Pipes are an interprocess communication mechanism represented as a file within Linux that can receive input data and provide an output for that data. The output of one process can become the input of another using a “pipe” to forward that data between.

Pipes are managed by the CPU in memory and their data is referred to as a “page”.

The exploitation of this vulnerability utilizes a process called “page splicing”. Page splicing is used to merge data between different pipe pages in memory without having to rewrite the data.

The flag we referenced in the summary is the PIPE_BUF_FLAG_CAN_MERGE flag. This must be set in order for a page cache to be merged and is only set when the pipe page becomes full. Howerver, if the page cache is emptied completely this flag remains (lack of initialization) which is where the problem lies.

The exploit functions generally by:

Opening a new pipe
Filling the pipe’s page cache with arbitrary data in order to set the PIPE_BUF_FLAG_CAN_MERGE flag
Draining the page cache of data but retaining the PIPE_BUF_FLAG_CAN_MERGE flag and replacing the data with the new data they want to overwrite a read-only file with
The splice (“page splicing”) syscall is then used to merge the pages (the pipe page and target file page) leading to the new data being added to a target file bypassing the read-only permissions

Many of the exploit POCs observed so far target the /etc/passwd file to overwrite and provide the users with elevated root privileges. Other variants of the exploit released allow for the creation of a SUID shell backdoor by overwriting a binary that has SUID permissions (superuser capabilities) giving the user a root shell and complete control.

We anticipate that adversaries and researchers will develop a multitude of other exploitation chains with this particular vulnerability.

Enterprise Search

Observability

Security

Elastic Cloud

Elastic (ELK) Stack

Elastic 8.4 veröffentlicht

Elastic Stack upgraden

Dokumentation

ElasticON Global 2021

Wir stellen ein

Bessere digitale Erlebnisse für Ihre Kunden

Weiterentwicklung des DevOps-Lebenszyklus

Grenzenlose Security

Öffentlicher Sektor

Finanzdienstleistungen

Telekommunikation

Gesundheitswesen

Technologie

Einzelhandel und E-Commerce

Medien und Entertainment

Fertigung und Automobilindustrie

Cybersicherheitslösungen für eine Welt voller Risiken

Enterprise Search

Observability

Security

Kundenerfolg

Dokumentation

Kontaktaufnahme

Audi Business Innovation

Mayr-Melnhof Group

Jaguar Land Rover

Dokumentation

Blogs

Schulung

Events

Community

Consulting

Messbarer Erfolg durch Elastic Enterprise Search

Erste Schritte mit Elasticsearch

Observability-Engineer-Schulung

Über Elastic

Karriere

Presse

Partner

Investor Relations

Elastic Excellence Awards

Warum genau jetzt die richtige Zeit ist, wichtige Datenbanken in die Cloud zu verlagern

Enterprise Search

Observability

Security

Elastic Cloud

Elastic (ELK) Stack

Elastic 8.4 veröffentlicht

Elastic Stack upgraden

Dokumentation

ElasticON Global 2021

Wir stellen ein

Bessere digitale Erlebnisse für Ihre Kunden

Weiterentwicklung des DevOps-Lebenszyklus

Grenzenlose Security

Öffentlicher Sektor

Finanzdienstleistungen

Telekommunikation

Gesundheitswesen

Technologie

Einzelhandel und E-Commerce

Medien und Entertainment

Fertigung und Automobilindustrie

Enterprise Search

Observability

Security

Kundenerfolg

Dokumentation

Kontaktaufnahme

Audi Business Innovation

Mayr-Melnhof Group

Jaguar Land Rover

Dokumentation

Blogs

Schulung