legitimate app that gets compromised) and combine it with Dirty Pipe so that the code gains unfettered root access.
Although Kellermann said that Google merged his bug fix into the Android kernel in February, there is no indication of when Android builds based on a vulnerable Linux kernel version will be fixed. Users should assume that any device running a version of Android based on a vulnerable Linux kernel version is susceptible to Dirty Pipe.