SECURITY: LINUX Dirty Frag Root Access Kernel Vulnerability
Image from Dirty Frag's GitHub1
DISCLAIMER: I cannot validate the owner of the GitHub repo. Should you decide to perform any of the code provided in this blog post, you do so at your own risk. Information provided in this post is provided for free and as-is.
Shortly after the announcement of the Copy-Fail vulnerability2, South Korean security researcher Hyunwoo Kim3 announced the Dirty Frag vulnerability. In the comments on the Tom's Hardware article covering this story, a commenter, bit_user, notes, "This is a local exploit... In the thread about the Copy Fail exploit folks got the impression the vulnerability directly enabled a remote attacker to gain root access, which it didn't". Another commenter, ThisIsMe, expressed a differing view, "It’s not limited to local only. It can be remotely executed by any user that has remote access to the Linux device... This could also affect systems that have other software running on them with possible vulnerabilities that let you execute code within its context... However, this will affect many devices and enterprise Linux environments."4 The Dirty Frag GitHub repository describes it1:
"Dirty Frag is a case that extends the bug class to which Dirty Pipe and Copy Fail belong. Because it is a deterministic logic bug that does not depend on a timing window, no race condition is required, the kernel does not panic when the exploit fails, and the success rate is very high."
Gif from Dirty Frag's GitHub1 showing the vulnerability.
Linux distributions that have been tested and known to have the vulnerability include1:
- Ubuntu 24.04.4: 6.17.0-23-generic
- RHEL 10.1: 6.12.0-124.49.1.el10_1.x86_64
- openSUSE Tumbleweed: 7.0.2-1-default
- CentOS Stream 10: 6.12.0-224.el10.x86_64
- AlmaLinux 10: 6.12.0-124.52.3.el10_1.x86_64
- Fedora 44: 6.19.14-300.fc44.x86_64
- ...
CAUTION: PERFORMING THE CODE EXECUTIONS IS AT YOUR OWN RISK.
Because there was no embargo, a patch is not currently available. The only recommended mitigation is to disable the esp4, esp6 and rxrpc modules4 with the following command, provided on GitHub1:
sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; echo 3 > /proc/sys/vm/drop_caches; true"
Here is a quick anatomy of the script5:
- sh -c: Reads and executes the text enclosed in the double quotes " " as a script.
- printf: Similar to echo, prints the text to stdout.
- install: "Install - copy files and set attributes. This install program copies files (often just compiled) into destination locations you choose."
- esp4 | esp6 | rxrpc: These are the modules.
- rmmod: Remove module(s).
- /bin/false: Do nothing unsuccessfully.
- \n: Create a new line.
- >: Write to, or write over starting at the beginning of, the file.
- 2>: Output to stderr.
- /dev/null: It is the black hole.
- /etc/modprobe.d/: This is the configuration directory for the modprobe daemon.
- dirtyfrag.conf: The created (new) config file that you create in the modprobe daemon config directory.
- ;: Sequentially perform the next action (script) regardless of whether the previous one fails.
- echo 3: Prints 3 to stdout.
- /proc/sys/vm/drop_caches: System process, virtual memory, drop caches... where the dirty data is managed.
- true: Do nothing successfully; exit with a success status code.
Here is a cleaner view of the script, divided into a more readable format (line breaks added for reading only):
sh -c "
printf 'install esp4 /bin/false\n
install esp6 /bin/false\n
install rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf;
rmmod esp4 esp6 rxrpc 2>/dev/null;
echo 3 > /proc/sys/vm/drop_caches;
true
"
This is how I read what the script does:
- Execute bash script with provided text.
- Prevent interaction when installing esp4, esp6, and rxrpc; that's written to the dirtyfrag.conf config file located in the modprobe daemon directory.
- Remove the esp4, esp6, and rxrpc modules and process through standard error and send it to the black hole.
- Free page cache6 and do nothing successfully.
Bonus tip: You can also check which modules are currently loaded with lsmod.
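As an added example that is not part of the original post or the Dirty Frag repository, the following POSIX shell script packages the mitigation above into functions you can check: one writes the same three install lines into a dirtyfrag.conf under a directory you choose (a temporary directory when trying it out, /etc/modprobe.d on a real host), one verifies the file covers all three modules, and one reads lsmod-style output and reports which of the three modules are still loaded. The directory argument and the sample lsmod text are constructed for this example. One point worth knowing when reading the config: inside a modprobe.d file, install <module> <command> is a modprobe directive, meaning modprobe runs the command instead of loading the module, which is why pointing it at /bin/false makes every load attempt fail; it is unrelated to the coreutils install program.

```shell
#!/bin/sh
# Added example (not from the Dirty Frag repository): generate the modprobe.d
# mitigation file into a chosen directory and audit lsmod-style output for
# the three affected modules. The module names and the file name mirror the
# mitigation command quoted above; the directory argument is an assumption so
# the script can be exercised without root against a temporary directory.

MITIGATED_MODULES="esp4 esp6 rxrpc"

# Write one "install <module> /bin/false" line per module into
# <dir>/dirtyfrag.conf. In a modprobe.d file, "install" tells modprobe to run
# the given command instead of loading the module, so /bin/false makes every
# load attempt fail. Prints the path that was written.
write_mitigation_conf() {
    dir="$1"
    conf="$dir/dirtyfrag.conf"
    : > "$conf" || return 1
    for m in $MITIGATED_MODULES; do
        printf 'install %s /bin/false\n' "$m" >> "$conf"
    done
    printf '%s\n' "$conf"
}

# Check that a config file contains an install line for every mitigated
# module; exit status 0 only if all three are covered.
conf_covers_all_modules() {
    conf="$1"
    for m in $MITIGATED_MODULES; do
        grep -q "^install $m /bin/false\$" "$conf" || return 1
    done
    return 0
}

# Read lsmod-style output on stdin (first column is the module name) and
# print the mitigated modules that are still loaded, one per line.
# Exit status 1 if any are loaded, 0 if none are.
loaded_mitigated_modules() {
    found=""
    while read -r name _rest; do
        for m in $MITIGATED_MODULES; do
            [ "$name" = "$m" ] && found="$found $m"
        done
    done
    for m in $found; do printf '%s\n' "$m"; done
    [ -z "$found" ]
}

# Constructed sample of lsmod output (not captured from a real host):
# esp4 and rxrpc are loaded, esp6 is not.
SAMPLE_LSMOD='Module                  Size  Used by
esp4                   28672  0
rxrpc                 327680  1 af_rxrpc
xfrm_user              57344  1'

# Self-demonstration: write the config into a temporary directory, verify
# it, and report which modules the constructed sample shows as loaded.
# Writing the config alone does not unload modules that are already loaded,
# which is why the original mitigation follows printf with rmmod.
demo() {
    tmp=$(mktemp -d)
    conf=$(write_mitigation_conf "$tmp")
    conf_covers_all_modules "$conf" && echo "config ok: $conf"
    echo "mitigated modules still loaded according to the sample:"
    printf '%s\n' "$SAMPLE_LSMOD" | loaded_mitigated_modules \
        || echo "(these would need rmmod on a real host)"
    rm -rf "$tmp"
    return 0
}

demo
```

On a real host the same functions would be run as root with /etc/modprobe.d as the directory and the live module list piped in (lsmod | loaded_mitigated_modules), followed by rmmod for whatever is reported; the drop_caches step from the original command is not reproduced here because it needs root and has no checkable result.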
2026v.0.1.0