
"Dirty Frag is a case that extends the bug class to which Dirty Pipe and Copy Fail belong. Because it is a deterministic logic bug that does not depend on a timing window, no race condition is required, the kernel does not panic when the exploit fails, and the success rate is very high."
"Successful exploitation of the flaw could allow an unprivileged local user to gain elevated root access on most Linux distributions, including Ubuntu 24.04.4, RHEL 10.1, openSUSE Tumbleweed, CentOS Stream 10, AlmaLinux 10, and Fedora 44."
"xfrm-ESP Page-Cache Write, which is rooted in the IPSec (xfrm) subsystem, provides attackers with a 4-byte store primitive like Copy Fail and overwrites a small amount in the kernel's page cache. However, the exploit requires the unprivileged user to create a namespace, a step that's blocked by Ubuntu through AppArmor. In such an environment, xfrm-ESP Page-Cache Write cannot be triggered."
A new, as yet unpatched local privilege escalation vulnerability in the Linux kernel enables unprivileged users to gain root privileges on most Linux distributions. The flaw, called Dirty Frag, extends the bug class of Dirty Pipe and Copy Fail: it relies on a deterministic logic bug rather than a timing race, so it needs no race condition, does not panic the kernel on failure, and has a very high success rate. It chains two vulnerabilities, the xfrm-ESP Page-Cache Write and the RxRPC Page-Cache Write. The xfrm-ESP issue originates from a January 2017 code commit, while the RxRPC issue was introduced in June 2023. The exploit yields a 4-byte store primitive and overwrites a small amount of data in the kernel page cache. Because triggering the xfrm-ESP path requires the unprivileged user to create a namespace, which AppArmor blocks on Ubuntu, the xfrm-ESP Page-Cache Write cannot be triggered in that environment.
Read at The Hacker News