# dirtypipe-ebpf_detection -- Dirtypipe detection tool

An eBPF detection program for CVE-2022-0847 (Dirty Pipe).

This program was made to detect Dirty Pipe exploitation attempts using eBPF. It also monitors non-vulnerable kernels and Docker containers, so exploitation attempts are still reported on patched hosts and inside containers.

:flight_departure: If you want more details on how it works please read the [blog](https://skyblue.team/posts/dirtypipe-ebpf-detection/) post ! :flight_arrival:
## How does it work?
**Default execution:**
```bash
sudo ./bin/dirtypipe_detection
```
**Debug mode:**
> Prints libbpf logs during execution
```bash
sudo ./bin/dirtypipe_detection --debug
```
**Daemon mode:**
> Runs the program as a daemon and sends alerts over syslog
```bash
sudo ./bin/dirtypipe_detection --daemon
```
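The README only shows how to launch the tool; the exploit pattern it has to spot is worth seeing in code. The following is an added user-space model, not the project's eBPF program and not code from the blog post: it replays a constructed trace of syscall events and raises an alert on the Dirty Pipe sequence, a `splice()` of a regular file into a pipe followed by a `write()` into that same pipe from the same process. On a vulnerable kernel the spliced `pipe_buffer` keeps `PIPE_BUF_FLAG_CAN_MERGE`, so the later write merges straight into the page-cache page. The event struct, the `dirtypipe_*` function names and the traces are all assumptions made for this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Event kinds the model consumes (constructed; a real tracer would fill them
 * from syscall tracepoints or kprobes). */
enum ev_type { EV_SPLICE, EV_WRITE, EV_CLOSE };

struct event {
    enum ev_type type;
    unsigned pid;
    int fd;                   /* splice: output fd; write/close: the fd used */
    bool fd_is_pipe;          /* fd refers to a pipe */
    int src_fd;               /* splice only: input fd */
    bool src_is_regular_file; /* splice only: input is a page-cache backed file */
};

/* Pipes that currently hold pages spliced from a regular file, per pid. */
#define MAX_TRACKED 64
struct tracked { unsigned pid; int pipe_fd; bool live; };
static struct tracked table[MAX_TRACKED];

static bool is_tracked(unsigned pid, int fd)
{
    for (int i = 0; i < MAX_TRACKED; i++)
        if (table[i].live && table[i].pid == pid && table[i].pipe_fd == fd)
            return true;
    return false;
}

static void track(unsigned pid, int pipe_fd)
{
    if (is_tracked(pid, pipe_fd))
        return;
    for (int i = 0; i < MAX_TRACKED; i++)
        if (!table[i].live) {
            table[i] = (struct tracked){ pid, pipe_fd, true };
            return;
        }
}

static void untrack(unsigned pid, int fd)
{
    for (int i = 0; i < MAX_TRACKED; i++)
        if (table[i].live && table[i].pid == pid && table[i].pipe_fd == fd)
            table[i].live = false;
}

/* Feed one event. Returns true when the event completes the exploit pattern. */
bool dirtypipe_feed(const struct event *e)
{
    switch (e->type) {
    case EV_SPLICE:
        /* Step 1 of the exploit: splice a regular file into a pipe. */
        if (e->src_is_regular_file && e->fd_is_pipe)
            track(e->pid, e->fd);
        return false;
    case EV_WRITE:
        /* Step 2: a write into that same pipe from the same process. */
        return e->fd_is_pipe && is_tracked(e->pid, e->fd);
    case EV_CLOSE:
        untrack(e->pid, e->fd);
        return false;
    }
    return false;
}

/* Replay a trace from a clean state; returns the number of alerts raised. */
int dirtypipe_run(const struct event *evs, int n)
{
    int alerts = 0;
    memset(table, 0, sizeof table);
    for (int i = 0; i < n; i++) {
        if (dirtypipe_feed(&evs[i])) {
            printf("ALERT: pid %u wrote into pipe fd %d after splicing a file into it\n",
                   evs[i].pid, evs[i].fd);
            alerts++;
        }
    }
    return alerts;
}

/* Constructed trace mimicking the public PoC: pid 4242 splices one byte of a
 * read-only file (fd 3) into a pipe (fd 5), then writes its payload to the pipe. */
static const struct event exploit_trace[] = {
    { EV_SPLICE, 4242, 5, true, 3, true },
    { EV_WRITE,  4242, 5, true, 0, false },
    { EV_CLOSE,  4242, 5, true, 0, false },
};

/* Constructed benign trace: a file spliced into a socket (not a pipe), then an
 * unrelated write to a pipe that never received spliced file pages. */
static const struct event benign_trace[] = {
    { EV_SPLICE, 4243, 7, false, 3, true },
    { EV_WRITE,  4243, 8, true, 0, false },
};

int dirtypipe_demo_exploit(void) { return dirtypipe_run(exploit_trace, 3); }
int dirtypipe_demo_benign(void)  { return dirtypipe_run(benign_trace, 2); }

int main(void)
{
    printf("exploit trace: %d alert(s)\n", dirtypipe_demo_exploit());
    printf("benign trace:  %d alert(s)\n", dirtypipe_demo_benign());
    return 0;
}
```

The sequence heuristic is deliberately simple and can fire on legitimate programs that splice a file into a pipe and then append to it; a kernel-side eBPF probe can tighten it by inspecting the target file's permissions (the PoC targets a file the process can only read) or the `pipe_buffer` flags directly, which this user-space model cannot see.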
## How to build?
### Debian
```bash
sudo apt install git make pkg-config libelf-dev clang-11 libc6-dev-i386 bpftool -y
git clone https://github.com/airbus-cert/dirtypipe-ebpf_detection
cd ./dirtypipe-ebpf_detection/src/
make
```
### Ubuntu
```bash
sudo apt install git make pkg-config libelf-dev clang-11 libc6-dev-i386 linux-tools-common linux-tools-$(uname -r) -y
git clone https://github.com/airbus-cert/dirtypipe-ebpf_detection
cd ./dirtypipe-ebpf_detection/src/
make
```
## Credits and References
Read the original [blog](https://dirtypipe.cm4all.com/) post on Dirty Pipe by Max Kellermann (max.kellermann@ionos.com)
Read the detection and remediation strategy from the [Datadog](https://www.datadoghq.com/blog/dirty-pipe-vulnerability-overview-and-remediation/) team