DirtyCred : CVE-2022-2588

 


  • A vulnerability in the Linux kernel that allows data to be overwritten in arbitrary read-only files. Since unprivileged processes can inject code into parent processes, this vulnerability can lead to privilege escalation. 

  • DirtyCred is a kernel exploit concept that exploits the heap memory reuse mechanism to obtain high privilege.
  • This vulnerability is similar to the DirtyPipe vulnerability (CVE-2022-0847) impacting Linux kernel versions 5.8 and later.

The attack includes 3 steps:

1.  Free an in-use unprivileged credential

2. Allocate privileged credentials in the free memory slot by triggering a privileged userspace process such as su, mount, or sshd

3. Operate as a privileged user


Exploit in action:

1.     Login to the vulnerable machine and check the kernel version “uname -a” {The exploit works on most Centos 8 kernels higher than linux-4.18.0-305.el8 and most ubuntu 20 kernels higher than 5.4.0-87.98 and 5.11.0-37.41}

2.     Check the current user id and /etc/passwd file, note that the current user doesn’t have  write permission to /etc/passwd file




       3.  In your Linux system copy and save the exp.c exploit code provided here 
             
            $nano exp.c

4.  Compile the c file using gcc

            $gcc exp.c -o dirtycred -lpthread

       
       5.  Run the exploit and wait for it to complete
 
           $./dirtycred


       6. Now, check the /etc/passwd file again and note that the password file is modified (some text is               added, and root account details are modified), indicating that the attack was                                               successful
  

Reference:

https://www.esecurityplanet.com/threats/linux-exploit-dirty-cred/

https://github.com/Markakd/DirtyCred

Thanks for reading ๐Ÿ˜Š

Feel free to point out any mistakes or let me know if there is anything I should add ๐Ÿ˜Š

Keep Learning, Keep growing ๐Ÿ˜Š

Comments

Post a Comment

Popular posts from this blog

SQL Injection – “Let’s dump the database”

Image
  What is SQL injection? ✔ SQL injection is a code injection technique that uses malicious SQL code to access information/data that was not intended to be displayed. It can be used to obtain unauthorized access to the underlying data, structure, and DBMS.  ✔ SQL Injection attacks are one of the oldest, most prevalent, and most dangerous web application vulnerabilities. The OWASP organization lists injections in their OWASP Top 10 2017 document as the number 1 threat to web application security.  ✔ SQL injection vulnerability occurs when the application sends user input to the interpreter without sanitizing it and user input can be used to query database. SQL queries are used to execute commands, such as data retrieval, updates, and record removal. Types Of SQL Injection Attacks : SQL Injection can be classified into three major categories In-band SQL Injection Inferential SQL Injection Out-of-band SQL Injection 1) In-band SQL Injections When the attacker uses the same communication c
Read more

Unrestricted File Uploads

Image
Uploading is the transmission of a file from one computer system to another, usually a larger computer system. For instance, a job portal would allow a user to upload a resume and certificates whereas a banking website would allow a user to upload supporting documentation such as identity, address, and income proof. What is  Unrestricted File Upload ? If the File Upload functionality is not properly designed, this might bring up the danger. An attacker can take advantage of this functionality and upload executable codes in file formats such as PHP file, JavaScript, and exe, which could attack client machines or the network by uploading viruses, worms, or trojan horses.  This is what is known as file upload vulnerability. Types of File Upload Vulnerability : Local file upload vulnerability - A local file upload vulnerability is a vulnerability where an application allows a user to upload a malicious file directly which is then executed. Remote file upload vulnerability - A remote file
Read more