Researchers from Northwestern University (Zhenpeng Lin | PhD Student,
Yuhang Wu | PhD Student, Xinyu Xing | Associate Professor) disclosed an eight-year-old security vulnerability in the Linux kernel, dubbed DirtyCred, which they defined “as nasty as Dirty Pipe.”
The Dirty Pipe flaw, tracked as CVE-2022-0847, was discovered by the security expert Max Kellermann that explained that it can allow local users to gain root privileges on all major distros.
DirtyCred abuses the heap memory reuse mechanism to escalate privileged.
“DirtyCred is a kernel exploitation concept that swaps unprivileged kernel credentials with privileged ones to escalate privilege. Instead of overwriting any critical data fields on kernel heap, DirtyCred abuses the heap memory reuse mechanism to get privileged. Although the concept is simple, it is effective.” reads the advisory published by the experts.
The DirtyCred issue exploits an unknown vulnerability, tracked as CVE-2022-2588, to escalate privileges. The CVE-2022-2588 flaw is use-after-free issue that resides in route4_change in the net/sched/cls_route.c filter implementation in the Linux kernel. The vulnerability allows a local, privileged attacker to crash the system, potentially leading to a local privilege escalation.
The experts explained that the exploits written with DirtyCred would work with different kernels and architectures.
“In this talk, we present a novel exploitation method pushing the dirty pipe to the next level. To be specific, given a vulnerability with a double-free ability, we will demonstrate that our exploitation method could obtain the dirty-pipe-like ability to overwrite an arbitrary file to escalate privilege. Exploits utilizing our method inherit the advantage of the dirty pipe that the code would work on any version of the kernel affected without modification.” reads the description of the talk that the researchers presented at the recent BlackHat 2022 hacking conference. “We argue that our new exploitation method is not only more general than the dirty pipe but also more powerful. First, rather than tying to a specific vulnerability, this exploitation method allows any vulnerabilities with double-free ability to demonstrate dirty-pipe-like ability. Second, while it is like the dirty pipe that could bypass all the kernel protections, our exploitation method could even demonstrate the ability to escape the container actively that dirty pipe is not capable of.”
Below is the comparison between DirtyCred and Dirty Pipe issues.
Experts also provided two VMs for testing CVE-2021-4154.
|[adrotate banner=”9″]||[adrotate banner=”12″]|
(SecurityAffairs – hacking, Linux DirtyCred flaw)