Cautious: A New Exploitation Method! No Pipe but as Nasty as Dirty Pipe

Conference: Black Hat USA 2022

2022-08-11

Summary

The presentation introduces a new exploitation method called 'The Requiem', which swaps kernel credentials to escalate privileges. It is a generic and effective method that can bypass CFI and works across different kernel versions and architectures. The presentation also discusses the importance of data-only attacks and the need for mitigations that protect data-only integrity.

  • The Requiem is a generic and effective exploitation method that swaps kernel credentials to escalate privileges
  • It can bypass CFI and works across different kernel versions and architectures
  • Data-only attacks are powerful and allow writing universal exploits without dealing with CFI and ROP
  • Mitigations in the Linux kernel mostly focus on protecting control-flow integrity, but mitigations that protect data-only integrity are also needed
  • The Requiem can actively escape from containers, which is not possible with Dirty Pipe

Kernel credentials are kernel-side properties that carry privilege information. Task credentials are used to examine a user's privilege, for both unprivileged and privileged users. Open-file credentials are used to check access rights to a file. The presentation explains how The Requiem and Dirty Pipe work and how their capabilities differ. The presenter also highlights the importance of protecting data-only integrity and the need for mitigations that address it.

Abstract

Dirty Pipe is the name given to the CVE-2022-0847 vulnerability, present in Linux kernel versions 5.8 and later. It is considered a very serious vulnerability found in the Linux kernel recently, partly because it gives a bad actor the ability to escalate privilege but, more importantly, because its exploitation does not need to deal with kernel address randomization or pointer integrity checks. With this capability, an exploit built on top of Dirty Pipe could be used on every affected kernel version without modification.

While Dirty Pipe is powerful, its exploitability is closely tied to the capability of the CVE-2022-0847 vulnerability, which abuses the Linux kernel pipe mechanism to inject data into arbitrary files. For other vulnerabilities without such pipe-abusing power, exploitation still cannot easily follow the Dirty Pipe approach and therefore carry the same level of security implication. In this talk, we present a novel exploitation method that pushes Dirty Pipe to the next level. Specifically, given a vulnerability with a double-free capability, we demonstrate that our exploitation method can obtain a Dirty-Pipe-like ability to overwrite an arbitrary file and escalate privilege. Exploits using our method inherit the advantage of Dirty Pipe that the code works on any affected kernel version without modification. We argue that our new exploitation method is not only more general than Dirty Pipe but also more powerful. First, rather than being tied to a specific vulnerability, this exploitation method allows any vulnerability with a double-free capability to demonstrate Dirty-Pipe-like ability. Second, while it can bypass all the kernel protections just as Dirty Pipe does, our exploitation method can additionally escape a container actively, which Dirty Pipe is not capable of.

Along with this talk, we demonstrate how our exploitation method works using real-world vulnerabilities. Specifically, we demonstrate privilege escalation on Linux and Android. Last but not least, we demonstrate how to achieve container escape on CentOS. We will release our exploitation details and all of the exploits demonstrated in this talk. To the best of our knowledge, ours is the first general method that helps develop a universal exploit for different kernel versions and different architectures. It greatly reduces the burden of migrating exploits across versions and architectures. Since our exploitation method is general and powerful, it also poses a great challenge to the existing kernel defense architecture.
