High-risk Dirty Pipe Linux bug allows an unprivileged user to overwrite data
Serious bug affects all major Linux distributions, dating back to version 5.8, and Android
A security researcher has disclosed details of a now-patched security vulnerability in Linux kernel that an attacker might take advantage of to write any data into an arbitrary file and elevate privileges as a result.
The bug affects all major Linux distributions, dating back to version 5.8, and Android.
The vulnerability, known as 'Dirty Pipe' and tracked as CVE-2022-0847, allows a non-privileged user to inject and overwrite data in read-only files, according to IONOS software developer Max Kellermann, who discovered the bug in April 2021 while tracking down a vulnerability that was corrupting web server access logs for one of his customers.
The customer complained that they were unable to decompress the access logs that were downloaded.
Kellermann acknowledged the issue and manually corrected it, but the problem recurred on several occasions after that. Kellermann observed that the contents of the file seemed to be accurate every time, yet there was a problem.
After months of analysis, Kellermann was able to identify a "surprising kind of corruption" with a distinct pattern.
He arrived at the conclusion that the customer's corrupted files were the result of a bug in the Linux kernel. Over the next few days, he was able to find out how to weaponise the vulnerability in such a way that anyone with an account would be able to add an SSH key to the root user's account.
With that, an untrusted user may remotely access the server using an SSH window that was granted root privileges.
On February 20, 2022, he sent the Linux kernel security team with the bug report, the exploit, and a fix he had developed.
A bug report was also sent to the Android Security Team after the vulnerability was recreated on a Google Pixel 6.
According to Kellermann, the security weakness first appeared in Linux kernel version 5.8, released in August 2020.
On February 23, 2022, it was finally addressed with the release of versions 5.16.11, 5.15.25 and 5.10.102.
One day later, Google merged Kellermann's patch into the Android kernel.
This vulnerability is considered a high-risk bug by security experts because it allows an attacker to carry out a variety of malicious activities on the system, such as adding SSH keys for remote access, modifying sensitive files like /etc/passwd to remove a root user's password, and even running arbitrary binaries with root privileges.
"A flaw was found in the way the 'flags' member of the new pipe buffer structure was lacking proper initialization in copy_page_to_iter_pipe and push_pipe functions in the Linux kernel and could thus contain stale values," Red Hat explained in an advisory published Monday.
The vulnerability is similar to Dirty Cow (CVE-2016-5195), according to Kellermann and other experts, although it appears to be simpler to attack.
In 2016, a group of researchers showed how to use Dirty Cow to root any Android phone, regardless of the mobile operating system version used.
Later, they found about 1,200 Android apps in third-party stores that deliberately exploited the bug to root any Android device.
Researchers have uncovered numerous high-profile Linux vulnerabilities in the past 12 months.
In January, PwnKit Linux bug was disclosed, which lets an unprivileged user gain full root privileges.
The same month, Linux admins were urged to patch a high-risk, full-disk encryption (FDE) flaw (CVE-2021-4122) impacting Linux Unified Key Setup (LUKS) encryption software and its crytpsetup programme.
In June last year, GitHub security researcher Kevin Backhouse disclosed details of a seven-year-old privilege escalation bug (CVE-2021-3560) that enabled attackers to escalate permissions to the root user.