leviathan/SKELETONKEY
1
0
Fork 0
Code Issues Pull Requests Actions 21 Packages Projects Releases Wiki Activity
Files
5a808e358387eb38083374c3131cb67b3fb9e2a2
SKELETONKEY/modules/dirty_pipe_cve_2022_0847/MODULE.md
T
leviathan 1552a3bfcb Phase 2 (partial): Dirty Pipe DETECT-ONLY module + core/kernel_range 
- core/kernel_range.{c,h}: branch-aware patched-version comparison.
  Every future module needs 'is the host kernel in the affected
  range?'; centralized here. Models stable-branch backports
  (e.g. 5.10.102, 5.15.25) so a 5.15.20 host correctly reports
  VULNERABLE while a 5.15.50 host reports OK.

- modules/dirty_pipe_cve_2022_0847/ (promoted out of _stubs):
  - iamroot_modules.{c,h}: dirty_pipe module exposing detect() that
    parses /proc/version and compares against the four known patched
    branches (5.10.102, 5.15.25, 5.16.11, 5.17+ inherited). Returns
    IAMROOT_OK / IAMROOT_VULNERABLE / IAMROOT_TEST_ERROR with stderr
    hints in human-readable scan mode.
  - exploit() returns IAMROOT_PRECOND_FAIL with a 'not yet
    implemented' message; landing the actual exploit needs Phase 1.5
    extraction of passwd/su helpers into core/.
  - detect/auditd.rules: splice() syscall + passwd/shadow file watches
  - detect/sigma.yml: non-root modification of /etc/passwd|shadow|sudoers

- iamroot.c main() calls iamroot_register_dirty_pipe() alongside
  the copy_fail_family registration.

- Makefile gains the dirty_pipe family as a separate object set.

Verified end-to-end on kctf-mgr (kernel 6.12.86): build clean, 6
modules in --list, --scan correctly reports dirty_pipe as patched,
JSON output ingest-ready.
2026-05-16 19:51:47 -04:00

1.4 KiB
Raw Blame History

Dirty Pipe — CVE-2022-0847

PLANNED module. See ../../ROADMAP.md Phase 2.

Summary

Pipe-buffer PIPE_BUF_FLAG_CAN_MERGE was incorrectly inherited by copy_page_to_iter_pipe() and push_pipe() paths, allowing an unprivileged user to write into the page cache of any file readable by them.

Affected kernels

  • ≤ 5.16.11
  • ≤ 5.15.25 LTS
  • ≤ 5.10.102 LTS

Upstream patch

9d2231c5d74e13b2a0546fee6737ee4446017903 ("lib/iov_iter: initialize "flags" in new pipe_buffer")

Why this module is here

Even in 2026, many production deployments still run vulnerable kernels (RHEL 7/8, older Ubuntu LTS, embedded). Bundling Dirty Pipe makes IAMROOT useful as a "historical sweep" tool on long-tail systems.

Implementation plan

  • C exploit ported from public PoCs (credit upstream authors in NOTICE.md when implemented)
  • detect(): kernel version check + /proc/version parse + test for fixed-version backports
  • exploit(): writes iamroot::0:0:dirtypipe:/:/bin/bash into /etc/passwd, then su iamroot — same shape as copy_fail's backdoor mode
  • Detection rules: auditd on splice() calls + pipe write patterns, filesystem audit on /etc/passwd modification by non-root

Not started yet

Pick this up after Phase 1 (module-interface refactor of the copy_fail family) so this module can use the standard iamroot_module shape from the start.

Reference in New Issue View Git Blame Copy Permalink