New Linux exploit “Dirty Cred” revealed
Zhenpeng Lin, a PhD student, and other researchers have uncovered a new Linux kernel exploitation technique called Dirty Cred. The flaw, tracked as CVE-2022-2588, was unveiled at the Black Hat security conference last week.
Dirty Cred is a use-after-free bug in route4_change in the net/sched/cls_route.c filter implementation found in the Linux kernel. This bug allows a local privileged attacker to crash the system, resulting in a local privilege escalation problem.
In order to detect the exploit, Lin worked on an alternative approach to the previously discovered “Dirty Pipe” vulnerability, which was targeted at Linux kernel version 8 and later.
Lin’s team was able to uncover a way to exchange Linux kernel data on systems that are vulnerable to Dirty Pipe and the new Dirty Cred.
Unlike Dirty Pipe, the researchers’ generic approach can be applied to containers and Android, ultimately “enabling various bugs to be Dirty Pipe-like.”
The approach to exploiting the vulnerability can be used to elevate a low-privileged user on two different systems, such as CentOS 8 and Ubuntu, with similar exploit code.
Since privileged credentials are not isolated from non-privileged credentials, an attacker may attempt to exchange them. In the case of Dirty Cred, data can be modified to ensure privilege escalation by freeing an in-use unprivileged credential and allocating a privileged one in the freed memory slot. This enables attackers to operate as a privileged user.
To protect systems from Dirty Cred attacks, the researchers recommend isolating privileged credentials from unprivileged credentials and using virtual memory to prevent cross-cache attacks. A patch is already available on GitHub and consists of isolating task cred using vmalloc.
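The slot-reuse mechanism described above, and why the recommended isolation defeats it, can be modelled in a toy fixed-slot object cache. This is an added illustration, not kernel code and not the researchers' patch: the `pool`, `cred`, `pool_alloc` and `pool_free` names are constructed here, and the two-pool split stands in for moving privileged task creds to a separate allocator (vmalloc in the real patch). The point for a defender is that a stale reference to a freed unprivileged object is only dangerous if a privileged object can be placed in that same slot.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of a fixed-size object cache: every object of one type comes
 * from the same pool and a freed slot is handed straight back to the next
 * allocation, as a slab cache does. Constructed for illustration only. */
#define POOL_SLOTS 8

struct cred {
    uint32_t uid;   /* 0 = privileged (root), anything else = unprivileged */
    char owner[16]; /* constructed label, for readability only */
};

struct pool {
    struct cred slots[POOL_SLOTS];
    bool used[POOL_SLOTS];
};

static struct cred *pool_alloc(struct pool *p, uint32_t uid, const char *owner)
{
    for (size_t i = 0; i < POOL_SLOTS; i++) {
        if (!p->used[i]) {
            p->used[i] = true;
            p->slots[i].uid = uid;
            strncpy(p->slots[i].owner, owner, sizeof p->slots[i].owner - 1);
            p->slots[i].owner[sizeof p->slots[i].owner - 1] = '\0';
            return &p->slots[i];
        }
    }
    return NULL;
}

static void pool_free(struct pool *p, struct cred *c)
{
    size_t i = (size_t)(c - p->slots);
    if (i < POOL_SLOTS)
        p->used[i] = false; /* slot becomes reusable; contents are not cleared */
}

/* Shared cache: privileged and unprivileged creds come from one pool.
 * Returns the uid seen through a stale reference after its slot is reused. */
uint32_t shared_cache_uid_after_reuse(void)
{
    struct pool cache;
    memset(&cache, 0, sizeof cache);

    struct cred *task_cred = pool_alloc(&cache, 1000, "user"); /* still referenced by a task */
    pool_free(&cache, task_cred);                              /* freed while in use (the bug) */
    pool_alloc(&cache, 0, "root");                             /* next alloc lands in that slot */

    return task_cred->uid; /* stale reference now reads the privileged object: 0 */
}

/* Isolated cache: privileged creds live in a separate pool, so no privileged
 * object can ever occupy a slot that an unprivileged cred vacated. */
uint32_t isolated_cache_uid_after_reuse(void)
{
    struct pool unpriv_cache, priv_cache;
    memset(&unpriv_cache, 0, sizeof unpriv_cache);
    memset(&priv_cache, 0, sizeof priv_cache);

    struct cred *task_cred = pool_alloc(&unpriv_cache, 1000, "user");
    pool_free(&unpriv_cache, task_cred);   /* same premature free */
    pool_alloc(&priv_cache, 0, "root");    /* goes to the other pool */

    return task_cred->uid; /* still 1000: the freed slot was never refilled with root */
}

int main(void)
{
    printf("shared cache, uid via stale ref:   %u\n", shared_cache_uid_after_reuse());
    printf("isolated cache, uid via stale ref: %u\n", isolated_cache_uid_after_reuse());
    return 0;
}
```

The bug is identical in both runs; only the allocation policy changes. That is why the mitigation targets the allocator rather than the individual flaw: with privileged and unprivileged credentials in separate regions, a freed-but-referenced unprivileged cred cannot be turned into a privileged one, whichever bug caused the free.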
The sources for this piece include an article in eSecurityPlanet.