release v0.9.1: VM verification sweep 22 → 27

Five more CVEs empirically confirmed end-to-end against real Linux VMs: - CVE-2019-14287 sudo_runas_neg1 (Ubuntu 18.04 + sudoers grant) - CVE-2020-29661 tioscpgrp (Ubuntu 20.04 pinned to 5.4.0-26) - CVE-2024-26581 nft_pipapo (Ubuntu 22.04 + mainline 5.15.5) - CVE-2025-32463 sudo_chwoot (Ubuntu 22.04 + sudo 1.9.16p1 from source) - CVE-2025-6019 udisks_libblockdev (Debian 12 + udisks2 + polkit rule) Required real plumbing work: - Per-module provisioner hook (tools/verify-vm/provisioners/<module>.sh) - Two-phase provision in verify.sh (prep → reboot if needed → verify) fixes silent-fail where new kernel installed but VM never rebooted - GRUB_DEFAULT pinning in both pin-kernel and pin-mainline blocks (kernel downgrades like 5.4.0-169 → 5.4.0-26 now actually boot the target) - Old-mainline URL fallback in pin-mainline (≤ 4.15 debs at /v$KVER/ not /amd64/) mutagen_astronomy marked manual: true — mainline 4.14.70 kernel-panics on Ubuntu 18.04's rootfs ('Failed to execute /init (error -8)' — kernel config mismatch). Genuinely needs a CentOS 6 / Debian 7 image.
2026-05-23 23:35:02 -04:00
parent 270ddc1681
commit 8ac041a295
12 changed files with 230 additions and 59 deletions
@@ -1,3 +1,54 @@
+## SKELETONKEY v0.9.1 — VM verification sweep (22 → 27)
+
+Five more CVEs empirically confirmed end-to-end against real Linux VMs
+via `tools/verify-vm/`:
+
+| CVE | Module | Target environment |
+|---|---|---|
+| CVE-2019-14287 | `sudo_runas_neg1` | Ubuntu 18.04 (sudo 1.8.21p2 + `(ALL,!root)` grant via provisioner) |
+| CVE-2020-29661 | `tioscpgrp`      | Ubuntu 20.04 pinned to `5.4.0-26` (genuinely below the 5.4.85 backport) |
+| CVE-2024-26581 | `nft_pipapo`     | Ubuntu 22.04 + mainline `5.15.5` (below the 5.15.149 fix) |
+| CVE-2025-32463 | `sudo_chwoot`    | Ubuntu 22.04 + sudo `1.9.16p1` built from upstream into `/usr/local/bin` |
+| CVE-2025-6019  | `udisks_libblockdev` | Debian 12 + `udisks2` 2.9.4 + polkit allow rule for the verifier user |
+
+Footer goes from `22 empirically verified` → `27 empirically verified`.
+
+### Verifier infrastructure (the why)
+
+These verifications required real plumbing work that didn't exist before:
+
+- **Per-module provisioner hook** (`tools/verify-vm/provisioners/<module>.sh`)
+  — per-target setup that doesn't belong in the Vagrantfile (build sudo
+  from source, install udisks2 + polkit rule, drop a sudoers grant) now
+  lives in checked-in scripts that re-run idempotently on every verify.
+- **Two-phase provisioning** in `verify.sh` — prep provisioners run
+  first (install kernel, set grub default, drop polkit rule), then a
+  conditional reboot if `uname -r` doesn't match the target, then the
+  verifier proper. Fixes the silent-fail where the new kernel was
+  installed but the VM never actually rebooted into it.
+- **GRUB_DEFAULT pin in both `pin-kernel` and `pin-mainline` blocks** —
+  without this, grub's debian-version-compare picks the highest-sorting
+  vmlinuz as default; for downgrades (stock 4.15 → mainline 4.14.70, or
+  stock 5.4.0-169 → pinned 5.4.0-26) the wrong kernel won boot.
+- **Old-mainline URL fallback** — kernel.ubuntu.com puts ≤ 4.15 mainline
+  debs at `/v${KVER}/` not `/v${KVER}/amd64/`. Fallback handles both.
+
+### Honest residuals — 7 of 34 still unverified
+
+| Module | Why not verified |
+|---|---|
+| `vmwgfx` | needs a VMware guest; we're on Parallels |
+| `dirty_cow` | needs ≤ 4.4 kernel — older than any supported Vagrant box |
+| `mutagen_astronomy` | mainline 4.14.70 kernel-panics on Ubuntu 18.04 rootfs (`Failed to execute /init (error -8)` — kernel config mismatch). Genuinely needs CentOS 6 / Debian 7. |
+| `pintheft` | needs RDS kernel module loaded (Arch only autoloads it) |
+| `vsock_uaf` | needs `vsock_loopback` loaded — not autoloaded on common Vagrant boxes |
+| `dirtydecrypt`, `fragnesia` | need Linux 7.0 — not yet shipping as any distro kernel |
+
+All seven are flagged in `tools/verify-vm/targets.yaml` with `manual: true`
+and a rationale.
+
+---
+
 ## SKELETONKEY v0.9.0 — every year 2016 → 2026 now covered

 Five gap-filling modules. Closes the 2018 hole entirely and thickens
@@ -28,3 +28,8 @@
 {"module":"af_unix_gc","verified_at":"2026-05-23T21:27:13Z","host_kernel":"5.15.5-051505-generic","host_distro":"Ubuntu 22.04.3 LTS","vm_box":"generic/ubuntu2204","expect_detect":"VULNERABLE","actual_detect":"VULNERABLE","status":"match"}
 {"module":"nft_set_uaf","verified_at":"2026-05-23T21:30:41Z","host_kernel":"5.15.5-051505-generic","host_distro":"Ubuntu 22.04.3 LTS","vm_box":"generic/ubuntu2204","expect_detect":"VULNERABLE","actual_detect":"VULNERABLE","status":"match"}
 {"module":"stackrot","verified_at":"2026-05-23T21:34:12Z","host_kernel":"6.1.10-060110-generic","host_distro":"Ubuntu 22.04.3 LTS","vm_box":"generic/ubuntu2204","expect_detect":"VULNERABLE","actual_detect":"VULNERABLE","status":"match"}
+{"module":"sudo_chwoot","verified_at":"2026-05-24T02:39:11Z","host_kernel":"5.15.0-91-generic","host_distro":"Ubuntu 22.04.3 LTS","vm_box":"generic/ubuntu2204","expect_detect":"VULNERABLE","actual_detect":"VULNERABLE","status":"match"}
+{"module":"udisks_libblockdev","verified_at":"2026-05-24T02:44:17Z","host_kernel":"6.1.0-17-amd64","host_distro":"Debian GNU/Linux 12 (bookworm)","vm_box":"generic/debian12","expect_detect":"VULNERABLE","actual_detect":"VULNERABLE","status":"match"}
+{"module":"nft_pipapo","verified_at":"2026-05-24T03:27:10Z","host_kernel":"5.15.5-051505-generic","host_distro":"Ubuntu 22.04.3 LTS","vm_box":"generic/ubuntu2204","expect_detect":"VULNERABLE","actual_detect":"VULNERABLE","status":"match"}
+{"module":"sudo_runas_neg1","verified_at":"2026-05-24T03:29:18Z","host_kernel":"4.15.0-213-generic","host_distro":"Ubuntu 18.04.6 LTS","vm_box":"generic/ubuntu1804","expect_detect":"VULNERABLE","actual_detect":"VULNERABLE","status":"match"}
+{"module":"tioscpgrp","verified_at":"2026-05-24T03:31:08Z","host_kernel":"5.4.0-26-generic","host_distro":"Ubuntu 20.04.6 LTS","vm_box":"generic/ubuntu2004","expect_detect":"VULNERABLE","actual_detect":"VULNERABLE","status":"match"}
@@ -4,9 +4,9 @@
 <meta charset="UTF-8">
 <meta name="viewport" content="width=device-width, initial-scale=1.0">
 <title>SKELETONKEY — Linux LPE corpus, VM-verified, SOC-ready detection</title>
-<meta name="description" content="One binary. 31 Linux privilege-escalation modules from 2016 to 2026. 22 of 26 CVEs empirically verified in real Linux VMs. 10 KEV-listed. 119 detection rules across auditd/sigma/yara/falco. MITRE ATT&CK and CWE annotated. --explain gives operator briefings.">
+<meta name="description" content="One binary. 39 Linux privilege-escalation modules from 2016 to 2026. 27 of 34 CVEs empirically verified in real Linux VMs. 10 KEV-listed. 151 detection rules across auditd/sigma/yara/falco. MITRE ATT&CK and CWE annotated. --explain gives operator briefings.">
 <meta property="og:title" content="SKELETONKEY — Linux LPE corpus, VM-verified">
-<meta property="og:description" content="31 Linux LPE modules; 22 of 26 CVEs empirically verified in real VMs. 119 detection rules. ATT&CK + CWE + KEV annotated.">
+<meta property="og:description" content="39 Linux LPE modules; 27 of 34 CVEs empirically verified in real VMs. 151 detection rules. ATT&CK + CWE + KEV annotated.">
 <meta property="og:type" content="website">
 <meta property="og:url" content="https://karazajac.github.io/SKELETONKEY/">
 <meta property="og:image" content="https://karazajac.github.io/SKELETONKEY/og.png">
@@ -56,14 +56,14 @@
  <div class="container hero-inner">
    <div class="hero-eyebrow">
      <span class="dot dot-pulse"></span>
-      v0.9.0 — released 2026-05-24
+      v0.9.1 — released 2026-05-24
    </div>
    <h1 class="hero-title">
      <span class="display-wordmark">SKELETONKEY</span>
    </h1>
    <p class="hero-tag">
      One binary. <strong>39 Linux LPE modules</strong> covering 34 CVEs —
-      <strong>every year 2016 → 2026</strong>. 22 of 34 confirmed against
+      <strong>every year 2016 → 2026</strong>. 27 of 34 confirmed against
      real Linux kernels in VMs. SOC-ready detection rules in four SIEM
      formats. MITRE ATT&amp;CK + CWE + CISA KEV annotated.
      <span class="hero-tag-pop">--explain gives a one-page operator briefing per CVE.</span>
@@ -82,7 +82,7 @@

    <div class="stats-row" id="stats-row">
      <div class="stat-chip"><span class="num" data-target="39">0</span><span>modules</span></div>
-      <div class="stat-chip stat-vfy"><span class="num" data-target="22">0</span><span>✓ VM-verified</span></div>
+      <div class="stat-chip stat-vfy"><span class="num" data-target="27">0</span><span>✓ VM-verified</span></div>
      <div class="stat-chip stat-kev"><span class="num" data-target="11">0</span><span>★ in CISA KEV</span></div>
      <div class="stat-chip"><span class="num" data-target="151">0</span><span>detection rules</span></div>
    </div>
@@ -598,7 +598,7 @@ uid=0(root) gid=0(root)</pre>
      who found the bugs.
    </p>
    <p class="footer-meta">
-      v0.9.0 · MIT · <a href="https://github.com/KaraZajac/SKELETONKEY">github.com/KaraZajac/SKELETONKEY</a>
+      v0.9.1 · MIT · <a href="https://github.com/KaraZajac/SKELETONKEY">github.com/KaraZajac/SKELETONKEY</a>
    </p>
  </div>
 </footer>
@@ -39,7 +39,7 @@
    Curated Linux LPE corpus.
  </text>
  <text x="80" y="278" font-family="'Inter',sans-serif" font-size="30" fill="#c5c5d3" font-weight="500">
-    Every year 2016 → 2026. 22 of 34 verified.
+    Every year 2016 → 2026. 27 of 34 verified.
  </text>

  <!-- stat chips -->
@@ -49,9 +49,9 @@
    <text x="28" y="38" font-family="'JetBrains Mono',monospace" font-weight="700" font-size="22" fill="#ecedf7">39</text>
    <text x="64" y="37" font-family="'Inter',sans-serif" font-size="16" fill="#8a8a9d">modules</text>

-    <!-- 22 VM-verified -->
+    <!-- 27 VM-verified -->
    <rect x="206" y="0" width="240" height="58" rx="29" fill="#161628" stroke="#10b981" stroke-opacity="0.5"/>
-    <text x="234" y="38" font-family="'JetBrains Mono',monospace" font-weight="700" font-size="22" fill="#34d399">22</text>
+    <text x="234" y="38" font-family="'JetBrains Mono',monospace" font-weight="700" font-size="22" fill="#34d399">27</text>
    <text x="270" y="37" font-family="'Inter',sans-serif" font-size="16" fill="#8a8a9d">✓ VM-verified</text>

    <!-- 11 KEV -->