An eBPF detection program for CVE-2022-0847

Primary language: C. License: Apache-2.0

dirtypipe-ebpf_detection -- Dirtypipe detection tool

This program detects Dirty Pipe (CVE-2022-0847) exploitation attempts using eBPF. It also monitors non-vulnerable kernels and Docker containers.

🛫 If you want more details on how it works, please read the blog post! 🛬

How does it work?

Default execution:

sudo ./bin/dirtypipe_detection

Debug mode:

Shows libbpf logs during execution

sudo ./bin/dirtypipe_detection --debug

Daemon mode:

Runs the program as a daemon and sends alerts over syslog

sudo ./bin/dirtypipe_detection --daemon

How to build?

Debian

sudo apt install git make pkg-config libelf-dev clang-11 libc6-dev-i386 bpftool -y
git clone https://github.com/airbus-cert/dirtypipe-ebpf_detection
cd ./dirtypipe-ebpf_detection/src/
make

Ubuntu

sudo apt install git make pkg-config libelf-dev clang-11 libc6-dev-i386 linux-tools-common linux-tools-$(uname -r) -y
git clone https://github.com/airbus-cert/dirtypipe-ebpf_detection
cd ./dirtypipe-ebpf_detection/src/
make
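The Debian and Ubuntu build steps above differ only in where bpftool comes from. The helper below is an added example, not part of the dirtypipe-ebpf_detection project: it picks the package set for the running distro (detection via /etc/os-release is this helper's own assumption), builds the tool, and can start it in daemon mode.

```shell
#!/bin/sh
# Added example (not project code): select the README's dependency set for the
# running distro, build dirtypipe-ebpf_detection, and optionally run it as a daemon.
set -eu

REPO_URL="https://github.com/airbus-cert/dirtypipe-ebpf_detection"
COMMON_DEPS="git make pkg-config libelf-dev clang-11 libc6-dev-i386"

# Print the apt package list for a distro ID (as written in /etc/os-release).
# Debian ships bpftool as its own package; Ubuntu provides it through linux-tools.
deps_for_id() {
    case "$1" in
        debian) echo "$COMMON_DEPS bpftool" ;;
        ubuntu) echo "$COMMON_DEPS linux-tools-common linux-tools-$(uname -r)" ;;
        *) return 1 ;;
    esac
}

# Read the ID= field from an os-release style file (path is a parameter so it
# can be pointed at a constructed file when testing).
distro_id() {
    sed -n 's/^ID=//p' "$1" | tr -d '"'
}

# Install dependencies, clone the repository and build; needs root for apt.
build_tool() {
    id=$(distro_id /etc/os-release)
    deps=$(deps_for_id "$id") || { echo "unsupported distro: $id" >&2; return 1; }
    sudo apt install -y $deps
    git clone "$REPO_URL"
    (cd ./dirtypipe-ebpf_detection/src/ && make)
}

# Start the detector as a daemon; per the README, alerts are then sent to syslog,
# so watch your syslog sink (journald or /var/log/syslog) for them.
run_daemon() {
    sudo ./dirtypipe-ebpf_detection/bin/dirtypipe_detection --daemon
}

# Only act when explicitly asked, so the file can be sourced for its functions.
if [ "${1:-}" = "build" ]; then build_tool; fi
if [ "${1:-}" = "run" ]; then run_daemon; fi
```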

Credits and References

Read the original blog post on Dirty Pipe by max.kellermann@ionos.com

Read an interesting strategy from the Datadog team