Share
## https://sploitus.com/exploit?id=F7936CEA-A512-502D-A10E-02E54179D6B6
# DirtyFrag Detection Lab
A self-contained detection engineering lab for [DirtyFrag](https://github.com/V4bel/dirtyfrag) โ a Linux LPE (2026) that chains `xfrm-ESP` and `RxRPC` page-cache writes for a deterministic root escalation on all major distributions.
## Lab Topology
```mermaid
graph LR
subgraph PVE["Proxmox VE 8.x ยท 192.168.X.1"]
subgraph KALI["Attacker ยท Kali Linux 2024.x ยท 192.168.X.30"]
K["gcc -O0 -Wall -o /tmp/exp exp.c -lutil\nnmap ยท scp ยท /tmp/exp"]
end
subgraph UBUNTU["Target ยท Ubuntu 24.04 LTS ยท 192.168.X.20"]
T["Kernel 6.8.0-106-generic โ VULNERABLE\nuser@ubuntu uid=1000\nโโโโโโโโโโโโโโโโโโโโ\nElastic Agent 8.19.14 ยท Fleet-enrolled\nauditd_manager integration ยท df_* rules"]
end
subgraph SIEM["Defender ยท Debian 12 ยท 192.168.X.10 (Docker)"]
S["Elasticsearch 8.19.14\nKibana 8.19.14 ยท Fleet Server\nlogs-auditd_manager.auditd-*\n134 events captured ยท 16 alerts fired"]
end
end
K -->|"run /tmp/exp\nuid=1000 โ uid=0 ~6 s"| T
T -->|"134 auditd events / run\nECS via Elastic Agent"| S
S -->|"3ร CRITICAL ยท 13ร HIGH"| A["Analyst\nKibana Security โ Alerts"]
```
## Exploit + Detection Chain
```mermaid
sequenceDiagram
participant EXP as /tmp/exp (uid=1000)
participant KRN as Kernel 6.8.0-106
participant AUD as auditd
participant ES as Elasticsearch
participant KIB as Kibana SIEM
Note over EXP,KRN: Stage 1 โ Namespace (ESP path)
EXP->>KRN: unshare(CLONE_NEWUSER|CLONE_NEWNET)
KRN->>AUD: SYSCALL ยท key=df_unshare
AUD->>ES: logs-auditd_manager.auditd-*
ES->>KIB: HIGH ยท dirtyfrag-unshare-001
Note over EXP,KRN: AppArmor blocks unshare on Ubuntu 24.04 โ RxRPC fallback
Note over EXP,KRN: Stage 2 โ RxRPC key (RxRPC path)
EXP->>KRN: add_key("rxrpc", NULL, NULL, KEY_SPEC_SESSION_KEYRING)
KRN->>AUD: SYSCALL ยท key=df_add_key
Note over EXP,KRN: Stage 3 โ AF_ALG sockets ร 3 (RxRPC path)
EXP->>KRN: socket(AF_ALG=38, SOCK_SEQPACKET, 0) ร 3
KRN->>AUD: SYSCALL ยท key=df_af_alg ร 3
AUD->>ES: logs-auditd_manager.auditd-*
ES->>KIB: HIGH ร 12 ยท Prebuilt "Potential Copy-Fail"
Note over EXP,KRN: Stage 4 โ Page-cache poisoning
EXP->>KRN: splice() โ /etc/passwd page-cacheplants root::0:0:root:/root:/bin/bash
KRN->>AUD: SYSCALL ยท key=df_splicePATH ยท key=df_passwd_write
Note over EXP,KRN: Stage 5 โ Privilege escalation
EXP->>KRN: execve("/usr/bin/su") [euid=0, auid=1000]
KRN->>AUD: SYSCALL ยท key=df_uid_transition
AUD->>ES: logs-auditd_manager.auditd-*
ES->>KIB: CRITICAL ร 3 ยท dirtyfrag-suid-su-001
Note over EXP: uid=0 ยท root@ubuntu ~#
Note over KIB: Total: 16 alerts ยท 3ร CRITICAL ยท 13ร HIGH
```
## Quick Start
### Prerequisites
- Proxmox VE 7.x / 8.x host with internet access
- Ansible 2.14+ on your workstation
- `community.general` and `ansible.posix` Ansible collections
```bash
ansible-galaxy collection install community.general ansible.posix
pip install proxmoxer requests
```
### 1. Configure
```bash
cp deploy/ansible/inventory.yml.example deploy/ansible/inventory.yml
# Edit: set proxmox_host, passwords, network CIDR
```
### 2. Deploy Elastic SIEM
```bash
ansible-playbook deploy/ansible/site.yml --tags elastic-stack
```
### 3. Provision Proxmox VMs
```bash
# Create Ubuntu target VM + Kali VM
ansible-playbook deploy/ansible/site.yml --tags proxmox-vms
```
### 4. Enroll Elastic Agent on target
```bash
ansible-playbook deploy/ansible/site.yml --tags elastic-agent
```
### 5. Import detection rules
```bash
bash detection/elastic/import-rules.sh
```
### 6. Run the exploit
```bash
# From Kali or directly on target
gcc -O0 -Wall -o exp exploit/exp.c -lutil
./exp
# Expected: root@target:~#
```
Check Kibana โ Security โ Alerts. You should see 16+ alerts.
## What Gets Detected
| Rule | Type | Severity | Fires On |
|---|---|---|---|
| Potential Copy Fail (CVE-2026-31431) via AF_ALG | Prebuilt EQL | HIGH | socket(AF_ALG) + splice sequence |
| DirtyFrag - unshare() from Non-Standard Binary | Custom KQL | HIGH | unshare() syscall from non-unshare binary |
| DirtyFrag - Suspicious SUID Privilege Escalation | Custom EQL | CRITICAL | splice โ su (uidโeuid=0) |
| DirtyFrag - RxRPC add_key + AF_ALG Sequence | Custom EQL | CRITICAL | Full RxRPC chain |
## Repository Layout
```
.
โโโ README.md
โโโ exploit/
โ โโโ exp.c # PoC (V4bel, educational use only)
โโโ docs/
โ โโโ DirtyFrag.md # Full technical writeup
โ โโโ DirtyFrag-Detection.md # Detection engineering guide
โโโ deploy/
โ โโโ docker/
โ โ โโโ docker-compose.yml # Elastic stack
โ โ โโโ .env.example
โ โโโ ansible/
โ โโโ inventory.yml.example
โ โโโ site.yml # Master playbook
โ โโโ group_vars/all.yml
โ โโโ roles/
โ โโโ elastic-stack/ # Deploy ES+Kibana+Fleet in Docker
โ โโโ elastic-agent/ # Install + enroll Elastic Agent
โ โโโ proxmox-vm/ # Create Ubuntu target VM
โ โโโ proxmox-kali/ # Create Kali VM
โโโ detection/
โโโ auditd/
โ โโโ dirtyfrag.rules # Auditd rules (deploy via Fleet or directly)
โโโ elastic/
โ โโโ custom-rules/ # Elastic rule JSON exports
โ โโโ import-rules.sh # One-shot import script
โโโ sigma/
โโโ dirtyfrag.yml # Sigma rules (backend-agnostic)
```
## Affected Kernels
- **xfrm-ESP path:** 2017-01-17 (`cac2661c53f3`) โ upstream (โฅ 6.x)
- **RxRPC path:** 2023-06 (`2dc334f1a63a`) โ upstream
- Both paths required for universal coverage; chain covered by Ubuntu 24.04 (AppArmor blocks ESP, rxrpc available by default)
## Mitigation
```bash
sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' \
> /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; true"
```
## Legal
The PoC is provided for **authorized security testing and detection engineering only**. Do not run on systems you do not own or have explicit written permission to test.
Credits: Original vulnerability and exploit by [Hyunwoo Kim (@v4bel)](https://x.com/v4bel). Detection engineering by Howard Mukanda.