Earlier today a video was posted by @Fire30_ on Twitter showing the new Dirty Pipe Linux kernel vulnerability to root Android on a Galaxy S22 and Pixel 6 Pro, both of which appear to be running the latest security patches. In any case, root access was achieved with a minimum of fuss in less than a minute, opening the door to both an easy rooting method that enthusiasts might enjoy and a whole host of scary security concerns.
In case you haven’t been following the latest news, a new kernel-level vulnerability called Dirty Pipe was recently discovered. It’s complicated, but the very short version is that software on newer versions of the Linux kernel can achieve privilege escalation (i.e. gain root access, among other things) because the kernel handles reading and writing data in “pipes” by a bug , which allows you to write data to a target file when you shouldn’t be able to. Done right, this can be used to run any code – a fancy way of saying that an app or piece of software can do basically anything it wants, within other technical constraints, including reading things referenced it shouldn’t have access, and performing operations it shouldn’t have access to should require permissions it doesn’t have. The issue affects devices running Linux kernel version 5.8 and later, including Android.
Fixes have already been released in the Linux kernel, with Android expected to fix the issue in an upcoming monthly patch level. So far, we haven’t heard of the exploit being actively used in the wild, but that’s likely to change.
The video posted on Twitter shows both a Samsung Galaxy S22 and a Google Pixel 6 Pro achieving a root shell thanks to the Dirty Pipe exploit, even putting the phones in a permissive SELinux state. This all serves as a demonstration of the damage it could do. Root-level access is almost a free pass for apps, and when SELinux is set to an allowable mode, many of an Android device‘s most important security features are disabled. Essentially, it’s just complete “ownership,” as the ancient tech slang puts it.
Speaking to a security researcher, I was told that the impact of the vulnerability might still depend on other mitigating factors, as well as the simple software requirements that require a very recent kernel version. The vast majority of Android devices are currently running older versions of the Linux kernel that would not be affected.
Finally, although the video shows an external device accessing a root shell, I was told that the exploit can almost certainly take place entirely on the device in an entirely app-based method based on what was shown. Enthusiasts might rave about this, as it’s a mechanism to get seemingly non-permanent root on Samsung phones, right through the company’s less-than-hardened Knox security. And even without modifying the system for permanent rooting (which would trigger other detection methods and cause other problems), an app could simply wait for a boot broadcast and achieve non-persistent root at that point. Of course, an app could also exploit all of this for more nefarious purposes.
Malicious app with root access can have serious impact as it can steal your files, pictures, messages and other data which maybe belongs to even worse actions. Without getting bogged down in all the applications, this is a very serious and fatal vulnerability.
Again, we are not aware of any active in-the-wild use of the vulnerability, and only a small subset of recently released devices should be affected. If you are concerned, check your current kernel version (usually in settings -> About, listed in “Software information” on Samsung phones, “Android version” on Pixels). If the kernel version listed is below 5.8, the exploit probably won’t work on your phone.
Google Play may be able to update Protect to reduce the likelihood that you will install an app (either official or from unknown sources) that contains the exploit. We reached out to Google for more information, but the company didn’t immediately respond to our questions on the matter. In the meantime, if you have a phone that may be affected, it might be wise to install apps from approved sources in the meantime.
It’s more than a Netflix machine
About the author