Earlier today, a video was posted on Twitter by @Fire30_, showing off the new Dirty Pipe Linux kernel vulnerability to get root in Android on a Galaxy S22 and Pixel 6 Pro, both seemingly running the latest security patches. In each case, root access was achieved in less than a minute with a minimum of fuss, opening the door for both an easy root method enthusiasts might enjoy, and a whole lot of scary security concerns.
If you haven’t followed along with the recent news, a new kernel-level vulnerability was recently discovered called Dirty Pipe. It’s complicated, but the very short version is that software on recent versions of the Linux Kernel can achieve a privilege escalation (i.e., get root access, among other things) because of how the kernel handles reading and writing data in “pipes,” with a bug allowing you to write data to a target file when you shouldn’t actually be able to. Done correctly, this can be used for the execution of arbitrary code — a fancy way of saying an app or piece of software can do basically anything it wants within other technical limitations, including reading things it shouldn’t have access to and performing operations that should require permissions it doesn’t have. The issue affects devices running Linux kernels version 5.8 and later, including Android.
Fixes have already been released in the Linux kernel, with Android expected to address the issue in an upcoming monthly patch level. To date, we haven’t heard of the exploit being actively used in the wild, but that is likely to change.
The video, published to Twitter, shows both a Samsung Galaxy S22 and a Google Pixel 6 Pro achieving a root shell courtesy of the Dirty Pipe exploit, even flipping the phones over into a permissive SELinux state. This all serves as a demonstration of the damage it could do. Root-level access is nearly a carte blanche for apps, and when SELinux is set to a permissive mode, many of an Android device’s key security features are disabled. In essence, it’s just about fully “owned,” as the antique tech slang goes.
Speaking to a security researcher, I’m told that the impact of the vulnerability may still depend on other mitigating factors as well as the simple software requirements of needing a very recent kernel version. The vast majority of Android devices right now are running older versions of the Linux kernel that wouldn’t be affected.
Lastly, although the video illustrates an external device accessing a root shell, I’m told the exploit is almost certainly capable of happening entirely on-device in a fully app-based method, based on what’s been shown. Enthusiasts might be salivating here since it’s a mechanism to get seemingly non-permanent root on Samsung phones, right through the company’s less-than-hardened Knox security. And even without modifying the system for permanent root (which would trigger other detection methods and have other issues), an app could simply wait for a boot broadcast and achieve non-persistent root at that time. Of course, an app could also take advantage of all this for more nefarious purposes.
A malicious app with root access can have a severe impact, with the ability to steal your files, pictures, messages, and other data, potentially among even worse actions. Without getting too bogged down in all the applications, this is a very serious and severe vulnerability.
Again, we aren’t aware of any active in-the-wild use of the vulnerability yet, and only a small subset of very recently released devices should be affected. If you’re worried, check your current kernel version (usually in Settings -> About, listed in “software information” on Samsung phones, “Android version” on Pixels). If the listed kernel version is below 5.8, the exploit likely won’t work on your phone.
It may be possible for Google to update Play Protect to reduce the chances that you install an app (either officially or sideloading from unknown sources) that includes the exploit. We’ve reached out to Google for more information, but the company did not immediately respond to our questions on the subject. In the meantime, if you’ve got a phone that might be affected, it may be wise to stick to installing apps from approved sources in the meantime.
Seems to happen on phones with a notch or punch hole camera
About The Author