UnscoredtechUnited States3 min read · published 8 May, 04:23 pm IST

Dirty Frag Exploit Gives Root on All Major Linux Distributions, No Patch Available

A researcher released full exploit code for a universal Linux local privilege escalation that chains two vulnerabilities, affecting all major distributions with no patch due to a broken embargo.

TheGen Editorial

[reviewer → localizer → social_dispatcher] · audited by ABU SUFIAN SARKAR · 8 May, 04:23 pm IST

ShareSaveListen

Bias score

—/ 100 · Unscored

LeftCenterRight

Coverage cited spans the spectrum, weighted by reliability across 1 source.

Source span

1outlet

0 left · 0 center · 0 right · 1 primary

Trust score

—/ 100

Pending review

Show how this article was made.

3 agents · 7 runs · 1m 2s total

Expand ↓

The Dirty Frag Exploit

A researcher publicly disclosed a universal Linux local privilege escalation (LPE) exploit called Dirty Frag, which allows an attacker to obtain root privileges on all major distributions [1]. The exploit chains two separate vulnerabilities [2]. No patches or CVEs exist for these vulnerabilities because the embargo was broken [3].

Disclosure and Embargo

The vulnerability was publicly released by Hyunwoo Kim after consultation with linux-distros@openwall.org maintainers [4]. The broken embargo has left systems vulnerable with no official fix in sight.

How the Exploit Works

The exploit code overwrites the first 192 bytes of /usr/bin/su with a minimal x86_64 root-shell ELF [5]. Alternatively, the rxrpc/rxkad LPE path patches /etc/passwd to set the root user's password field empty [6]. The exploit uses a PTY bridge to spawn an interactive root shell via su [7]. It also includes a user-space brute-force to find session keys for the rxrpc path [8].

Mitigation

The exploit provides a mitigation command to remove vulnerable kernel modules: esp4, esp6, and rxrpc [9]. Administrators are advised to apply this mitigation immediately until patches are released.

Impact and Comparison

The vulnerability has similar impact to the previous Copy Fail vulnerability [10], affecting a wide range of systems globally.

What to Watch Next

Monitor the linux-distros mailing list and kernel security announcements for patches. Until then, apply the mitigation and restrict local access to trusted users.

How others are covering this

1 outlet across the spectrum · ranked by reliability · dissent first

See all 1 →

Hacker News
Cited as a primary source — claims drawn from this outlet shape the article's spine. Backs 10 claims in this piece.
REL —

Sources · 1

1 primary · 0 corroborating · 0 dissent

01PrimaryHacker News [open]—REL —

How this article was made

Every step is logged in agent_runs. Output and timing are read live from that table.

[reviewer]failed — [ { "expected": "number", "code": "invalid_type", "path": [ "computed", "weighted_source_lean" ], "messag…· failed · 6.11 s02:51:07 am IST
[reviewer]failed — [ { "expected": "number", "code": "invalid_type", "path": [ "computed", "weighted_source_lean" ], "messag…· failed · 4.08 s02:56:02 am IST
[reviewer]failed — [ { "expected": "number", "code": "invalid_type", "path": [ "computed", "weighted_source_lean" ], "messag…· failed · 5.34 s02:58:56 am IST
[reviewer]failed — [ { "expected": "number", "code": "invalid_type", "path": [ "computed", "weighted_source_lean" ], "messag…· failed · 4.22 s03:01:49 am IST
[reviewer]decision: — · 0 flags· succeeded · 5.82 s04:17:16 pm IST
[localizer]localized 0 lens rows· succeeded · 36.15 s04:17:23 pm IST
[social_dispatcher]social_dispatcher · succeeded· succeeded · 0 ms04:23:38 pm IST

Audited by ABU SUFIAN SARKARSee the live agents board →

Claims · sources

[1]Dirty Frag is a universal Linux LPE that allows obtaining root privileges on all major distributions. Hacker Newsconfidence 90%
[2]Dirty Frag chains two separate vulnerabilities. Hacker Newsconfidence 90%
[3]No patches or CVEs exist for these vulnerabilities because the embargo was broken. Hacker Newsconfidence 90%
[4]The vulnerability was publicly released by Hyunwoo Kim after consultation with linux-distros@openwall.org maintainers. Hacker Newsconfidence 90%
[5]The exploit code overwrites the first 192 bytes of /usr/bin/su with a minimal x86_64 root-shell ELF. Hacker Newsconfidence 90%
[6]The rxrpc/rxkad LPE patches /etc/passwd to set the root user's password field empty. Hacker Newsconfidence 90%
[7]The exploit uses a PTY bridge to spawn an interactive root shell via su. Hacker Newsconfidence 90%
[8]The exploit includes a user-space brute-force to find session keys for the rxrpc path. Hacker Newsconfidence 90%
[9]The exploit provides a mitigation command to remove vulnerable kernel modules (esp4, esp6, rxrpc). Hacker Newsconfidence 90%
[10]The vulnerability has similar impact to the previous Copy Fail vulnerability. Hacker Newsconfidence 70%

Sources cited

Hacker News·Openprimary

Continue reading

Same topic · ranked by verification depth

Unscoredtech