Information has been released regarding an eight-year-old vulnerability in the Linux kernel that is as severe as Dirty Pipe. The exploitation method is more general and more potent than Dirty Pipe, and it could work on any version of the affected kernel.
The DirtyCred vulnerability
Academics from the Northwestern University group have named the disclosed vulnerability DirtyCred.
Rather than being tied to a specific vulnerability, the exploitation method allows any flaw with double-free capability to achieve Dirty Pipe-like effects.
It matches Dirty Pipe when it comes to bypassing all of the kernel protections. Additionally, this exploitation method can even actively escape containers, which Dirty Pipe cannot do.
The Dirty Pipe flaw (CVSS score 7.8) affects Linux kernel versions starting from 5.8, while the DirtyCred technique works across different kernel versions and architectures.
All about the bug exploitation
To exploit this flaw, an attacker first needs to free an in-use unprivileged credential. The attacker then gets privileged user-space processes such as su, mount, or sshd to allocate privileged credentials into the freed memory slot, so that the attacker's process operates as a privileged user.
The exploitation can be performed with any previously unknown vulnerability (such as CVE-2022-2588) to escalate privileges.
Instead of overwriting critical data fields on the kernel heap, DirtyCred abuses the heap memory reuse mechanism to obtain privileges.
It allows unprivileged processes to write to arbitrary readable files for escalation of privilege.
The DirtyCred flaw has serious consequences if exploited by a threat actor. To mitigate the threat, the researchers suggest isolating privileged credentials from unprivileged ones using virtual memory.
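A toy model of the heap-reuse mechanism described above and of the suggested isolation mitigation, as an added illustration that is not part of the original article or the researchers' work; `SlabCache`, `Cred` and `run_scenario` are constructed simplifications of kernel slab behaviour, not kernel APIs:

```python
"""Constructed model: why freeing an in-use credential lets a privileged
allocation land in the same slot, and why a separate cache prevents it."""
from dataclasses import dataclass


@dataclass
class Cred:
    uid: int      # 0 stands for root
    owner: str    # process the credential was allocated for


class SlabCache:
    """LIFO free list: the most recently freed slot is handed out first,
    which is the reuse behaviour the technique depends on."""

    def __init__(self):
        self.slots = []   # slot index -> Cred (memory is never scrubbed here)
        self.free = []    # indices available for reuse

    def alloc(self, cred):
        if self.free:
            idx = self.free.pop()
            self.slots[idx] = cred
        else:
            self.slots.append(cred)
            idx = len(self.slots) - 1
        return idx

    def release(self, idx):
        # Only the bookkeeping changes; stale references still point at the slot.
        self.free.append(idx)

    def read(self, idx):
        return self.slots[idx]


def run_scenario(isolate_privileged):
    """Return the uid the attacker's stale credential reference resolves to."""
    unpriv_cache = SlabCache()
    priv_cache = SlabCache() if isolate_privileged else unpriv_cache
    # The unprivileged process holds a reference (slot index) to its own cred.
    attacker_slot = unpriv_cache.alloc(Cred(uid=1000, owner="attacker"))
    # Step 1, the modelled bug: the in-use credential is freed while referenced.
    unpriv_cache.release(attacker_slot)
    # Step 2: a privileged program (su in the article) allocates a root credential.
    priv_cache.alloc(Cred(uid=0, owner="su"))
    # With a shared cache the stale reference now sees the root credential;
    # with an isolated cache it still sees the old unprivileged one.
    return unpriv_cache.read(attacker_slot).uid
```

With a shared cache `run_scenario(False)` resolves to uid 0, while `run_scenario(True)` stays at uid 1000, which is the effect the isolation mitigation is meant to achieve.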