killchain-compendium/Exploits/Linux/DirtyPipe.md

16 lines
681 B
Markdown
Raw Normal View History

2022-11-13 22:38:01 +01:00
# CVE-2022-0847
* [Max Kellerman's post](https://dirtypipe.cm4all.com/)
* 5.8 < Vulnerable kernels < 5.10.102
* If a file can be read, it can be written also.
## Usage
* `splice(2)` moves data between files and through pipes without copying between kernel and user adress space
* Anonymous pipes permissions are not checked
* Read only permissions on pages do not matter on a pipe level
* Splice is putting data into the pipe and malicious data afterwards in the same one to overwrite the mem page
* `PIPE_BUF_FLAG_CAN_MERGE` flag has to be activated in order to write back to a file
* Works as long as there is an offset to start of a page in the beginning of the writing