"Dirty Frag" exploit gets root on most Linux systems released after 2017

dead [he/him]@hexbear.net · edit-2 18 days ago

"Dirty Frag" exploit gets root on most Linux systems released after 2017

peeonyou [he/him]@hexbear.net · 18 days ago

oh good, another one

roberto [any]@hexbear.net · 18 days ago

My desktop is immune somehow, with a year old kernel. No idea why.

[user@shithouse:/tmp/dirtyfrag] > uname -a
Linux shithouse 6.1.153_2 #1 SMP PREEMPT_DYNAMIC Tue Sep 30 13:38:47 UTC 2025 x86_64 GNU/Linux
[user@shithouse:/tmp/dirtyfrag] > ./exp
dirtyfrag: failed (rc=3)
[user@shithouse:/tmp/dirtyfrag] > ./exp
dirtyfrag: failed (rc=3)
[user@shithouse:/tmp/dirtyfrag] > ./exp
dirtyfrag: failed (rc=3)
[user@shithouse:/tmp/dirtyfrag] > id
uid=1002(user) gid=200(users) groups=200(users)

gramxi [they/them]@hexbear.net · 18 days ago

The modules used by the exploit (esp4, esp6, rxrpc) might not be installed on your system

roberto [any]@hexbear.net · 18 days ago

They are:

[user@shithouse:/tmp/dirtyfrag] > lsmod | grep -E '(esp|rxrpc)'
esp6                   28672  0
rxrpc                 258048  0
ip6_udp_tunnel         16384  1 rxrpc
udp_tunnel             20480  1 rxrpc
esp4                   28672  0

[user@shithouse:/tmp/dirtyfrag] > zgrep -Ei '(rxrpc|inet.?_esp)' /proc/config.gz 
CONFIG_INET_ESP=m
CONFIG_INET_ESP_OFFLOAD=m
CONFIG_INET_ESPINTCP=y
CONFIG_INET6_ESP=m
CONFIG_INET6_ESP_OFFLOAD=m
CONFIG_INET6_ESPINTCP=y
CONFIG_AF_RXRPC=m
# CONFIG_AF_RXRPC_IPV6 is not set
# CONFIG_AF_RXRPC_INJECT_LOSS is not set
# CONFIG_AF_RXRPC_DEBUG is not set

gramxi [they/them]@hexbear.net · 18 days ago

kungen@feddit.nu · 18 days ago

What distro? Check dmesg, it’s probably AppArmor blocking unprivileged_userns.

roberto [any]@hexbear.net · 18 days ago

Void.

Kernel log has only these two messages from when the modules were loaded, none after that:

[12660744.186643] Initializing XFRM netlink socket
[12660751.925450] NET: Registered PF_RXRPC protocol family

No apparmor:

CONFIG_LSM="landlock,yama,loadpin,safesetid,integrity"

[user@shithouse:~] > aa-enabled
No - disabled at boot.

Isn’t half of the exploit intended to work around apparmor?

PorkrollPosadist [he/him, they/them]@hexbear.net · 18 days ago

Soot [any]@hexbear.net · edit-2 18 days ago

Reminder that though this is a big deal, it’s not something about which most people need to run around with their hair on fire.

This is a root escalation exploit, meaning a malicious actor still needs the ability to get on your system and permission to run the right commands. The major concern is for servers being accessed by unknown people, who may be able to access those commands. Minimal exposure for desktop users.

sodium_nitride [she/her, any]@hexbear.net · 18 days ago

Is arch affected?

(Please god let there be a benefit to using arch I need to justify my time sinking)

Azzu@lemmy.dbzer0.com · edit-2 18 days ago

It is affected. If you have the 7.0.4 kernel from yesterday though, you’re fine, though the linux arch package is still on 7.0.3. linux-cachyos for example is on 7.0.4.

sodium_nitride [she/her, any]@hexbear.net · edit-2 18 days ago

So I guess I have to upgrade the kernel to 7.0.4? Is that possible?

Azzu@lemmy.dbzer0.com · 18 days ago

Just wait until later today or tomorrow and the update will likely be in the core repository, then you can just do a normal update.

sodium_nitride [she/her, any]@hexbear.net · 18 days ago

OK thanks!

Azzu@lemmy.dbzer0.com · 16 days ago

Oh btw you can update now.

sodium_nitride [she/her, any]@hexbear.net · 16 days ago

Ah, thanks for reminding me!

Sickday@kbin.earth · 18 days ago

alpine proving once again it’s the goat