One of the strongest points of the Linux kernel has primarily been its open source nature, which allows stakeholders to fork, modify and redistribute it in a way that suits their particular needs. But this very advantage of being open source acts like a double-edged sword when it comes to the existence of unpatched security vulnerabilities and corresponding exploitable scenarios. While developers and big name OEMs are hard at work enhancing the overall security of the Linux ecosystem (which also includes Android), new vulnerabilities and exploits keep popping up and slipping under the radar. The mistake this time seems to be quite serious, unfortunately.
The newest bad fish in the pond was discovered by security researcher Max Kellermann. Nicknamed Dirty Pipe, the vulnerability allows overwriting data in arbitrary read-only files. Although it has already been patched in the mainline Linux kernel, the bug could potentially be weaponized in the form of a privilege-escalation exploit on every device out there running Linux kernel version 5.8 or newer. It also means that a bunch of newly released Android smartphones, such as the Samsung Galaxy S22 and the Google Pixel 6 are vulnerable as well, until each device receives the appropriate kernel patch from the respective OEM.
The origin of Dirty Pipe
Kellermann stumbled upon the anomaly back in April 2021, but it took him another few months to come up with a proof-of-concept exploit. Formally cataloged as CVE-2022-0847, the vulnerability allows a non-privileged user to inject and overwrite data in read-only files, including SUID processes that run as root. The colloquial moniker seems to be a play on the infamous Dirty Cow bug and a Linux mechanism called pipeline for inter-process message passing, since the latter is used during the exploitation routine.
— BLASTY (@bl4sty) March 7, 2022
How serious is Dirty Pipe for Android users?
Due to the fact that Linux kernel version 5.8 (or above) has only been an Android option since Android 12, legacy devices aren’t affected. However, smartphones based on the Qualcomm Snapdragon 8 Gen 1, MediaTek Dimensity 8000 and Dimensity 9000, Samsung Exynos 2200, and the Google Tensor SoC are vulnerable to the Dirty Pipe flaw because of their launch kernel builds.
— Gab̴̯̚i̶̳̇ C̵̯͖̈͗͒͐i̷͖̘̭͑̈͊r̷͙̞̽͛̿ľ̸̢i̴̧̱͓̅ĝ̵͇͍͕̙ (@hookgab) March 7, 2022
Keep in mind that Dirty Pipe in itself is not an exploit, but rather a vulnerability. However, this vulnerability allows for modifying a binary used by a privileged service or creating a new user account with root privileges. By exploiting this vulnerability, a malicious user space process can technically have unfettered root access on a victim’s device.
What has Google done so far to combat Dirty Pipe?
According to Kellermann, Google merged his bug fix with the Android kernel last month, just after it was fixed with the release of Linux kernel versions 5.16.11, 5.15.25, and 5.10.102. Having said that, we will probably need to wait a bit before OEMs start rolling out Android updates containing the fix. Google’s in-house Pixel 6, for example, is still vulnerable, but power users can mitigate the flaw by installing an aftermarket patched custom kernel as a fallback option.
In case you´re using a Pixel 6/Pro, your device is affected by the “Dirty Pipe” exploit discovered by Max Kellermann.
An excellent write up can be found at:https://t.co/92r7hhmXzD
Just released an update to my custom Pixel 6/Pro kernel, which includes the fix for this exploit.
— Mile (@mile_freak07) March 8, 2022
Though the chances of missing something incredibly serious are lowered by having more eyes auditing the code, the emergence of Dirty Pipe among other kinds of exploits (re-)establishes the truth that we’re all still human and are bound to make a mistake. Fragmentation is often at the core of the issue here, as a lot of these exploits are patched up in newer kernel releases, but unfortunately, will never be deployed across many existing devices.
A very large part of the blame here lies on OEM apathy, and such scenarios are very much unlikely to change anytime soon, especially in the entry-level smartphone market. We at XDA generally welcome the ability for users to acquire root access, but we do not celebrate the existence of root exploits such as this, especially one which is potentially dangerous to end-users.