Dity Pipe is a major flaw that allows attackers to elevate least-privileged accounts to the maximum level (root) by exploiting the way the kernel uses pipes to pass data. Attackers can use it to modify system files and inject arbitrary code that gets executed as root on vulnerable machines.<\/p>\n\n\n\n
Lin’s team discovered a path to swap Linux Kernel credentials on systems vulnerable to a previously reported vulnerability (CVE-2021-4154<\/a>) and a new one (CVE-2022-2588<\/a>), and they expect to add more compatible CVEs in the future. A public POC (proof of concept) is available on GitHub<\/a> offering an effective defense against the attack.<\/p>\n\n\n\n The researchers described their approach as a generic method that can apply to containers<\/a> (unlike Dirty Pipe) and Android, and \u201cempower different bugs to be Dirty-Pipe-liked.\u201d Indeed, the generated exploit \u201ccan work on different kernels and ARCH without code change.\u201d<\/p>\n\n\n\n Also read: CI\/CD Pipeline is Major Software Supply Chain Risk: Black Hat Researchers<\/a><\/p>\n\n\n\n Lin published a demo<\/a> on Twitter that demonstrates how the approach can be used to elevate a low-privileged user on two different systems, such as Centos 8 and Ubuntu, using the same exploit code: Behind the scene, the attack is a kernel heap corruption. Because privileged credentials<\/a> are not isolated from unprivileged ones, an attacker may attempt to swap them.<\/p>\n\n\n\n There are two main types of kernel credentials<\/a>:<\/p>\n\n\n\n To simplify that, let\u2019s say the kernel uses two types of objects: \u201cstruct cred\u201d and \u201cstruct file.\u201d These objects are stored in dedicated caches. The first one holds task credentials, which is information about privileges, capabilities and permissions of processes.<\/p>\n\n\n\n Any attack that manages to alter such data can result in a privilege escalation. What Dirty cred does is freeing an in-use unprivileged credential to allocate a privileged one in the freed memory slot and ultimately operate as a privileged user:<\/p>\n\n\n\n The attack is not perfect, though, as it has to wait for a privileged user to allocate task credentials, but it should be possible to trigger processes with root SUIDs, for example.<\/p>\n\n\n\n The approach is quite the same with open file credentials and struct file objects. The attack frees a file after permission checks but before file writing to disk, which should allow the attacker to allocate a read-only file object in the memory slot and operate as a privileged user: The final step that aims to stabilize the file exploit is not the easiest to achieve. The swap has to happen between permission checks and writing to disk, which represents a very narrow time window.<\/p>\n\n\n\n The researchers highlighted several solutions that consist of a pause in the kernel execution (e.g., FUSE, file lock) to extend that time window.<\/p>\n\n\n\n See the Best Privileged Access Management (PAM) Software<\/a><\/p>\n\n\n\n It should be noted that the POC is still in progress, even if it\u2019s already working in specific conditions, such as a specific vulnerability. CVE-2021-4154<\/a> has been patched in the Linux kernel, but the researchers indicate that \u201cthe exploit works on most Centos 8 kernels higher than linux-4.18.0-305.el8 and most buntu 20 kernels higher than 5.4.0-87.98 and 5.11.0-37.41.”<\/p>\n\n\n\n Because objects are isolated according to their type and not their privileges, the researchers recommend isolating privileged credentials from unprivileged ones using virtual memory to prevent cross cache attacks.<\/p>\n\n\n\n The patch is available on GitHub<\/a> and consists of isolating task cred using vmalloc<\/a> (virtually contiguous memory).<\/p>\n\n\n\n Read next: Best Zero Trust Security Solutions<\/a><\/p>\n\n\nHow Dirty Cred Works<\/strong><\/h2>\n\n\n\n
![](\"https:\/\/lh5.googleusercontent.com\/NlCSXgPKojq_t4L4Bg1qA7N3-66QN0zuAEWdsEZpi3ywTK-3s52jBauJW5n_PJyu-EfL48w8ErQvErFmlOI9aY9zn96nUsYyKhHjx3cyNi_xHIw-X8w9IBm1QIsX9BeFn-2wPlwqZcaV_Jovtg_Wjw\")
![](\"https:\/\/lh4.googleusercontent.com\/dZ0SvaQlX4q4tukTga3XNoXDqgxCq2bpKTZqaaLufZaQedFI46uG6ZBQJL31Lj9B6_1HsOBBzzGNySOSt3KsIVv0jgxRQ5bT93UMlYRrm1CzoKGTXOLQADPW7-CI77IWEMAiES5JssyBhHkIwl-oUw\")
![](\"https:\/\/lh6.googleusercontent.com\/JE3nNhl143HBJ_ySkJoie4O6DSMay8KTGGh-xwVaXgdzzo_L6CnFF6zZBGWHRlUNeyxJ9MuvE5Lo805XayiTodp4DGyi2EhwAt_toj1QucaV7cu22ozpTYN-ki2LtotJDxzXwrNmjr48aT0YStLtRg\")
How to Protect Against Dirty Cred Attacks<\/strong><\/h2>\n\n\n\n