diff --git a/CVES.md b/CVES.md index 9b49e14..ca84a69 100644 --- a/CVES.md +++ b/CVES.md @@ -23,7 +23,7 @@ Status legend: - ๐Ÿ”ด **DEPRECATED** โ€” fully patched everywhere relevant; kept for historical reference only -**Counts (v0.2.0):** ๐ŸŸข 13 ยท ๐ŸŸก 7 (all `--full-chain` capable) ยท ๐Ÿ”ต 0 ยท โšช 1 ยท ๐Ÿ”ด 0 +**Counts (v0.3.0):** ๐ŸŸข 13 ยท ๐ŸŸก 11 (all `--full-chain` capable) ยท ๐Ÿ”ต 0 ยท โšช 1 ยท ๐Ÿ”ด 0 ## Inventory 
@@ -50,6 +50,10 @@ Status legend: | CVE-2022-0185 | legacy_parse_param fsconfig heap OOB โ†’ container-escape | LPE (cross-cache UAF โ†’ cred overwrite from rootless container) | mainline 5.16.2 (Jan 2022) | `fuse_legacy` | ๐ŸŸก | userns+mountns reach, fsopen("cgroup2") + double fsconfig SET_STRING fires the 4k OOB, msg_msg cross-cache groom in kmalloc-4k, MSG_COPY read-back detects whether the OOB landed in an adjacent neighbour. Stops before the m_ts overflow โ†’ MSG_COPY arbitrary read chain (scaffold present, no per-kernel offsets). **Container-escape angle** โ€” relevant to rootless docker/podman/snap. Branch backports: 5.16.2 / 5.15.14 / 5.10.91 / 5.4.171. | | CVE-2023-3269 | StackRot โ€” maple-tree VMA-split UAF | LPE (kernel R/W via maple node use-after-RCU) | mainline 6.4-rc4 (Jul 2023) | `stackrot` | ๐ŸŸก | Two-thread race driver (MAP_GROWSDOWN + mremap rotation vs fork+fault) with cpu pinning + 3 s budget; kmalloc-192 spray for anon_vma/anon_vma_chain; race-iteration + signal breadcrumb. Honest reliability note in module header: **~<1% race-win/run on a vulnerable kernel** โ€” the public PoC averages minutes-to-hours and needs a much wider VMA staging matrix to be reliable. Useful as a "is the maple-tree path reachable here?" probe. Branch backports: 6.4.4 / 6.3.13 / 6.1.37. | | CVE-2020-14386 | AF_PACKET tpacket_rcv VLAN integer underflow | LPE (heap OOB write via crafted frame) | mainline 5.9 (Sep 2020) | `af_packet2` | ๐ŸŸก | Sibling of CVE-2017-7308; tp_reserve underflow + sendmmsg skb spray + slab-delta witness. PRIMITIVE-DEMO scope (no cred overwrite). Branch backports: 5.8.7 / 5.7.16 / 5.4.62 / 4.19.143 / 4.14.197 / 4.9.235. Or Cohen's disclosure. Shares `iamroot-af-packet` audit key with CVE-2017-7308. | +| CVE-2023-32233 | nf_tables anonymous-set UAF | LPE (kernel UAF in nft_set transaction) | mainline 6.4-rc4 (May 2023) | `nft_set_uaf` | ๐ŸŸก | Sondej+Krysiuk. 
Hand-rolled nfnetlink batch (NEWTABLE โ†’ NEWCHAIN โ†’ NEWSET(ANON\|EVAL) โ†’ NEWRULE(lookup) โ†’ DELSET โ†’ DELRULE) drives the deactivation skip; cg-512 msg_msg cross-cache spray. Branch backports: 4.19.283 / 5.4.243 / 5.10.180 / 5.15.111 / 6.1.28 / 6.2.15 / 6.3.2. --full-chain forges freed-set with `set->data = kaddr`. | +| CVE-2023-4622 | AF_UNIX garbage-collector race UAF | LPE (slab UAF, plain unprivileged) | mainline 6.6-rc1 (Aug 2023) | `af_unix_gc` | ๐ŸŸก | Lin Ma. Two-thread race driver: SCM_RIGHTS cycle vs unix_gc trigger; kmalloc-512 (SLAB_TYPESAFE_BY_RCU) refill via msg_msg. **Widest deployment of any module โ€” bug exists since 2.x.** No userns required. Branch backports: 4.14.326 / 4.19.295 / 5.4.257 / 5.10.197 / 5.15.130 / 6.1.51 / 6.5.0. | +| CVE-2022-25636 | nft_fwd_dup_netdev_offload heap OOB | LPE (kernel R/W via offload action[] OOB) | mainline 5.17 / 5.16.11 (Feb 2022) | `nft_fwd_dup` | ๐ŸŸก | Aaron Adams (NCC). NFT_CHAIN_HW_OFFLOAD chain + 16 immediates + fwd writes past action.entries[1]. msg_msg kmalloc-512 spray. Branch backports: 5.4.181 / 5.10.102 / 5.15.25 / 5.16.11. | +| CVE-2023-0179 | nft_payload set-id memory corruption | LPE (regs->data[] OOB R/W) | mainline 6.2-rc4 / 6.1.6 (Jan 2023) | `nft_payload` | ๐ŸŸก | Davide Ornaghi. NFTA_SET_DESC variable-length element + NFTA_SET_ELEM_EXPRESSIONS payload-set whose verdict.code drives the OOB. Dual cg-96 + 1k spray. Branch backports: 4.14.302 / 4.19.269 / 5.4.229 / 5.10.163 / 5.15.88 / 6.1.6. | | CVE-TBD | Fragnesia (ESP shared-frag in-place encrypt) | LPE (page-cache write) | mainline TBD | `_stubs/fragnesia_TBD` | โšช | Stub. Per `findings/audit_leak_write_modprobe_backups_2026-05-16.md`, requires CAP_NET_ADMIN in userns netns โ€” may or may not be in-scope depending on target environment. | ## Operations supported per module 
@@ -78,6 +82,10 @@ Symbols: โœ“ = supported, โ€” = not applicable / no automated path. | af_packet2 | โœ“ | โœ“ (primitive) | โ€” (upgrade kernel) | โ€” | โœ“ (auditd, shared key) | | fuse_legacy | โœ“ | โœ“ (primitive) | โ€” (upgrade kernel) | โœ“ (queue drain) | โœ“ (auditd) | | stackrot | โœ“ | โœ“ (race) | โ€” (upgrade kernel) | โœ“ (log unlink) | โœ“ (auditd) | +| nft_set_uaf | โœ“ | โœ“ (primitive) | โ€” (upgrade kernel) | โœ“ (queue drain) | โœ“ (auditd + sigma) | +| af_unix_gc | โœ“ | โœ“ (race) | โ€” (upgrade kernel) | โœ“ (queue drain) | โœ“ (auditd) | +| nft_fwd_dup | โœ“ | โœ“ (primitive) | โ€” (upgrade kernel) | โœ“ (queue drain) | โœ“ (auditd) | +| nft_payload | โœ“ | โœ“ (primitive) | โ€” (upgrade kernel) | โœ“ (queue drain) | โœ“ (auditd + sigma) | ## Pipeline for additions diff --git a/README.md b/README.md index 43b0e94..67b03a9 100644 --- a/README.md +++ b/README.md 
@@ -94,20 +94,21 @@ The same binary covers offense and defense: ## Status -**Active โ€” v0.2.0 cut 2026-05-16.** Corpus covers **20 modules** +**Active โ€” v0.3.0 cut 2026-05-16.** Corpus covers **24 modules** across the 2016 โ†’ 2026 LPE timeline: - ๐ŸŸข **13 modules land root** end-to-end on a vulnerable host (copy_fail family ร—5, dirty_pipe, entrybleed leak, pwnkit, overlayfs CVE-2021-3493, dirty_cow, ptrace_traceme, cgroup_release_agent, overlayfs_setuid CVE-2023-0386). -- ๐ŸŸก **7 modules fire the kernel primitive** by default and refuse to - claim root without empirical confirmation. Pass `--full-chain` to - engage the shared `modprobe_path` finisher and attempt root pop โ€” - requires kernel offsets via env vars / `/proc/kallsyms` / +- ๐ŸŸก **11 modules fire the kernel primitive** by default and refuse + to claim root without empirical confirmation. Pass `--full-chain` + to engage the shared `modprobe_path` finisher and attempt root + pop โ€” requires kernel offsets via env vars / `/proc/kallsyms` / `/boot/System.map`; see [`docs/OFFSETS.md`](docs/OFFSETS.md). - Modules: af_packet, af_packet2, cls_route4, fuse_legacy, nf_tables, - netfilter_xtcompat, stackrot. + Modules: af_packet, af_packet2, af_unix_gc, cls_route4, + fuse_legacy, nf_tables, netfilter_xtcompat, nft_fwd_dup, + nft_payload, nft_set_uaf, stackrot. - Detection rules ship inline (auditd / sigma / yara / falco) and are exported via `iamroot --detect-rules --format=โ€ฆ`. diff --git a/iamroot.c b/iamroot.c index bee9874..87abd9e 100644 --- a/iamroot.c +++ b/iamroot.c @@ -25,7 +25,7 @@ #include #include -#define IAMROOT_VERSION "0.2.0" +#define IAMROOT_VERSION "0.3.0" static const char BANNER[] = "\n"
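Review bot: the counts line in the first CVES.md hunk should state how the white (stub) entry is counted, because green 13 + yellow 11 + white 1 sums to 25 while the README hunk in this same patch says the corpus covers 24 modules. The v0.2.0 line had the same gap (13 + 7 + 1 = 21 against "20 modules"), so this is pre-existing, but since the line is being touched anyway, write it as "24 modules + 1 stub" (or note next to the counts that `_stubs/fragnesia_TBD` is excluded from the module total) so the two files agree by inspection.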
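Review bot: the "first fixed" column of the new CVE-2023-32233 row gives `mainline 6.4-rc4 (May 2023)`, while the existing CVE-2023-3269 row directly above it gives `mainline 6.4-rc4 (Jul 2023)`; the same rc cannot carry both dates, so please re-check which mainline tag first carried the anonymous-set fix. Apply the same check to the CVE-2023-4622 row, which pairs `mainline 6.6-rc1` with a `6.5.0` backport: 6.5.0 was released before 6.6-rc1 existed, so that entry is presumably a 6.5.y point release. Separately, the three new nft rows (CVE-2023-32233, CVE-2022-25636, CVE-2023-0179) say nothing about the privilege needed to reach nfnetlink, whereas the fuse_legacy row states `userns+mountns reach`, the af_unix_gc row states `No userns required`, and the Fragnesia stub explicitly flags CAP_NET_ADMIN in a userns netns as a scoping question; add the equivalent reach note to each nft row so the container-escape relevance can be read off the table. Minor style point: the new rows list branch backports ascending (4.19.283 / 5.4.243 / …) while the existing rows list them descending (5.16.2 / 5.15.14 / …).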
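Review bot: in the operations-table hunk the new nft_fwd_dup row lists detection as auditd only, while its siblings nft_set_uaf and nft_payload get "auditd + sigma"; all three drive nf_tables through nfnetlink, so either the sigma rule for nft_fwd_dup is missing or the reason it has none should be stated in the cell. Related: the af_packet2 row marks its detection as "auditd, shared key" because it reuses the `iamroot-af-packet` audit key with af_packet, but nothing says whether the three nft modules share an audit key with the existing nf_tables module; if they do, mark them the same way so operators know one rule covers several modules.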
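Review bot: the cut date in the README status hunk was not bumped: the new line reads `v0.3.0 cut 2026-05-16`, the same date the removed line gave for v0.2.0. If both versions really were cut on the same day that is fine, but then the two tags should at least be distinguishable in the changelog; otherwise update the date. The rest of the hunk is consistent with CVES.md (the green list enumerates 13 modules, the yellow list 11).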
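Review bot: `IAMROOT_VERSION` in the iamroot.c hunk is the third copy of the version string bumped by hand in this patch (iamroot.c, README.md, CVES.md), and the module counts are edited by hand in two more places; consider making the define the single source, for example a CI check that runs the binary with its version flag and greps README.md and CVES.md for that exact string, so a future bump cannot leave one copy stale (the unchanged cut date in the README hunk shows how easily a by-hand bump misses a field).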