john_strinlai 3 hours ago

"Because the embargo has now been broken, no patches or CVEs exist for these vulnerabilities."

link: https://github.com/V4bel/dirtyfrag

detailed writeup: https://github.com/V4bel/dirtyfrag/blob/master/assets/write-...

importantly:

"Copy Fail was the motivation for starting this research. In particular, xfrm-ESP Page-Cache Write in the Dirty Frag vulnerability chain shares the same sink as Copy Fail. However, it is triggered regardless of whether the algif_aead module is available. In other words, even on systems where the publicly known Copy Fail mitigation (algif_aead blacklist) is applied, your Linux is still vulnerable to Dirty Frag."

mitigation (i have not tested or verified!):

"Because the responsible disclosure schedule and the embargo have been broken, no patch exists for any distribution. Use the following command to remove the modules in which the vulnerabilities occur."

    sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; true"

conversation around the mitigation suggests you need a reboot or run this after the above on already-exploited machines:

    sudo echo 3 > /prox/sys/vm/drop_caches

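An added example, not from the thread or the dirtyfrag repository: a small POSIX shell check a defender can run to confirm that the `install <module> /bin/false` lines quoted above are actually present under a modprobe.d directory, and that none of the three named modules still show up in an lsmod listing. The function names, the sample modprobe.d directory and the sample lsmod listing are constructed for the example; on a real host you would point it at /etc/modprobe.d and a file holding the output of `lsmod`. It only checks presence of the configuration, it does not claim the blacklist is a complete fix.

```shell
#!/bin/sh
# Added example (not from the thread or the dirtyfrag repo): verify the
# modprobe blacklist lines quoted in the thread are present and report which
# of the named modules are still loaded. Sample data below is constructed.

# Modules named in the mitigation quoted in the thread.
DIRTYFRAG_MODULES="esp4 esp6 rxrpc"

# missing_blacklist_entries DIR
# Prints, one per line, each module that has no "install <mod> /bin/false"
# line in any *.conf file under DIR. Returns 0 when all are present,
# 1 when at least one is missing.
missing_blacklist_entries() {
    dir=$1
    rc=0
    for mod in $DIRTYFRAG_MODULES; do
        if ! cat "$dir"/*.conf 2>/dev/null \
            | grep -Eq "^[[:space:]]*install[[:space:]]+$mod[[:space:]]+/bin/false([[:space:]]|$)"; then
            echo "$mod"
            rc=1
        fi
    done
    return $rc
}

# loaded_modules LSMOD_FILE
# Prints each named module that appears in the first column of an lsmod
# listing stored in LSMOD_FILE (header line skipped). Returns 0 when none
# of them is loaded, 1 otherwise.
loaded_modules() {
    listing=$1
    rc=0
    for mod in $DIRTYFRAG_MODULES; do
        if awk 'NR > 1 { print $1 }' "$listing" | grep -qx "$mod"; then
            echo "$mod"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample data: a modprobe.d directory that blacklists only esp4
# and esp6, and an lsmod listing in which rxrpc is still loaded.
SAMPLE_DIR=$(mktemp -d)
printf 'install esp4 /bin/false\ninstall esp6 /bin/false\n' > "$SAMPLE_DIR/dirtyfrag.conf"
SAMPLE_LSMOD=$(mktemp)
printf 'Module                  Size  Used by\nrxrpc                 262144  0\nxfrm_algo              16384  1\n' > "$SAMPLE_LSMOD"

# On a real host: missing_blacklist_entries /etc/modprobe.d
#                 lsmod > /tmp/lsmod.txt && loaded_modules /tmp/lsmod.txt
missing_blacklist_entries "$SAMPLE_DIR" || echo "^ modules without a blacklist entry"
loaded_modules "$SAMPLE_LSMOD" || echo "^ modules still loaded"
```

Run against the constructed data it reports `rxrpc` in both checks; against a host where all three lines are present and the modules were unloaded it prints nothing and both functions return 0.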
progval 2 hours ago | parent | next [-]

"sudo" in "sudo echo 3 > /prox/sys/vm/drop_caches" does not do anything because it only runs echo, not the write.

And if a machine is already exploited, it's too late to do just that. You need to rebuild the whole disk image because anything on it could be compromised.

john_strinlai 2 hours ago | parent [-]

>And if a machine is already exploited, it's too late to do just that. You need to rebuild the whole disk image because anything on it could be compromised.

this is more targeted at the people who run the PoC to see if their machine is vulnerable.

just transcribing some relevant stuff from https://github.com/V4bel/dirtyfrag/issues/1 so that people visiting this thread don't need to poke around a bunch of different places.

dundarious 2 hours ago | parent | prev | next [-]

You can't sudo echo and redirect from the non-sudo shell like that.

    echo 3 | sudo tee /proc/sys/vm/drop_caches

or

    sudo sh -c 'echo 3 > /proc/sys/vm/drop_caches'

Also fixed your typo in /proc...
throw0101c 2 hours ago | parent | next [-]

Also try:

    sudo sysctl -w vm.drop_caches=3

wpollock an hour ago | parent | prev | next [-]

Or more simply, use

    su -c 'echo 3 > /proc/sys/vm/drop_caches'

seba_dos1 an hour ago | parent [-]

    echo 3 | sudo tee /proc/sys/vm/drop_caches

john_strinlai 2 hours ago | parent | prev [-]

thanks. copy-pasting from the github via my phone, and should have taken the extra few mins

dundarious 34 minutes ago | parent [-]

No worries, overall a very useful summary comment.

danudey an hour ago | parent | prev [-]

Just FYI, you can also mitigate it with `echo 1 > ...`; you don't need to drop everything, dropping `1` clears the page cache and that's enough.

Tested locally on Ubuntu 26.04:

1. Ran the exploit and got root

2. Configured the mitigations

3. Ran `su` again with no parameters and immediately got root again unprompted

4. Cleared the page cache

5. `su` asked for a password