A new Linux kernel vulnerability was discovered recently that allows a low-privileged user to escalate privileges to root. The issue is tracked as CVE-2022-0847 and affects all major Linux distributions running kernel 5.8 and newer. It has a CVSSv3 score of 7.8 (High).
According to the author’s blog post, the issue is similar to the well-known Dirty C0w vulnerability (CVE-2016-5195), but it’s even easier to exploit: Dirty C0w required winning a race condition, while Dirty Pipe doesn’t, making it a bit more reliable.
The story of how the vulnerability was discovered is very entertaining by itself, especially if you’re a software engineer who has encountered one of these elusive, weird bugs in your career. If that’s you, I definitely recommend you read the original post to see how an intermittent log corruption led to the discovery of this serious vulnerability.
To exploit the vulnerability, you need a pipe you can write to (hence part of the name) and a target file you can’t write to. The “dirty” part refers to how Linux handles writes and the page cache: a page is dirty when its data has been written to the page cache but not yet persisted to the underlying storage device. To exploit this vulnerability, one writes into the pipe’s memory buffer, which also modifies the page-cache page backing the target file. When that page is persisted to storage, the target file is overwritten. Note that the vulnerability applies even if the file is marked read-only by the operating system (for example, on a CD-ROM).
Android is affected too; however, Google already released a patch on 2022-02-24.
The issue was fixed in kernel versions 5.16.11, 5.15.25 and 5.10.102. Linux distributions are still evaluating the impact, but some (like Ubuntu) have started releasing patches, so make sure to upgrade your machines.
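A first-pass triage check for the fixed versions listed above, added here as an example and not taken from the original post or its author: it parses the output of `uname -r` and compares it against the stable releases named above, assuming (not stated on this page) that 5.17 and later carry the mainline fix. Distribution kernels often backport fixes without bumping the version string, so “affected” here means “check your vendor’s advisory”, not confirmed vulnerable.

```python
import platform
import re
from typing import Tuple

# Fixed stable releases named in the advisory; earlier releases on these branches are affected.
FIXED_IN = {(5, 10): 102, (5, 15): 25, (5, 16): 11}
FIRST_AFFECTED = (5, 8)
# Assumption (not stated on the page): the mainline fix is in 5.17 and later.
# Release candidates (e.g. 5.17.0-rc1) are not distinguished from the final release.
FIRST_FIXED_MAINLINE = (5, 17)


def parse_kernel_version(release: str) -> Tuple[int, int, int]:
    """Parse a `uname -r` string such as '5.15.24-generic' into (major, minor, patch)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return int(major), int(minor), int(patch)


def dirty_pipe_status(release: str) -> str:
    """Classify a kernel release as 'not-affected', 'fixed', 'affected' or 'unpatched-branch'.

    'unpatched-branch' covers series >= 5.8 for which the advisory lists no fixed
    release (e.g. 5.8, 5.9, 5.11-5.14); treat those as affected unless vendor-patched.
    """
    major, minor, patch = parse_kernel_version(release)
    if (major, minor) < FIRST_AFFECTED:
        return "not-affected"  # bug introduced in 5.8
    if (major, minor) >= FIRST_FIXED_MAINLINE:
        return "fixed"
    fixed_patch = FIXED_IN.get((major, minor))
    if fixed_patch is None:
        return "unpatched-branch"
    return "fixed" if patch >= fixed_patch else "affected"


if __name__ == "__main__":
    rel = platform.release()
    print(f"{rel}: {dirty_pipe_status(rel)}")
```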
The original post contains a proof-of-concept exploit; however, the security community has already released improved exploits. Phith0n released a version that overwrites a SUID binary, thus obtaining a root shell: