kuniyal08/Dirty-Frag-CVE-2026-43284

GitHub: kuniyal08/Dirty-Frag-CVE-2026-43284

# Dirty Frag (CVE‑2026‑43284 & CVE‑2026‑43500) — Exploit Reproduction & Detection Lab

This repository documents the end‑to‑end reproduction, detection engineering, and incident response for the **Dirty Frag** Linux kernel local privilege escalation (LPE) chain. Dirty Frag chains two deterministic logic bugs, **CVE‑2026‑43284** (xfrm/ESP) and **CVE‑2026‑43500** (RxRPC), to let an unprivileged local user overwrite the page cache of read‑only files (e.g., `/usr/bin/su`) and obtain a root shell.

## Key Findings

- ✅ Successfully exploited Dirty Frag on Kali Linux 2026.1 (kernel 6.18.12+kali‑amd64)
- ✅ Deployed auditd syscall‑level detection rules
- ✅ Created Sigma and YARA rules for cross‑platform detection
- ✅ Developed a complete incident response playbook
- ✅ Documented every step with screenshots for portfolio use

### Why This Matters

Dirty Frag is a **logic flaw**, not a memory corruption bug. It is **deterministic**, affects virtually every Linux distribution shipped since **2017**, and is completely **fileless**: traditional file integrity monitoring (AIDE, Tripwire) cannot see it. The public PoC is a single C file that chains both the ESP and RxRPC paths.

## Lab Environment

Component | Details
---|---
Hypervisor | VirtualBox
Target VM | Kali Linux 2026.1
Kernel | 6.18.12+kali‑amd64
Exploit PoC | [V4bel/dirtyfrag](https://github.com/V4bel/dirtyfrag)
Detection | auditd, Sigma, YARA

## Reproduction Steps

### 1. Verify Kali Version & Kernel

The lab starts by confirming the target is running a vulnerable kernel.

```bash
cat /etc/os-release | head -3
uname -r
```

📸 `screenshots/pre_exploit_id.png` — Kali 2026.1 release and kernel details. The output of `uname -r` shows the vulnerable kernel `6.18.12+kali‑amd64`.

### 2. Check for Vulnerable Modules

The exploit requires the `esp4`, `esp6`, and `rxrpc` kernel modules.
```bash
lsmod | grep -E "esp4|esp6|rxrpc"
modinfo esp4 esp6 rxrpc 2>/dev/null | grep -E "^(name|depends)"
```

📸 `screenshots/module_mitigation.png` — `lsmod` and `modinfo` confirm the vulnerable modules are available.

### 3. Python Version

The Python‑based variant of the PoC needs Python 3.10+. We verify the interpreter.

```bash
python3 --version
```

Python 3.12 is installed and ready.

### 4. Vulnerability Checker (Non‑Destructive)

Before running the full exploit, a safe checker script confirms the system is vulnerable.

```bash
python3 poc/check_vulnerable.py
```

The checker reports "potentially vulnerable", clearing the way for exploitation.

### 5. Create Unprivileged User

An unprivileged `testuser` account simulates an attacker without special rights.

```bash
sudo useradd -m testuser
sudo passwd testuser
su - testuser
id
```

📸 `id` shows UID 1001, confirming non‑root access.

### 6. Clone & Execute the Exploit

The official V4bel PoC is cloned and compiled from the unprivileged account.

```bash
git clone https://github.com/V4bel/dirtyfrag.git
cd dirtyfrag
gcc -O0 -Wall -o exp exp.c -lutil
./exp
```

📸 `screenshots/exploit_execution.png` — The exploit overwrites the page cache of `/usr/bin/su` and detonates the corrupted binary.

📸 `screenshots/post_exploit_root.png` — `whoami` and `id` output prove full root escalation.

### 7. Verify Fileless Nature (No Disk Modification)

The exploit only corrupts the in‑memory page cache. The on‑disk `/usr/bin/su` retains its original checksum.

```bash
sha256sum /usr/bin/su
```

The `sha256sum` matches the original package hash even after exploitation, confirming no disk modification.

### 8. Post‑Exploit Cleanup (Critical!)

After running the exploit, the page cache is contaminated. Always flush it:

```bash
echo 3 | sudo tee /proc/sys/vm/drop_caches
# Or reboot the system
```

## Detection Engineering

Dirty Frag cannot be detected by file integrity monitoring. Instead, we focus on the syscall‑level primitives it uses.
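As an added illustration of what syscall‑level detection looks like once the events are in `audit.log` (example code written for this write‑up, not part of this repository or of the V4bel PoC), the Python script below parses raw auditd `SYSCALL` records and raises one alert per process that hits two or more of the `dirtyfrag_*` keys used by this lab's auditd rules within a short window. The sample records are constructed to mirror those rules (pids, timestamps, paths and hex `a0` values are invented); `parse_record`, `socket_family`, `correlate` and the 60‑second window are this example's own choices, not something the lab defines.

```python
import re
from collections import defaultdict

# Address family numbers from include/linux/socket.h (decimal).
AF_NAMES = {33: "AF_RXRPC", 38: "AF_ALG"}

# Keys assigned by this lab's auditd rules (/etc/audit/rules.d/dirtyfrag.rules).
DIRTYFRAG_KEYS = {
    "dirtyfrag_af_alg", "dirtyfrag_rxrpc", "dirtyfrag_splice",
    "dirtyfrag_namespace", "dirtyfrag_suid_read",
}

_TOKEN = re.compile(r'(\w+)=("[^"]*"|\S+)')
_MSG = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")

# Constructed sample records in raw audit.log form (pids, timestamps and paths
# are invented for this example; function names and the window are the
# example's own). Audit prints a0..a3 in hex, so AF_ALG (38) appears as a0=26.
# Process 1234 hits four keys in under a second; process 2222 is a benign
# cp(1) that merely used splice() and must not alert.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1780000000.101:300): arch=c000003e syscall=272 success=yes exit=0 a0=50000000 a1=0 a2=0 a3=0 ppid=1200 pid=1234 auid=1001 uid=1001 comm="exp" exe="/home/testuser/dirtyfrag/exp" key="dirtyfrag_namespace"
type=SYSCALL msg=audit(1780000000.205:301): arch=c000003e syscall=41 success=yes exit=3 a0=26 a1=5 a2=0 a3=0 ppid=1200 pid=1234 auid=1001 uid=1001 comm="exp" exe="/home/testuser/dirtyfrag/exp" key="dirtyfrag_af_alg"
type=SYSCALL msg=audit(1780000000.310:302): arch=c000003e syscall=275 success=yes exit=4096 a0=4 a1=0 a2=5 a3=0 ppid=1200 pid=1234 auid=1001 uid=1001 comm="exp" exe="/home/testuser/dirtyfrag/exp" key="dirtyfrag_splice"
type=SYSCALL msg=audit(1780000000.900:303): arch=c000003e syscall=257 success=yes exit=6 a0=ffffff9c a1=7ffd1c0a3e40 a2=80000 a3=0 ppid=1200 pid=1234 auid=1001 uid=1001 comm="exp" exe="/home/testuser/dirtyfrag/exp" key="dirtyfrag_suid_read"
type=SYSCALL msg=audit(1780000050.000:340): arch=c000003e syscall=275 success=yes exit=65536 a0=3 a1=0 a2=4 a3=0 ppid=1900 pid=2222 auid=1000 uid=1000 comm="cp" exe="/usr/bin/cp" key="dirtyfrag_splice"
"""


def parse_record(line):
    """Parse one raw SYSCALL record into a dict of its key=value fields."""
    m = _MSG.search(line)
    if not line.startswith("type=SYSCALL") or m is None:
        return None
    rec = {k: v.strip('"') for k, v in _TOKEN.findall(line)}
    rec["ts"] = float(m.group(1))
    rec["serial"] = int(m.group(2))
    return rec


def socket_family(rec):
    """For a socket(2) record (x86_64 syscall nr 41), decode the hex a0 field."""
    if rec.get("syscall") != "41":
        return None
    family = int(rec["a0"], 16)
    return AF_NAMES.get(family, f"AF_{family}")


def correlate(log_text, window=60.0, min_keys=2):
    """One alert per pid whose records hit >= min_keys distinct dirtyfrag_*
    keys within `window` seconds. A lone splice() from cp(1) never qualifies."""
    by_pid = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec and rec.get("key") in DIRTYFRAG_KEYS:
            by_pid[rec["pid"]].append(rec)

    alerts = []
    for pid, recs in by_pid.items():
        recs.sort(key=lambda r: r["ts"])
        for i, start in enumerate(recs):
            cluster = [r for r in recs[i:] if r["ts"] - start["ts"] <= window]
            keys = {r["key"] for r in cluster}
            if len(keys) < min_keys:
                continue
            families = sorted({f for f in map(socket_family, cluster) if f})
            alerts.append({
                "pid": pid, "uid": start["uid"], "comm": start["comm"],
                "exe": start["exe"], "keys": sorted(keys), "families": families,
                "first_ts": start["ts"], "last_ts": cluster[-1]["ts"],
            })
            break  # report each process once
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_AUDIT_LOG):
        print(f"ALERT pid={alert['pid']} uid={alert['uid']} comm={alert['comm']} "
              f"keys={','.join(alert['keys'])} families={','.join(alert['families'])}")
```

On a real host, feed it `/var/log/audit/audit.log` (for example `correlate(open("/var/log/audit/audit.log").read())`). The point of correlating by pid rather than alerting on each key is visible in the sample: `splice()` is used by ordinary tools, so the `dirtyfrag_splice` rule alone is noisy, while a single process combining namespace creation, an `AF_ALG` or `AF_RXRPC` socket, `splice()` and a read of a setuid binary within seconds is the pattern worth paging on. Note that audit renders `a0` in hex even though `auditctl -F a0=` is written in decimal, so `AF_ALG` appears as `a0=26` and `AF_RXRPC` as `a0=21` in the log.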
### auditd Rules

We deploy custom auditd rules that trigger on:

- `socket(AF_ALG)` (family 38) and `socket(AF_RXRPC)` (family 33) creation
- `splice()` syscall usage
- `unshare(CLONE_NEWUSER | CLONE_NEWNET)` namespace creation
- Read access to setuid binaries by unprivileged processes

```bash
# /etc/audit/rules.d/dirtyfrag.rules
# a0 is the address family as a decimal value from include/linux/socket.h:
# AF_ALG = 38, AF_RXRPC = 33 (21 is AF_RDS and would never match an RxRPC socket).
-a always,exit -F arch=b64 -S socket -F a0=38 -F uid!=0 -k dirtyfrag_af_alg
-a always,exit -F arch=b64 -S socket -F a0=33 -F uid!=0 -k dirtyfrag_rxrpc
-a always,exit -F arch=b64 -S splice -F uid!=0 -k dirtyfrag_splice
-a always,exit -F arch=b64 -S unshare -F uid!=0 -k dirtyfrag_namespace
-w /usr/bin/su -p r -k dirtyfrag_suid_read
```

All custom rules are active, verified with `auditctl -l`. After running the exploit a second time, we see alerts for the exact syscalls used:

- `ausearch -k dirtyfrag_af_alg` shows an AF_ALG socket creation event from the `testuser` process
- `ausearch -k dirtyfrag_splice` shows a `splice()` event from the same PID, a strong correlation
- `ausearch -k dirtyfrag_namespace` shows namespace creation

### Sigma Rule

A Sigma rule translates the auditd findings into a vendor‑neutral SIEM format.

File: `detection/sigma/dirty_frag_exploit.yml`

### YARA Rule

A YARA rule helps identify Dirty Frag exploit code on disk and in memory.

File: `detection/yara/dirty_frag_exploit.yar`

### Detection Coverage Summary

Layer | What it Sees | Status
---|---|---
auditd | AF_ALG/AF_RXRPC socket + splice syscalls + unshare | ✅ Deployed
Sigma | Syscall patterns via SIEM | ✅ Rule ready
YARA | PoC code on disk / in memory | ✅ Rule ready
FIM (AIDE/Tripwire) | File changes | ❌ Blind – no disk write occurs

## Incident Response Playbook

A full incident response report is available in `reports/incident-dirtyfrag.md`.
It includes:

- **Executive summary** — Dirty Frag exploitation observed
- **Indicators of compromise (IoCs)** — auditd alerts for AF_ALG/AF_RXRPC socket creation, `splice()` calls, `unshare` namespace events, and SUID binary execution by non‑root processes
- **MITRE ATT&CK mapping** — T1068 (Exploitation for Privilege Escalation), T1611 (Escape to Host)
- **Containment and eradication steps** — Module blacklisting, page cache flush, kernel upgrade
- **Lessons learned** regarding fileless attacks and the importance of syscall‑level auditing

## Mitigation

Immediate mitigation (no reboot required):

```bash
echo "install esp4 /bin/false" | sudo tee /etc/modprobe.d/dirtyfrag.conf
echo "install esp6 /bin/false" | sudo tee -a /etc/modprobe.d/dirtyfrag.conf
echo "install rxrpc /bin/false" | sudo tee -a /etc/modprobe.d/dirtyfrag.conf
sudo rmmod esp4 esp6 rxrpc 2>/dev/null
```

⚠️ **Impact:** Disabling these modules breaks IPsec VPNs and AFS filesystem functionality.

A ready‑to‑use mitigation script is included at `mitigation/dirtyfrag_mitigation.sh`.

**Permanent fix:** Upgrade your kernel to a patched version.
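The blacklist and the `rmmod` above are two separate controls, and the `2>/dev/null` on `rmmod` hides the case where one of them did not take. The following added checker (written for this write‑up; it is not the repository's `mitigation/dirtyfrag_mitigation.sh`) parses a `modprobe.d` fragment and `lsmod` output and reports, per module, whether autoload is blocked and whether the module is still resident. The sample inputs are constructed, and `mitigation_status`, `remaining_actions` and `live_status` are names chosen for this example.

```python
import re
import subprocess

# Modules the lab's mitigation blacklists and unloads.
MITIGATED_MODULES = ("esp4", "esp6", "rxrpc")

# Constructed sample inputs (not captured from the lab VM): esp4/esp6 are
# blacklisted and unloaded, but rxrpc is missing from the config and is still
# resident, pinned by one user. Function names are this example's own.
SAMPLE_MODPROBE_CONF = """\
install esp4 /bin/false
install esp6 /bin/false
"""
SAMPLE_LSMOD = """\
Module                  Size  Used by
rxrpc                 655360  1 kafs
xfrm_user              53248  0
"""

_INSTALL_LINE = re.compile(r"^\s*install\s+(\S+)\s+(\S+)", re.MULTILINE)
_NOOP_COMMANDS = {"/bin/false", "/bin/true"}


def blocked_modules(conf_text):
    """Module names whose autoload is redirected to a no-op command."""
    return {mod for mod, cmd in _INSTALL_LINE.findall(conf_text)
            if cmd in _NOOP_COMMANDS}


def loaded_modules(lsmod_text):
    """Map module name -> reference count, parsed from lsmod's table."""
    loaded = {}
    for line in lsmod_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) >= 3:
            loaded[fields[0]] = int(fields[2])
    return loaded


def mitigation_status(conf_text, lsmod_text, modules=MITIGATED_MODULES):
    """Per-module view: is autoload blocked, and is the module still resident?"""
    blocked = blocked_modules(conf_text)
    loaded = loaded_modules(lsmod_text)
    return {
        mod: {
            "blocked": mod in blocked,
            "loaded": mod in loaded,
            "refcount": loaded.get(mod, 0),
        }
        for mod in modules
    }


def remaining_actions(status):
    """What is still missing for a complete mitigation, as readable strings."""
    actions = []
    for mod, s in status.items():
        if not s["blocked"]:
            actions.append(f"add 'install {mod} /bin/false' to /etc/modprobe.d/")
        if s["loaded"] and s["refcount"] == 0:
            actions.append(f"rmmod {mod}")
        elif s["loaded"]:
            actions.append(f"{mod} is pinned by {s['refcount']} user(s); "
                           f"rmmod will fail until they release it, or reboot")
    return actions


def live_status(conf_path="/etc/modprobe.d/dirtyfrag.conf"):
    """Same check against the running host (needs lsmod on PATH)."""
    try:
        with open(conf_path) as f:
            conf = f.read()
    except FileNotFoundError:
        conf = ""
    lsmod = subprocess.run(["lsmod"], capture_output=True, text=True, check=True).stdout
    return mitigation_status(conf, lsmod)


if __name__ == "__main__":
    status = mitigation_status(SAMPLE_MODPROBE_CONF, SAMPLE_LSMOD)
    for action in remaining_actions(status) or ["mitigation complete"]:
        print("TODO:", action)
```

An `install <module> /bin/false` line only prevents future autoloading; a module that is already loaded stays resident until `rmmod` succeeds, and `rmmod` refuses while the `Used by` count is non‑zero (an active IPsec SA or a mounted AFS volume will pin it), which is exactly the failure the `2>/dev/null` in the one‑liner swallows. The checker separates the two cases so the report says whether the remaining step is a missing config line, an `rmmod`, or a reboot. `modprobe -n -v <module>` is the quick manual equivalent for the blacklist half.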