DirtyCred : CVE-2022-2588
- CVE-2022-2588 is a use-after-free in the Linux kernel's route4 traffic-control classifier (net/sched/cls_route.c): when a filter whose handle is 0 is replaced, the old filter is not unlinked from the hash list, so it is freed while still reachable and can be used again afterwards. The bug was fixed upstream in Linux 5.19 ("net_sched: cls_route: remove from list when handle is 0") and the fix was backported to distribution kernels. Reaching it requires CAP_NET_ADMIN, which an unprivileged user normally obtains by creating a user namespace with its own network namespace.
- DirtyCred is the exploitation technique, not the bug: instead of corrupting code or kernel pointers, it frees an in-use kernel "credential" object and relies on the slab allocator handing the same slot to the next object of that size. Credential here means any object the kernel consults for permission checks, i.e. task credentials (struct cred) and open-file objects (struct file). Once a privileged object occupies the slot that the attacker's stale reference still points to, later permission checks pass as if the attacker were privileged.
- The outcome resembles DirtyPipe (CVE-2022-0847, which affects Linux 5.8 and later): data is written into a file the attacker may only read, here /etc/passwd. Unlike DirtyPipe, DirtyCred is not bound to one bug or one kernel range; any use-after-free on a credential-sized object can be driven the same way, which is why the technique is described as a generic method and CVE-2022-2588 only as its demonstration bug.
The attack has 3 steps:
1. Free an in-use unprivileged credential with the vulnerability, while the attacker's task (or an in-progress write) still references it.
2. Allocate privileged credentials in the freed memory slot by triggering a privileged userspace process such as su, mount, or sshd, which makes the kernel allocate a root credential (or open a protected file) of the same object size.
3. Operate as a privileged user: the stale reference now resolves to the privileged object, so the kernel's permission checks pass.
The public exploit for CVE-2022-2588 (the DirtyCred repository in the references) uses the file-object flavour rather than struct cred: a write to a file the attacker owns is started and passes its permission check, the file object is freed by the bug and replaced by a read-only open of /etc/passwd, and the pending write then completes into /etc/passwd. That is why the demonstration below checks /etc/passwd rather than the user ID.
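The slot-reuse idea behind the three steps, as an added user-space model that is not kernel code and not the exploit from the DirtyCred repository. The struct cred, the task and the slab cache are simplified stand-ins (assumed names; the real objects live in the kernel's cred_jar cache with a per-cpu SLUB freelist): a task only holds a pointer to its credential, the bug frees that credential while the pointer survives, and the next same-size allocation, made for a privileged process, lands in the same slot. The control run without the bug shows that the privileged credential otherwise goes to a different slot.

```c
/*
 * dirtycred_model.c: user-space model of the slot reuse DirtyCred relies on.
 * Added illustration only: nothing here is kernel code or the exploit from
 * the DirtyCred repository; struct layouts and the allocator are simplified
 * stand-ins for struct cred and the SLUB freelist.
 *
 * Build: gcc -std=c11 -Wall dirtycred_model.c -o dirtycred_model
 */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define CRED_SLOTS 4

/* Stand-in for struct cred: only the fields the model needs. */
struct cred {
    unsigned int uid;
    unsigned int euid;
    char owner[16];          /* name of the process that allocated it */
};

/*
 * Toy slab cache: a fixed array of objects plus a LIFO freelist.  For this
 * purpose SLUB's per-cpu freelist behaves the same way: the object freed
 * most recently is the one handed out next.
 */
struct cred_cache {
    struct cred slots[CRED_SLOTS];
    int freelist[CRED_SLOTS];
    int nfree;
};

static void cache_init(struct cred_cache *c)
{
    c->nfree = 0;
    for (int i = CRED_SLOTS - 1; i >= 0; i--)   /* push 3,2,1,0 so slot 0 pops first */
        c->freelist[c->nfree++] = i;
}

static struct cred *cred_alloc(struct cred_cache *c, unsigned int uid, const char *owner)
{
    if (c->nfree == 0)
        return NULL;
    struct cred *cr = &c->slots[c->freelist[--c->nfree]];
    cr->uid = cr->euid = uid;
    snprintf(cr->owner, sizeof cr->owner, "%s", owner);
    return cr;
}

/* Freeing does not scrub the object; it just goes back on the freelist. */
static void cred_free(struct cred_cache *c, struct cred *cr)
{
    c->freelist[c->nfree++] = (int)(cr - c->slots);
}

/* A task only holds a pointer to its credential, like task_struct->cred. */
struct task {
    const char *name;
    struct cred *cred;
};

struct model_result {
    unsigned int euid_before;   /* attacker's euid as the kernel sees it at start */
    unsigned int euid_after;    /* the same check after the privileged process ran */
    bool same_slot;             /* did su's credential land in the attacker's old slot? */
};

/*
 * Walk the three DirtyCred steps.  trigger_bug=true frees the attacker's
 * in-use credential first (the use-after-free); false is the control case
 * in which no bug exists.
 */
struct model_result dirtycred_model(bool trigger_bug)
{
    struct cred_cache cache;
    struct model_result r;

    cache_init(&cache);
    struct task attacker = { "attacker", cred_alloc(&cache, 1000, "bash") };
    r.euid_before = attacker.cred->euid;

    /* Step 1: the vulnerability frees the credential the attacker's task still points to. */
    if (trigger_bug)
        cred_free(&cache, attacker.cred);

    /* Step 2: the attacker runs a setuid binary such as su; the kernel allocates a
       root credential for it, and with a dangling slot on top of the freelist that
       is exactly where the allocation lands. */
    struct task su = { "su", cred_alloc(&cache, 0, "su") };

    /* Step 3: every permission check on the attacker's task now reads root's cred. */
    r.euid_after = attacker.cred->euid;
    r.same_slot = (attacker.cred == su.cred);
    return r;
}

int main(void)
{
    struct model_result bug = dirtycred_model(true);
    struct model_result ok = dirtycred_model(false);
    printf("with UAF:    euid %u -> %u, same slot as su: %s\n",
           bug.euid_before, bug.euid_after, bug.same_slot ? "yes" : "no");
    printf("without UAF: euid %u -> %u, same slot as su: %s\n",
           ok.euid_before, ok.euid_after, ok.same_slot ? "yes" : "no");
    return 0;
}
```

The model deliberately leaves out what makes the real exploit work in practice: the freed object and the privileged one must come from the same slab cache (or the attacker must go through a cross-cache step), the allocation must hit the same CPU's freelist, and for the file-object variant the write has to be stalled between its permission check and the actual copy so that the swap can happen in between.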
Exploit in action:
1. Log in to the vulnerable machine and check the kernel version with "uname -a". According to the exploit's README, it works on most CentOS 8 kernels newer than linux-4.18.0-305.el8 and most Ubuntu 20 kernels newer than 5.4.0-87.98 and 5.11.0-37.41, up to the builds that carry the cls_route fix. Also confirm that unprivileged user namespaces are allowed (on Ubuntu, sysctl kernel.unprivileged_userns_clone must be 1); without them the trigger cannot obtain CAP_NET_ADMIN.
2. Check the current user ID and the /etc/passwd file ("id; ls -l /etc/passwd") and note that the current user has no write permission on /etc/passwd. Keep a copy of the file ("cp /etc/passwd /tmp/passwd.orig") so the change can be reverted after the test.
3. On the Linux system, copy the exp.c exploit code from the DirtyCred repository linked in the references and save it:
$nano exp.c
4. Compile the C file with gcc:
$gcc exp.c -o dirtycred -lpthread
5. Run the exploit and wait for it to complete:
$./dirtycred
6. Now check /etc/passwd again and note that the file has been modified (text has been added and the root account entry changed), which shows the attack succeeded; "diff /tmp/passwd.orig /etc/passwd" shows exactly what was written. Restore the original file once you are done.
References:
https://www.esecurityplanet.com/threats/linux-exploit-dirty-cred/
https://github.com/Markakd/DirtyCred
Thanks for reading.
Feel free to point out any mistakes or let me know if there is anything I should add.
Keep learning, keep growing.