Dirty Frag Explained

追加: 2026-05-16

[00:00:05]Hey, this is 0xdf and today we're talking dirty frag. Just a week after copy fail, another similar Linux priv-esc dropped and this one was much messier. Dirty frag became public before it had a CVE or disclosure had been completed and it kind of caught everyone off guard. It's actually two vulnerabilities that allow for writing into cached memory similar to what copy failed did and that way we can overwrite sensitive files and uh there's multiple ways to get root from there.

[00:00:33]Uh there's a detailed write-up on the vulnerability and a proof of concept.

[00:00:36]So, in this video I'm going to talk about the disclosure issues and how this dropped. Uh I'm going to talk about the vulnerabilities, how they work, at least at a high level. I can't dive too deep into the mess, but there's blog posts for that. And we'll take a look at the author's POC and exactly what it's doing. Uh and then we'll run that on a on a Hack The Box machine and we'll actually show both ways. Um one which one of which is typically blocked on Ubuntu and then we'll enable that and run run it again and see that version as well. Um yeah, should be really interesting. Let's go ahead and dive in.

[00:01:07]So, let's talk first about how this was disclosed. Um from what I can tell, this was meant to be responsibly disclosed.

[00:01:13]The author was working with maintainers to get it patched um when someone else saw the patches and without knowing the process or the conversations or the embargo or how it was being handled, just thought, "Ooh, this could be a security issue." and they wrote a POC and dropped it. And they, you know, they work they did end day research, right?

[00:01:29]So, this all results in the repo at dirtyfrag.io and within that repo, there's a timeline that shows like, you know, April 30th, they're working with the maintainer.

[00:01:41]They start reporting this. And then there's a patch and things are working along and then all of a sudden everything happens on 5/7 where basically April 7th, the this POC went public, everyone can see it and so they work with the maintainers to uh say, "Well, we better do We'll go ahead We'll go ahead and just share." And so, we can see there's actually a post here uh, on the OpenWall uh, mailing list, where the the author here um, says, you know, basically, we the patches and CVEs don't exist yet, but after talking to the Linux distro owners and maintainers, I basically said I'm just going to go ahead and release everything I had because it's out there and we might as well make people aware of it because it's a problem and people you know, people now know this exploit exists. Um, and there's another post uh, this was before actually before that post, where basically the author here sick says, you know, "I didn't know anything that was going on. I just saw these patches and I thought, oh boy, this looks a lot like copy-fail too." And uh, you know, I created copy-fail two electric boogaloo repo and built the exploit against it and I went public with it. And so, like, I was unaware of the Linux distro embargoes. I didn't know of a May 12th disclosure date. I had no access to the original Kim's author, you know, the the original author Kim's uh, write-up or POC. I just uh, saw this and thought, I cool, let's go with it. So, um, I think there's probably some lessons learned here that hopefully the people who do this kind of thing will take in figuring out how to, you know, not expose patches to people who aren't aware of these kinds of timelines, but uh, yeah, I mean, this is one of those places where like uh, maybe no one maybe no one intentionally did bad things, but just uh, you know, the world is scrambling now. So, um, since initial release, um, both of these do have CVEs now. Um, the ESP version has is CVE-2026-43284 and the uh, RXRPC version is CVE-2026-43500.

[00:03:37]Um, the patch for the first one is out.

[00:03:39]The patch for the second one, as of the time of this recording, is not. So, um, protect yourself if you can.

[00:03:46]Uh, all right. I'm going to jump over and talk about how this works.

[00:03:51]Okay, so, this is very similar in shape to copy fail. Basically, we're using splice again. So, we're splicing a page into a kernel crypto path and we're going to have some sort of right where we're not really supposed to be able to write, but because of the way splice copies, it fail it ends up writing to the original page in the cache and it allows us to overwrite a sensitive binary. Um instead of using the AF_ALG from copy fail, um this time we're going to use a couple different options um and again, this is why it's two CVEs instead of one. Um and they're almost like two CVEs for distro coverage. So, um the first one uh 43284 is comes from XFRM ESP. Um it requires cap_net_admin for the registration of this pri- uh feature. Um and so, in Ubuntu 2404, the AppArmor AppArmor is actually configured by default to block what is necessary to get this access um for unprivileged users. So, this first one does not work on Ubuntu 2404. Um the second one uh CVE ending 43500 lives in RXRPC and this one um doesn't need capabilities or namespaces, but it needs the RXRPC kernel module to be loaded um and Ubuntu just happens to build it like load this by default. So, if we if we're locked down for Ubuntu, uh we can use this one. Otherwise, most other Linux distros we can use the first one. And uh the way the POC is written, um the first one, the ESP target, targets SU and actually overwrites the SU binary in memory just like we showed with copy fail. Um and then the RXRPC targets the Etsy password file and basically overwrites the root user so that it has no password and then anyone can become root without a password. Um let's go ahead and we will jump over here and start taking a look at the code itself.

[00:05:50]Um We really will start with main. Uh seems like a nice reasonable place to start.

[00:05:55]Um Do do. Okay, here's the main function down here. It's This thing's over 2,000 lines long, so we're not going to go into all the details, but we'll kind of run through the highlights.

[00:06:03]Um This thing can take in a couple different arguments. Uh force ESP, force RX RPC, and verbose. So basically, uh if either of these are here, it says like just try the one type, don't try both.

[00:06:16]And then verbose says print more. Um if we're already running as root, then we're not going to bother with uh doing anything. We're just going to run bash.

[00:06:25]Um I don't know exactly what corrupt only does, but it gets down here and basically, if we force RX RPC, we're going to call that RX RPC LPE main.

[00:06:34]Otherwise, we're going to call elps SU LPE main. Otherwise, we're going to try at SU LPE main. If it's not patched, we're going to try the other one um and see if it works. And uh Yeah. And then once it's done, if either is patched, we are going to try to get a root PTY and return. Otherwise, we report failure. Um we can take a look at uh I guess we'll take a look at Let's try this one first.

[00:07:01]Um so this one here, the elp SU LPE theme LPE local privilege escalation LPE main, um it's just going to Here we're just checking for a verbose. Um basically, I It's doing a Where Where are my Where's my corrupt? Uh Here, we're just calling corrupt SU over and over again, which is I believe right above here. Yep. Um And again, this is where we can go into the details. We Well, we could look into the details, but I don't think it's super important.

[00:07:29]Basically, we have chunks. We're trying to overwrite um chunks of data with this payload. Um and uh it either succeeds or it fails. Um the other one, see, what's the best way to find that other one? It was uh _main, I think. That Oh, that was it. Uh, how do I go back up in find?

[00:07:50]Boom. Um, this other one is kind of printing some stuff. Um, it's actually using a socket here to get access to this AF_RXRPC uh feature.

[00:08:02]And um, it's a user I mean, it's going into the same thing. Um, but you can see here it's actually checking um, Etsy password and it's modifying Etsy password.

[00:08:11]Um, so I think that's all we're going to need to do there. Um, more interestingly, let's go ahead and apply it to a box. I'm going to pause the video or I'll we'll do a quick transition while I switch to the VM.

[00:08:22]All right, so I've got a shell here as Jonathan, a low privilege user on the Snapped box from Hack The Box. Um, and then I've also got a clean copy of the Dirty Frag repo down here. Uh, we can run you name minus A to just see this is a um, old Well, this hasn't The kernel at least hasn't been updated since March 6th. Um, so we're dealing with an older version that should be vulnerable. And uh, let's see. Oh, we can also check and I'm going to have to look over for some notes here. We can do sysctl uh, well, let's see. It's kernel.apparmor restrict unprivileged user namespace.

[00:09:04]Boom. Okay, so that is set and that is what's going to block us from using the first um, the ESP based exploit. Um, and so we can also check uh, well, yeah, we'll go with that. Um, before we do any exploits, well, uh, is GCC on this box?

[00:09:19]No. Okay, so we'll have to Let's see.

[00:09:21]We'll GCC We're running Ubuntu in both places, so we should be fine here. minus out EXP Cool. Uh, python minus M HTTP server 80.

[00:09:32]Boom. And if we do wget 10 10 14 61 EXP chmod plus X Okay, we've got a runnable exploit. Now, before we run it, there's a few things we can check. Um we know it's going to modify Etsy password and we know it's potentially going to modify SU. Um so, we can do like a sha uh MD5 MD 5 sum user bin SU.

[00:09:57]Uh we can also do actually let's do this all in one line. We can do um xxd user bin SU head and we can do head minus one Etsy password.

[00:10:09]Boom. Okay, so we got a sha of SU. We've got what it looks like in the bytes.

[00:10:14]This is an elf file. There's a bunch of padding and headering headers here and we've got the standard root password line. Awesome. Uh let's run exp with {dash}v so we can see what happens.

[00:10:24]And it is going through. We can actually see um the it it failed oops sorry let's jump up here. We see we didn't it operation not permitted when we're trying to do the SU corruption. So, we failed so then we drop down to the RXRPC exploit. Uh we try all these stages and then boom down here at the end we are root. Um we can uh let's just exit and we will check this again. Um from above uh E1 E5. Do we remember seeing E1 E5? So, SU has not changed. Um you can see this looks basically the same but the root this is subtle but the root line in password has changed. And what has changed is it now has no password. So, before look at um let's see head minus two and Etsy password.

[00:11:11]Um you see there's an X there. Typically there's an X. What the X means is the password is not in this file go check Etsy shadow. Because when Linux systems first started the password was in this world the password hash was in this world readable file which meant any user could see root's password hash and try to crack it. And if there was a weak password boom you're root. Um so, now we move it to Etsy shadow which can't be read by non-root processes but you know the X is what symbolizes to go look there. Well, here we just got an empty password. And an empty password means like boom, SU or Jonathan. Like SU isn't prompting me for a password because it says, "Who am I trying to be? Root." Oh, well, root doesn't have a password, so boom, you're in. And we're in.

[00:11:47]Um I think that's everything I needed to show there. Let's go ahead and clean up, but before we So, we can do clean up is exactly the same as what we did on uh the dirty copy copy copy fail.

[00:12:01]Uh which is to echo three to proc sys VM Oops. Drop caches. Um now, if we drop out of here, we'll see that the uh password file has been re- put back in place. And that's because the password file itself on disk never changed. What changed was the cached version in memory, and then every time we even when we try to read it, you know, that cached version is read from.

[00:12:26]So, before I go back and show that though, I want to try one I'm going to do one sec one more thing. I'm going to set sysctl uh control like that minus W a r armor, yeah. Restrict unprivileged user namespace equals zero.

[00:12:48]Boom. Okay, I think that worked. So, now we're going to exit.

[00:12:51]And if we now uh head See we can do our line here. Um so, we can see none of these these still haven't changed. As expected, but now root has its pointer back to shadow.

[00:13:04]Um cool. Okay, so, we also because we disabled apparmor, now if we do EXP minus V we'll see boom. Okay, SU is it's going for the XU path. It didn't This first line before failed. Um but this time it's actually trying to do it. Uh it wrote, and boom, here we are. Um we are root.

[00:13:23]Um if we exit here, and we do our line we'll see Etsy password hasn't changed.

[00:13:28]The We still have this X here, but now we'll see this this uh MD5 sum completely changed, and we have a bunch more stuff going on here, and this in fact is the shell code. So, we have instead of, you know, it's still an elf, but instead of basically just jumping into the shell code, um we could break this down, but it's the same kind of shell code we looked at in copy fail. Um and uh so now we've overwritten SU in the cache, and if we run SU, we just become root. And even though root still has a password this time, we become root because there is, you know, our we aren't checking the password. We are just running the shell code, which returns bin/sh. Um bin/sh is why we get this weird prompt and not the uh full bash prompt, but anyway. Uh exit exit.

[00:14:10]Um I think that's it. I'm going to go ahead and call it here. Um if you do do this in a pentest, make sure you do the drop.

[00:14:16]I I didn't do it here, but make sure you go ahead and do the drop caches thing after you're done, otherwise in proving this vulnerability, you leave the box in a vulnerable state, which is bad. Um but yeah, that's uh this is another another vulnerability, another thing to go fix.

[00:14:31]Um sorry, IT admins. What a pain. Um but this is this is the world we live in, so.

[00:14:37]Uh thanks for hanging out with me. I really appreciate you uh you watching all the way to the end. It's a great way to support my channel, and uh I'll talk to you next time. Bye.

[00:14:45]>> [music] [music]