A Linux kernel vulnerability dubbed Dirty Pipe allows local users to gain root privileges, and a public exploit for it is available. The vulnerability was discovered by security researcher Max Kellermann and reported to the Linux kernel team on February 20, 2022; it is tracked as CVE-2022-0847. It allows unprivileged users to inject data into and overwrite read-only files, including SUID binaries that run as root. A PoC and a working exploit have already been disclosed, so the risk is relatively high.
Notably, this vulnerability has already been exploited by hackers; Max Kellermann discovered it while helping a customer troubleshoot web server logs. It is somewhat similar to the Dirty COW vulnerability that appeared in 2016, hence the name Dirty Pipe.
As part of the responsible disclosure, Max Kellermann has published a PoC for research purposes. With it, local users can inject their own data into sensitive read-only files, removing restrictions or modifying configurations to elevate their privileges.
In the proof of concept, the researcher used the vulnerability to modify the /etc/passwd file. After the modification, the root user's password is simply gone, so an ordinary user can run su root to gain access to the root account and then do whatever they want.
Another researcher found that overwriting the /usr/bin/su binary so that it drops a root shell in /tmp/sh makes gaining root privileges even easier; either way, the harm can be very serious.
The Linux kernel team fixed CVE-2022-0847 in versions 5.16.11, 5.15.25 and 5.10.102. The problem is that a large number of Linux servers have not yet been upgraded and are still running affected kernel versions. Notably, because this vulnerability is easier to exploit than Dirty COW, it is only a matter of time before it is exploited by hackers on a large scale.
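Two defender-side checks that follow from the article: whether a kernel release string falls in the affected range (fixed versions 5.16.11, 5.15.25 and 5.10.102 are from the article; the 5.8 introduction point and the unfixed 5.11 to 5.14 branches are the upstream-reported facts), and whether an /etc/passwd-style file shows the PoC's side effect on the root entry. This is an added example written for this page, not code from the article or from the researchers; the sample passwd text is constructed.

```python
"""Defender-side checks for CVE-2022-0847 (Dirty Pipe); added example, not
from the article. Fixed versions 5.16.11 / 5.15.25 / 5.10.102 come from the
article; the 5.8 introduction point is the upstream-reported one."""
import platform
import re

INTRODUCED = (5, 8, 0)
FIXED = {(5, 16): (5, 16, 11), (5, 15): (5, 15, 25), (5, 10): (5, 10, 102)}


def parse_release(release):
    """'5.15.0-25-generic' -> (5, 15, 0); distro suffixes are ignored."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unparseable kernel release: {release!r}")
    return tuple(int(x or 0) for x in m.groups())


def kernel_is_vulnerable(release):
    """True when the version lies in [5.8, fix) for its stable branch.
    Distro kernels often backport the fix without a version bump, so a
    True here means 'consult the vendor advisory', not 'exploitable'."""
    ver = parse_release(release)
    if ver < INTRODUCED:
        return False
    branch = ver[:2]
    if branch in FIXED:
        return ver < FIXED[branch]
    return ver < (5, 17, 0)  # 5.8-5.9 and 5.11-5.14 never got a fix; 5.17+ is fixed


def suspicious_uid0_entries(passwd_text):
    """Names of UID-0 accounts whose password field is not a shadow marker.
    The article's PoC empties root's password in /etc/passwd; an empty
    field, or a hash stored directly, both deserve investigation."""
    hits = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7 or fields[2] != "0":
            continue
        if fields[1] not in ("x", "*", "!"):
            hits.append(fields[0])
    return hits


# Constructed sample: a normal entry and a root entry as the PoC leaves it.
SAMPLE_PASSWD = "root::0:0:root:/root:/bin/bash\nalice:x:1000:1000::/home/alice:/bin/bash\n"

if __name__ == "__main__":  # assumes a Linux host for platform.release()
    rel = platform.release()
    print(f"kernel {rel}: {'affected range' if kernel_is_vulnerable(rel) else 'not in range'}")
    print("suspicious UID-0 entries:", suspicious_uid0_entries(SAMPLE_PASSWD))
```

On a real host, feed the contents of /etc/passwd to suspicious_uid0_entries and treat a non-empty result as an incident indicator, not merely a misconfiguration.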
So in any case, upgrade the Linux kernel immediately to fully fix this vulnerability. Now that the PoC has been published, hackers have presumably already begun exploiting it.
In addition, the vulnerability also affects Android, and it is expected that malware will exploit it to gain root privileges. But Android kernel updates are not easy to obtain, and the only thing users can do is avoid installing software of unknown origin.