A new Linux kernel exploitation technique called DirtyCred was presented at last week's Black Hat security conference.
The flaw, which is identified as CVE-2022-0847, was discovered by Zhenpeng Lin, a PhD student, and his team, who set out to exploit the Linux kernel in the manner of the notorious Dirty Pipe vulnerability but with a different approach.
DirtyCred is a kernel exploitation concept that swaps unprivileged kernel credentials with privileged ones to escalate privilege. Instead of overwriting any critical data fields on the kernel heap, DirtyCred abuses the heap memory reuse mechanism to gain privilege. It can overwrite any file for which it has read permission, and it affects kernel version 5.8 or higher.
Lin's team found a path to swap Linux kernel credentials on systems vulnerable to a previously reported vulnerability (CVE-2021-4154) and a new one (CVE-2022-2588), and they expect to add more applicable CVEs in the future. A public PoC (proof of concept) is available on GitHub, along with an effective defense against the attack.
The researchers described their attack scenario as a generic method that can apply to containers and Android. The team describes the technique as simple and robust because it does not need to deal with KASLR and CFI.
How DirtyCred Works
Lin published a demo on Twitter that shows how the technique can be used to elevate a low-privileged user on two different systems, CentOS 8 and Ubuntu, using the same exploit code.
Defense Against DirtyCred
It should be noted that the PoC is still in development, although it already works under specific conditions, such as against a particular vulnerability. CVE-2021-4154 has been patched in the Linux kernel, but the researchers point out that "the exploit works on most Centos 8 kernels higher than Linux-4.18.0-305.el8 and most ubuntu 20 kernels higher than 5.4.0-87.98 and 5.11.0-37.41."
Because kernel objects are isolated according to their type and not their privileges, the researchers suggest isolating privileged credentials from unprivileged ones using virtual memory to prevent cross-cache attacks.