Researcher uses Dirty Pipe exploit to completely root Pixel 6 Pro and Samsung S22


A researcher has used Linux's critical Dirty Pipe vulnerability to completely root two Android phone models, a Pixel 6 Pro and a Samsung S22, in a demonstration that shows how much power the recently disclosed kernel flaw hands to anyone who can exploit it.

The researcher chose these two handset models for good reason: they are two of the few, if not the only, Android devices known to ship Linux kernel version 5.10.43, a kernel release that falls inside the range vulnerable to Dirty Pipe. The flaw is a Linux kernel bug, not an Android-specific one, and since the LPE, or Local Privilege Escalation, vulnerability was only introduced with Linux kernel version 5.8 (released in August 2020) and was fixed in stable releases 5.10.102, 5.15.25, and 5.16.11, the universe of exploitable devices, whether mobile, Internet of Things, or servers and desktop computers, is relatively small: most Android handsets in the field still run older kernel branches.
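A practitioner who wants to know whether a device falls into that affected range usually starts from the string returned by `uname -r` (on Android, via `adb shell uname -r`). The following is an added example written for this page, not code from the article, from Fire30, or from the Linux project. It encodes the public fix points named above (bug introduced in 5.8; fixed in 5.10.102, 5.15.25, 5.16.11 and in 5.17) and treats the end-of-life series in between as never fixed. The sample release strings at the bottom are constructed, not captured from real devices. One caveat it cannot remove: a version string says nothing about vendor backports, so a kernel that reports 5.10.43 but carries the fix through an Android security update will be flagged as in range. Use it for triage, not as proof that a device is exploitable.

```python
"""Classify a Linux kernel release string against the Dirty Pipe
(CVE-2022-0847) affected range.

Added example for this page, not code from the article, Fire30, or
the Linux kernel project. Fix points are the public stable releases
that shipped the patch; vendor backports are invisible to this check,
so a hit means "in the unpatched upstream range", not "exploitable".
"""
import re
from typing import Dict, Iterable, Optional, Tuple

Version = Tuple[int, int, int]

# First mainline release containing the bug.
INTRODUCED: Version = (5, 8, 0)
# Stable series that shipped a fix, mapped to the first fixed patch level.
FIXED_IN: Dict[Tuple[int, int], int] = {
    (5, 10): 102,
    (5, 15): 25,
    (5, 16): 11,
}
# Every mainline release from here on shipped with the fix. Early 5.17
# release candidates are not modelled separately (assumption: nobody is
# triaging -rc kernels with this script).
FIXED_MAINLINE = (5, 17)

# Leading "major.minor[.patch]" of a `uname -r` string; everything after
# (e.g. "-android12-9-00009-g1234abcd" or "-rc6") is ignored.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_release(release: str) -> Optional[Version]:
    """Extract (major, minor, patch) from a `uname -r` string.

    Handles Android-style suffixes such as
    "5.10.43-android12-9-00009-g1234abcd" and distro strings like
    "5.4.0-100-generic"; returns None when no version prefix is present.
    """
    m = _VERSION_RE.match(release.strip())
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def is_dirty_pipe_vulnerable(release: str) -> Optional[bool]:
    """True if the reported version lies in the affected upstream range,
    False if it predates the bug or is at/after a fix, None if unparsable."""
    version = parse_release(release)
    if version is None:
        return None
    major, minor, patch = version
    series = (major, minor)
    if version < INTRODUCED:
        return False
    if series >= FIXED_MAINLINE:
        return False
    if series in FIXED_IN:
        return patch < FIXED_IN[series]
    # 5.8, 5.9 and 5.11 through 5.14 are end-of-life series that never
    # received the fix upstream.
    return True


def triage(releases: Iterable[str]) -> Dict[str, str]:
    """Map each release string to a human-readable verdict."""
    labels = {True: "in vulnerable range", False: "not in range", None: "unparsable"}
    return {r: labels[is_dirty_pipe_vulnerable(r)] for r in releases}


if __name__ == "__main__":
    # Constructed sample strings in the shape `uname -r` produces on
    # Android and desktop Linux; not output captured from real devices.
    SAMPLES = [
        "5.10.43-android12-9-00009-g1234abcd",  # Pixel 6 Pro style string
        "5.10.102",                              # first fixed 5.10 release
        "5.15.25",
        "5.16.10",
        "5.13.0-30-generic",                     # EOL series, never fixed upstream
        "5.4.0-100-generic",                     # predates the bug
        "4.19.230",
        "5.17.0-rc6",
        "not-a-kernel",
    ]
    for release, verdict in triage(SAMPLES).items():
        print(f"{release:40} {verdict}")
```

The comparison deliberately keys on the stable series first and only then on the patch level, because the fix landed at a different patch number in each maintained branch; a flat "greater than 5.16.11" comparison would wrongly clear a 5.10.43 kernel.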

Behold, a reverse shell with root privileges

But on devices that run an affected kernel, Dirty Pipe gives attackers, whether benign or malicious, a way to bypass the kernel's normal permission checks and gain full root control. From there, a malicious app could surreptitiously steal authentication credentials, photos, files, messages, and other sensitive data. As I reported last week, Dirty Pipe is among the most serious Linux threats to be disclosed since 2016, the year another very serious and easy-to-exploit Linux flaw called Dirty Cow was discovered.

Android layers security mechanisms such as SELinux and app sandboxing on top of the kernel, and those layers often make kernel exploits difficult, if not impossible, to turn into a full compromise. Despite that challenge, the successful rooting shows that Dirty Pipe is a viable attack vector against vulnerable Android devices.

“It’s exciting because most Linux kernel vulnerabilities won’t be useful for exploiting Android,” Valentina Palmiotti, senior security researcher at security firm Grapl, said in an interview. The exploit “is notable because there have only been a few public Android LPEs in recent years (compare that to iOS where there have been so many). However, since it only works with kernels 5.8 and above, it’s limited to the two devices we saw in the demo.”

In one video demonstration posted on Twitter, a security researcher who asked to be identified only by his Twitter handle Fire30 runs a custom app he wrote, first on a Pixel 6 Pro and then on a Samsung S22. Within seconds, a reverse shell that grants full root access opens on a computer connected to the same Wi-Fi network. From there, Fire30 has the ability to override most of Android’s built-in security protections.

The resulting root is tethered, which means it does not survive a reboot. Hobbyists who want to root their devices to unlock features that aren't normally available would therefore have to repeat the procedure every time the phone boots, an unattractive requirement for many rooting aficionados. Researchers, however, may find the technique more valuable, since a temporary root shell lets them inspect and analyze a device in ways that otherwise would not be possible.

But perhaps the most interested group will be people trying to install malware. As the video shows, attacks can be quick and stealthy. All that is required is local code execution on the device, usually in the form of a malicious application. Even though the universe of vulnerable devices is relatively small, there is no doubt that Dirty Pipe could be used to completely compromise it.

“This is a highly reliable exploit that will work without customization on all vulnerable systems,” wrote Christoph Hebeisen, head of security research at mobile security provider Lookout, in an email. “This makes it a very attractive exploit for attackers to use. I expect weaponized versions of the exploit to appear and be used as the preferred exploit when a vulnerable device is encountered, as the exploit is reliable. It may also be included in rooting tools for users rooting their own devices.”

It also stands to reason that other types of devices running vulnerable versions of Linux can be rooted just as easily with Dirty Pipe. On Monday, storage device maker QNAP said some of its NAS devices are affected by the vulnerability and that company engineers are investigating precisely how. QNAP currently has no mitigations available and recommends that users check for and install security updates as soon as they become available.