Skip to content

Adds module for DirtyClone variant (CVE-2026-43503)#21613

Open
eipoverflow wants to merge 5 commits into
rapid7:masterfrom
eipoverflow:exploit/linux/cve-2026-43503
Open

Adds module for DirtyClone variant (CVE-2026-43503)#21613
eipoverflow wants to merge 5 commits into
rapid7:masterfrom
eipoverflow:exploit/linux/cve-2026-43503

Conversation

@eipoverflow

@eipoverflow eipoverflow commented Jun 28, 2026

Copy link
Copy Markdown

Additional member of family bigger than Culkin family. Adds module for DirtyClone vulnerability (CVE-2026-43503), which is a variant of DirtyFrag vulnerability. DirtyClone is a Linux kernel local privilege escalation vulnerability
related to the DirtyFrag family of page-cache corruption bugs. The root cause is in
__pskb_copy_fclone(): when the xt_TEE netfilter target clones an ESP-in-UDP packet,
the clone has the SKBFL_SHARED_FRAG flag stripped. This causes esp_input() to
decrypt the clone's payload in-place, directly mutating the page-cache page that was
spliced into the packet — even if that page backs a read-only or immutable on-disk file
(e.g. a setuid binary). The on-disk file is left unchanged while the corrupted in-memory
view is immediately visible to all processes reading from the page cache.

Kernel versions up to 7.1-rc4 are vulnerable. The fix landed in 7.1-rc5.

  • Note: When testing on Ubuntu machine, you need to enable unprivileged user namespaces:
    sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0

@msutovsky-r7 msutovsky-r7 added module needs-docs rn-modules release notes for new or majorly enhanced modules labels Jun 28, 2026
@github-actions

Copy link
Copy Markdown

Thanks for your pull request! Before this can be merged, we need the following documentation for your module:

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds a new (WIP) Linux local privilege escalation exploit module for a DirtyClone/DirtyFrag-family page-cache write vulnerability (CVE-2026-43503), along with the corresponding C exploit source stored under data/exploits/.

Changes:

  • Introduces a new local exploit module scaffold (dirtyclone_cve_2026_43503) wired for live-compilation of a C exploit.
  • Adds a C proof-of-concept exploit that targets /usr/bin/su via an ESP-in-UDP/XFRM-driven page-cache corruption technique.

Impact Analysis:

  • Blast radius: medium; affects only users who run this new module and any target systems it is executed against (local privilege escalation path).
  • Data and contract effects: none identified; no schema/payload contracts changed, but the exploit path can corrupt a SUID binary in page cache.
  • Rollback and test focus: rollback is straightforward (remove the new module + data file); highest-value validation is (1) check accuracy (no false positives), (2) successful payload execution path, and (3) behavior when live compilation is disabled.

Reviewed changes

Copilot reviewed 2 out of 3 changed files in this pull request and generated 8 comments.

File Description
modules/exploits/linux/local/dirtyclone_cve_2026_43503.rb Adds the new local exploit module (currently WIP; check/payload/option handling needs work).
data/exploits/CVE-2026-43503/cve-2026-43503.c Adds the C exploit source used by the module (currently hardcodes /usr/bin/su).

Comment on lines +93 to +102
if live_compile?
exploit_c = exploit_data("CVE-2026-43503", "cve-2026-43503.c")
vprint_status("Compiling exploit live on target")
upload_and_compile(exploit_file, exploit_c)
vprint_status("Exploit in #{exploit_file}")
end

exploit_response = cmd_exec("#{exploit_file} -v")

vprint_status("#{exploit_response}")

vprint_status("#{exploit_response}")

cmd_exec("echo -n #{Base64.strict_encode64(payload.encoded)} | base64 -d | /usr/bin/su")
Comment on lines +75 to +77
def check
CheckCode::Appears("Target is vulnerable")
end
Comment on lines +34 to +38
'Name' => 'Sample Linux Priv Esc',
'Description' => %q{
This exploit module illustrates how a vulnerability could be exploited
in an linux command for priv esc.
},
Comment on lines +50 to +53
'References' => [
[ 'URL', 'http://www.example.com'],
[ 'CVE', '2026-43503']
],
Comment on lines +64 to +73
register_advanced_options [
OptString.new('WRITABLEDIR', [ true, 'A directory where we can write files', '/tmp' ]),
OptString.new('SUID_BINARY_PATH', [ true, '', '/usr/bin/su' ])
]
end

# Simplify pulling the writable directory variable
def base_dir
datastore['WRITABLEDIR'].to_s
end
Comment on lines +37 to +43
#define ENC_PORT 4500
#define SEQ_VAL 200
#define REPLAY_SEQ 100
#define TARGET_PATH "/usr/bin/su"
#define PATCH_OFFSET 0 /* Overwrite the whole ELF starting at file[0]. */
#define PAYLOAD_LEN 192 /* Bytes of shell_elf to write (48 triggers). */
#define ENTRY_OFFSET 0x78 /* Shellcode entry inside the new ELF. */
Comment on lines +6 to +8
class MetasploitModule < Msf::Exploit::Local
Rank = NormalRanking # https://docs.metasploit.com/docs/using-metasploit/intermediate/exploit-ranking.html

@msutovsky-r7 msutovsky-r7 changed the title WIP: Adds module for DirtyClone variant (CVE-2026-43503) Adds module for DirtyClone variant (CVE-2026-43503) Jul 1, 2026
@msutovsky-r7 msutovsky-r7 marked this pull request as ready for review July 1, 2026 09:17
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

docs module rn-modules release notes for new or majorly enhanced modules

Projects

Status: Todo

Development

Successfully merging this pull request may close these issues.

4 participants