A researcher has successfully used the critical Dirty Pipe vulnerability in Linux to fully root two models of Android phones—a Pixel 6 Pro and Samsung S22—in a hack that demonstrates the power of exploiting the newly discovered OS flaw.
The researcher chose those two handset models for a good reason: They are two of the few—if not the only—devices known to run Android version 5.10.43, the only release of Google’s mobile OS that’s vulnerable to Dirty Pipe. Because the LPE, or local privilege escalation, vulnerability wasn’t introduced until the recently released version 5.8 of the Linux kernel, the universe of exploitable devices—whether mobile, Internet of Things, or servers and desktops—is relatively small.
Behold, a reverse shell with root privileges
But for devices that do package affected Linux kernel versions, Dirty Pipe offers hackers—both benign and malicious—a platform for bypassing normal security controls and gaining full root control. From there, a malicious app could surreptitiously steal authentication credentials, photos, files, messages, and other sensitive data. As I reported last week, Dirty Pipe is among the most serious Linux threats to be disclosed since 2016, the year another high-severity and easy-to-exploit Linux flaw named Dirty Cow came to light.
Android uses security mechanisms such as SELinux and sandboxing, which often make exploits hard, if not impossible. Despite the challenge, the successful Android root shows that Dirty Pipe is a viable attack vector against vulnerable devices.
“It’s exciting because most Linux kernel vulnerabilities are not going to be useful to exploit Android,” Valentina Palmiotti, lead security researcher at security firm Grapl, said in an interview. The exploit “is notable because there have only been a few public Android LPEs in recent years (compare that to iOS where there have been so many). Though because it only works 5.8 kernels and up, it’s limited to the two devices we saw in the demo.”
In a video demonstration published on Twitter, a security researcher who asked to be identified only by his Twitter handle Fire30 runs a custom-built app he wrote, first on a Pixel 6 Pro and then a Samsung S22. Within seconds, a reverse shell that gives full root access opens on a computer connected to the same Wi-Fi network. From there, Fire30 has the ability to override most security protections built into Android.
The root achieved is tethered, meaning it can’t survive a reboot. That means hobbyists who want to root their devices so they have capabilities not normally available would have to perform the procedure each time the phone turns on, a requirement that is unattractive to many rooting aficionados. Researchers, however, may find the technique more valuable, because it allows them to perform diagnostics that otherwise wouldn’t be possible.
But perhaps the group most interested will be people trying to install malicious wares. As the video shows, attacks have the potential to be fast and stealthy. All that’s required is local access to the device, usually in the form of it running a malicious app. Even if the universe of vulnerable devices is relatively small, there’s little doubt Dirty Pipe could be used to thoroughly compromise it.
“This is a highly reliable exploit that will work without customization on all vulnerable systems,” Christoph Hebeisen, head of security research at mobile security provider Lookout, wrote in an email. “This makes it a highly attractive exploit to use for attackers. I expect that weaponized versions of the exploit will appear, and they will be used as a preferred exploit when a vulnerable device is encountered because the exploit is reliable. Also, it may well be included in rooting tools for users rooting their own devices.”
It also stands to reason other types of devices running vulnerable versions of Linux can also be easily rooted with Dirty Pipe. On Monday, storage device maker QNAP said that some of its NAS devices are affected by the vulnerability and company engineers are in the process of investigating precisely how. Currently QNAP has no mitigations available and is recommending users check back and install security updates once they become available.