leviathan
a8c8d5ef1f
Two new page-cache-write LPE modules, both ported from the public V12 security PoCs (github.com/v12-security/pocs): - dirtydecrypt (CVE-2026-31635): rxgk missing-COW in-place decrypt. rxgk_decrypt_skb() decrypts spliced page-cache pages before the HMAC check, corrupting the page cache of a read-only file. Sibling of Copy Fail / Dirty Frag in the rxrpc subsystem. - fragnesia (CVE-2026-46300): XFRM ESP-in-TCP skb_try_coalesce() loses the SHARED_FRAG marker, so the ESP-in-TCP receive path decrypts page-cache pages in place. A latent bug exposed by the Dirty Frag fix (f4c50a4034e6). Retires the old _stubs/fragnesia_TBD stub. Both wrap the PoC exploit primitive in the skeletonkey_module interface: detect/exploit/cleanup, an --active /tmp sentinel probe, --no-shell support, and embedded auditd + sigma rules. The exploit body runs in a forked child so the PoC's exit()/die() paths cannot tear down the dispatcher. The fragnesia port drops the upstream PoC's ANSI TUI (incompatible with a shared dispatcher); the exploit mechanism is reproduced faithfully. Linux-only code is guarded with #ifdef __linux__ so the modules still compile on non-Linux dev boxes. VERIFICATION: ported, NOT yet validated end-to-end on a vulnerable-kernel VM. The CVE fix commits are not pinned, so detect() is precondition-only (PRECOND_FAIL / TEST_ERROR, never a blind VULNERABLE) and --auto will not fire them unless --active confirms. macOS stub-path compiles verified locally; the Linux exploit-path build is covered by CI (build.yml, ubuntu) only. See each MODULE.md. Wiring: core/registry.h, skeletonkey.c, Makefile, CVES.md, ROADMAP.md.
46 lines
1.9 KiB
Markdown
46 lines
1.9 KiB
Markdown
# NOTICE — dirtydecrypt
|
|
|
|
## Vulnerability
|
|
|
|
**CVE-2026-31635** — "DirtyDecrypt" / "DirtyCBC". Missing copy-on-write
|
|
guard in `rxgk_decrypt_skb()` (`net/rxrpc/rxgk_common.h`). The function
|
|
calls `skb_to_sgvec()` then `crypto_krb5_decrypt()` with no
|
|
`skb_cow_data()`; the `krb5enc` AEAD template (`crypto/krb5enc.c`)
|
|
decrypts **in place** before verifying the HMAC. When the skb fragment
|
|
pages are page-cache pages (spliced in via `MSG_SPLICE_PAGES` over
|
|
loopback), the in-place decrypt corrupts the page cache of a read-only
|
|
file. The same pattern exists in rxkad (`rxkad_verify_packet_2`).
|
|
|
|
Sibling of Copy Fail (CVE-2026-31431) and Dirty Frag
|
|
(CVE-2026-43284 / CVE-2026-43500) — all are page-cache write
|
|
primitives that abuse a missing COW boundary.
|
|
|
|
## Research credit
|
|
|
|
Discovered and reported by the **Zellic** and **V12 security** team.
|
|
Public proof-of-concept by **Luna Tong** ("cts" / "gf_256"), Zellic
|
|
co-founder, on the V12 team.
|
|
|
|
> Reference PoC: <https://github.com/v12-security/pocs/tree/main/dirtydecrypt>
|
|
|
|
On disclosure (2026-05-09) the kernel maintainers indicated the issue
|
|
duplicated a flaw already patched in mainline; CVE-2026-31635 was
|
|
assigned subsequently.
|
|
|
|
## SKELETONKEY role
|
|
|
|
`skeletonkey_modules.c` is a port of the V12 PoC into the
|
|
`skeletonkey_module` interface. The exploit primitive — the
|
|
`fire()` / `pagecache_write()` sliding-window machinery, the rxgk XDR
|
|
token builder, the 120-byte ET_DYN ELF payload — is reproduced from
|
|
that PoC. SKELETONKEY adds the detect/cleanup lifecycle, an `--active`
|
|
sentinel probe, `--no-shell` support, and the embedded detection
|
|
rules. Research credit belongs to the people above.
|
|
|
|
## Verification status
|
|
|
|
**Ported, not yet validated end-to-end on a vulnerable-kernel VM.**
|
|
The CVE-2026-31635 fix commit is not yet pinned in this module, so
|
|
`detect()` does not perform a kernel-version patched/vulnerable
|
|
verdict — see `MODULE.md`.
|