A novel bug dubbed Dirty Pipe (CVE-2022-0847) enables privilege escalation and allows attackers to gain root access by overwriting data in read-only files and SUID binaries. The weakness lies in the faulty handling of pipe buffer flags by Linux Kernel. The name refers to a Linux mechanism of processes’ interaction within the OS, dubbed a pipeline.
The bug is similar to Dirty Cow, also a privilege escalation vulnerability in the Linux Kernel fixed in 2016, with the major difference that the novel one is easier to exploit.
To detect CVE-2022-0847 either by the binary name or through the common offset of “1” being passed with sensitive directories that are targets for privilege escalation, utilize the following threat detection content:
Possible CVE-2022-0847 Dirty Pipe POC Execution (via process_creation)
This detection has translations for the following SIEM, EDR & XDR platforms: Microsoft Sentinel, Elastic Stack, Splunk, Humio, Sumo Logic, ArcSight, QRadar, FireEye, LogPoint, SentinelOne, Graylog, Regex Grep, RSA NetWitness, Chronicle Security, Microsoft Defender ATP, Securonix, Apache Kafka ksqlDB, Carbon Black, Open Distro, and AWS OpenSearch.
The rule is aligned with the latest MITRE ATT&CK® framework v.10, addressing the Privilege Escalation tactic with Exploitation for Privilege Escalation as the primary technique.
Apart from the Sigma rule above, you can use the YARA rule by our top-tier Threat Bounty developer Kaan Yeniyol:
Detect DirtyPipe Exploitation Tool
To detect Dirty Pipe vulnerability, see the full list of rules available in the Threat Detection Marketplace repository of the SOC Prime platform. Eager to craft your own Sigma rules? Join our Threat Bounty program and get rewarded for your valuable contribution.
View Detections Join Threat Bounty
The past year was not the luckiest one for Linux, with numerous Linux exploits coming to light. A previously undocumented high-profile privilege elevation Linux bug disclosed by IONOS software developer Max Kellermann involves core Linux kernel functionality.
In the released Dirty Pipe PoC exploit, Kellermann shows how to abuse the vulnerability to allow non-privileged users to add an SSH key to the root user’s account. This bug equips unauthorized users with remote access to the server with an SSH window with full root privileges. A list of malicious actions enabled by Dirty Pipe includes the following: granting new account root privileges, scheduling a cron job that runs as a backdoor, tempering with a script or binary used by a privileged service. This highly exploitable vulnerability (CVE-2022-0847) also facilitates hijacking a SUID binary for root shell creation, as well as allowing untrusted users to overwrite data in arbitrary read-only files. According to the current data, devices that run Android OS are affected too.
The CVE-2022-0847 flaw was initially discovered in the Linux kernel version 5.8, persisting for over a year and a half until it was resolved in February, in versions 5.16.11, 5.15.25, and 5.10.102.
As hacks evolve, organizations must adapt. Join SOC Prime’s Detection as Code platform and level up your threat detection capabilities with the power of global cybersecurity expertise. Looking for ways to contribute your own detection content and drive collaborative cyber defense? Join forces with SOC Prime’s crowdsourcing initiative to share your Sigma and YARA rules with the community, contribute to safer cyberspace, and receive recurring rewards for your content!