CVE-2022-0847-DirtyPipe-Exploit

Not worked

Open pavlinux opened this issue 3 years ago • 7 comments

pavlinux avatar Mar 07 '22 22:03 pavlinux

Please post the path (kernel version, release version, ...).

steward007 avatar Mar 08 '22 02:03 steward007

Same error as above:

uname -a
Linux pop-os 5.16.11-76051611-generic #202202230823~1646248261~21.10~2b22243 SMP PREEMPT Wed Mar 2 20: x86_64 x86_64 x86_64 GNU/Linux

cat /etc/os-release
NAME="Pop!_OS"
VERSION="21.10"
ID=pop
ID_LIKE="ubuntu debian"
PRETTY_NAME="Pop!_OS 21.10"
VERSION_ID="21.10"
HOME_URL="https://pop.system76.com"
SUPPORT_URL="https://support.system76.com"
BUG_REPORT_URL="https://github.com/pop-os/pop/issues"
PRIVACY_POLICY_URL="https://system76.com/privacy"
VERSION_CODENAME=impish
UBUNTU_CODENAME=impish
LOGO=distributor-logo-pop-os

I see now in the article that it appears to have been fixed in my kernel version.

korang avatar Mar 08 '22 02:03 korang

My Ubuntu 21.10 seems to be good too.

➜  CVE-2022-0847-DirtyPipe-Exploit git:(main) ./compile.sh 

➜  CVE-2022-0847-DirtyPipe-Exploit git:(main) ls
compile.sh  exploit  exploit.c  LICENSE.txt  README.md

➜  CVE-2022-0847-DirtyPipe-Exploit git:(main) ./exploit 
Backing up /etc/passwd to /tmp/passwd.bak ...
Setting root password to "aaron"...
system() function call seems to have failed :(

➜  CVE-2022-0847-DirtyPipe-Exploit git:(main) uname -a
Linux falcon 5.13.0-30-generic #33-Ubuntu SMP Fri Feb 4 17:03:31 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

➜  CVE-2022-0847-DirtyPipe-Exploit git:(main) lsb_release -a
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 21.10
Release:	21.10
Codename:	impish

leoheck avatar Mar 08 '22 17:03 leoheck

The original exploit seems to work by replacing the password for the root user with the password "aaron". My bet is if you su root and then type aaron as the password you'll see that you're root. The extra additions to the original exploit that should be replacing the /etc/passwd with the /tmp/passwd.bak file are not working. This version of the modified exploit does not drop you into a root shell directly when running it. It simply replaces the password for root and requires the user to su to the root account with the "aaron" password.

skollr34p3r avatar Mar 09 '22 22:03 skollr34p3r

Sure. But check the output of my command line when executing the exploit.

➜  CVE-2022-0847-DirtyPipe-Exploit git:(main) ./exploit 
Backing up /etc/passwd to /tmp/passwd.bak ...
Setting root password to "aaron"...
system() function call seems to have failed :(

The /tmp/passwd.bak was created. But it looks like it did not do something well.

Also, I did not post this part, since I tested it before posting this here. But su root with aaron as the password has failed too, unfortunately.

But it is a bit late for me, I guess, at least on my system, since Ubuntu has patched the issue. https://9to5linux.com/canonical-patches-dirty-pipe-vulnerability-in-ubuntu-21-10-and-20-04-lts-update-now

leoheck avatar Mar 09 '22 22:03 leoheck
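A defender-side check for the two things this thread turns on: whether the kernel already carries the fix, and whether root's entry in /etc/passwd has been rewritten with an inline hash while a backup sits in /tmp/passwd.bak. This is an added example, not code from the repository; the 5.16.11 fix point is the one reported above, the uname lines are shortened copies of the ones posted in the thread, and the passwd contents and hash are constructed.

```python
import re

# Fix point taken from the thread (steward007's 5.16.11 kernel was already
# patched). Distro kernels backport fixes without bumping the version, so a
# result below this point only means "consult the distro advisory", as the
# patched Ubuntu 5.13.0-30 kernel in the thread shows.
MAINLINE_FIX = (5, 16, 11)

# Constructed sample input: the two uname lines posted above (shortened), a
# clean passwd file, and the same file after root's field got a dummy hash.
UNAME_POP = "Linux pop-os 5.16.11-76051611-generic #202202230823 SMP x86_64 GNU/Linux"
UNAME_UBU = "Linux falcon 5.13.0-30-generic #33-Ubuntu SMP x86_64 GNU/Linux"
PASSWD_BAK = ("root:x:0:0:root:/root:/bin/bash\n"
              "alice:x:1000:1000::/home/alice:/bin/bash\n")
PASSWD_NOW = ("root:$1$DUMMYHASH$notarealhash:0:0:root:/root:/bin/bash\n"
              "alice:x:1000:1000::/home/alice:/bin/bash\n")
SHADOW_PLACEHOLDERS = {"x", "*", "!", "!!"}

def kernel_version(uname_line):
    """Return (major, minor, patch) parsed from `uname -a` / `uname -r` output."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)", uname_line)
    if not m:
        raise ValueError("no kernel version in: %r" % uname_line)
    return tuple(int(x) for x in m.groups())

def kernel_status(uname_line, fix=MAINLINE_FIX):
    """'fixed' at or after the mainline fix, otherwise 'check-distro-advisory'."""
    return "fixed" if kernel_version(uname_line) >= fix else "check-distro-advisory"

def inline_hash_accounts(passwd_text):
    """Users whose passwd field is not a shadow placeholder: a hash written
    straight into /etc/passwd (what the exploit does to root) or an empty field."""
    hits = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[1] not in SHADOW_PLACEHOLDERS:
            hits.append(fields[0])
    return hits

def changed_entries(backup_text, current_text):
    """Entries that differ between a backup (e.g. /tmp/passwd.bak) and the live file."""
    def index(text):
        return {l.split(":")[0]: l for l in text.splitlines() if ":" in l}
    old, new = index(backup_text), index(current_text)
    return {u: (old.get(u), new.get(u)) for u in set(old) | set(new)
            if old.get(u) != new.get(u)}

if __name__ == "__main__":
    print(kernel_status(UNAME_POP), kernel_status(UNAME_UBU))
    print(inline_hash_accounts(PASSWD_NOW), changed_entries(PASSWD_BAK, PASSWD_NOW))
```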

The original exploit seems to work by replacing the password for the root user with the password "aaron". My bet is if you su root and then type aaron as the password you'll see that you're root. The extra additions to the original exploit that should be replacing the /etc/passwd with the /tmp/passwd.bak file are not working. This version of the modified exploit does not drop you into a root shell directly when running it. It simply replaces the password for root and requires the user to su to the root account with the "aaron" password.

Yes, so, in some cases, the overwrite may not have worked correctly at some boundary.

kmahyyg avatar Mar 10 '22 01:03 kmahyyg

The array of argv must be terminated by a null pointer.

seamaner avatar Mar 24 '23 08:03 seamaner