leviathan/SKELETONKEY
1
0
Fork 0
Code Issues Pull Requests Actions 21 Packages Projects Releases Wiki Activity

Phase 2 (partial): Dirty Pipe DETECT-ONLY module + core/kernel_range

Browse Source 
- core/kernel_range.{c,h}: branch-aware patched-version comparison.
  Every future module needs 'is the host kernel in the affected
  range?'; centralized here. Models stable-branch backports
  (e.g. 5.10.102, 5.15.25) so a 5.15.20 host correctly reports
  VULNERABLE while a 5.15.50 host reports OK.

- modules/dirty_pipe_cve_2022_0847/ (promoted out of _stubs):
  - iamroot_modules.{c,h}: dirty_pipe module exposing detect() that
    parses /proc/version and compares against the four known patched
    branches (5.10.102, 5.15.25, 5.16.11, 5.17+ inherited). Returns
    IAMROOT_OK / IAMROOT_VULNERABLE / IAMROOT_TEST_ERROR with stderr
    hints in human-readable scan mode.
  - exploit() returns IAMROOT_PRECOND_FAIL with a 'not yet
    implemented' message; landing the actual exploit needs Phase 1.5
    extraction of passwd/su helpers into core/.
  - detect/auditd.rules: splice() syscall + passwd/shadow file watches
  - detect/sigma.yml: non-root modification of /etc/passwd|shadow|sudoers

- iamroot.c main() calls iamroot_register_dirty_pipe() alongside
  the copy_fail_family registration.

- Makefile gains the dirty_pipe family as a separate object set.

Verified end-to-end on kctf-mgr (kernel 6.12.86): build clean, 6
modules in --list, --scan correctly reports dirty_pipe as patched,
JSON output ingest-ready.
This commit is contained in:
KaraZajac
2026-05-16 19:51:47 -04:00
parent 19b9162b1d
commit 1552a3bfcb
12 changed files with 363 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files
ROADMAP.md
+18 -7
View File
@@ -33,7 +33,7 @@ commitments.
because there's only one family today; the extraction is
mechanical and lands when a second family arrives.
## Phase 2 — Add Dirty Pipe (CVE-2022-0847)
## Phase 2 — Add Dirty Pipe (CVE-2022-0847) — PARTIAL (DETECT done 2026-05-16)
Public PoC, well-understood, useful for completeness — IAMROOT
without Dirty Pipe is incomplete as a "historical bundle." Affects
@@ -41,12 +41,23 @@ kernels ≤5.16.11/≤5.15.25/≤5.10.102 so coverage is older
deployments (worth bundling — many production boxes still run
these).
- [ ] `modules/dirty_pipe_cve_2022_0847/` — exploit + detect + range
metadata
- [ ] Test matrix: Ubuntu 20.04 (vulnerable kernels), Debian 11
(vulnerable kernels), modern kernels (immune — should detect
as patched)
- [ ] Detection rules: auditd splice/pipe write patterns
- [x] `modules/dirty_pipe_cve_2022_0847/` directory promoted out of
`_stubs/`
- [x] `core/kernel_range.{c,h}` — branch-aware patched-version
comparison (reusable by every future module)
- [x] `dirty_pipe_detect()` — kernel version check against
branch-backport thresholds (5.10.102 / 5.15.25 / 5.16.11 / 5.17+)
- [x] Detection rules: `auditd.rules` (splice() syscall + passwd/shadow
watches) and `sigma.yml` (non-root modification of sensitive files)
- [x] Registered in `iamroot --list` / `--scan` output. Verified on
kernel 6.12.86 → correctly reports OK (patched).
- [ ] **Phase 1.5 / Phase 2 followup**: actual exploit. Needs
extraction of `find_passwd_uid_field` + `try_revert_passwd_page_cache`
+ `exploit_su` into `core/` so dirty_pipe can call them without
duplicating the copy_fail_family helpers.
- [ ] CI matrix: Ubuntu 20.04 with kernel 5.13 (vulnerable),
Debian 11 with 5.10.0-8 (vulnerable), Debian 13 with 6.12.x
(patched — should detect as OK)
## Phase 3 — Add EntryBleed (CVE-2023-0458) as stage-1 leak brick