Details of a local privilege escalation vulnerability in the Linux kernel, dubbed Dirty Pipe, have been disclosed. A PoC exploit has also been published for the bug, which affects almost all distributions.
The vulnerability, tracked as CVE-2022-0847 (7.8 on the CVSS scale), was introduced in kernel version 5.8 (so it also affects Android devices running such kernels) and was recently fixed in versions 5.16.11, 5.15.25 and 5.10.102. The problem was discovered by researcher Max Kellermann, who first noticed its symptoms last spring. According to the researcher, the vulnerability is similar to another high-profile problem, Dirty COW (CVE-2016-5195), which was fixed back in 2016.
Essentially, Dirty Pipe allows an unprivileged local user to inject data into, and thus overwrite, arbitrary read-only files, including setuid binaries that run as root. Kellermann noticed the bug while tracking down the cause of corruption in the web server access logs of one of his company's customers.
In addition to describing the problem in detail, Kellermann also published a PoC exploit that lets local users inject their own data into sensitive read-only files, for example to remove restrictions or alter configuration so that they gain wider access than they should have.
For example, a researcher known as Phith0n demonstrated how the PoC can be used to modify the /etc/passwd file so that the root account has no password.
A slightly tweaked exploit was also published by BLASTY; it makes obtaining root privileges even easier by overwriting the /usr/bin/su binary so that it drops a root shell at /tmp/sh and then executes it.
Although the bug has already been fixed in Linux kernel versions 5.16.11, 5.15.25 and 5.10.102, many servers continue to run outdated kernels, which puts them in serious danger. Note that distributions usually backport the fix without changing the upstream patch level, so the vendor's advisory, not the bare version number, says whether a given distribution kernel is patched. In addition, given how easy it is to obtain root with the published exploits, attackers are expected to take advantage of the bug very soon: Dirty COW, which was noticeably harder to exploit, was nonetheless widely abused by criminals.
As a reminder, we previously wrote that the PwnKit bug in Polkit code threatens major Linux distributions, and that a privilege escalation vulnerability was found in snap-confine.