diff --git a/docs/DETECTION_PLAYBOOK.md b/docs/DETECTION_PLAYBOOK.md index b64612e..8aa08eb 100644 --- a/docs/DETECTION_PLAYBOOK.md +++ b/docs/DETECTION_PLAYBOOK.md @@ -168,6 +168,70 @@ skeletonkey --detect-rules --format=sigma > /etc/sigma/skeletonkey.yml sigmac -t elastic /etc/sigma/skeletonkey.yml ``` +### YARA artifact scanning + +YARA rules catch the **post-fire** state — page-cache shellcode +overwrites, malicious `.deb` drops, `/etc/passwd` UID flips. Run them +as a scheduled scan against sensitive paths: + +```bash +# Ship YARA rules +sudo skeletonkey --detect-rules --format=yara | sudo tee /etc/yara/skeletonkey.yar + +# Scheduled scan via cron — catches the page-cache and /tmp artifacts +# /etc/cron.d/skeletonkey-yara +*/15 * * * * root yara -r /etc/yara/skeletonkey.yar \ + /etc/passwd /tmp /usr/bin/su /usr/bin/passwd \ + 2>>/var/log/skeletonkey-yara.log +``` + +What each rule catches: + +| Rule | Triggers on | +|---|---| +| `etc_passwd_uid_flip` | Non-root user line in `/etc/passwd` with a zero-padded UID (`0000+`). Canonical Copy Fail / Dirty Frag / Dirty Pipe / DirtyDecrypt outcome. | +| `etc_passwd_root_no_password` | `root` line with empty password field — DirtyDecrypt's intermediate corruption step. | +| `pwnkit_gconv_modules_cache` | Small `gconv-modules` text file with a `module UTF-8// X// /tmp/…` redefinition. | +| `dirty_pipe_passwd_uid_flip` | Same UID-flip pattern (Dirty Pipe-specific tag). | +| `dirtydecrypt_payload_overlay` | First 28 bytes of `/usr/bin/su` (or similar) match the embedded 120-byte ET_DYN shellcode the V12 PoC overlays. | +| `fragnesia_payload_overlay` | Same shape for the 192-byte Fragnesia payload. | +| `pack2theroot_malicious_deb` | `.deb` ar-archive in `/tmp` with the SUID-bash postinst. | +| `pack2theroot_suid_bash_drop` | `/tmp/.suid_bash` exists and is a real bash ELF. | + +The page-cache overlay rules (`dirtydecrypt_payload_overlay`, +`fragnesia_payload_overlay`) are particularly high-signal: no +legitimate ELF starts with those exact 28 bytes, so a hit means the +exploit landed. + +### Falco runtime detection + +Falco catches the exploit **as it fires** by hooking syscalls and +namespace events. Best deploy for K8s / container hosts but works on +any modern Linux: + +```bash +sudo skeletonkey --detect-rules --format=falco \ + | sudo tee /etc/falco/rules.d/skeletonkey.yaml +sudo falco --validate /etc/falco/rules.d/skeletonkey.yaml +sudo systemctl reload falco # or restart, depending on distro +``` + +What each rule catches: + +| Rule | Triggers on | +|---|---| +| `Pwnkit-style pkexec invocation` | `pkexec` spawned with empty argv (the bug's hallmark). | +| `Pwnkit-style GCONV_PATH injection` | Non-root sets `GCONV_PATH=` / `CHARSET=` before spawning a setuid binary. | +| `AF_ALG authenc keyblob installed by non-root` | `socket(AF_ALG)` by non-root — Copy Fail / GCM variant primitive. | +| `XFRM NETLINK_XFRM bind from unprivileged userns` | XFRM SA setup from non-root userns — Dirty Frag / Fragnesia primitive. | +| `/etc/passwd modified by non-root` | Post-fire signal for the whole page-cache-write family. | +| `Dirty Pipe splice from setuid/sensitive file by non-root` | `splice()` of `/etc/passwd` or `/usr/bin/su` by non-root. | +| `AF_RXRPC socket created by non-root` | DirtyDecrypt primitive — `socket(AF_RXRPC)` is nearly unheard-of in production. | +| `rxrpc security key added` | `add_key("rxrpc", …)` by non-root — DirtyDecrypt handshake setup. | +| `TCP_ULP=espintcp set by non-root` | Fragnesia trigger — flipping a TCP socket to espintcp ULP. | +| `SUID bash dropped to /tmp` | Pack2TheRoot postinst landing `/tmp/.suid_bash`. | +| `dpkg invoked by PackageKit on behalf of non-root caller` | Pack2TheRoot chain — `packagekitd → dpkg` installing a /tmp `.pk-*.deb`. | + ## Day-to-day operational shape ### What "good" looks like in the SIEM @@ -245,6 +309,96 @@ sudo rm /etc/sysctl.d/99-dirtyfail-mitigations.conf # Reload affected modules / sysctls per your distro ``` +## Per-module detection coverage + +Across the 4 rule formats: + +| Module | CVE | auditd | sigma | yara | falco | +|---|---|:-:|:-:|:-:|:-:| +| copy_fail | CVE-2026-31431 | ✓ | ✓ | ✓ | ✓ | +| copy_fail_gcm | (variant) | ✓ | ✓ | ✓ | ✓ | +| dirty_frag_esp | CVE-2026-43284 | ✓ | ✓ | ✓ | ✓ | +| dirty_frag_esp6 | CVE-2026-43284 | ✓ | ✓ | ✓ | ✓ | +| dirty_frag_rxrpc | CVE-2026-43500 | ✓ | ✓ | ✓ | ✓ | +| dirty_pipe | CVE-2022-0847 | ✓ | ✓ | ✓ | ✓ | +| dirtydecrypt | CVE-2026-31635 | ✓ | ✓ | ✓ | ✓ | +| fragnesia | CVE-2026-46300 | ✓ | ✓ | ✓ | ✓ | +| pwnkit | CVE-2021-4034 | ✓ | ✓ | ✓ | ✓ | +| pack2theroot | CVE-2026-41651 | ✓ | ✓ | ✓ | ✓ | +| Other 21 modules | various | ✓ | partial | — | — | + +Full 4-format coverage on the 10 highest-value modules; auditd +covers everything. YARA / Falco expansion to the remaining 21 modules +is incremental contributor work (each module's `detect_yara` / +`detect_falco` field in the module struct just needs a string). + +## Correlation across formats + +Single-format detections are useful; the high-confidence signal is +the **correlation across formats** for the same module in a short +window. Each exploit leaves a recognisable multi-format trail: + +| Exploit | falco fires | auditd fires | yara confirms | +|---|---|---|---| +| Pwnkit | `pkexec` empty argv | `execve /usr/bin/pkexec` + `GCONV_PATH=` env | gconv-modules cache in /tmp | +| Dirty Pipe | `splice()` from `/etc/passwd` | splice + write to `/etc/passwd` | UID flip in `/etc/passwd` | +| Copy Fail | `socket(AF_ALG)` | algif_aead + `ALG_SET_KEY` | UID flip in `/etc/passwd` | +| Dirty Frag (ESP) | NETLINK_XFRM sendto + TCP_ULP | XFRM_MSG_NEWSA | UID flip in `/etc/passwd` | +| DirtyDecrypt | `socket(AF_RXRPC)` + `add_key(rxrpc)` | AF_RXRPC + add_key | 120-byte ELF overwrites `/usr/bin/su` | +| Fragnesia | `TCP_ULP=espintcp` from non-root | XFRM + setsockopt(TCP_ULP) | 192-byte ELF overwrites `/usr/bin/su` | +| Pack2TheRoot | dpkg invoked by packagekitd with /tmp/.pk-*.deb | new `.deb` in `/tmp` + `chmod 4755` on `/tmp/.suid_bash` | malicious `.deb` + SUID bash both present | + +If **three of the four signals** fire for the same module in the same +window, the exploit landed. **One signal alone** in a noisy +environment is more likely a tuning FP; **three signals** is incident +response. + +## Worked example: catching DirtyDecrypt end-to-end + +A SOC operator gets a Falco page: + +``` +CRITICAL AF_RXRPC socket() by non-root (user=alice proc=poc pid=44231) +``` + +1. **Confirm via auditd** — pull events keyed on the family: + ```bash + sudo ausearch -k skeletonkey-dirtydecrypt-rxrpc -ts recent + ``` + Expect: `socket(...,33,...)` + subsequent `add_key("rxrpc",...)`. + +2. **Confirm via yara** — scan setuid binaries for the page-cache + overlay: + ```bash + yara /etc/yara/skeletonkey.yar /usr/bin/su /usr/bin/passwd + ``` + If `dirtydecrypt_payload_overlay` matches `/usr/bin/su`, **the + exploit landed** — the binary's page cache has been overwritten + with the 120-byte shellcode. + +3. **Recover** — the on-disk binary is intact; only the page cache is + corrupted. Drop it: + ```bash + sudo skeletonkey --cleanup dirtydecrypt # or: echo 3 > /proc/sys/vm/drop_caches + ``` + +4. **Sigma hunt for lateral / repeat** — query your SIEM with the + sigma rule ID `7c1e9a40-skeletonkey-dirtydecrypt` over the last 7 + days to find any other hosts. + +5. **Patch.** DirtyDecrypt's mainline fix is commit `a2567217` in + Linux 7.0 — see [`CVES.md`](../CVES.md) for distro backports. + +6. **Harden.** `rxrpc` is rarely needed on non-AFS hosts: + ```bash + echo "blacklist rxrpc" | sudo tee /etc/modprobe.d/blacklist-rxrpc.conf + sudo update-initramfs -u + ``` + +The same shape applies to every module: pick the auditd key, the +yara rule for the artifact, the falco rule for the runtime signal, +and the sigma rule for the hunt. + ## Common false positives + tuning | Rule key | False positive | Fix | diff --git a/modules/copy_fail_family/skeletonkey_modules.c b/modules/copy_fail_family/skeletonkey_modules.c index 15810bb..0927f10 100644 --- a/modules/copy_fail_family/skeletonkey_modules.c +++ b/modules/copy_fail_family/skeletonkey_modules.c @@ -157,6 +157,82 @@ static const char copy_fail_family_sigma[] = "level: high\n" "tags: [attack.privilege_escalation, attack.t1068, cve.2026.31431, cve.2026.43284, cve.2026.43500]\n"; +/* YARA + Falco rules shared across the 5 family modules. Scanned via + * --detect-rules; the dispatcher dedups by pointer so the rule blob + * emits once even though copy_fail / copy_fail_gcm / dirty_frag_* + * all point at the same string. */ +static const char copy_fail_family_yara[] = + "rule etc_passwd_uid_flip : page_cache_write\n" + "{\n" + " meta:\n" + " cve = \"CVE-2026-31431 / CVE-2026-43284 / CVE-2026-43500\"\n" + " description = \"/etc/passwd page-cache UID flip: a non-root user line shows a zero-padded UID (the canonical Copy Fail / Dirty Frag / DirtyDecrypt / Dirty Pipe payload). Scan /etc/passwd; legitimate root uses plain '0:', never '0000:'.\"\n" + " author = \"SKELETONKEY\"\n" + " strings:\n" + " // lowercase-start username, optional shadow ('x') password, then UID 0000 or longer\n" + " $uid_flip = /\\n[a-z_][a-z0-9_-]{0,30}:[^:]{0,8}:0{4,}:[0-9]+:/\n" + " condition:\n" + " $uid_flip\n" + "}\n" + "\n" + "rule etc_passwd_root_no_password\n" + "{\n" + " meta:\n" + " cve = \"CVE-2026-31635 (DirtyDecrypt sliding-window write)\"\n" + " description = \"/etc/passwd root entry rewritten to have an empty password field — the DirtyDecrypt PoC's intermediate corruption (rewrite root's password to empty, then `su root` without password).\"\n" + " author = \"SKELETONKEY\"\n" + " strings:\n" + " $root_open = /\\nroot::0:0:/ // empty password (canonical x or ! when shadowed)\n" + " condition:\n" + " $root_open\n" + "}\n"; + +static const char copy_fail_family_falco[] = + "- rule: AF_ALG authenc keyblob installed by non-root (Copy Fail primitive)\n" + " desc: |\n" + " A non-root process creates an AF_ALG socket and installs an\n" + " authencesn(hmac(sha256),cbc(aes)) keyblob via ALG_SET_KEY.\n" + " Core of the Copy Fail (CVE-2026-31431) primitive — also\n" + " triggered by the GCM variant. AF_ALG by non-root is rare on\n" + " most servers; tune by allow-listing your crypto-using daemons.\n" + " condition: >\n" + " evt.type = socket and evt.arg[0] = 38 and not user.uid = 0\n" + " output: >\n" + " AF_ALG socket() by non-root (user=%user.name pid=%proc.pid\n" + " ppid=%proc.ppid parent=%proc.pname cmdline=\"%proc.cmdline\")\n" + " priority: WARNING\n" + " tags: [process, cve.2026.31431, copy_fail]\n" + "\n" + "- rule: XFRM NETLINK_XFRM bind from unprivileged userns (Dirty Frag primitive)\n" + " desc: |\n" + " A NETLINK_XFRM socket is opened from inside an unprivileged\n" + " user namespace, with subsequent XFRM_MSG_NEWSA installing an\n" + " ESP(rfc4106(gcm(aes))) state. Core of the Dirty Frag esp/esp6\n" + " variants — also tripped by Fragnesia's setup phase. Legitimate\n" + " XFRM use is normally privileged (strongSwan, libreswan).\n" + " condition: >\n" + " evt.type = sendto and not user.uid = 0 and\n" + " proc.aname[1] != \"\" // we want non-init userns; refine with k8s.namespace or container.id\n" + " output: >\n" + " NETLINK_XFRM sendto from non-root (user=%user.name pid=%proc.pid\n" + " proc=%proc.name)\n" + " priority: WARNING\n" + " tags: [process, cve.2026.43284, dirty_frag]\n" + "\n" + "- rule: /etc/passwd modified by non-root (Copy Fail / Dirty Frag / Dirty Pipe outcome)\n" + " desc: |\n" + " /etc/passwd is read-only for non-root, so a non-root caller\n" + " showing up on its open(W_OK) audit trail indicates a\n" + " page-cache write primitive succeeded. Catches the post-fire\n" + " state for the whole copy_fail family + dirty_pipe.\n" + " condition: >\n" + " open_write and fd.name = /etc/passwd and not user.uid = 0\n" + " output: >\n" + " Non-root write to /etc/passwd (user=%user.name pid=%proc.pid\n" + " proc=%proc.name)\n" + " priority: CRITICAL\n" + " tags: [filesystem, mitre_privilege_escalation, T1068, copy_fail, dirty_frag]\n"; + const struct skeletonkey_module copy_fail_module = { .name = "copy_fail", .cve = "CVE-2026-31431", @@ -169,8 +245,8 @@ const struct skeletonkey_module copy_fail_module = { .cleanup = copy_fail_family_cleanup, .detect_auditd = copy_fail_family_auditd, .detect_sigma = copy_fail_family_sigma, - .detect_yara = NULL, - .detect_falco = NULL, + .detect_yara = copy_fail_family_yara, + .detect_falco = copy_fail_family_falco, }; /* ----- copy_fail_gcm (variant, no CVE) ----- */ @@ -201,8 +277,8 @@ const struct skeletonkey_module copy_fail_gcm_module = { .cleanup = copy_fail_family_cleanup, .detect_auditd = copy_fail_family_auditd, .detect_sigma = copy_fail_family_sigma, - .detect_yara = NULL, - .detect_falco = NULL, + .detect_yara = copy_fail_family_yara, + .detect_falco = copy_fail_family_falco, }; /* ----- dirty_frag_esp (CVE-2026-43284 v4) ----- */ @@ -233,8 +309,8 @@ const struct skeletonkey_module dirty_frag_esp_module = { .cleanup = copy_fail_family_cleanup, .detect_auditd = copy_fail_family_auditd, .detect_sigma = copy_fail_family_sigma, - .detect_yara = NULL, - .detect_falco = NULL, + .detect_yara = copy_fail_family_yara, + .detect_falco = copy_fail_family_falco, }; /* ----- dirty_frag_esp6 (CVE-2026-43284 v6) ----- */ @@ -265,8 +341,8 @@ const struct skeletonkey_module dirty_frag_esp6_module = { .cleanup = copy_fail_family_cleanup, .detect_auditd = copy_fail_family_auditd, .detect_sigma = copy_fail_family_sigma, - .detect_yara = NULL, - .detect_falco = NULL, + .detect_yara = copy_fail_family_yara, + .detect_falco = copy_fail_family_falco, }; /* ----- dirty_frag_rxrpc (CVE-2026-43500) ----- */ @@ -297,8 +373,8 @@ const struct skeletonkey_module dirty_frag_rxrpc_module = { .cleanup = copy_fail_family_cleanup, .detect_auditd = copy_fail_family_auditd, .detect_sigma = copy_fail_family_sigma, - .detect_yara = NULL, - .detect_falco = NULL, + .detect_yara = copy_fail_family_yara, + .detect_falco = copy_fail_family_falco, }; /* ----- Family registration ----- */ diff --git a/modules/dirty_pipe_cve_2022_0847/skeletonkey_modules.c b/modules/dirty_pipe_cve_2022_0847/skeletonkey_modules.c index 49ee2f4..8097591 100644 --- a/modules/dirty_pipe_cve_2022_0847/skeletonkey_modules.c +++ b/modules/dirty_pipe_cve_2022_0847/skeletonkey_modules.c @@ -460,6 +460,39 @@ static const char dirty_pipe_auditd[] = "-a always,exit -F arch=b64 -S splice -k skeletonkey-dirty-pipe-splice\n" "-a always,exit -F arch=b32 -S splice -k skeletonkey-dirty-pipe-splice\n"; +static const char dirty_pipe_yara[] = + "rule dirty_pipe_passwd_uid_flip : cve_2022_0847 page_cache_write\n" + "{\n" + " meta:\n" + " cve = \"CVE-2022-0847\"\n" + " description = \"Dirty Pipe (CVE-2022-0847): /etc/passwd page-cache UID flip — non-root username remapped to UID 0000+. Scan /etc/passwd directly; legitimate root entries use '0:', never '0000:'.\"\n" + " author = \"SKELETONKEY\"\n" + " strings:\n" + " $uid_flip = /\\n[a-z_][a-z0-9_-]{0,30}:[^:]{0,8}:0{4,}:[0-9]+:/\n" + " condition:\n" + " $uid_flip\n" + "}\n"; + +static const char dirty_pipe_falco[] = + "- rule: Dirty Pipe splice from setuid/sensitive file by non-root\n" + " desc: |\n" + " A non-root process calls splice() with a fd pointing at a\n" + " setuid-root binary or a credential file. The Dirty Pipe\n" + " primitive (CVE-2022-0847) splices 1 byte from the target to\n" + " a prepared pipe to inherit the stale PIPE_BUF_FLAG_CAN_MERGE,\n" + " then writes attacker bytes that land in the file's page cache.\n" + " condition: >\n" + " evt.type = splice and not user.uid = 0 and\n" + " (fd.name in (/etc/passwd, /etc/shadow, /etc/sudoers)\n" + " or fd.name startswith /usr/bin/su\n" + " or fd.name startswith /usr/bin/passwd\n" + " or fd.name startswith /bin/su)\n" + " output: >\n" + " Dirty Pipe-style splice from sensitive file by non-root\n" + " (user=%user.name proc=%proc.name fd=%fd.name pid=%proc.pid)\n" + " priority: CRITICAL\n" + " tags: [filesystem, mitre_privilege_escalation, T1068, cve.2022.0847]\n"; + static const char dirty_pipe_sigma[] = "title: Possible Dirty Pipe exploitation (CVE-2022-0847)\n" "id: f6b13c08-skeletonkey-dirty-pipe\n" @@ -487,8 +520,8 @@ const struct skeletonkey_module dirty_pipe_module = { .cleanup = dirty_pipe_cleanup, .detect_auditd = dirty_pipe_auditd, .detect_sigma = dirty_pipe_sigma, - .detect_yara = NULL, - .detect_falco = NULL, + .detect_yara = dirty_pipe_yara, + .detect_falco = dirty_pipe_falco, }; void skeletonkey_register_dirty_pipe(void) diff --git a/modules/dirtydecrypt_cve_2026_31635/skeletonkey_modules.c b/modules/dirtydecrypt_cve_2026_31635/skeletonkey_modules.c index 32417c6..48ee0f1 100644 --- a/modules/dirtydecrypt_cve_2026_31635/skeletonkey_modules.c +++ b/modules/dirtydecrypt_cve_2026_31635/skeletonkey_modules.c @@ -921,6 +921,55 @@ static const char dd_auditd[] = "-a always,exit -F arch=b64 -S splice -k skeletonkey-dirtydecrypt-splice\n" "-a always,exit -F arch=b32 -S splice -k skeletonkey-dirtydecrypt-splice\n"; +static const char dd_yara[] = + "rule dirtydecrypt_payload_overlay : cve_2026_31635 page_cache_write\n" + "{\n" + " meta:\n" + " cve = \"CVE-2026-31635\"\n" + " description = \"DirtyDecrypt payload: the 120-byte ET_DYN x86_64 ELF the public V12 PoC overlays onto the first bytes of a setuid binary's page cache. Scan setuid-root binaries (/usr/bin/su etc.); legitimate binaries are much larger and never start with this exact shellcode.\"\n" + " author = \"SKELETONKEY\"\n" + " reference = \"https://github.com/v12-security/pocs/tree/main/dirtydecrypt\"\n" + " strings:\n" + " // First 28 bytes of the embedded tiny_elf[] payload.\n" + " $payload_head = { 7F 45 4C 46 02 01 01 00 00 00 00 00 00 00 00 00 03 00 3E 00 01 00 00 00 68 00 00 00 }\n" + " // The setuid(0)+execve(/bin/sh) tail at offset 104 of the payload.\n" + " $shellcode = { B0 69 0F 05 48 8D 3D DD FF FF FF 6A 3B 58 0F 05 }\n" + " $sh = \"/bin/sh\"\n" + " condition:\n" + " // Setuid binaries are at minimum a few KB; the payload is\n" + " // 120 bytes overlaid at offset 0 so the rest of the file\n" + " // remains the original binary content (or padding).\n" + " $payload_head at 0 and $shellcode and $sh and filesize > 4096\n" + "}\n"; + +static const char dd_falco[] = + "- rule: AF_RXRPC socket created by non-root (DirtyDecrypt primitive)\n" + " desc: |\n" + " Non-root process creates an AF_RXRPC socket. AF_RXRPC is the\n" + " family the DirtyDecrypt (CVE-2026-31635) primitive needs to\n" + " trigger the rxgk in-place decrypt. Most production hosts do\n" + " not use AF_RXRPC at all (it's AFS-flavoured); a non-root\n" + " open here is highly suspicious.\n" + " condition: >\n" + " evt.type = socket and evt.arg[0] = 33 and not user.uid = 0\n" + " output: >\n" + " AF_RXRPC socket() by non-root (user=%user.name proc=%proc.name\n" + " pid=%proc.pid parent=%proc.pname)\n" + " priority: CRITICAL\n" + " tags: [process, mitre_privilege_escalation, T1068, cve.2026.31635]\n" + "\n" + "- rule: rxrpc security key added (DirtyDecrypt handshake setup)\n" + " desc: |\n" + " add_key(\"rxrpc\", …) by a non-root process — the DirtyDecrypt\n" + " PoC adds an rxrpc-typed key carrying a forged rxgk XDR token\n" + " for each fire() of the page-cache write primitive.\n" + " condition: >\n" + " evt.type = add_key and evt.arg[0] contains \"rxrpc\" and not user.uid = 0\n" + " output: >\n" + " rxrpc add_key by non-root (user=%user.name proc=%proc.name)\n" + " priority: WARNING\n" + " tags: [process, cve.2026.31635]\n"; + static const char dd_sigma[] = "title: Possible DirtyDecrypt exploitation (CVE-2026-31635)\n" "id: 7c1e9a40-skeletonkey-dirtydecrypt\n" @@ -953,8 +1002,8 @@ const struct skeletonkey_module dirtydecrypt_module = { .cleanup = dd_cleanup, .detect_auditd = dd_auditd, .detect_sigma = dd_sigma, - .detect_yara = NULL, - .detect_falco = NULL, + .detect_yara = dd_yara, + .detect_falco = dd_falco, }; void skeletonkey_register_dirtydecrypt(void) diff --git a/modules/fragnesia_cve_2026_46300/skeletonkey_modules.c b/modules/fragnesia_cve_2026_46300/skeletonkey_modules.c index 8fd7f3a..4485928 100644 --- a/modules/fragnesia_cve_2026_46300/skeletonkey_modules.c +++ b/modules/fragnesia_cve_2026_46300/skeletonkey_modules.c @@ -1124,6 +1124,58 @@ static const char fg_auditd[] = "# splice() drives page-cache pages into the ESP-in-TCP stream\n" "-a always,exit -F arch=b64 -S splice -k skeletonkey-fragnesia-splice\n"; +static const char fg_yara[] = + "rule fragnesia_payload_overlay : cve_2026_46300 page_cache_write\n" + "{\n" + " meta:\n" + " cve = \"CVE-2026-46300\"\n" + " description = \"Fragnesia payload: the 192-byte ET_EXEC x86_64 ELF the public V12 PoC overlays onto the first bytes of /usr/bin/su (or sibling setuid binary). Detects post-fire page-cache contents via direct scan.\"\n" + " author = \"SKELETONKEY\"\n" + " reference = \"https://github.com/v12-security/pocs/tree/main/fragnesia\"\n" + " strings:\n" + " // First 28 bytes of the embedded shell_elf[] payload.\n" + " $payload_head = { 7F 45 4C 46 02 01 01 00 00 00 00 00 00 00 00 00 02 00 3E 00 01 00 00 00 78 00 40 00 }\n" + " // The setuid+setgid+seteuid(0) prelude\n" + " $shellcode_drop = { 31 FF 31 F6 31 C0 B0 6A 0F 05 B0 69 0F 05 B0 74 0F 05 }\n" + " $sh = \"/bin/sh\"\n" + " $term = \"TERM=xterm\"\n" + " condition:\n" + " $payload_head at 0 and $shellcode_drop and $sh and $term and filesize > 4096\n" + "}\n"; + +static const char fg_falco[] = + "- rule: TCP_ULP=espintcp set by non-root (Fragnesia trigger)\n" + " desc: |\n" + " A non-root process flips a TCP socket into the espintcp ULP\n" + " inside an unprivileged userns. Core of the Fragnesia\n" + " (CVE-2026-46300) trigger — also the Dirty Frag ESP-in-TCP\n" + " setup. Legitimate use of TCP_ULP=espintcp from non-root is\n" + " essentially never seen in production.\n" + " condition: >\n" + " evt.type = setsockopt and evt.arg.optname = TCP_ULP and\n" + " not user.uid = 0\n" + " output: >\n" + " Fragnesia-style TCP_ULP=espintcp by non-root\n" + " (user=%user.name proc=%proc.name pid=%proc.pid)\n" + " priority: CRITICAL\n" + " tags: [network, mitre_privilege_escalation, T1068, cve.2026.46300]\n" + "\n" + "- rule: ESP-in-TCP splice to crafted TCP connection (Fragnesia paged-frag write)\n" + " desc: |\n" + " splice() of a setuid binary's pages into a TCP socket whose\n" + " peer is configured for espintcp. Fragnesia's sender path\n" + " splices the carrier file (/usr/bin/su) into the loopback TCP\n" + " flow to land the in-place decrypt on the carrier's page cache.\n" + " condition: >\n" + " evt.type = splice and not user.uid = 0 and\n" + " (fd.name startswith /usr/bin/su or fd.name startswith /bin/su\n" + " or fd.name startswith /usr/bin/passwd)\n" + " output: >\n" + " splice() of setuid binary by non-root (user=%user.name\n" + " proc=%proc.name fd=%fd.name)\n" + " priority: WARNING\n" + " tags: [filesystem, cve.2026.46300]\n"; + static const char fg_sigma[] = "title: Possible Fragnesia exploitation (CVE-2026-46300)\n" "id: 9b3d2e71-skeletonkey-fragnesia\n" @@ -1156,8 +1208,8 @@ const struct skeletonkey_module fragnesia_module = { .cleanup = fg_cleanup, .detect_auditd = fg_auditd, .detect_sigma = fg_sigma, - .detect_yara = NULL, - .detect_falco = NULL, + .detect_yara = fg_yara, + .detect_falco = fg_falco, }; void skeletonkey_register_fragnesia(void) diff --git a/modules/pack2theroot_cve_2026_41651/skeletonkey_modules.c b/modules/pack2theroot_cve_2026_41651/skeletonkey_modules.c index 2ee38b2..5b559f8 100644 --- a/modules/pack2theroot_cve_2026_41651/skeletonkey_modules.c +++ b/modules/pack2theroot_cve_2026_41651/skeletonkey_modules.c @@ -660,6 +660,94 @@ static const char p2tr_auditd[] = "-a always,exit -F arch=b64 -S execve -F path=/usr/bin/apt-get \\\n" " -F auid!=0 -k skeletonkey-pack2theroot-apt\n"; +static const char p2tr_yara[] = + "rule pack2theroot_malicious_deb : cve_2026_41651\n" + "{\n" + " meta:\n" + " cve = \"CVE-2026-41651\"\n" + " description = \"Pack2TheRoot payload .deb: small ar archive whose postinst installs a setuid copy of bash to /tmp/.suid_bash. The Vozec PoC + SKELETONKEY's port both leave this artifact in /tmp.\"\n" + " author = \"SKELETONKEY\"\n" + " reference = \"https://github.com/Vozec/CVE-2026-41651\"\n" + " strings:\n" + " $deb_magic = \"!\"\n" + " $postinst_suid = \"install -m 4755 /bin/bash\"\n" + " $skk_payload = \"Package: skeletonkey-p2tr-payload\"\n" + " $skk_dummy = \"Package: skeletonkey-p2tr-dummy\"\n" + " $vozec_payload = \"Package: pk-poc-payload\"\n" + " $vozec_dummy = \"Package: pk-poc-dummy\"\n" + " condition:\n" + " // Small ar archive matching .deb layout, containing either\n" + " // the published-PoC package names or the SUID-bash postinst.\n" + " $deb_magic at 0 and\n" + " ($postinst_suid or any of ($skk_payload, $skk_dummy, $vozec_payload, $vozec_dummy)) and\n" + " filesize < 64KB\n" + "}\n" + "\n" + "rule pack2theroot_suid_bash_drop : cve_2026_41651\n" + "{\n" + " meta:\n" + " cve = \"CVE-2026-41651\"\n" + " description = \"Pack2TheRoot SUID-bash artifact: /tmp/.suid_bash is the setuid bash dropped by the malicious postinst. Pair this YARA scan with auditd watch -w /tmp/.suid_bash for catch-on-create.\"\n" + " author = \"SKELETONKEY\"\n" + " strings:\n" + " $elf = { 7F 45 4C 46 02 01 01 }\n" + " $bash = \"GNU bash\"\n" + " condition:\n" + " // The rule itself can't see the file path; the operator\n" + " // points YARA at /tmp/.suid_bash specifically. Match\n" + " // confirms the file is a real bash ELF (not a planted decoy).\n" + " $elf at 0 and $bash\n" + "}\n"; + +static const char p2tr_falco[] = + "- rule: SUID bash dropped to /tmp (Pack2TheRoot postinst signature)\n" + " desc: |\n" + " A setuid bit appears on /tmp/.suid_bash. The Pack2TheRoot\n" + " (CVE-2026-41651) malicious .deb postinst runs as root via\n" + " the polkit-bypassed PackageKit transaction and lands a SUID\n" + " copy of /bin/bash at this path.\n" + " condition: >\n" + " evt.type in (chmod, fchmod, fchmodat) and\n" + " evt.arg.mode contains \"S_ISUID\" and\n" + " fd.name = /tmp/.suid_bash\n" + " output: >\n" + " SUID bit set on /tmp/.suid_bash (proc=%proc.name pid=%proc.pid\n" + " ppid=%proc.ppid parent=%proc.pname)\n" + " priority: CRITICAL\n" + " tags: [filesystem, mitre_privilege_escalation, T1068, cve.2026.41651]\n" + "\n" + "- rule: PackageKit InstallFiles invoked twice on same transaction (Pack2TheRoot TOCTOU)\n" + " desc: |\n" + " Two D-Bus InstallFiles() calls hit the same PackageKit\n" + " transaction object in close succession — the exact shape of\n" + " the Pack2TheRoot TOCTOU. Detection requires bus monitoring;\n" + " Falco's k8s/audit ruleset doesn't cover D-Bus natively, but\n" + " if dbus-monitor or systemd's bus audit is wired into the\n" + " feed, this is the trigger.\n" + " condition: >\n" + " // Placeholder: requires dbus-monitor → falco feed.\n" + " // Real-world deployment: pipe `dbus-monitor --system` into\n" + " // a log-source rule keyed on the InstallFiles method name.\n" + " proc.cmdline contains \"InstallFiles\" and proc.cmdline contains \"PackageKit\"\n" + " output: >\n" + " Possible Pack2TheRoot D-Bus TOCTOU shape (cmdline=\"%proc.cmdline\")\n" + " priority: WARNING\n" + " tags: [dbus, cve.2026.41651]\n" + "\n" + "- rule: dpkg invoked by PackageKit on behalf of non-root caller\n" + " desc: |\n" + " PackageKit forks dpkg to install a .deb on behalf of an\n" + " unprivileged caller. Combined with /tmp/.suid_bash creation,\n" + " this completes the Pack2TheRoot exploit chain.\n" + " condition: >\n" + " spawned_process and proc.name = dpkg and proc.aname = packagekitd and\n" + " proc.cmdline contains \"/tmp/.pk-\"\n" + " output: >\n" + " PackageKit-driven dpkg install of /tmp-resident .deb\n" + " (parent=%proc.pname cmdline=\"%proc.cmdline\")\n" + " priority: CRITICAL\n" + " tags: [process, cve.2026.41651, pack2theroot]\n"; + static const char p2tr_sigma[] = "title: Possible Pack2TheRoot exploitation (CVE-2026-41651)\n" "id: 3f2b8d54-skeletonkey-pack2theroot\n" @@ -700,8 +788,8 @@ const struct skeletonkey_module pack2theroot_module = { .cleanup = p2tr_cleanup, .detect_auditd = p2tr_auditd, .detect_sigma = p2tr_sigma, - .detect_yara = NULL, - .detect_falco = NULL, + .detect_yara = p2tr_yara, + .detect_falco = p2tr_falco, }; void skeletonkey_register_pack2theroot(void) diff --git a/modules/pwnkit_cve_2021_4034/skeletonkey_modules.c b/modules/pwnkit_cve_2021_4034/skeletonkey_modules.c index ac973fb..5e15e63 100644 --- a/modules/pwnkit_cve_2021_4034/skeletonkey_modules.c +++ b/modules/pwnkit_cve_2021_4034/skeletonkey_modules.c @@ -384,6 +384,59 @@ static const char pwnkit_auditd[] = "-a always,exit -F arch=b64 -S execve -F path=/usr/bin/pkexec -k skeletonkey-pwnkit-execve\n" "-a always,exit -F arch=b32 -S execve -F path=/usr/bin/pkexec -k skeletonkey-pwnkit-execve\n"; +static const char pwnkit_yara[] = + "rule pwnkit_gconv_modules_cache : cve_2021_4034 lpe\n" + "{\n" + " meta:\n" + " cve = \"CVE-2021-4034\"\n" + " description = \"Pwnkit gconv-modules cache: redefines UTF-8 to load an attacker .so via iconv when pkexec is invoked with argc==0.\"\n" + " author = \"SKELETONKEY\"\n" + " reference = \"https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt\"\n" + " strings:\n" + " // gconv-modules text format: \"module FROM// TO// SHARED-OBJECT COST\".\n" + " // Published PoCs redefine UTF-8 and point it at a .so dropped in /tmp.\n" + " $line = /module\\s+UTF-8\\/\\/\\s+\\S+\\/\\/\\s+\\S+\\s+\\d/\n" + " $alias = /alias\\s+\\S+\\s+UTF-8/\n" + " // Hint: PoC workdirs frequently include 'pwnkit' or 'GCONV' in path strings the .so carries.\n" + " $marker_pwn = \"pwnkit\" nocase\n" + " $marker_gcv = \"GCONV_PATH\"\n" + " condition:\n" + " // Small text-format file (gconv-modules caches are tiny) with the module redefinition.\n" + " // Pair with -w /tmp -p wa auditd to catch the drop in real time.\n" + " filesize < 4KB and $line and 1 of ($alias, $marker_pwn, $marker_gcv)\n" + "}\n"; + +static const char pwnkit_falco[] = + "- rule: Pwnkit-style pkexec invocation (NULL argv)\n" + " desc: |\n" + " pkexec executed without argv (argc == 0). The Qualys PoC for\n" + " CVE-2021-4034 invokes pkexec via execve with NULL argv so the\n" + " out-of-bounds argv read picks up envp as if it were argv[1].\n" + " condition: >\n" + " spawned_process and proc.name = pkexec and\n" + " (proc.cmdline = \"pkexec\" or proc.args = \"\")\n" + " output: >\n" + " Possible Pwnkit (CVE-2021-4034): pkexec spawned with no argv\n" + " (user=%user.name uid=%user.uid pid=%proc.pid ppid=%proc.ppid\n" + " parent=%proc.pname cmdline=\"%proc.cmdline\")\n" + " priority: CRITICAL\n" + " tags: [process, mitre_privilege_escalation, T1068, cve.2021.4034]\n" + "\n" + "- rule: Pwnkit-style GCONV_PATH injection\n" + " desc: |\n" + " A non-root process sets GCONV_PATH in env before spawning a\n" + " setuid binary. Combined with a controlled .so + gconv-modules\n" + " cache, this is the Qualys exploit shape.\n" + " condition: >\n" + " spawned_process and not user.uid = 0 and\n" + " (proc.env contains \"GCONV_PATH=\" or proc.env contains \"CHARSET=\") and\n" + " proc.name in (pkexec, su, sudo, mount, chsh, passwd)\n" + " output: >\n" + " GCONV_PATH/CHARSET set by non-root before setuid spawn\n" + " (user=%user.name target=%proc.name env=\"%proc.env\")\n" + " priority: WARNING\n" + " tags: [process, env_injection, cve.2021.4034]\n"; + static const char pwnkit_sigma[] = "title: Possible Pwnkit exploitation (CVE-2021-4034)\n" "id: 9e1d4f2c-skeletonkey-pwnkit\n" @@ -417,8 +470,8 @@ const struct skeletonkey_module pwnkit_module = { .cleanup = pwnkit_cleanup, .detect_auditd = pwnkit_auditd, .detect_sigma = pwnkit_sigma, - .detect_yara = NULL, - .detect_falco = NULL, + .detect_yara = pwnkit_yara, + .detect_falco = pwnkit_falco, }; void skeletonkey_register_pwnkit(void) diff --git a/skeletonkey-x86_64-static b/skeletonkey-x86_64-static new file mode 100755 index 0000000..e27961a Binary files /dev/null and b/skeletonkey-x86_64-static differ diff --git a/skeletonkey-x86_64-static.sha256 b/skeletonkey-x86_64-static.sha256 new file mode 100644 index 0000000..4853bf6 --- /dev/null +++ b/skeletonkey-x86_64-static.sha256 @@ -0,0 +1 @@ +4c4d1397f0286eba3ddc471ae4ba24b4767ba8c70b3101299622ec950e4d90aa skeletonkey-x86_64-static