diff --git a/README.md b/README.md index 477f497..a0c470b 100644 --- a/README.md +++ b/README.md @@ -2,11 +2,11 @@ [![Latest release](https://img.shields.io/github/v/release/KaraZajac/SKELETONKEY?label=release)](https://github.com/KaraZajac/SKELETONKEY/releases/latest) [![License: MIT](https://img.shields.io/badge/license-MIT-blue.svg)](LICENSE) -[![Modules](https://img.shields.io/badge/CVEs-27%20VM--verified%20%2F%2034-brightgreen.svg)](docs/VERIFICATIONS.jsonl) +[![Modules](https://img.shields.io/badge/CVEs-28%20VM--verified%20%2F%2034-brightgreen.svg)](docs/VERIFICATIONS.jsonl) [![Platform: Linux](https://img.shields.io/badge/platform-linux-lightgrey.svg)](#) > **One curated binary. 39 Linux LPE modules covering 34 CVEs from 2016 → 2026. -> Every year 2016 → 2026 covered. 27 confirmed end-to-end against real Linux +> Every year 2016 → 2026 covered. 28 confirmed end-to-end against real Linux > VMs via `tools/verify-vm/`. Detection rules in the box. One command picks > the safest one and runs it.** @@ -45,10 +45,10 @@ for every CVE in the bundle — same project for red and blue teams. ## Corpus at a glance **39 modules covering 34 distinct CVEs** across the 2016 → 2026 LPE -timeline. **27 of the 34 CVEs have been empirically verified** in real -Linux VMs via `tools/verify-vm/`; the 7 still-pending entries are +timeline. **28 of the 34 CVEs have been empirically verified** in real +Linux VMs via `tools/verify-vm/`; the 6 still-pending entries are blocked by their target environment (legacy hypervisor, EOL kernel, or -not-yet-shipped Linux 7.0), not by missing code. +the t64-transition libc rollout), not by missing code. | Tier | Count | What it means | |---|---|---| 
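Review bot: the new README copy in these two hunks ("28 confirmed end-to-end", "28 of the 34 CVEs have been empirically verified") counts the dirtydecrypt record, which per the verifications.c and VERIFICATIONS.jsonl entries in this same change is `expect_detect: OK` / `actual_detect: OK` on 6.19.7, a kernel the targets.yaml note says predates the bug. That verifies only that detect() does not false-positive on an unaffected kernel; it says nothing about the module's exploit path, so "confirmed end-to-end" overstates what the record shows. Suggest either a separate counter for negative-path checks or wording this entry as "detect() verified (OK path)". The "not by missing code" clause in the second hunk should also still mention that the dirtydecrypt VULNERABLE path needs a hand-built 7.0-rc kernel, since that is the rationale the targets.yaml notes give.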
@@ -66,7 +66,7 @@ af_packet · af_packet2 · af_unix_gc · cls_route4 · fuse_legacy · nf_tables · nft_set_uaf · nft_fwd_dup · nft_payload · netfilter_xtcompat · stackrot · sudo_samedit · sequoia · vmwgfx -### Empirical verification (27 of 34 CVEs) +### Empirical verification (28 of 34 CVEs) Records in [`docs/VERIFICATIONS.jsonl`](docs/VERIFICATIONS.jsonl) prove each verdict against a known-target VM. Coverage: 
@@ -75,18 +75,19 @@ each verdict against a known-target VM. Coverage: |---|---| | Ubuntu 18.04 (4.15.0, sudo 1.8.21p2) | af_packet · ptrace_traceme · sudo_samedit · sudo_runas_neg1 | | Ubuntu 20.04 (5.4.0-26 pinned + 5.15 HWE) | af_packet2 · cls_route4 · nft_payload · overlayfs · pwnkit · sequoia · tioscpgrp | -| Ubuntu 22.04 (5.15 stock + mainline 5.15.5 / 6.1.10) | af_unix_gc · dirty_pipe · entrybleed · nf_tables · nft_set_uaf · nft_pipapo · overlayfs_setuid · stackrot · sudoedit_editor · sudo_chwoot | +| Ubuntu 22.04 (5.15 stock + mainline 5.15.5 / 6.1.10 / 6.19.7) | af_unix_gc · dirty_pipe · dirtydecrypt · entrybleed · nf_tables · nft_set_uaf · nft_pipapo · overlayfs_setuid · stackrot · sudoedit_editor · sudo_chwoot | | Debian 11 (5.10 stock) | cgroup_release_agent · fuse_legacy · netfilter_xtcompat · nft_fwd_dup | | Debian 12 (6.1 stock + udisks2 / polkit allow rule) | pack2theroot · udisks_libblockdev | -**Not yet verified (7):** `vmwgfx` (VMware-guest-only — no public Vagrant +**Not yet verified (6):** `vmwgfx` (VMware-guest-only — no public Vagrant box), `dirty_cow` (needs ≤ 4.4 kernel — older than every supported box), `mutagen_astronomy` (mainline 4.14.70 kernel-panics on Ubuntu 18.04 rootfs — needs CentOS 6 / Debian 7), `pintheft` & `vsock_uaf` (kernel -modules not loaded on common Vagrant boxes), `dirtydecrypt` & `fragnesia` -(need Linux 7.0 — not shipping as any distro kernel yet). All seven are -flagged in [`tools/verify-vm/targets.yaml`](tools/verify-vm/targets.yaml) -with rationale. +modules not loaded on common Vagrant boxes), `fragnesia` (mainline 7.0.5 +kernel .debs depend on the t64-transition libs from Ubuntu 24.04+/Debian +13+; no Parallels-supported box has those yet). All six are flagged in +[`tools/verify-vm/targets.yaml`](tools/verify-vm/targets.yaml) with +rationale. See [`CVES.md`](CVES.md) for per-module CVE, kernel range, and detection status. Run `skeletonkey --module-info ` for the 
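Review bot: the "Not yet verified (6)" list drops dirtydecrypt entirely, but the targets.yaml notes in this same change say that testing its VULNERABLE path "would require building from a 7.0-rcN tag pre-a2567217, deferred". A reader scanning this list will assume the exploit path was exercised. Suggest a short parenthetical alongside the list, e.g. "dirtydecrypt: OK path verified on 6.19.7; VULNERABLE needs a 7.0-rc build", so the 6/28 split stays honest without changing the count.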
@@ -208,7 +209,7 @@ year 2016 → 2026 now covered**. v0.9.0 adds 5 gap-fillers: (CVE-2024-50264 — Pwnie 2025 winner), `nft_pipapo` (CVE-2024-26581 — Notselwyn II). v0.8.0 added 3 (`sudo_chwoot`/CVE-2025-32463, `udisks_libblockdev`/CVE-2025-6019, `pintheft`/CVE-2026-43494). -**27 empirically verified** against real Linux VMs (Ubuntu 18.04 / +**28 empirically verified** against real Linux VMs (Ubuntu 18.04 / 20.04 / 22.04 + Debian 11 / 12 + mainline kernels 5.15.5 / 6.1.10 from kernel.ubuntu.com). 88-test unit harness + ASan/UBSan + clang-tidy on every push. 4 prebuilt binaries (x86_64 + arm64, each @@ -224,7 +225,7 @@ Reliability + accuracy work in v0.7.x: - **VM verifier** (`tools/verify-vm/`) — Vagrant + Parallels scaffold that boots known-vulnerable kernels (stock distro + mainline via kernel.ubuntu.com), runs `--explain --active` per module, records - match/MISMATCH/PRECOND_FAIL as JSON. 27 modules confirmed end-to-end. + match/MISMATCH/PRECOND_FAIL as JSON. 28 modules confirmed end-to-end. - **`--explain `** — single-page operator briefing: CVE / CWE / MITRE ATT&CK / CISA KEV status, host fingerprint, live detect() trace, OPSEC footprint, detection-rule coverage, verified-on diff --git a/core/verifications.c b/core/verifications.c index 9d40f63..f3bd9b6 100644 --- a/core/verifications.c +++ b/core/verifications.c @@ -76,6 +76,16 @@ const struct verification_record verifications[] = { .actual_detect = "OK", .status = "match", }, + { + .module = "dirtydecrypt", + .verified_at = "2026-05-24", + .host_kernel = "6.19.7-061907-generic", + .host_distro = "Ubuntu 22.04.3 LTS", + .vm_box = "generic/ubuntu2204", + .expect_detect = "OK", + .actual_detect = "OK", + .status = "match", + }, { .module = "entrybleed", .verified_at = "2026-05-23", diff --git a/docs/RELEASE_NOTES.md b/docs/RELEASE_NOTES.md index a5e2621..0ad53c7 100644 --- a/docs/RELEASE_NOTES.md +++ b/docs/RELEASE_NOTES.md 
@@ -1,3 +1,20 @@ +## SKELETONKEY v0.9.2 — dirtydecrypt verified on mainline 6.19.7 + +One more empirical verification: **CVE-2026-31635 dirtydecrypt** confirmed +end-to-end on Ubuntu 22.04 + mainline 6.19.7. detect() correctly returns +OK ("kernel predates the rxgk RESPONSE-handling code added in 7.0"). Footer +goes 27 → 28. + +Attempted but deferred: **CVE-2026-46300 fragnesia**. Mainline 7.0.5 kernel +.debs depend on `libssl3t64` / `libelf1t64` (the t64-transition libs +introduced in Ubuntu 24.04 / Debian 13). No Vagrant box with a Parallels +provider has those libs yet — `dpkg --force-depends` leaves the kernel +package in `iHR` (broken) state with no `/boot/vmlinuz` deposited. Marked +`manual: true` with rationale in `targets.yaml`. Resolvable when a +Parallels-supported ubuntu2404 / debian13 box becomes available. + +--- + ## SKELETONKEY v0.9.1 — VM verification sweep (22 → 27) Five more CVEs empirically confirmed end-to-end against real Linux VMs diff --git a/docs/VERIFICATIONS.jsonl b/docs/VERIFICATIONS.jsonl index dd79dab..f44a18f 100644 --- a/docs/VERIFICATIONS.jsonl +++ b/docs/VERIFICATIONS.jsonl 
@@ -33,3 +33,4 @@ {"module":"nft_pipapo","verified_at":"2026-05-24T03:27:10Z","host_kernel":"5.15.5-051505-generic","host_distro":"Ubuntu 22.04.3 LTS","vm_box":"generic/ubuntu2204","expect_detect":"VULNERABLE","actual_detect":"VULNERABLE","status":"match"} {"module":"sudo_runas_neg1","verified_at":"2026-05-24T03:29:18Z","host_kernel":"4.15.0-213-generic","host_distro":"Ubuntu 18.04.6 LTS","vm_box":"generic/ubuntu1804","expect_detect":"VULNERABLE","actual_detect":"VULNERABLE","status":"match"} {"module":"tioscpgrp","verified_at":"2026-05-24T03:31:08Z","host_kernel":"5.4.0-26-generic","host_distro":"Ubuntu 20.04.6 LTS","vm_box":"generic/ubuntu2004","expect_detect":"VULNERABLE","actual_detect":"VULNERABLE","status":"match"} +{"module":"dirtydecrypt","verified_at":"2026-05-24T03:55:18Z","host_kernel":"6.19.7-061907-generic","host_distro":"Ubuntu 22.04.3 LTS","vm_box":"generic/ubuntu2204","expect_detect":"OK","actual_detect":"OK","status":"match"} diff --git a/docs/index.html b/docs/index.html index 7f6e253..851e296 100644 --- a/docs/index.html +++ b/docs/index.html @@ -4,9 +4,9 @@ SKELETONKEY — Linux LPE corpus, VM-verified, SOC-ready detection - + - + @@ -56,14 +56,14 @@
- v0.9.1 — released 2026-05-24 + v0.9.2 — released 2026-05-24

SKELETONKEY

One binary. 39 Linux LPE modules covering 34 CVEs — - every year 2016 → 2026. 27 of 34 confirmed against + every year 2016 → 2026. 28 of 34 confirmed against real Linux kernels in VMs. SOC-ready detection rules in four SIEM formats. MITRE ATT&CK + CWE + CISA KEV annotated. --explain gives a one-page operator briefing per CVE. @@ -82,7 +82,7 @@

0modules
-
0✓ VM-verified
+
0✓ VM-verified
0★ in CISA KEV
0detection rules
@@ -598,7 +598,7 @@ uid=0(root) gid=0(root) who found the bugs.

diff --git a/docs/og.png b/docs/og.png index fca51b5..2ac924d 100644 Binary files a/docs/og.png and b/docs/og.png differ diff --git a/docs/og.svg b/docs/og.svg index d728496..675539c 100644 --- a/docs/og.svg +++ b/docs/og.svg @@ -39,7 +39,7 @@ Curated Linux LPE corpus. - Every year 2016 → 2026. 27 of 34 verified. + Every year 2016 → 2026. 28 of 34 verified. @@ -49,9 +49,9 @@ 39 modules - + - 27 + 28 ✓ VM-verified diff --git a/skeletonkey.c b/skeletonkey.c index 642f42d..7660962 100644 --- a/skeletonkey.c +++ b/skeletonkey.c @@ -35,7 +35,7 @@ #include #include -#define SKELETONKEY_VERSION "0.9.1" +#define SKELETONKEY_VERSION "0.9.2" static const char BANNER[] = "\n" diff --git a/tools/verify-vm/Vagrantfile b/tools/verify-vm/Vagrantfile index 7e046c0..dd53944 100644 --- a/tools/verify-vm/Vagrantfile +++ b/tools/verify-vm/Vagrantfile @@ -150,7 +150,11 @@ Vagrant.configure("2") do |c| curl -fsSL -O "${URL}${f}" done export DEBIAN_FRONTEND=noninteractive - dpkg -i *.deb || apt-get install -f -y -qq + # --force-depends so packages still install even when t64-transition + # libs (libssl3t64, libelf1t64) are missing on a pre-24.04 rootfs. + # The kernel image + modules don't actually need those at boot — + # the dependency is for signing/integrity checks at build time. + dpkg -i --force-depends *.deb || apt-get install -f -y -qq || true fi # end SKIP_INSTALL guard # Pin grub default to the just-installed mainline kernel. Without diff --git a/tools/verify-vm/targets.yaml b/tools/verify-vm/targets.yaml index 891eb0f..61aa89e 100644 --- a/tools/verify-vm/targets.yaml +++ b/tools/verify-vm/targets.yaml 
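Review bot: in the Vagrantfile hunk, the new comment ("The kernel image + modules don't actually need those at boot — the dependency is for signing/integrity checks at build time") is contradicted by this same commit's release notes and targets.yaml, which record that `dpkg --force-depends` leaves the 7.0.5 kernel package in `iHR` state with no `/boot/vmlinuz` deposited. Shipping `dpkg -i --force-depends *.deb || apt-get install -f -y -qq || true` makes the install step succeed silently on exactly that failure, and the following "Pin grub default to the just-installed mainline kernel" step then runs against a kernel that was never unpacked. Either drop this change (the known-broken path is already parked as `manual: true` in targets.yaml) or keep the forced install but fail the provision when the expected `/boot/vmlinuz-<version>` is missing afterwards, instead of `|| true`. The "signing/integrity checks at build time" claim should come out of the comment unless there is evidence for it; nothing in this change supports it. Separately, the loop above fetches the `.deb`s with `curl -fsSL -O "${URL}${f}"` and installs them with no checksum or signature check; acceptable inside a throwaway verifier VM, but worth a one-line comment now that dpkg's own dependency checks are also being bypassed.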
@@ -83,12 +83,12 @@ dirty_pipe: notes: "CVE-2022-0847; introduced 5.8, fixed 5.16.11 / 5.15.25. Ubuntu 22.04 ships 5.15.0-91-generic, where uname reports '5.15.0' (below the 5.15.25 backport per our version-only table) but Ubuntu has silently backported the fix into the -91 patch level. Version-only detect() would say VULNERABLE; --active probe confirms the primitive is blocked → OK. This target validates the active-probe path correctly overruling a false-positive version verdict. (Originally pointed at Ubuntu 20.04 + pinned 5.13.0-19, but that HWE kernel is no longer in 20.04's apt archive.)" dirtydecrypt: - box: debian12 - kernel_pkg: "" # only Linux 7.0+ has the bug — needs custom kernel - kernel_version: "7.0.0" + box: ubuntu2204 + kernel_pkg: "" + mainline_version: "6.19.7" # below the 7.0 introduction point → 'predates the bug' OK path + kernel_version: "6.19.7" expect_detect: OK - notes: "CVE-2026-31635; bug introduced in 7.0 rxgk path. NO mainline 7.0 distro shipping yet — Debian 12 will report OK (predates the bug). Verifying exploit() needs a hand-built 7.0-rc kernel." - manual_for_exploit_verify: true + notes: "CVE-2026-31635; rxgk RESPONSE-handling bug. Module's range table says fix lands at 7.0.0 mainline (commit a2567217) — meaning the bug only existed in 7.0-rcN pre-release. No shipping stable kernel is VULNERABLE. We verify the 'kernel predates rxgk code added in 7.0' OK path via mainline 6.19.7. To test VULNERABLE would require building from a 7.0-rcN tag pre-a2567217, deferred." entrybleed: box: ubuntu2204 
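Review bot: dropping `manual_for_exploit_verify: true` from the dirtydecrypt target removes the machine-readable marker while the replacement notes still say the VULNERABLE path is "deferred"; the fragnesia entry in the next hunk keeps a flag (renamed to `manual: true`), so the two entries now express the same kind of deferral differently. Keep a flag on this target too (whichever key the verifier actually reads) so tooling that walks targets.yaml does not count it as fully verified. Also, `mainline_version: "6.19.7"` is a key no other target shown here uses (dirty_pipe and entrybleed carry only `kernel_pkg` / `kernel_version`); confirm the Vagrantfile consumes it, because if it is ignored the VM boots the stock 5.15 kernel and `expect_detect: OK` still passes, proving nothing about the 6.19.7 boundary. The `host_kernel: 6.19.7-061907-generic` in the new VERIFICATIONS.jsonl line suggests the mainline kernel did boot this time, but that should be guaranteed by the schema, not observed after the fact.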
@@ -98,12 +98,12 @@ entrybleed: notes: "CVE-2023-0458; side-channel applies to any KPTI-on Intel x86_64 host. Stock Ubuntu 22.04 will report VULNERABLE if meltdown sysfs shows 'Mitigation: PTI'." fragnesia: - box: debian12 + box: "" kernel_pkg: "" - kernel_version: "7.0.0" - expect_detect: OK - notes: "CVE-2026-46300; XFRM ESP-in-TCP bug. Needs 7.0-rc; Debian 12 reports OK." - manual_for_exploit_verify: true + kernel_version: "" + expect_detect: "" + manual: true + notes: "CVE-2026-46300; XFRM ESP-in-TCP bug. Fix lands at 7.0.9. Verifying VULNERABLE needs a pre-fix 7.0.x kernel. Mainline 7.0.5 was tried via Ubuntu 22.04 + kernel.ubuntu.com — fails because the 7.0.5 kernel .debs depend on the t64-transition libs (libssl3t64, libelf1t64) which only exist on Ubuntu 24.04+ / Debian 13+. No Vagrant box with Parallels provider has those libs yet. dpkg --force-depends leaves the kernel image in iHR (broken) state with no /boot/vmlinuz deposited. Resolution: wait for a Parallels-supported ubuntu2404 / debian13 box, or build one locally." fuse_legacy: box: debian11
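Review bot: this hunk turns fragnesia from a runnable OK-path target (debian12, `expect_detect: OK`) into an all-empty entry with `box: ""`, `kernel_version: ""` and `expect_detect: ""`, so the negative path that was previously exercised is no longer verified at all, the opposite of what the dirtydecrypt hunk above does. Suggest keeping the debian12 / 6.1 OK-path target (or an ubuntu2204 + 6.19.7 one, mirroring dirtydecrypt) and expressing the deferral of the VULNERABLE path through the flag rather than by blanking the target. The flag was also renamed from `manual_for_exploit_verify` to `manual`; confirm the verifier reads `manual`, since with `box: ""` an unaware runner has nothing sensible to boot and will fail in a less informative way than a flagged skip. Minor: the `notes` field repeats the RELEASE_NOTES.md paragraph almost verbatim; one sentence plus a pointer to the release note would keep targets.yaml readable.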