On Monday, a cybersecurity researcher released the details of a Linux vulnerability that allows an attacker to overwrite data in arbitrary read-only files.
The vulnerability — CVE-2022-0847 — was discovered by Max Kellermann in April 2021, but it took another few months for him to figure out what was actually happening.
Kellermann explained that the vulnerability affects Linux Kernel 5.8 and later versions but was fixed in Linux 5.16.11, 5.15.25 and 5.10.102.
“It all started a year ago with a support ticket about corrupt files. A customer complained that the access logs they downloaded could not be decompressed. And indeed, there was a corrupt log file on one of the log servers; it could be decompressed, but gzip reported a CRC error. I could not explain why it was corrupt, but I assumed the nightly split process had crashed and left a corrupt file behind. I fixed the file’s CRC manually, closed the ticket, and soon forgot about the problem,” Kellermann said.
“Months later, this happened again and yet again. Every time, the file’s contents looked correct, only the CRC at the end of the file was wrong. Now, with several corrupt files, I was able to dig deeper and found a surprising kind of corruption. A pattern emerged.”
Kellermann went on to show how he discovered the issue and how someone could potentially exploit it. He initially assumed the bug was only exploitable while a privileged process writes the file and that it depended on timing.
But he later found that it is possible to overwrite the page cache even in the absence of writers, with no timing constraints, “at (almost) arbitrary positions with arbitrary data.”
In order to exploit the vulnerability, the attacker needs to have read permissions, the offset must not be on a page boundary, the write cannot cross a page boundary and the file cannot be resized.
“To exploit this vulnerability, you need to: Create a pipe, fill the pipe with arbitrary data (to set the PIPE_BUF_FLAG_CAN_MERGE flag in all ring entries), drain the pipe (leaving the flag set in all struct pipe_buffer instances on the struct pipe_inode_info ring), splice data from the target file (opened with O_RDONLY) into the pipe from just before the target offset [and] write arbitrary data into the pipe,” he explained.
“This data will overwrite the cached file page instead of creating a new anonymous struct pipe_buffer because PIPE_BUF_FLAG_CAN_MERGE is set. To make this vulnerability more interesting, it not only works without write permissions, it also works with immutable files, on read-only btrfs snapshots and on read-only mounts (including CD-ROM mounts). That is because the page cache is always writable (by the kernel), and writing to a pipe never checks any permissions.”
He also shared his own proof-of-concept exploit.
The bug report, exploit, and patch were sent to the Linux kernel security team by Kellermann on February 20. The bug was reproduced on Google Pixel 6 and a bug report was sent to the Android Security Team.
Vulcan Cyber’s Mike Parkin said any exploit that gives root level access to a Linux system is problematic.
“An attacker that gains root gains full control over the target system and may be able to leverage that control to reach other systems. The mitigating factor with this vulnerability is that it requires local access, which slightly lowers the risk,” Parkin said.
“Escalating privileges to root (POSIX family) or Admin (Windows) is often an attacker’s first priority when they gain access to a system, as it gives them full control of the target and can help them extend their foothold to other victims. That hasn’t changed for ages and is unlikely to change in the foreseeable future.”
Shweta Khare, cybersecurity evangelist at Delinea, noted that several Windows kernel, DNS server RCE, and Adobe vulnerabilities of high severity rating have already made news this year because they allow attackers to gain elevated local system or admin privileges.
OS bugs and application-level vulnerabilities like these can allow attackers to elevate privileges, move laterally inside the network, execute arbitrary code, and completely take over devices, Khare said.