Dirty Frag: Universal Linux LPE Explained
A new Linux local privilege escalation (LPE) vulnerability, dubbed "Dirty Frag," has hit the wild. It gives any unprivileged user immediate root access on all major distributions. Think of it as the spiritual successor to the infamous Dirty Pipe and Copy Fail bugs.
The Bugs
Dirty Frag chains two separate kernel vulnerabilities:
- ESP (Encapsulating Security Payload) module: A flaw in the IPsec ESP handling allows an out-of-bounds write via crafted ESP packets.
- rxrpc (AF_RXRPC) module: Another bug that, when combined with the ESP exploit, enables arbitrary kernel memory corruption.
Both bugs reside in kernel modules that are loaded by default on most distributions. The exploit uses the ESP module to trigger a heap overflow, then leverages the rxrpc module to escalate privileges and overwrite a setuid binary (like /usr/bin/su) with a minimal root shell ELF.
The Exploit in Action
The public exploit code is concise: about 192 bytes of shellcode. It creates a user namespace and a network namespace, sets up a fake IPsec security association (SA) with extended sequence numbers (ESN), and then sends a crafted UDP-encapsulated ESP packet. This triggers the vulnerability, allowing the attacker to write arbitrary data to an arbitrary file offset. The exploit targets /usr/bin/su and overwrites its first 192 bytes with a custom ELF that runs setuid(0); setgid(0); execve("/bin/sh"). Running su then spawns a root shell.
No Patches Available
Here's the critical part: the embargo was broken. The researcher, Hyunwoo Kim, disclosed the vulnerability after consultation with the linux-distros mailing list maintainers, but no CVEs or patches exist yet for any distribution. The official advisory includes a mitigation command:
sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; true"
This blacklists the vulnerable modules and unloads them if currently loaded. However, this may break IPsec functionality and AF_RXRPC-dependent services (e.g., some network filesystems).
Technical Deep Dive
For those who want the gory details: the ESP vulnerability (commit f4c50a4034e62ab75f1d5cdd191dd5f9c77fdff4) is an out-of-bounds write in the xfrm subsystem when handling UDP encapsulation with ESN. The rxrpc bug (lore.kernel.org link) provides a way to trigger the write at a controlled offset. The exploit uses vmsplice and splice to move file data into a pipe, then sends it as part of a malicious ESP packet. The kernel's ESP processing writes the packet's payload (including the pipe data) to a kernel buffer that overlaps with the target file's page cache.
What You Should Do Now
- Apply the mitigation immediately on all production systems. Run the modprobe blacklist command.
- Monitor for distribution patches. Major vendors like Red Hat, Ubuntu, and Debian will release kernel updates once available.
- Assess your exposure. If your systems don't use IPsec or rxrpc, the mitigation is safe. If they do, you'll need to weigh the risk of leaving the modules loaded vs. potential service disruption.
- Check your security monitoring. Exploitation of Dirty Frag leaves traces: unexpected ESP packets on loopback, XFRM netlink traffic, and sudden changes to setuid binaries.
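The mitigation and the integrity check above, as an added example that is not the advisory's own code: it writes the same modprobe blacklist, reports whether esp4, esp6 or rxrpc is still loaded, and flags setuid binaries whose contents changed against a sha256 baseline. File paths are parameters (the modprobe.d path and /proc/modules are assumed defaults) so the functions can be exercised without root.

```shell
#!/bin/sh
# Added example, not the advisory's own code: apply the advisory's blacklist,
# report whether esp4/esp6/rxrpc are still loaded, and detect changed setuid
# binaries against a sha256 baseline. Paths are parameters so the functions
# can be exercised on constructed input without root.

DIRTYFRAG_MODULES="esp4 esp6 rxrpc"

# Write the advisory's "install <module> /bin/false" lines to the given
# modprobe.d file (default: the real path, which needs root to write).
write_blacklist() {
    conf="${1:-/etc/modprobe.d/dirtyfrag.conf}"
    : > "$conf"
    for m in $DIRTYFRAG_MODULES; do
        printf 'install %s /bin/false\n' "$m" >> "$conf"
    done
}

# Print each vulnerable module present in a /proc/modules-style listing
# ($1, default: the live /proc/modules). Empty output means none is loaded.
loaded_vulnerable_modules() {
    modlist="${1:-/proc/modules}"
    for m in $DIRTYFRAG_MODULES; do
        # each /proc/modules line starts with "<name> <size> <refcount> ..."
        awk -v m="$m" '$1 == m { print m }' "$modlist"
    done
}

# List setuid-root executables under a directory; /usr/bin/su, the file the
# advisory says the exploit overwrites, is one of these.
list_setuid_binaries() {
    find "$1" -xdev -type f -perm -4000 -print
}

# Record sha256 of the given files into baseline file $1, ideally right after
# applying the mitigation while the binaries are known-good.
record_baseline() {
    baseline="$1"; shift
    sha256sum "$@" > "$baseline"
}

# Print the paths whose contents no longer match the baseline. An overwritten
# su shows up here even though its first bytes still carry ELF magic.
changed_binaries() {
    sha256sum -c "$1" 2>/dev/null | sed -n 's/: FAILED$//p'
}
```

Run record_baseline on the output of list_setuid_binaries / once, then schedule changed_binaries against that file; any path it prints warrants an immediate look.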
This is a serious vulnerability. The broken embargo means attackers have a head start. Act now.