
Copy Fail: One 732-Byte Python Script Gives Root on Ubuntu, RHEL, SUSE, Amazon Linux

Interesting: My hosting provider has blocked access to cpanel, SSH, FTP among others in response to this exploit. Good to see they're on top of things.
 
Interesting: My hosting provider has blocked access to cpanel, SSH, FTP among others in response to this exploit. Good to see they're on top of things.
Actually, that may also be for other reasons (cpanel anyhow).
 
Yeah, too bad a 3rd party released the information about DirtyFrag early. The original researcher who discovered it actually followed good disclosure procedures unlike Theori, who found CopyFail. So we shouldn't really know about DirtyFrag just yet.

Sometimes I honestly find it mind-boggling that companies/people think it's a good idea to drop some of these exploits on the world without preparation. Ubuntu only pushed CopyFail kernel fixes for versions like 22.04 today. They're so new they haven't even hit my repos yet.
 
Yeah, too bad a 3rd party released the information about DirtyFrag early. The original researcher who discovered it actually followed good disclosure procedures unlike Theori, who found CopyFail. So we shouldn't really know about DirtyFrag just yet.

Sometimes I honestly find it mind-boggling that companies/people think it's a good idea to drop some of these exploits on the world without preparation. Ubuntu only pushed CopyFail kernel fixes for versions like 22.04 today. They're so new they haven't even hit my repos yet.
At the pace zero days are seen in the wild, it might've been done this way due to being detected somewhere.
 
At the pace zero days are seen in the wild, it might've been done this way due to being detected somewhere.
If DirtyFrag was being exploited before the disclosure no one has mentioned it. The researcher only released his POC and all his documentation after a 3rd party released information about HIS reporting of the exploit. So basically he followed proper procedures. There was an embargo in place to keep the information private for a set number of days to allow time for it to be patched. A 3rd party who had access to the disclosure released information very prematurely, so here we with an unpatched LPE again due to stupidity.
 
If DirtyFrag was being exploited before the disclosure no one has mentioned it. The researcher only released his POC and all his documentation after a 3rd party released information about HIS reporting of the exploit. So basically he followed proper procedures. There was an embargo in place to keep the information private for a set number of days to allow time for it to be patched. A 3rd party who had access to the disclosure released information very prematurely, so here we with an unpatched LPE again due to stupidity.
Ah, that explains it better. Thanks.

I didn't look too deeply into it.
 
If DirtyFrag was being exploited before the disclosure no one has mentioned it.
Could have been for a couple of years without anyone able to tell, and it would not leave a trace either (it's all in memory, and the user gets access to clean up his tracks if there are any), especially if it is a CCP, Mossad type entity that can afford to only use it on special occasions, especially with a working agent inside the institution using those....
 
Tested DirtyFrag on Ubuntu and CachyOS, didn't try on RHEL yet. Haven't run updates today yet either. Script kiddies are going to be having too much fun again. Insider threats are the vast majority of incidents, no fun.

*Fails on CachyOS with update
 
Actually, that may also be for other reasons (cpanel anyhow).
I don't believe it is. They don't want people using SSH or FTP for obvious reasons, as such tools can be used to gain root access, and they don't want people having access to cpanel as they could re-enable SSH and FTP.
 
Just to show it real quick, made a quick capture.
Non-sudo user, just a Python script. You can just disable/unload the algif_aead module, which is the culprit.


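Since the post above points at algif_aead as the module the CopyFail script depends on, here is an added defensive check (example code, not from the thread or from any of the distros named) that detects whether the module is loaded or built in and writes the modprobe rule that stops AF_ALG requests from auto-loading it. The drop-in path is an assumption; the sample listings are constructed so the script runs without root.

```shell
#!/bin/sh
# Added example: mitigate by blocking the algif_aead module. This is a
# stop-gap until the kernel fix lands; the real fix is the kernel update.

# 0 if the lsmod-style listing in $1 shows algif_aead loaded, 1 otherwise.
algif_aead_loaded() {
    printf '%s\n' "$1" | grep -q '^algif_aead[[:space:]]'
}

# 0 if the modules.builtin listing in $1 shows algif_aead compiled in.
# modprobe rules cannot block a built-in module; only a kernel update can.
algif_aead_builtin() {
    printf '%s\n' "$1" | grep -q '/algif_aead\.ko'
}

# Print the modprobe.d content. The "install ... /bin/false" line is what
# blocks loading; "blacklist" alone only disables alias matching and still
# lets the kernel's request_module("algif-aead") pull the module in.
mitigation_conf() {
    printf 'install algif_aead /bin/false\nblacklist algif_aead\n'
}

# Apply on a live system (needs root): write the rule, unload if present.
# Path argument is an assumption; adjust to your distro's modprobe.d.
apply_mitigation() {
    conf="${1:-/etc/modprobe.d/disable-algif_aead.conf}"
    mitigation_conf > "$conf" || return 1
    if algif_aead_loaded "$(lsmod)"; then
        # rmmod fails if a process still holds an AF_ALG aead socket open
        rmmod algif_aead || return 2
    fi
    return 0
}

# Constructed sample listings for a stand-alone run; no root needed.
SAMPLE_LSMOD='Module                  Size  Used by
algif_aead             16384  0
af_alg                 32768  1 algif_aead'
SAMPLE_BUILTIN='kernel/crypto/af_alg.ko
kernel/crypto/algif_hash.ko'

if algif_aead_loaded "$SAMPLE_LSMOD"; then
    echo "algif_aead is loaded in the sample listing; rule to write:"
    mitigation_conf
fi
algif_aead_builtin "$SAMPLE_BUILTIN" || echo "algif_aead not built in (sample)"
```

On a real host, run `apply_mitigation` as root after checking `cat /lib/modules/$(uname -r)/modules.builtin` with `algif_aead_builtin`; if the module is built in, the modprobe rule does nothing and you are waiting on the kernel patch.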
Would probably be better if you did cat on failcopy instead because the time you stay in vim is like half a second.
I'm assuming the silver lining is that they need ssh or local shell access, at least. Or have the script uploaded to the server and then in some way executable by the web user (and/or you have arbitrary remote code execution vulnerability in one of your web scripts, in which case you royally fucked up anyway).

Edit... actually saw a socket opening in there somewhere. Guess the only thing that saves you there is firewall, depending on what exactly that's used for...
 

"Fragnesia Made Public As Latest Linux Local Privilege Escalation Vulnerability (phoronix.com)

Posted by BeauHD on Wednesday May 13, 2026 @03:00PM from the here-we-go-again dept.
A new Linux local privilege escalation flaw called Fragnesia has been disclosed as a Dirty Frag-like vulnerability, allowing arbitrary byte writes into the kernel page cache of read-only files through a separate ESP/XFRM logic bug. Phoronix reports: Proof of concept code for Fragnesia is already out there. There is a two-line patch for addressing the issue within the Linux kernel's skbuff.c code. That patch hasn't yet been mainlined or picked up by any mainline kernel releases but presumably will be in short order for addressing this local privilege escalation issue. More details can be found here."
 