In February 2022, Microsoft patched the vulnerability first demonstrated at TianfuCup 2021 for escaping the Adobe Reader sandbox, assigned CVE-2022-22715. The vulnerability had existed in the Named Pipe File System for nearly 10 years, since AppContainer was introduced. It was named “Windows Dirty Pipe”.
In this article, I will share the root cause and exploitation of Windows Dirty Pipe. So let’s start our journey.
Root Cause of Windows Dirty Pipe
The vulnerability existed in the Named Pipe File System driver, npfs.sys, and the affected function is npfs!NpTranslateContainerLocalAlias. When NtCreateFile is invoked with a named pipe path, the request reaches the IRP_MJ_CREATE major function of npfs, which is NpFsdCreate.
Check the POC video
You can read the full technical details here and get the POC exploit code on GitHub.