
Linux has been bitten by the most serious vulnerability in years

    Fanciful illustration of a shark attacking ones and zeros.

    Linux has another very serious vulnerability that makes it easy for untrusted users to run code capable of performing a variety of malicious actions, including installing backdoors, creating unauthorized user accounts, and modifying scripts or binaries used by privileged services or apps.

    Dirty Pipe, as the vulnerability has been called, is one of the most serious Linux threats revealed since 2016, the year in which another very serious and easily exploitable Linux flaw (called Dirty Cow) was exposed when it was used to hack into a researcher’s server. Researchers showed in 2016 how to exploit Dirty Cow to root any Android phone, regardless of the mobile operating system version. Eleven months later, researchers discovered 1,200 Android apps in third-party markets that maliciously exploited the flaw to do just that.

    When Nobody Becomes Almighty

    The name Dirty Pipe is intended to both signal similarities to Dirty Cow and provide clues as to the origin of the new vulnerability. “Pipe” refers to a pipeline, a Linux mechanism for one OS process to send data to another process. Essentially, a pipeline is two or more processes chained together so that the output text from one process (stdout) is passed directly as input (stdin) to the next.

    Tracked as CVE-2022-0847, the vulnerability was exposed when a researcher for website builder CM4all was fixing a series of corrupt files that kept appearing on a client’s Linux machine. After months of analysis, the researcher finally discovered that the client’s corrupted files were the result of a bug in the Linux kernel.

    The researcher – Max Kellermann of CM4all parent company Ionos – eventually figured out how the vulnerability could be used as a weapon to allow anyone with an account – including the least privileged “nobody” account – to add an SSH key to the root user’s account. This allowed the untrusted user to remotely access the server over an SSH session that has full root privileges.

    Notes included in Kellermann's PoC.

    Other researchers quickly showed that the unauthorized creation of an SSH key was just one of many malicious actions an attacker could take when exploiting the vulnerability. For example, one published program hijacks a SUID binary to create a root shell, while another allows untrusted users to overwrite data in read-only files.

    Other malicious actions enabled by Dirty Pipe include creating a cron task that runs as a backdoor, adding a new user account to /etc/passwd and /etc/shadow (giving the new account root privileges), or modifying a script or binary used by a privileged service.

    “It’s about as serious as it gets for a local kernel vulnerability,” Brad Spengler, president of Open Source Security, wrote in an email. “Like Dirty Cow, there’s essentially no way to mitigate it, and it involves the core functionality of the Linux kernel.”

    The vulnerability first appeared in Linux kernel version 5.8, which was released in August 2020. The vulnerability persisted until last month, when it was fixed with the release of versions 5.16.11, 5.15.25 and 5.10.102. Virtually all distributions of Linux are affected.
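    A practical first check for a defender is to compare the running kernel's upstream version number against the introduction (5.8) and fixed releases (5.16.11, 5.15.25, 5.10.102) named above. The following script is an added example, not code from the article or from any of the researchers it quotes. It assumes two things the article does not state: that mainline releases from 5.17 onward carry the fix, and that 5.x branches between 5.8 and 5.16 for which the article lists no fixed release should be treated conservatively as vulnerable.

```python
import platform
import re

# First fixed release on each stable branch, as stated in the article.
FIXED_IN = {
    (5, 10): (5, 10, 102),
    (5, 15): (5, 15, 25),
    (5, 16): (5, 16, 11),
}
# The bug first appeared in 5.8 (from the article).
FIRST_AFFECTED = (5, 8, 0)
# Assumption (not stated in the article): mainline from 5.17 on is fixed.
FIXED_MAINLINE_FROM = (5, 17, 0)

# Leading "major.minor[.patch]" of a `uname -r` string; distro suffixes
# such as "-1-amd64" or "-25-generic" are ignored.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_release(release: str) -> tuple:
    """Return (major, minor, patch) from a kernel release string such as
    '5.10.102-1-amd64' or '5.15.0-25-generic'. Raises ValueError on junk."""
    m = _VERSION_RE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def upstream_status(release: str) -> str:
    """Classify a kernel by its upstream version number alone.

    Returns 'unaffected' (older than 5.8), 'fixed' (at or past the fixed
    release for its branch) or 'vulnerable' (inside the affected window,
    including branches the article lists no fix for)."""
    version = parse_release(release)
    if version < FIRST_AFFECTED:
        return "unaffected"
    branch = version[:2]
    if branch in FIXED_IN:
        return "fixed" if version >= FIXED_IN[branch] else "vulnerable"
    if version >= FIXED_MAINLINE_FROM:
        return "fixed"
    # 5.8, 5.9 and 5.11-5.14: no fixed release is named, so treat as exposed.
    return "vulnerable"


def assess_running_kernel() -> str:
    """Convenience wrapper for the machine this runs on."""
    release = platform.release()
    return f"{release}: {upstream_status(release)} (by upstream version only)"


if __name__ == "__main__":
    print(assess_running_kernel())
```

    A verdict of "vulnerable" from this check means "consult your distribution's advisory", not confirmed exposure: distributions routinely backport fixes without changing the upstream version string, so a distro kernel can report 5.15.0 and still be patched, while a "fixed" verdict for 5.17+ rests on the stated assumption. Applied to the article's own examples, "5.10.43" (the Pixel 6 and Galaxy S22 kernel) is classified vulnerable and "4.14" (the Pixel 4 kernel) unaffected.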

    Throwing a wrench in Android

    Dirty Pipe also affects any version of Android based on any of the vulnerable Linux kernel versions. Because Android is so fragmented, the affected device models cannot be tracked on a unified basis. For example, the latest version of Android for the Pixel 6 and Samsung Galaxy S22 runs 5.10.43, meaning they are vulnerable. A Pixel 4 on Android 12, meanwhile, runs 4.14, which is unaffected. Android users can check which kernel version their device is running by going to Settings > About phone > Android version.

    “The Dirty Pipe vulnerability is extremely serious because it allows an attacker to overwrite — temporarily or permanently — files on the system that they shouldn’t be able to modify,” Christoph Hebeisen, chief of security research at mobile security provider Lookout, wrote in an email. “Attackers can use this to change the behavior of privileged processes, effectively giving them the ability to execute arbitrary code with extended system privileges.”

    The Lookout researcher said the vulnerability could be exploited on Android handsets through a malicious app that escalates its privileges, which are restricted by default. Another attack option, he said, is to use another exploit to get restricted code execution (for example, with the system privileges of a legitimate app that has been compromised) and combine it with Dirty Pipe so that the code gets unfettered root.

    While Kellermann said Google merged his bug fix into the Android kernel in February, there’s no indication that Android versions based on a vulnerable release of the Linux kernel have been patched. Users should assume that any device running a version of Android based on a vulnerable version of the Linux kernel is susceptible to Dirty Pipe. Google representatives did not respond to an email requesting comment.