A new Linux kernel exploitation called Dirty Cred was revealed at last week’s Black Hat security conference.
The flaw which is identified as CVE-2022-0847 has been discovered by Zhenpeng Lin, a PhD Student, and his team, who tried to exploit the Linux kernel like the infamous Dirty Pipe vulnerability but with different approaches.
DirtyCred is a kernel exploitation concept that swaps unprivileged kernel credentials with privileged ones to escalate privilege. Instead of overwriting any critical data fields on the kernel heap, DirtyCred abuses the heap memory reuse mechanism to get privileged. It overwrites any files with read permission affecting kernel version 5.8 or higher.
Lin’s team discovered a path to swap Linux Kernel credentials on systems vulnerable to a previously reported vulnerability (CVE-2021-4154) and a new one (CVE-2022-2588), and they expect to add more compatible CVEs in the future. A public POC (proof of concept) is available on GitHub offering an effective defense against the attack.
The researchers described their attack scenario as a generic method that can apply to containers and Android. The team describes the approach as simple and powerful as it doesn't need to deal with KASLR and CFI.
Working of Dirty Cred
Lin published a demo on Twitter that demonstrates how the approach can be used to elevate a low-privileged user on two different systems, such as Centos 8 and Ubuntu, using the same exploit code:
Defense Against DirtyCred
It should be noted that the POC is still in progress, even if it’s already working in specific conditions, such as a specific vulnerability. CVE-2021-4154 has been patched in the Linux kernel, but the researchers indicate that “the exploit works on most Centos 8 kernels higher than Linux-4.18.0-305.el8 and most ubuntu 20 kernels higher than 5.4.0-87.98 and 5.11.0-37.41.”
Because objects are isolated according to their type and not their privileges, the researchers recommend isolating privileged credentials from unprivileged ones using virtual memory to prevent cross-cache attacks.