diff --git a/fragnesia/README.md b/fragnesia/README.md index eae6a9b..45b85be 100644 --- a/fragnesia/README.md +++ b/fragnesia/README.md @@ -1,8 +1,14 @@ # Fragnesia +

+fragnesia logo +

+ ## Abstract -Fragnesia is a universal Linux local privilege escalation exploit, discovered by [William Bowling](https://x.com/wcbowling?lang=en) with the [V12 team](https://x.com/v12sec). Fragnesia is a member of the [Dirty Frag vulnerability class](https://github.com/V4bel/dirtyfrag/tree/master). This is a **separate bug** in the ESP/XFRM from dirtyfrag which has received [its own patch](https://lists.openwall.net/netdev/2026/05/13/79). However, it is in the same surface and the mitigation is the same as for dirtyfrag. +https://github.com/user-attachments/assets/d8cdf3ad-2874-4a92-9a2e-46ae6e9a6761 + +Fragnesia is a universal Linux local privilege escalation exploit, discovered with [V12](https://v12.sh) by [William Bowling](https://x.com/wcbowling?lang=en) with the [V12 team](https://x.com/v12sec). Fragnesia is a member of the [Dirty Frag](https://github.com/V4bel/dirtyfrag) vulnerability class. This is a **separate bug** in the ESP/XFRM from dirtyfrag which has received [its own patch](https://lists.openwall.net/netdev/2026/05/13/79). However, it is in the same surface and the mitigation is the same as for dirtyfrag. It abuses a logic bug in the Linux XFRM ESP-in-TCP subsystem to achieve arbitrary byte writes into the kernel page cache of read-only files, without requiring any race condition. 
@@ -10,6 +16,10 @@ The technique extends the page-cache write bug class that includes Dirty Pipe: w The exploit builds a 256-entry lookup table mapping each possible keystream byte to its corresponding nonce, then iterates over a payload, firing the splice/ULP race for each byte that needs changing. It writes a small position-independent ELF stub (setresuid/setresgid/execve `/bin/sh`) over the first 192 bytes of `/usr/bin/su` in the page cache, then calls `execve("/usr/bin/su")` to obtain a root shell. The page cache modification is not backed to disk; the on-disk binary is untouched. +## "Fragnesia"? + +Yes, because the core bug is: the skb “forgets” that a frag is shared during coalescing. + ## Exploitation **One-line special:** @@ -49,7 +59,9 @@ printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/fal All versions affected by dirtyfrag are affected. -Any versions without this patch: https://lists.openwall.net/netdev/2026/05/13/79, so any Linux kernel before May 13 2026. +Any versions without this patch: https://lists.openwall.net/netdev/2026/05/13/79, so Linux kernels before May 13 2026. + +Confirmed working on `Linux localhost 6.8.0-111-generic #111-Ubuntu SMP PREEMPT_DYNAMIC Sat Apr 11 23:16:02 UTC 2026 x86_64 x86_64 x86_64 GNU/Linux` (vps purchased from Linode) ## How It Works
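Review bot: The added abstract sentence in the first hunk says the bug gives page-cache writes "without requiring any race condition", but the unchanged paragraph at the top of the second hunk describes the exploit "firing the splice/ULP race for each byte that needs changing"; these two statements should be reconciled (for example by saying the write primitive itself needs no race while the per-byte loop still relies on one, or by dropping whichever claim is inaccurate), since readers assessing reliability of detection and mitigation will read them as contradictory. The same sentence also reads "discovered with [V12](https://v12.sh) by [William Bowling](...) with the [V12 team](...)", which repeats the attribution; "discovered by William Bowling with the V12 team (v12.sh)" says the same thing once. Finally, the new `https://github.com/user-attachments/assets/...` line and the `fragnesia logo` line carry no label or image syntax as they appear here; a short lead-in such as "Demo:" for the video, and proper image markup for the logo if that is what it is meant to be, would make the rendered README clearer.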
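Review bot: The new `## "Fragnesia"?` section in the second hunk is inserted between the technical description of the page-cache write and `## Exploitation`, so it interrupts the flow from mechanism to usage; it would sit better directly after the Abstract, or its one-sentence root cause (the skb "forgets" that a frag is shared during coalescing) could be folded into `## How It Works`, which is where a reader looking for the actual bug will look. Minor style point in the same hunk: the added sentence uses curly quotes around “forgets” while the heading and the rest of the file use straight quotes; keep one style.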
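Review bot: In the third hunk the affected-versions line still ties exposure to a date ("so Linux kernels before May 13 2026"), but what matters is whether a given kernel build contains the linked netdev patch: a distribution kernel built after that date may not have backported it, and a stable branch updated later may. Suggest wording it as "any kernel build without this patch (https://lists.openwall.net/netdev/2026/05/13/79), regardless of build date; check your distribution's changelog for the backport" so defenders do not assume a post-May-13 build is safe. For the added "Confirmed working on" line, `6.8.0-111-generic` is a distribution-specific build, so naming the Ubuntu release it came from would make the result reproducible; the hostname `localhost` in the uname output adds nothing and can be trimmed, and "vps" should be "VPS".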