Scripted Linux Privilege Escalation for the CVE-2022-0847 "Dirty Pipe" vulnerability

rexpository/linux-privilege-escalation


Linux Privilege Escalation

Bash script to check and exploit the CVE-2022-0847 Linux "Dirty Pipe" vulnerability

About this Proof of Concept

This script allows an unprivileged user on a vulnerable system to do the following:

  • Modify/overwrite read-only files such as /etc/passwd.
  • Obtain an elevated shell.

This repo contains 2 exploits:

Exploit 1:

Replaces the root password with the password "piped" and backs up the original /etc/passwd file under /tmp/passwd.bak. The exploit then drops you into an elevated root shell and restores the original passwd file when you exit the shell.

Exploit 2:

Injects and overwrites data in the read-only memory of a SUID process that runs as root.

Usage

Clone this repository and change working directory

git clone https://github.com/rexpository/linux-privilege-escalation.git
cd linux-privilege-escalation

Check if the current target system is vulnerable

./check.sh

Install GCC to compile the exploit

sudo apt-get install gcc

Make the bash script executable and run it to automate the compilation of both exploits

chmod +x compile.sh
./compile.sh

Run your desired exploit binary

./exploit-1

or

./exploit-2 /usr/bin/sudo

Technical Details

This vulnerability resides in the pipe mechanism used for unidirectional communication between processes, hence the name "Dirty Pipe".

An unprivileged local user could exploit this flaw in the Linux kernel to overwrite supposedly read-only files and, as such, escalate their privileges on the system.

This vulnerability occurs because the pipe buffer structure is only partially initialized during its construction. The lack of zero initialization of the new structure's flags member leaves a stale value in place, which an attacker can abuse to gain write access to pages in the page cache even if they were originally marked read-only.

Mitigations

To ensure that your infrastructure is protected against this and similar threats:

  • Apply all relevant security updates as soon as they are available. To patch CVE-2022-0847, update your Linux kernel to 5.16.11, 5.15.25, or 5.10.102 (depending on the stable series you run) or newer.
  • Use a security solution that provides patch management and endpoint protection.
  • Use the latest threat intelligence to stay aware of the current TTPs used by threat actors.
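As an added defensive helper (not the repository's own check.sh), the POSIX shell function below classifies a kernel release string against the patched versions listed above. It assumes that the fix landed in the three stable series named above and that every series from 5.17 onward already contains it; any other release string is treated as unpatched, and a version-string check cannot see distribution backports, so a "patched" verdict is only a first pass.

```shell
#!/bin/sh
# dirty_pipe_status VERSION
#   Prints "patched" or "unpatched" for a kernel release string such as
#   "5.15.24-generic" and returns 0 when patched, 1 when unpatched.
# Constructed example for the mitigation notes above, not the repo's check.sh.
# Assumption: the fixed releases are 5.10.102, 5.15.25 and 5.16.11 (from the
# README) and every 5.17+ or 6.x kernel is a later mainline release with the fix.
# Caveat: distro kernels backport fixes without bumping the upstream version,
# so confirm with your vendor's advisory before trusting an "unpatched" result.
dirty_pipe_status() {
    rel="$1"
    # Drop any "-generic", "-1-amd64" or "+" suffix so only digits and dots remain.
    ver="${rel%%[-+]*}"
    maj="${ver%%.*}"
    rest="${ver#*.}"
    min="${rest%%.*}"
    pat="${rest#*.}"
    # A two-component release such as "5.16" has no patch level.
    [ "$pat" = "$rest" ] && pat=0
    # Guard against trailing junk (e.g. "5.10.102rc1") before arithmetic tests.
    pat="${pat%%[!0-9]*}"
    [ -n "$pat" ] || pat=0

    # Any later series (5.17+, 6.x, ...) already includes the mainline fix.
    if [ "$maj" -gt 5 ] || { [ "$maj" -eq 5 ] && [ "$min" -ge 17 ]; }; then
        echo patched; return 0
    fi

    # Thresholds taken from the README's mitigation list.
    case "$maj.$min" in
        5.10) need=102 ;;
        5.15) need=25 ;;
        5.16) need=11 ;;
        *)    echo unpatched; return 1 ;;
    esac

    if [ "$pat" -ge "$need" ]; then
        echo patched; return 0
    fi
    echo unpatched; return 1
}

# Usage from an interactive shell:
#   . ./dirty-pipe-status.sh && dirty_pipe_status "$(uname -r)"
```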

Credits
