A new Linux kernel exploitation technique called Dirty Cred was presented at last week’s Black Hat security conference.
Zhenpeng Lin, a PhD student, and a team of researchers worked on an alternative to the infamous Dirty Pipe vulnerability (CVE-2022-0847), which affected Linux kernel 5.8 and later.
Dirty Pipe is a major flaw that allows attackers to elevate a least-privileged account to the maximum level (root) by abusing the way the kernel passes data through pipes. Attackers can use it to overwrite system files and inject arbitrary code that gets executed as root on vulnerable machines.
Lin’s team found a way to swap Linux kernel credentials on systems vulnerable to a previously reported bug (CVE-2021-4154) and a new one (CVE-2022-2588), and they expect to add more compatible CVEs in the future. A public proof of concept (PoC) is available on GitHub, together with the kernel-side defense the researchers propose.
The researchers describe their approach as a generic method that, unlike Dirty Pipe, also applies to containers and Android, and that can “empower different bugs to be Dirty-Pipe-liked.” Indeed, the generated exploit “can work on different kernels and ARCH without code change.”
How Dirty Cred Works
Lin published a demo on Twitter showing the same exploit code elevating a low-privileged user to root on two different systems, CentOS 8 and Ubuntu.
Behind the scenes, the attack relies on kernel heap corruption. Because privileged credential objects are not isolated from unprivileged ones in memory, an attacker who can free an object and get its slot reused can swap one for the other.
There are two main types of kernel credentials:
- task credentials
- open file credentials
To simplify, the kernel represents these with two object types, “struct cred” and “struct file,” each allocated from its own dedicated slab cache (cred_jar and filp, respectively). struct cred holds task credentials: the user and group IDs, capabilities and other permission data the kernel consults on every access check.
Any attack that manages to alter such data can result in privilege escalation. What Dirty Cred does is free an in-use unprivileged credential object and then cause a privileged one to be allocated in the freed memory slot; the attacker’s task, which still references that slot, ends up operating as a privileged user.
The attack is not fully deterministic, as it has to wait for a privileged credential to be allocated into the freed slot. An unprivileged user can force such allocations, however, by executing setuid-root binaries (su, sudo or passwd, for example), each of which makes the kernel allocate a root credential.
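The following userland C program is an added model of the task-credential swap described above, written for this article; it is not the researchers’ exploit and it does not touch a real kernel. A tiny LIFO free list stands in for the kernel’s cred_jar slab cache, and a call named bug_free stands in for the memory-corruption primitive (an invalid free) that the real attack obtains from a kernel bug. The isolate_privileged flag previews the mitigation discussed under “How to Protect” below: allocating root credentials from a separate region so a freed unprivileged slot can never be reclaimed by a privileged object. All names and the uid values are illustrative.

```c
/*
 * Added model of the Dirty Cred task-credential swap (not the original PoC).
 * A fixed-slot cache with a LIFO free list stands in for the cred_jar slab
 * cache; the "bug" is simply freeing an object that is still referenced.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SLOTS 8

/* Minimal stand-in for the kernel's struct cred. */
struct cred { unsigned uid; unsigned euid; char comm[16]; };

/* A slab-like cache: fixed slots plus a LIFO free list (like SLUB's freelist). */
struct cache {
    struct cred slots[SLOTS];
    int freelist[SLOTS];
    int nfree;
};

static void cache_init(struct cache *c)
{
    c->nfree = 0;
    for (int i = SLOTS - 1; i >= 0; i--)
        c->freelist[c->nfree++] = i;
}

static struct cred *cache_alloc(struct cache *c)
{
    if (c->nfree == 0) return NULL;
    return &c->slots[c->freelist[--c->nfree]];   /* most recently freed slot first */
}

static void cache_free(struct cache *c, struct cred *p)
{
    c->freelist[c->nfree++] = (int)(p - c->slots); /* no zeroing on free */
}

/* A task keeps a pointer to its credentials, as task_struct->cred does. */
struct task { struct cred *cred; };

/* prepare_creds()-style allocation for a process running as uid. */
static struct cred *new_cred(struct cache *c, unsigned uid, const char *comm)
{
    struct cred *k = cache_alloc(c);
    if (!k) abort();
    k->uid = k->euid = uid;
    strncpy(k->comm, comm, sizeof k->comm - 1);
    k->comm[sizeof k->comm - 1] = '\0';
    return k;
}

/* Stand-in for the kernel bug: frees a cred that a task still references. */
static void bug_free(struct cache *c, struct task *t) { cache_free(c, t->cred); }

/* Returns 1 if the unprivileged task ends up referencing a uid-0 credential. */
int simulate_cred_swap(int isolate_privileged)
{
    struct cache unpriv_jar, priv_jar;
    cache_init(&unpriv_jar);
    cache_init(&priv_jar);
    /* With isolation, privileged creds come from a separate region (the
       article's vmalloc-based defense); without it, everything shares one cache. */
    struct cache *root_jar = isolate_privileged ? &priv_jar : &unpriv_jar;

    /* Attacker's shell, uid 1000 (illustrative), holds a live cred reference. */
    struct task attacker = { .cred = new_cred(&unpriv_jar, 1000, "sh") };

    /* Step 1: the bug frees the in-use cred; attacker.cred now dangles. */
    bug_free(&unpriv_jar, &attacker);

    /* Step 2: a setuid-root exec allocates a root cred; the LIFO free list
       hands back the just-freed slot first when the cache is shared. */
    struct cred *suid_cred = new_cred(root_jar, 0, "passwd");
    (void)suid_cred;

    /* Step 3: the dangling reference reads whatever now occupies the slot. */
    return attacker.cred->euid == 0;
}

int main(void)
{
    printf("shared cache:   escalated=%d\n", simulate_cred_swap(0));
    printf("isolated cache: escalated=%d\n", simulate_cred_swap(1));
    return 0;
}
```

With a shared cache the attacker’s stale pointer lands on the freshly allocated root credential; with privileged credentials kept in their own region the stale slot still holds the old uid-1000 data and nothing is gained, which is the whole point of the isolation defense.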
The approach is much the same for open file credentials and struct file objects. The attacker opens a file they are allowed to write, starts a write, and frees the struct file after the kernel’s permission check has passed but before the data is written to disk. If the freed slot is then reclaimed by a struct file opened read-only on a privileged file, the pending write lands in that file instead, and the attacker has effectively written as a privileged user.
The hardest part of the file variant is making it reliable: the swap has to happen between the permission check and the write, which is a very narrow time window.
The researchers highlighted several ways to pause kernel execution inside that window (for example, via FUSE or a file lock) in order to extend it.
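The program below is an added model of the open-file swap and its timing window, written for this article and not taken from the researchers’ code. The kernel write path is reduced to three stages: a permission check on the struct file, a stall (where the real attack parks the kernel with FUSE or a file lock, as noted above), and the copy into the file’s inode. A single slot stands in for the filp slab cache, and the attacker’s free-and-reopen during the stall stands in for the memory-corruption primitive. File paths, uids and the payload are constructed for the example.

```c
/*
 * Added model of the Dirty Cred open-file swap (not the original PoC).
 * Shows why the swap must land between the permission check and the copy,
 * and why extending that window matters.
 */
#include <stdio.h>
#include <string.h>

#define FMODE_READ  1u
#define FMODE_WRITE 2u

struct inode { const char *path; unsigned owner_uid; char data[64]; };
struct file  { struct inode *f_inode; unsigned f_mode; int in_use; };

/* One slab slot: a freed struct file is reused by the next open(). */
static struct file filp_slot;

static struct file *do_open(struct inode *ino, unsigned mode)
{
    if (filp_slot.in_use) return NULL;       /* slot busy: allocation fails */
    filp_slot = (struct file){ .f_inode = ino, .f_mode = mode, .in_use = 1 };
    return &filp_slot;
}

static void do_close(struct file *f) { f->in_use = 0; }

/* Hook called in the window between the permission check and the copy. */
typedef void (*stall_fn)(void *ctx);

/* Simplified vfs_write: check, stall, copy. Returns bytes written or -1. */
static int vfs_write(struct file *f, const char *buf, stall_fn stall, void *ctx)
{
    if (!(f->f_mode & FMODE_WRITE))
        return -1;                           /* the check happens once, here */
    if (stall) stall(ctx);                   /* attacker extends this window */
    /* The copy trusts the earlier check and writes to whatever f refers to now. */
    strncpy(f->f_inode->data, buf, sizeof f->f_inode->data - 1);
    f->f_inode->data[sizeof f->f_inode->data - 1] = '\0';
    return (int)strlen(buf);
}

struct attack_ctx { struct file *victim; struct inode *target; };

/* Runs during the stall: free the writable file, then reopen a root-owned
   file read-only so the new struct file reuses the same slot. */
static void swap_file_during_stall(void *p)
{
    struct attack_ctx *a = p;
    do_close(a->victim);                     /* stands in for the free primitive */
    do_open(a->target, FMODE_READ);          /* read-only open, same slot */
}

/* Returns 1 if attacker-controlled bytes reached the root-owned file. */
int simulate_file_swap(int stall_enabled)
{
    filp_slot.in_use = 0;                    /* fresh cache for each run */
    struct inode scratch = { "/tmp/scratch", 1000, "" };        /* constructed */
    struct inode passwd  = { "/etc/passwd",  0,    "root:x:0:0" }; /* constructed */
    const char *payload  = "evil:x:0:0";                         /* constructed */

    /* Attacker legitimately opens a file they may write. */
    struct file *f = do_open(&scratch, FMODE_READ | FMODE_WRITE);
    struct attack_ctx ctx = { f, &passwd };

    /* Without the stall there is no window and the write goes to scratch. */
    vfs_write(f, payload, stall_enabled ? swap_file_during_stall : NULL, &ctx);

    return strcmp(passwd.data, payload) == 0;
}

int main(void)
{
    printf("no window: hit root file=%d\n", simulate_file_swap(0));
    printf("extended window: hit root file=%d\n", simulate_file_swap(1));
    return 0;
}
```

The permission check is evaluated against the writable scratch file, but the copy is performed against whatever the slot holds at that moment; once the window is wide enough for the free-and-reopen to complete, the root-owned file receives the attacker’s bytes even though it was only ever opened read-only.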
How to Protect Against Dirty Cred Attacks
It should be noted that the PoC is still a work in progress, although it already works under specific conditions, namely against specific vulnerabilities. CVE-2021-4154 has been patched in the Linux kernel, but the researchers indicate that “the exploit works on most CentOS 8 kernels higher than linux-4.18.0-305.el8 and most Ubuntu 20 kernels higher than 5.4.0-87.98 and 5.11.0-37.41.”
Because kernel objects are isolated by type rather than by privilege, the researchers recommend isolating privileged credentials from unprivileged ones by allocating them from a separate virtual-memory region (vmalloc), so that a freed unprivileged slot can never be reclaimed by a privileged object. This also closes the door on cross-cache attacks.