"Dirty Frag" exploit gets root on most Linux systems released after 2017

dead [he/him]@hexbear.net · edit-2 19 days ago

"Dirty Frag" exploit gets root on most Linux systems released after 2017

gramxi [they/them]@hexbear.net · 19 days ago

The modules used by the exploit (esp4, esp6, rxrpc) might not be installed on your system

roberto [any]@hexbear.net · 19 days ago

They are:

[user@shithouse:/tmp/dirtyfrag] > lsmod | grep -E '(esp|rxrpc)'
esp6                   28672  0
rxrpc                 258048  0
ip6_udp_tunnel         16384  1 rxrpc
udp_tunnel             20480  1 rxrpc
esp4                   28672  0

[user@shithouse:/tmp/dirtyfrag] > zgrep -Ei '(rxrpc|inet.?_esp)' /proc/config.gz 
CONFIG_INET_ESP=m
CONFIG_INET_ESP_OFFLOAD=m
CONFIG_INET_ESPINTCP=y
CONFIG_INET6_ESP=m
CONFIG_INET6_ESP_OFFLOAD=m
CONFIG_INET6_ESPINTCP=y
CONFIG_AF_RXRPC=m
# CONFIG_AF_RXRPC_IPV6 is not set
# CONFIG_AF_RXRPC_INJECT_LOSS is not set
# CONFIG_AF_RXRPC_DEBUG is not set

gramxi [they/them]@hexbear.net · 18 days ago

kungen@feddit.nu · 18 days ago

What distro? Check dmesg, it’s probably AppArmor blocking unprivileged_userns.

roberto [any]@hexbear.net · 18 days ago

Void.

Kernel log has only these two messages from when the modules were loaded, none after that:

[12660744.186643] Initializing XFRM netlink socket
[12660751.925450] NET: Registered PF_RXRPC protocol family

No apparmor:

CONFIG_LSM="landlock,yama,loadpin,safesetid,integrity"

[user@shithouse:~] > aa-enabled
No - disabled at boot.

Isn’t half of the exploit intended to work around apparmor?