
"I told you to clean the Pipe!" - Dirty Pipe vulnerability has the potential to smudge people using Linux and Linux derivitives (including android)

Lightwreather

Summary

Linux has yet another high-severity vulnerability that makes it easy for untrusted users to execute code capable of carrying out a host of malicious actions including installing backdoors, creating unauthorized user accounts, and modifying scripts or binaries used by privileged services or apps.

Dirty Pipe, as the vulnerability has been named, is among the most serious Linux threats to be disclosed since 2016, the year another high-severity and easy-to-exploit Linux flaw (named Dirty Cow) came to light as it was being used to hack a researcher's server.

 

Quotes

Quote

Tracked as CVE-2022-0847, the vulnerability came to light when a researcher for website builder CM4all was troubleshooting a series of corrupted files that kept appearing on a customer's Linux machine. After months of analysis, the researcher finally found that the customer's corrupted files were the result of a bug in the Linux kernel.

The researcher—Max Kellermann of CM4all parent company Ionos—eventually figured out how to weaponize the vulnerability to allow anyone with an account—including least privileged "nobody" accounts—to add an SSH key to the root user's account. With that, the untrusted user could remotely access the server with an SSH window that has full root privileges.

Other researchers quickly showed that the unauthorized creation of an SSH key was only one of many malicious actions an attacker can take when exploiting the vulnerability. This program, for instance, hijacks an SUID binary to create a root shell, while this one allows untrusted users to overwrite data in read-only files.

Other malicious actions enabled by Dirty Pipe include creating a cron job that runs as a backdoor, adding a new user account to /etc/passwd + /etc/shadow (giving the new account root privileges), or modifying a script or binary used by a privileged service.

"It's about as severe as it gets for a local kernel vulnerability," Brad Spengler, president of Open Source Security, wrote in an email. "Just like Dirty Cow, there's essentially no way to mitigate it, and it involves core Linux kernel functionality."

The vulnerability first appeared in Linux kernel version 5.8, which was released in August 2020. The vulnerability persisted until last month, when it was fixed with the release of versions 5.16.11, 5.15.25 and 5.10.102. Virtually all distributions of Linux are affected.

Dirty Pipe also afflicts any release of Android that's based on one of the vulnerable Linux kernel versions. Since Android is so fragmented, affected device models can't be tracked on a uniform basis. The latest version of Android for the Pixel 6 and the Samsung Galaxy S22, for instance, runs 5.10.43, meaning they're vulnerable. A Pixel 4 on Android 12, meanwhile, runs 4.14, which is unaffected. Android users can check which kernel version their device uses by going to Settings > About phone > Android version.

"The Dirty Pipe vulnerability is extremely serious in that it allows an attacker to overwrite—temporarily or permanently—files on the system they should not be able to change," Christoph Hebeisen, head of security research at mobile security provider Lookout, wrote in an email. "Attackers can use this to change the behavior of privileged processes, effectively gaining the capability to execute arbitrary code with extensive system privileges."

The Lookout researcher said the vulnerability can be exploited on Android handsets through a malicious app that elevates its privileges, which by default are supposed to be limited. Another avenue of attack, he said, is to use a different exploit to gain limited code execution (for example, with the system rights of a legitimate app that's hacked) and combine it with Dirty Pipe so the code gains unfettered root.

While Kellermann said that Google merged his bug fix with the Android kernel in February, there are no indications Android versions based on a vulnerable release of the Linux kernel are fixed. Users should assume that any device running a version of Android based on a vulnerable version of the Linux kernel is susceptible to Dirty Pipe. Google representatives didn't respond to an email seeking comment.

 

 

How it works:

Quote

When using splice to funnel data into a pipeline, "the kernel will first load the data into the page cache," Kellermann explained. "Then it will create a struct pipe_buffer pointing inside the page cache (zero-copy), but unlike anonymous pipe buffers, additional data written to the pipe must not be appended to such a page, because the page is owned by the page cache, not by the pipe. By injecting PIPE_BUF_FLAG_CAN_MERGE into a page cache reference, it became possible to overwrite data in the page cache, simply by writing new data into the pipe prepared in a special way."

The researcher said the steps required are:

  • Create a pipe.
  • Fill the pipe with arbitrary data (to set the PIPE_BUF_FLAG_CAN_MERGE flag in all ring entries).
  • Drain the pipe (leaving the flag set in all struct pipe_buffer instances on the pipe_inode_info ring).
  • Splice data from the target file (opened with O_RDONLY) into the pipe from just before the target offset.
  • Write arbitrary data into the pipe; this data will overwrite the cached file page instead of creating a new anonymous struct pipe_buffer because PIPE_BUF_FLAG_CAN_MERGE is set.

 

My thoughts

Well, this is nuts. More exploits! Wooo! This is really bad simply due to the sheer number of devices possibly affected, and I'm not talking about servers. This might be further exacerbated by the general unwillingness of Android phone manufacturers to provide updates to their devices. The good news in this case is that this affects a relatively new kernel version (5.8 and above) and so is limited to Android 12 (I think, not too sure. Someone correct me if I'm wrong). Still pretty big. Linux servers also running kernels 5.8 and above should update to a version that provides the needed bug fixes and patches. Same goes for desktop users as well. From what I can tell this shouldn't affect the Steam Deck due to it running an Arch-based distro with a newer kernel, but I'm not too sure. Panic aside, this is probably going to affect Android users the most due to this exploit requiring a user account, and therefore Android apps might make use of it. There isn't much we can do to mitigate it apart from updating, so uh yea.

 

Sources

ArsTechnica

"A high ideal missed by a little, is far better than low ideal that is achievable, yet far less effective"

 

If you think I'm wrong, correct me. If I've offended you in some way tell me what it is and how I can correct it. I want to learn, and along the way one can make mistakes; Being wrong helps you learn what's right.

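The kernel ranges quoted above (bug introduced in 5.8, fixed in 5.16.11, 5.15.25 and 5.10.102) are the only practical check most people can do before they patch, so here is a small POSIX shell helper that classifies a kernel version string against them. This is an added example, not code from the Ars article, from Kellermann's write-up, or from anyone in this thread. The function name `dirty_pipe_status`, the rule that 5.17 and later are treated as fixed (the fix reached mainline before 5.17 shipped), and the rule that the end-of-life 5.8, 5.9 and 5.11 through 5.14 series are treated as affected are my assumptions. It judges by version number only: distribution and vendor kernels (Ubuntu, RHEL, Android device kernels) often backport the fix without bumping the upstream patch level, so treat a `vulnerable` verdict as a prompt to read the distribution's own advisory, not as proof.

```shell
#!/bin/sh
# Added example: classify a Linux kernel version string against the Dirty Pipe
# (CVE-2022-0847) ranges quoted in the thread:
#   introduced in 5.8; fixed in 5.16.11, 5.15.25 and 5.10.102.
# Assumptions (not from the article): 5.17 and later carry the fix; the 5.8,
# 5.9 and 5.11-5.14 series never got a fixed point release, so they count as
# affected. Version number only: distro kernels may have the fix backported
# without a version bump, so "vulnerable" means "check your distro's advisory".

dirty_pipe_status() {
    # Keep only the leading numeric part: "5.10.43-android12-9" -> "5.10.43"
    v=$(printf '%s\n' "$1" | sed 's/^\([0-9][0-9.]*\).*/\1/')
    case "$v" in
        ""|.*|*[!0-9.]*) printf 'unparseable\n'; return 2 ;;
    esac
    major=$(printf '%s\n' "$v" | cut -d. -f1)
    minor=$(printf '%s\n' "$v" | cut -s -d. -f2)   # -s: empty when no "."
    patch=$(printf '%s\n' "$v" | cut -s -d. -f3)
    minor=${minor:-0}
    patch=${patch:-0}

    verdict="not affected"   # covers 4.x and earlier, 5.0-5.7, and 6.x
    if [ "$major" -eq 5 ] && [ "$minor" -ge 8 ]; then
        case "$minor" in
            10) if [ "$patch" -lt 102 ]; then verdict="vulnerable"; fi ;;
            15) if [ "$patch" -lt 25 ];  then verdict="vulnerable"; fi ;;
            16) if [ "$patch" -lt 11 ];  then verdict="vulnerable"; fi ;;
            8|9|11|12|13|14) verdict="vulnerable" ;;   # no fixed release exists
            *) ;;                                       # 5.17+: assumed fixed
        esac
    fi
    printf '%s\n' "$verdict"
    # Exit status 1 when vulnerable, so the function composes in scripts.
    [ "$verdict" = "not affected" ]
}

# When run as a script, check the running kernel (or the version given as $1).
# $rc ends up 0 (not affected), 1 (vulnerable) or 2 (unparseable input).
rc=0
dirty_pipe_status "${1:-$(uname -r)}" || rc=$?
```

Run it with no arguments to check the machine you are on, or pass a version string copied from a phone's Settings > About phone screen; the Pixel 6 / Galaxy S22 value from the article (5.10.43) comes back `vulnerable`, the Pixel 4's 4.14 comes back `not affected`.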

I would be more concerned if there wasn't a fix, it will be pushed and installed automatically without anyone that runs a Linux Distro realizing it, unless you're the type of enduser that runs all updates manually, including security updates.

Same for Android; wouldn't surprise me if one of the 3 security updates I received over the past month for my S21 Ultra was for this...

For those that don't, well, there is a new pipe to exploit for rooting =)


2 minutes ago, strajk- said:

I would be more concerned if there wasn't a fix, it will be pushed and installed automatically without anyone that runs a Linux Distro realizing it, unless you're the type of enduser that runs all updates manually, including security updates.

Same for Android; wouldn't surprise me if one of the 3 security updates I received over the past month for my S21 Ultra was for this...

For those that don't, well, there is a new pipe to exploit for rooting 😃

The problem for Android is that we don't know how many manufacturers push security updates to their devices. We know that about 40% of current Android devices are running 10 or older. It's a good bet that more than 50% aren't even on 12, let alone get security updates at all.

Grammar and spelling is not indicative of intelligence/knowledge.  Not having the same opinion does not always mean lack of understanding.  


10 minutes ago, mr moose said:

The problem for Android is that we don't know how many manufacturers push security updates to their devices. We know that about 40% of current Android devices are running 10 or older. It's a good bet that more than 50% aren't even on 12, let alone get security updates at all.

Sure, regarding this particular vulnerability they have nothing to worry about, though, since Android runs LTS versions of the Linux kernel; only recently did they start using 5.x onwards. Android 10 phones should be fine, and I doubt that those inside the 1-2 year release cycle won't get an update for it; I even got updates for my Essential Phone long after they open-sourced it due to a vulnerability.


15 minutes ago, strajk- said:

Sure, regarding this particular vulnerability they have nothing to worry about, though, since Android runs LTS versions of the Linux kernel; only recently did they start using 5.x onwards. Android 10 phones should be fine, and I doubt that those inside the 1-2 year release cycle won't get an update for it; I even got updates for my Essential Phone long after they open-sourced it due to a vulnerability.

So only half the Android users have to worry if their manufacturers are actually doing proper security updates? Yay!


11 minutes ago, mr moose said:

So only half the Android users have to worry if their manufacturers are actually doing proper security updates? Yay!

Don't like it? Root it.


4 minutes ago, strajk- said:

Don't like it? Root it.

I'm sure all those non-tech-savvy people who don't know nor care about the difference between a kernel and a rotting donut would be just thrilled to find their $500 phone is a security hole they have to learn how to root to fix.

 

EDIT: Also that argument would be like a welder on a forum telling consumers if they don't like how vulnerable their car is due to a weak chassis they could learn to weld instead of expecting the manufacturer to fix it. 

 

 


I have this nagging feeling in the back of my neck...

Like, for some reason, we might start seeing a heck of a lot more Linux exploits in the wild.

Not sure why, though... *cough steam deck cough*

6 minutes ago, strajk- said:

Don't like it? Root it.

Or demand that manufacturers provide proper bloody software upgrades and patching?


19 minutes ago, mr moose said:

So only half the Android users have to worry if their manufacturers are actually doing proper security updates? Yay!

This is why I'm refusing to buy a phone that has a locked bootloader....


Just now, mr moose said:

I'm sure all those non-tech-savvy people who don't know nor care about the difference between a kernel and a rotting donut would be just thrilled to find their $500 phone is a security hole they have to learn how to root to fix.

 

 

Yeah yeah, so you want what? Legislation to update all prior versions for 20+ years? Good luck with that.

Also, being on 12 doesn't mean it's more secure, a disanalogous point really, and this exploit is even an example of that.

It's your choice what ecosystem you buy into; your money, do your own research.


2 minutes ago, Rauten said:

I have this nagging feeling in the back of my neck...

Like, for some reason, we might start seeing a heck of a lot more Linux exploits in the wild.

Not sure why, though... *cough steam deck cough*

Or demand that manufacturers provide proper bloody software upgrades and patching?

They do that, for 2 years, some even longer.

You have free choice what brand you pick, the beauty of the free market to get one that fits your flavor and criteria of """proper""".

 

What you want is free access to the bootloader in order to use a ROM that will be updated past support by the community; no company in the world will do what you ask for unless enterprise is involved, something proprietary always runs out of their support pipeline.


39 minutes ago, strajk- said:

Also, being on 12 doesn't mean it's more secure, a disanalogous point really, and this exploit is even an example of that.

It's your choice what ecosystem you buy into; your money, do your own research.

The issue is all those on 12 that may not get the update, not the old stuff that isn't vulnerable to this specifically anyway. And yes it should be legislated, absolutely yes.

 

"It's just software" is a dying or should already be dead excuse now. A lot of software is just too important or no different to physical consumer goods already legislated. Free pass has to go.


8 minutes ago, leadeater said:

The issue is all those on 12 that may not get the update, not the old stuff that isn't vulnerable to this specifically anyway. And yes it should be legislated, absolutely yes.

 

"It's just software" is a dying or should already be dead excuse now. A lot of software is just too important or no different to physical consumer goods already legislated. Free pass has to go.

Pipe dream, will never happen.

The only realistic approach is legislation to unlock the bootloader after support for the product has expired, with the pretext of labeling it abandonware, or to have it unlocked from the get-go.

 

Google is very strict in regards to updates, last time I checked you had to support software updates and security updates for a minimum of 2-3 years, if you want longer go Pixel, want even longer go Apple, the market lets you pick and choose.


3 minutes ago, strajk- said:

Pipe dream, will never happen.

The only realistic approach is legislation to unlock the bootloader after support for the product has expired, with the pretext of labeling it abandonware, or to have it unlocked from the get-go.

Hardly a pipedream, car makers said they would never be legislated and didn't need to because they could regulate themselves. Not happening soon isn't the same as never.

 

Literally all you have to do is legislate consumer protection laws to cover smartphones, establish an accepted expected lifespan of the product, then require security patching for that period. It's not cumbersome or hard and is what is already done for many things like kitchen appliances.


2 hours ago, J-from-Nucleon said:

This is really bad simply due to the sheer number of devices possibly affected, and I'm not talking about servers.

[Image: Pirate Captain from the animated movie So You Want to Be a Pirate]

 

As far as I can tell you need to already have access to the machine to do this, meaning it will only really be relevant on servers.

Don't ask to ask, just ask... please 🤨

sudo chmod -R 000 /*


18 minutes ago, leadeater said:

Hardly a pipedream, car makers said they would never be legislated and didn't need to because they could regulate themselves. Not happening soon isn't the same as never.

Car makers have to supply car parts for a set number of years, which is a different period of time in each country; in Europe it's 10 years, and in France you even have access to a repairability index to see how flexible it is to repair a product.

 

This is not analogous; what you should be comparing this to is situations like Samsung with their exploding batteries, and guess what happened? Recalls, which you can still do to this date, same in cars, a good example being airbag recall lists, and guess what, it's not the manufacturer supplying it, you have to go to a third party to get it replaced.

 

What should be provided is the tools to fix the issue, not updates for an arbitrary amount of time you think is right, Google already has very strict guidelines in regards to that, I just looked it up, 3 years, so everyone on 12 will get that update which makes your previous point moot.

 

What we need is mandatory unlocked bootloaders to fix it ourselves or have a third party do it, either after support runs out or from the start like I already mentioned before. What you want is nothing but a pipe dream; if you want 6 years of support go Apple, just look up what company suits your needs best, and once it completely runs out do something with the unlocked bootloader in case you don't want to replace your phone, which would require legislation.


1 minute ago, strajk- said:

This is not analogous; what you should be comparing this to is situations like Samsung with their exploding batteries, and guess what happened? Recalls, which you can still do to this date, same in cars, a good example being airbag recall lists, and guess what, it's not the manufacturer supplying it, you have to go to a third party to get it replaced.

Recalls are not for known ongoing maintenance, that's entirely wrong. You don't recall cars over worn tires or needing an oil change.

 

While different situations for sure, does not make similar legislation not applicable at all.


4 minutes ago, strajk- said:

What we need is mandatory unlocked bootloaders to fix it ourselves or have a third party do it

Nope, because all you're doing is introducing the privileged few; that's not a consumer protection solution. Self repair and services come AFTER product support, not during. During is the issue: what is the "during" period and what is the obligation during it? Neither is established, and both need to be.


6 minutes ago, leadeater said:

Recalls are not for known ongoing maintenance, that's entirely wrong. You don't recall cars over worn tires or needing an oil change.

 

While different situations for sure, does not make similar legislation not applicable at all.

Yes, because you can for sure receive free ongoing maintenance for cars after 3 years, again, not comparable. Most limit it to a year or 100k km...

Same applies to phone manufacturers, they support it for a limited amount of time...


3 minutes ago, leadeater said:

Nope, because all you're doing is introducing the privileged few; that's not a consumer protection solution. Self repair and services come AFTER product support, not during. During is the issue: what is the "during" period and what is the obligation during it? Neither is established, and both need to be.

Go ahead and point me to a single manufacturer that won't support this security fix for 12 then.


10 minutes ago, Sauron said:

As far as I can tell you need to already have access to the machine to do this, meaning it will only really be relevant on servers.

It's a bit too soon to make that assumption; it's quite possible that with some more digging this can be turned into an exploit that can be used through a browser....


3 minutes ago, strajk- said:

Yes, because you can for sure receive free ongoing maintenance for cars after 3 years, again, not comparable. Most limit it to a year or 100k km...

Same applies to phone manufacturers, they support it for a limited amount of time...

Did I say no time limits? Also FYI here it's required MINIMUM of 5 years for ALL new cars, most are sold with 8 or 10. No KM limits at all, because our laws do not allow it.


14 minutes ago, leadeater said:

Did I say no time limits? Also FYI here it's required MINIMUM of 5 years for ALL new cars, most are sold with 8 or 10. No KM limits at all, because our laws do not allow it.

And what did I say? Different in every country.

Guess what Google does? Minimum 3 years else you can get excluded from the program.

Apple 6.

 

You started this off with the worry that some will not be receiving this patch, but that's not a reality, partners WILL supply this kernel update, unless it's a company that has gone defunct and even those sometimes still push updates when a major vulnerability is found, Essential did this.

 

So which manufacturer are we talking about right now? I see so many people worried about the poor users that won't get the update yet so far it's pretty likely everyone affected will be covered...so what is the problem?


20 minutes ago, jagdtigger said:

It's a bit too soon to make that assumption; it's quite possible that with some more digging this can be turned into an exploit that can be used through a browser....

Maybe, but in that case updating your browser should be enough. Also it seems unlikely to me since as far as I know browsers don't use pipes much and I see no reason access to them should be provided to a website through the sandbox.


This made me look into what kernel my phone is running because yesterday I got updated to Android 12.

 

My face when I'm safe from this vulnerability because of old software... (My phone runs on 4.19)

 

[Homer Simpson poker face GIF]

this is one of the greatest things that has happened to me recently, and it happened on this forum; those involved have my eternal gratitude http://linustechtips.com/main/topic/198850-update-alex-got-his-moto-g2-lets-get-a-moto-g-for-alexgoeshigh-unofficial/ :')

I used to have the second best link in the world here, but it died ;_; it's a 404 now but it will always be here

 

