Share
## https://sploitus.com/exploit?id=F7936CEA-A512-502D-A10E-02E54179D6B6
# DirtyFrag Detection Lab

A self-contained detection engineering lab for [DirtyFrag](https://github.com/V4bel/dirtyfrag) โ€” a Linux LPE (2026) that chains `xfrm-ESP` and `RxRPC` page-cache writes for a deterministic root escalation on all major distributions.

## Lab Topology

```mermaid
graph LR
    subgraph PVE["Proxmox VE 8.x  ยท  192.168.X.1"]
        subgraph KALI["Attacker  ยท  Kali Linux 2024.x  ยท  192.168.X.30"]
            K["gcc -O0 -Wall -o /tmp/exp exp.c -lutil\nnmap  ยท  scp  ยท  /tmp/exp"]
        end

        subgraph UBUNTU["Target  ยท  Ubuntu 24.04 LTS  ยท  192.168.X.20"]
            T["Kernel 6.8.0-106-generic  โ†  VULNERABLE\nuser@ubuntu  uid=1000\nโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€\nElastic Agent 8.19.14  ยท  Fleet-enrolled\nauditd_manager integration  ยท  df_* rules"]
        end

        subgraph SIEM["Defender  ยท  Debian 12  ยท  192.168.X.10  (Docker)"]
            S["Elasticsearch 8.19.14\nKibana 8.19.14  ยท  Fleet Server\nlogs-auditd_manager.auditd-*\n134 events captured  ยท  16 alerts fired"]
        end
    end

    K   -->|"run /tmp/exp\nuid=1000 โ†’ uid=0  ~6 s"| T
    T   -->|"134 auditd events / run\nECS via Elastic Agent"| S
    S   -->|"3ร— CRITICAL  ยท  13ร— HIGH"| A["Analyst\nKibana Security โ†’ Alerts"]
```

## Exploit + Detection Chain

```mermaid
sequenceDiagram
    participant EXP  as /tmp/exp (uid=1000)
    participant KRN  as Kernel 6.8.0-106
    participant AUD  as auditd
    participant ES   as Elasticsearch
    participant KIB  as Kibana SIEM

    Note over EXP,KRN: Stage 1 โ€” Namespace (ESP path)
    EXP->>KRN: unshare(CLONE_NEWUSER|CLONE_NEWNET)
    KRN->>AUD: SYSCALL ยท key=df_unshare
    AUD->>ES: logs-auditd_manager.auditd-*
    ES->>KIB: HIGH ยท dirtyfrag-unshare-001

    Note over EXP,KRN: AppArmor blocks unshare on Ubuntu 24.04 โ†’ RxRPC fallback

    Note over EXP,KRN: Stage 2 โ€” RxRPC key (RxRPC path)
    EXP->>KRN: add_key("rxrpc", NULL, NULL, KEY_SPEC_SESSION_KEYRING)
    KRN->>AUD: SYSCALL ยท key=df_add_key

    Note over EXP,KRN: Stage 3 โ€” AF_ALG sockets ร— 3 (RxRPC path)
    EXP->>KRN: socket(AF_ALG=38, SOCK_SEQPACKET, 0) ร— 3
    KRN->>AUD: SYSCALL ยท key=df_af_alg ร— 3
    AUD->>ES: logs-auditd_manager.auditd-*
    ES->>KIB: HIGH ร— 12 ยท Prebuilt "Potential Copy-Fail"

    Note over EXP,KRN: Stage 4 โ€” Page-cache poisoning
    EXP->>KRN: splice() โ†’ /etc/passwd page-cacheplants root::0:0:root:/root:/bin/bash
    KRN->>AUD: SYSCALL ยท key=df_splicePATH  ยท key=df_passwd_write

    Note over EXP,KRN: Stage 5 โ€” Privilege escalation
    EXP->>KRN: execve("/usr/bin/su") [euid=0, auid=1000]
    KRN->>AUD: SYSCALL ยท key=df_uid_transition
    AUD->>ES: logs-auditd_manager.auditd-*
    ES->>KIB: CRITICAL ร— 3 ยท dirtyfrag-suid-su-001

    Note over EXP: uid=0  ยท  root@ubuntu ~#
    Note over KIB: Total: 16 alerts  ยท  3ร— CRITICAL  ยท  13ร— HIGH
```

## Quick Start

### Prerequisites

- Proxmox VE 7.x / 8.x host with internet access
- Ansible 2.14+ on your workstation
- `community.general` and `ansible.posix` Ansible collections

```bash
ansible-galaxy collection install community.general ansible.posix
pip install proxmoxer requests
```

### 1. Configure

```bash
cp deploy/ansible/inventory.yml.example deploy/ansible/inventory.yml
# Edit: set proxmox_host, passwords, network CIDR
```

### 2. Deploy Elastic SIEM

```bash
ansible-playbook deploy/ansible/site.yml --tags elastic-stack
```

### 3. Provision Proxmox VMs

```bash
# Create Ubuntu target VM + Kali VM
ansible-playbook deploy/ansible/site.yml --tags proxmox-vms
```

### 4. Enroll Elastic Agent on target

```bash
ansible-playbook deploy/ansible/site.yml --tags elastic-agent
```

### 5. Import detection rules

```bash
bash detection/elastic/import-rules.sh
```

### 6. Run the exploit

```bash
# From Kali or directly on target
gcc -O0 -Wall -o exp exploit/exp.c -lutil
./exp
# Expected: root@target:~#
```

Check Kibana โ†’ Security โ†’ Alerts. You should see 16+ alerts.

## What Gets Detected

| Rule | Type | Severity | Fires On |
|---|---|---|---|
| Potential Copy Fail (CVE-2026-31431) via AF_ALG | Prebuilt EQL | HIGH | socket(AF_ALG) + splice sequence |
| DirtyFrag - unshare() from Non-Standard Binary | Custom KQL | HIGH | unshare() syscall from non-unshare binary |
| DirtyFrag - Suspicious SUID Privilege Escalation | Custom EQL | CRITICAL | splice โ†’ su (uidโ†’euid=0) |
| DirtyFrag - RxRPC add_key + AF_ALG Sequence | Custom EQL | CRITICAL | Full RxRPC chain |

## Repository Layout

```
.
โ”œโ”€โ”€ README.md
โ”œโ”€โ”€ exploit/
โ”‚   โ””โ”€โ”€ exp.c                      # PoC (V4bel, educational use only)
โ”œโ”€โ”€ docs/
โ”‚   โ”œโ”€โ”€ DirtyFrag.md               # Full technical writeup
โ”‚   โ””โ”€โ”€ DirtyFrag-Detection.md     # Detection engineering guide
โ”œโ”€โ”€ deploy/
โ”‚   โ”œโ”€โ”€ docker/
โ”‚   โ”‚   โ”œโ”€โ”€ docker-compose.yml     # Elastic stack
โ”‚   โ”‚   โ””โ”€โ”€ .env.example
โ”‚   โ””โ”€โ”€ ansible/
โ”‚       โ”œโ”€โ”€ inventory.yml.example
โ”‚       โ”œโ”€โ”€ site.yml               # Master playbook
โ”‚       โ”œโ”€โ”€ group_vars/all.yml
โ”‚       โ””โ”€โ”€ roles/
โ”‚           โ”œโ”€โ”€ elastic-stack/     # Deploy ES+Kibana+Fleet in Docker
โ”‚           โ”œโ”€โ”€ elastic-agent/     # Install + enroll Elastic Agent
โ”‚           โ”œโ”€โ”€ proxmox-vm/        # Create Ubuntu target VM
โ”‚           โ””โ”€โ”€ proxmox-kali/      # Create Kali VM
โ””โ”€โ”€ detection/
    โ”œโ”€โ”€ auditd/
    โ”‚   โ””โ”€โ”€ dirtyfrag.rules        # Auditd rules (deploy via Fleet or directly)
    โ”œโ”€โ”€ elastic/
    โ”‚   โ”œโ”€โ”€ custom-rules/          # Elastic rule JSON exports
    โ”‚   โ””โ”€โ”€ import-rules.sh        # One-shot import script
    โ””โ”€โ”€ sigma/
        โ””โ”€โ”€ dirtyfrag.yml          # Sigma rules (backend-agnostic)
```

## Affected Kernels

- **xfrm-ESP path:** 2017-01-17 (`cac2661c53f3`) โ†’ upstream (โ‰ฅ 6.x)
- **RxRPC path:** 2023-06 (`2dc334f1a63a`) โ†’ upstream
- Both paths required for universal coverage; chain covered by Ubuntu 24.04 (AppArmor blocks ESP, rxrpc available by default)

## Mitigation

```bash
sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' \
  > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; true"
```

## Legal

The PoC is provided for **authorized security testing and detection engineering only**. Do not run on systems you do not own or have explicit written permission to test.

Credits: Original vulnerability and exploit by [Hyunwoo Kim (@v4bel)](https://x.com/v4bel). Detection engineering by Howard Mukanda.