Not worked #1

Open
pavlinux opened this issue Mar 7, 2022 · 7 comments

Comments

@pavlinux
pavlinux commented Mar 7, 2022

cve

@steward007

Please post the path (kernel version, release version...)

@korang
korang commented Mar 8, 2022

Same error as above:
uname -a
Linux pop-os 5.16.11-76051611-generic #202202230823164624826121.10~2b22243 SMP PREEMPT Wed Mar 2 20: x86_64 x86_64 x86_64 GNU/Linux

cat /etc/os-release
NAME="Pop!_OS"
VERSION="21.10"
ID=pop
ID_LIKE="ubuntu debian"
PRETTY_NAME="Pop!_OS 21.10"
VERSION_ID="21.10"
HOME_URL="https://pop.system76.com"
SUPPORT_URL="https://support.system76.com"
BUG_REPORT_URL="https://github.com/pop-os/pop/issues"
PRIVACY_POLICY_URL="https://system76.com/privacy"
VERSION_CODENAME=impish
UBUNTU_CODENAME=impish
LOGO=distributor-logo-pop-os

I see now in the article that it appears to have been fixed in my kernel version.

@leoheck
leoheck commented Mar 8, 2022

My Ubuntu 21.10 seems to be good too.

➜  CVE-2022-0847-DirtyPipe-Exploit git:(main) ./compile.sh 

➜  CVE-2022-0847-DirtyPipe-Exploit git:(main) ls
compile.sh  exploit  exploit.c  LICENSE.txt  README.md

➜  CVE-2022-0847-DirtyPipe-Exploit git:(main) ./exploit 
Backing up /etc/passwd to /tmp/passwd.bak ...
Setting root password to "aaron"...
system() function call seems to have failed :(

➜  CVE-2022-0847-DirtyPipe-Exploit git:(main) uname -a
Linux falcon 5.13.0-30-generic #33-Ubuntu SMP Fri Feb 4 17:03:31 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

➜  CVE-2022-0847-DirtyPipe-Exploit git:(main) lsb_release -a
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 21.10
Release:	21.10
Codename:	impish

@skollr34p3r

The original exploit seems to work by replacing the password for the root user with the password "aaron". My bet is if you su root and then type aaron as the password you'll see that you're root. The extra additions to the original exploit that should be replacing the /etc/passwd with the /tmp/passwd.bak file are not working. This version of the modified exploit does not drop you into a root shell directly when running it. It simply replaces the password for root and requires the user to su to the root account with the "aaron" password.

@leoheck
leoheck commented Mar 9, 2022

Sure. But check the output of my command line when executing the exploit.

➜  CVE-2022-0847-DirtyPipe-Exploit git:(main) ./exploit 
Backing up /etc/passwd to /tmp/passwd.bak ...
Setting root password to "aaron"...
system() function call seems to have failed :(

The /tmp/passwd.bak was created. But it looks like it did not do something well.

Also, I did not post this part, since I tested it before posting this here. But su root with aaron as the password has failed too, unfortunately.

But it is a bit late for me, I guess, at least on my system, since Ubuntu has patched the issue.
https://9to5linux.com/canonical-patches-dirty-pipe-vulnerability-in-ubuntu-21-10-and-20-04-lts-update-now
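
Added example (not part of the thread or the repository): the kernel releases posted above can be compared against the upstream CVE-2022-0847 ranges, where the flaw was introduced in 5.8 and fixed in 5.16.11, 5.15.25 and 5.10.102. `dirtypipe_status` is a hypothetical helper name; `check-vendor` means the base version falls in the affected range, so the distribution's advisory decides, because backported fixes do not change the base version.

```shell
#!/bin/sh
# Added example, not from the thread or the repository.
# Upstream CVE-2022-0847 facts used: introduced in 5.8; fixed in
# 5.16.11, 5.15.25 and 5.10.102. dirtypipe_status is a hypothetical name.
# Output: not-affected | fixed-upstream | check-vendor | unknown

dirtypipe_status() (
    base=${1%%-*}                  # drop distro suffix: 5.13.0-30-generic -> 5.13.0
    case "$base" in *.*) ;; *) echo unknown; return 0 ;; esac
    maj=${base%%.*}
    rest=${base#*.}
    min=${rest%%.*}
    case "$rest" in
        *.*) pat=${rest#*.}; pat=${pat%%[!0-9]*} ;;   # "102+" -> 102
        *)   pat=0 ;;
    esac
    for n in "$maj" "$min" "$pat"; do
        case "$n" in ''|*[!0-9]*|0[0-9]*) echo unknown; return 0 ;; esac
    done
    # Kernels older than 5.8 predate the flaw.
    if [ "$maj" -lt 5 ] || { [ "$maj" -eq 5 ] && [ "$min" -lt 8 ]; }; then
        echo not-affected; return 0
    fi
    # 5.17 and later shipped with the fix.
    if [ "$maj" -gt 5 ] || [ "$min" -ge 17 ]; then
        echo fixed-upstream; return 0
    fi
    case "$min" in
        16) fixed=11 ;;
        15) fixed=25 ;;
        10) fixed=102 ;;
        *)  echo check-vendor; return 0 ;;   # no fix release listed for this branch
    esac
    if [ "$pat" -ge "$fixed" ]; then
        echo fixed-upstream
    else
        echo check-vendor                    # a distro backport may still apply
    fi
)

# Release strings as posted in the thread (from the two `uname -a` outputs).
for r in 5.16.11-76051611-generic 5.13.0-30-generic; do
    printf '%s -> %s\n' "$r" "$(dirtypipe_status "$r")"
done
```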

@kmahyyg
kmahyyg commented Mar 10, 2022

The original exploit seems to work by replacing the password for the root user with the password "aaron". My bet is if you su root and then type aaron as the password you'll see that you're root. The extra additions to the original exploit that should be replacing the /etc/passwd with the /tmp/passwd.bak file are not working. This version of the modified exploit does not drop you into a root shell directly when running it. It simply replaces the password for root and requires the user to su to the root account with the "aaron" password.

Yes, so in some cases the overwrite may not work correctly on some boundary.

@seamaner

The array of argv must be terminated by a null pointer.
