a8c8d5ef1f
Two new page-cache-write LPE modules, both ported from the public V12 security PoCs (github.com/v12-security/pocs):

- dirtydecrypt (CVE-2026-31635): rxgk missing-COW in-place decrypt. rxgk_decrypt_skb() decrypts spliced page-cache pages before the HMAC check, corrupting the page cache of a read-only file. Sibling of Copy Fail / Dirty Frag in the rxrpc subsystem.
- fragnesia (CVE-2026-46300): XFRM ESP-in-TCP skb_try_coalesce() loses the SHARED_FRAG marker, so the ESP-in-TCP receive path decrypts page-cache pages in place. A latent bug exposed by the Dirty Frag fix (f4c50a4034e6). Retires the old _stubs/fragnesia_TBD stub.

Both wrap the PoC exploit primitive in the skeletonkey_module interface: detect/exploit/cleanup, an --active /tmp sentinel probe, --no-shell support, and embedded auditd + sigma rules. The exploit body runs in a forked child so the PoC's exit()/die() paths cannot tear down the dispatcher. The fragnesia port drops the upstream PoC's ANSI TUI (incompatible with a shared dispatcher); the exploit mechanism is reproduced faithfully. Linux-only code is guarded with #ifdef __linux__ so the modules still compile on non-Linux dev boxes.

VERIFICATION: ported, NOT yet validated end-to-end on a vulnerable-kernel VM. The CVE fix commits are not pinned, so detect() is precondition-only (PRECOND_FAIL / TEST_ERROR, never a blind VULNERABLE) and --auto will not fire them unless --active confirms. macOS stub-path compiles verified locally; the Linux exploit-path build is covered by CI (build.yml, ubuntu) only. See each MODULE.md.

Wiring: core/registry.h, skeletonkey.c, Makefile, CVES.md, ROADMAP.md.
31 lines
855 B
YAML
title: Possible Fragnesia exploitation (CVE-2026-46300)
id: 9b3d2e71-skeletonkey-fragnesia
status: experimental
description: |
    Detects the file-modification footprint of the Fragnesia XFRM
    ESP-in-TCP page-cache write (CVE-2026-46300): non-root modification
    of a setuid-root binary or credential file, typically inside a
    freshly created user + network namespace.
references:
    - https://github.com/v12-security/pocs/tree/main/fragnesia
    - https://lists.openwall.net/netdev/2026/05/13/79
logsource:
    product: linux
    service: auditd
detection:
    modification:
        type: 'PATH'
        # Prefix match: '/usr/bin/su' and '/bin/su' also match sudo and any
        # other name beginning with "su" in those directories.
        name|startswith:
            - '/usr/bin/su'
            - '/bin/su'
            - '/etc/passwd'
            - '/etc/shadow'
    root_auid:
        # Login uid of the session; 0 means the session was started by root.
        auid: 0
    # Sigma has no 'expression' modifier, so "auid != 0" is expressed by
    # negating the root_auid selection in the condition.
    condition: modification and not root_auid
level: high
tags:
    - attack.privilege_escalation
    - attack.t1068
    - cve.2026.46300
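An added example, not the repository's code, that applies this rule's logic to raw auditd lines. An auditd PATH record carries the file name while the SYSCALL record of the same event carries auid, so the two are joined on the event serial before the prefix and auid checks; the sample log lines are constructed.

```python
import re
from collections import defaultdict

# Same file prefixes the sigma rule watches; str.startswith accepts the tuple.
WATCHED_PREFIXES = ("/usr/bin/su", "/bin/su", "/etc/passwd", "/etc/shadow")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r"msg=audit\(\d+\.\d+:(\d+)\)")

# Constructed sample auditd lines (not real captures): event 42 is a non-root
# session touching /etc/passwd, 43 is root editing /etc/shadow, 44 lacks SYSCALL.
SAMPLE_LOG = [
    'type=SYSCALL msg=audit(1700000000.123:42): arch=c000003e syscall=257 '
    'success=yes exit=3 auid=1000 uid=1000 comm="fragnesia" exe="/tmp/fragnesia"',
    'type=PATH msg=audit(1700000000.123:42): item=0 name="/etc/passwd" '
    'inode=1234 mode=0100644 nametype=NORMAL',
    'type=SYSCALL msg=audit(1700000000.125:43): arch=c000003e syscall=257 '
    'success=yes exit=3 auid=0 uid=0 comm="vi" exe="/usr/bin/vi"',
    'type=PATH msg=audit(1700000000.125:43): item=0 name="/etc/shadow" '
    'inode=1235 mode=0100640 nametype=NORMAL',
    'type=PATH msg=audit(1700000000.130:44): item=0 name="/usr/bin/su" '
    'inode=99 mode=0104755 nametype=NORMAL',
]


def parse_record(line):
    """Return (event serial, {field: value}) for one auditd line."""
    m = SERIAL_RE.search(line)
    if not m:
        return None, {}
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    return m.group(1), fields


def find_hits(lines):
    """Join PATH/SYSCALL records per event; return [(serial, auid, name)] hits."""
    events = defaultdict(lambda: {"paths": [], "auid": None})
    for line in lines:
        serial, f = parse_record(line)
        if f.get("type") == "PATH" and "name" in f:
            events[serial]["paths"].append(f["name"])
        elif f.get("type") == "SYSCALL" and "auid" in f:
            events[serial]["auid"] = int(f["auid"])
    hits = []
    for serial, ev in events.items():
        if ev["auid"] in (None, 0):
            continue  # root session, or no SYSCALL record to attribute the write
        hits.extend((serial, ev["auid"], n) for n in ev["paths"]
                    if n.startswith(WATCHED_PREFIXES))
    return hits
```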