Dirty pipe is the name given to the CVE-2022-0847 vulnerability, present in Linux kernel versions 5.8 and later. It is considered a very serious vulnerability found in the Linux kernel recently partially because it gives a bad actor the ability to escalate privilege but more importantly, its exploitation has no headache in dealing with kernel address randomization and pointer integrity check. With this capability, the exploit built on top of the dirty pipe could be easily used for all versions of kernel affected without even modification.
While dirty pile is powerful, its exploitability is closely tied to the capability of the CVE-2022-0847 vulnerability which abuses the Linux kernel pipe mechanism to inject data to arbitrary files. For other vulnerabilities without such a pipe-abusive power, the exploitation is still hard to follow the dirty pipe journey and thus brings the same level of security implication.
In this talk, we present a novel exploitation method pushing the dirty pipe to the next level. To be specific, given a vulnerability with a double-free ability, we will demonstrate that our exploitation method could obtain the dirty-pipe-like ability to overwrite an arbitrary file to escalate privilege. Exploits utilizing our method inherit the advantage of the dirty pipe that the code would work on any version of the kernel affected without modification. We argue that our new exploitation method is not only more general than the dirty pipe but also more powerful. First, rather than tying to a specific vulnerability, this exploitation method allows any vulnerabilities with double-free ability to demonstrate dirty-pipe-like ability. Second, while it is like the dirty pipe that could bypass all the kernel protections, our exploitation method could even demonstrate the ability to escape the container actively that dirty pipe is not capable of.
Along with this talk, we will demonstrate how our exploitation method works using real world vulnerabilities. Specifically, we will demonstrate privilege escalation on Linux and Android. Last but not least, we will demonstrate how to achieve container escape on CentOS. We will release our exploitation details and all of our exploits demonstrated in this talk. To the best of our knowledge, our exploitation is the first general method that helps develop a universal exploit to different versions of kernel and different architectures. It greatly unloads the burden of exploit migration across versions and architectures. Since our exploitation is general and powerful, it also imposes a great challenge to the existing kernel defense architecture.