New Linux Exploit ‘Dirty Cred’ Revealed at Black Hat

eSecurity Planet content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

A new Linux kernel exploitation called Dirty Cred was revealed at last week’s Black Hat security conference.

Zhenpeng Lin, a PhD student, and a team of researchers worked on an alternative approach to the infamous Dirty Pipe vulnerability that affected Linux kernel versions 8 and later.

Dity Pipe is a major flaw that allows attackers to elevate least-privileged accounts to the maximum level (root) by exploiting the way the kernel uses pipes to pass data. Attackers can use it to modify system files and inject arbitrary code that gets executed as root on vulnerable machines.

Lin’s team discovered a path to swap Linux Kernel credentials on systems vulnerable to a previously reported vulnerability (CVE-2021-4154) and a new one (CVE-2022-2588), and they expect to add more compatible CVEs in the future. A public POC (proof of concept) is available on GitHub offering an effective defense against the attack.

The researchers described their approach as a generic method that can apply to containers (unlike Dirty Pipe) and Android, and “empower different bugs to be Dirty-Pipe-liked.” Indeed, the generated exploit “can work on different kernels and ARCH without code change.”

Also read: CI/CD Pipeline is Major Software Supply Chain Risk: Black Hat Researchers

How Dirty Cred Works

Lin published a demo on Twitter that demonstrates how the approach can be used to elevate a low-privileged user on two different systems, such as Centos 8 and Ubuntu, using the same exploit code:

Behind the scene, the attack is a kernel heap corruption. Because privileged credentials are not isolated from unprivileged ones, an attacker may attempt to swap them.

There are two main types of kernel credentials:

  • task credentials
  • open file credentials

To simplify that, let’s say the kernel uses two types of objects: “struct cred” and “struct file.” These objects are stored in dedicated caches. The first one holds task credentials, which is information about privileges, capabilities and permissions of processes.

Any attack that manages to alter such data can result in a privilege escalation. What Dirty cred does is freeing an in-use unprivileged credential to allocate a privileged one in the freed memory slot and ultimately operate as a privileged user:

The attack is not perfect, though, as it has to wait for a privileged user to allocate task credentials, but it should be possible to trigger processes with root SUIDs, for example.

The approach is quite the same with open file credentials and struct file objects. The attack frees a file after permission checks but before file writing to disk, which should allow the attacker to allocate a read-only file object in the memory slot and operate as a privileged user:

The final step that aims to stabilize the file exploit is not the easiest to achieve. The swap has to happen between permission checks and writing to disk, which represents a very narrow time window.

The researchers highlighted several solutions that consist of a pause in the kernel execution (e.g., FUSE, file lock) to extend that time window.

See the Best Privileged Access Management (PAM) Software

How to Protect Against Dirty Cred Attacks

It should be noted that the POC is still in progress, even if it’s already working in specific conditions, such as a specific vulnerability. CVE-2021-4154 has been patched in the Linux kernel, but the researchers indicate that “the exploit works on most Centos 8 kernels higher than linux-4.18.0-305.el8 and most buntu 20 kernels higher than 5.4.0-87.98 and 5.11.0-37.41.”

Because objects are isolated according to their type and not their privileges, the researchers recommend isolating privileged credentials from unprivileged ones using virtual memory to prevent cross cache attacks.

The patch is available on GitHub and consists of isolating task cred using vmalloc (virtually contiguous memory).

Read next: Best Zero Trust Security Solutions

Julien Maury Avatar

Subscribe to Cybersecurity Insider

Strengthen your organization’s IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices.

This field is required This field is required

Get the free Cybersecurity newsletter

Strengthen your organization’s IT security defenses with the latest news, solutions, and best practices. Delivered every Monday, Tuesday and Thursday

This field is required This field is required