leviathan/SKELETONKEY
1
0
Fork 0
Code Issues Pull Requests Actions 21 Packages Projects Releases Wiki Activity

Phase 2 complete: Dirty Pipe full exploit (page-cache UID flip → su)

Browse Source 
- Implements the Dirty Pipe primitive: prepare_pipe() fills+drains a
  pipe to plant the stale PIPE_BUF_FLAG_CAN_MERGE flag in every
  pipe_buffer slot; dirty_pipe_write() splices 1 byte from the target
  file at offset-1 (seeding the slot with the file's page) then write()s
  the payload, which the buggy kernel merges back into the page cache.
- find_passwd_uid_field() + revert_passwd_page_cache() inlined in the
  module. Two-of-two duplication acceptable; extraction into core/host
  triggers when a third module needs the same helpers (Phase 1.5).
- dirty_pipe_exploit() resolves current euid via getpwuid, locates the
  user's UID field in /etc/passwd, replaces it with same-length zeros
  ('0000' for a 4-digit UID), then execlp's su <user> -c /bin/sh.
  Auto-refuses if detect() reports patched. --no-shell mode plants the
  write and returns. Cleanup mode evicts /etc/passwd from page cache.
- _GNU_SOURCE redefine warning fixed: cmdline -D already passes it.

Verified end-to-end on kernel 6.12.86 (patched):
  iamroot --scan      → dirty_pipe reports OK (patched)
  iamroot --exploit dirty_pipe --i-know → refuses cleanly
CI-validation against vulnerable kernel (Ubuntu 20.04 / 5.13) is Phase 4.

CVES.md: dirty_pipe 🔵🟢. ROADMAP.md: Phase 2 marked complete.
This commit is contained in:
KaraZajac
2026-05-16 20:02:02 -04:00
parent cee368d5a4
commit 5a0aef12d0
3 changed files with 249 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files
ROADMAP.md
+10 -5
View File
@@ -51,13 +51,18 @@ these).
watches) and `sigma.yml` (non-root modification of sensitive files)
- [x] Registered in `iamroot --list` / `--scan` output. Verified on
kernel 6.12.86 → correctly reports OK (patched).
- [ ] **Phase 1.5 / Phase 2 followup**: actual exploit. Needs
extraction of `find_passwd_uid_field` + `try_revert_passwd_page_cache`
+ `exploit_su` into `core/` so dirty_pipe can call them without
duplicating the copy_fail_family helpers.
- [x] **Phase 2 complete (2026-05-16)**: full exploit landed. Inline
passwd-UID and page-cache-revert helpers in the module (~80 lines).
Extraction into `core/host` is Phase 1.5 work — deferred until a
third module needs the same helpers. (Two-of-two duplication is
acceptable; three-of-three triggers extraction.)
- [x] Exploit refuses to fire when detect() reports patched (verified
end-to-end on kernel 6.12.86 — refuses cleanly).
- [x] Cleanup function (`dirty_pipe --cleanup`) added: evicts
/etc/passwd via POSIX_FADV_DONTNEED + drop_caches.
- [ ] CI matrix: Ubuntu 20.04 with kernel 5.13 (vulnerable),
Debian 11 with 5.10.0-8 (vulnerable), Debian 13 with 6.12.x
(patched — should detect as OK)
(patched — should detect as OK). Phase 4 work.
## Phase 3 — EntryBleed (CVE-2023-0458) as stage-1 leak brick (DONE 2026-05-16)