release v0.9.1: VM verification sweep 22 → 27
release / build (arm64) (push) Waiting to run
release / build (x86_64) (push) Waiting to run
release / build (x86_64-static / musl) (push) Waiting to run
release / build (arm64-static / musl) (push) Waiting to run
release / release (push) Blocked by required conditions
release / build (arm64) (push) Waiting to run
release / build (x86_64) (push) Waiting to run
release / build (x86_64-static / musl) (push) Waiting to run
release / build (arm64-static / musl) (push) Waiting to run
release / release (push) Blocked by required conditions
Five more CVEs empirically confirmed end-to-end against real Linux VMs:
- CVE-2019-14287 sudo_runas_neg1 (Ubuntu 18.04 + sudoers grant)
- CVE-2020-29661 tioscpgrp (Ubuntu 20.04 pinned to 5.4.0-26)
- CVE-2024-26581 nft_pipapo (Ubuntu 22.04 + mainline 5.15.5)
- CVE-2025-32463 sudo_chwoot (Ubuntu 22.04 + sudo 1.9.16p1 from source)
- CVE-2025-6019 udisks_libblockdev (Debian 12 + udisks2 + polkit rule)
Required real plumbing work:
- Per-module provisioner hook (tools/verify-vm/provisioners/<module>.sh)
- Two-phase provision in verify.sh (prep → reboot if needed → verify)
fixes silent-fail where new kernel installed but VM never rebooted
- GRUB_DEFAULT pinning in both pin-kernel and pin-mainline blocks
(kernel downgrades like 5.4.0-169 → 5.4.0-26 now actually boot the target)
- Old-mainline URL fallback in pin-mainline (≤ 4.15 debs at /v$KVER/ not /amd64/)
mutagen_astronomy marked manual: true — mainline 4.14.70 kernel-panics on
Ubuntu 18.04's rootfs ('Failed to execute /init (error -8)' — kernel config
mismatch). Genuinely needs a CentOS 6 / Debian 7 image.
This commit is contained in:
Vendored
+42
-6
@@ -73,7 +73,19 @@ Vagrant.configure("2") do |c|
|
||||
echo "[+] installing #{pkg} (kernel target #{kver})"
|
||||
export DEBIAN_FRONTEND=noninteractive
|
||||
apt-get install -y -qq #{pkg}
|
||||
echo "[i] kernel #{pkg} installed; reboot via 'vagrant reload'"
|
||||
echo "[i] kernel #{pkg} installed"
|
||||
fi
|
||||
# Pin grub default to this specific kernel. Without it, grub
|
||||
# picks the highest-versioned kernel installed (typically a
|
||||
# stock HWE backport that's POST-fix), defeating the pin's
|
||||
# purpose. Find the kver string by stripping linux-image-
|
||||
# prefix from the pkg name.
|
||||
PINNED_KVER="$(echo '#{pkg}' | sed 's/^linux-image-//')"
|
||||
if [ -f "/boot/vmlinuz-${PINNED_KVER}" ]; then
|
||||
GRUB_ENTRY="Advanced options for Ubuntu>Ubuntu, with Linux ${PINNED_KVER}"
|
||||
sed -i "s|^GRUB_DEFAULT=.*|GRUB_DEFAULT=\\"${GRUB_ENTRY}\\"|" /etc/default/grub
|
||||
echo "[+] GRUB_DEFAULT pinned to: ${GRUB_ENTRY}"
|
||||
update-grub 2>&1 | tail -3
|
||||
fi
|
||||
SHELL
|
||||
end
|
||||
@@ -90,16 +102,24 @@ Vagrant.configure("2") do |c|
|
||||
m.vm.provision "shell", name: "pin-mainline-#{mainline}", inline: <<-SHELL
|
||||
set -e
|
||||
KVER="#{mainline}"
|
||||
# already booted into it?
|
||||
# already booted into it? Still fall through to grub-pin to
|
||||
# make sure GRUB_DEFAULT stays correct even after stock kernel
|
||||
# upgrades that might reorder grub entries.
|
||||
BOOTED_INTO_TARGET=0
|
||||
if uname -r | grep -q "^${KVER}-[0-9]\\+-generic"; then
|
||||
echo "[=] mainline ${KVER} already booted ($(uname -r))"
|
||||
exit 0
|
||||
BOOTED_INTO_TARGET=1
|
||||
fi
|
||||
# already installed on disk (waiting on reboot)?
|
||||
|
||||
# already installed on disk? Skip the download/install but
|
||||
# still run the grub-pin block at the end.
|
||||
SKIP_INSTALL=0
|
||||
if ls /boot/vmlinuz-${KVER}-* >/dev/null 2>&1; then
|
||||
echo "[=] mainline ${KVER} already installed; needs reboot"
|
||||
exit 0
|
||||
echo "[=] mainline ${KVER} already installed on disk"
|
||||
SKIP_INSTALL=1
|
||||
fi
|
||||
|
||||
if [ "$SKIP_INSTALL" -eq 0 ]; then
|
||||
echo "[+] fetching kernel.ubuntu.com mainline v${KVER}"
|
||||
# Newer mainline kernels live under /v${KVER}/amd64/; older ones
|
||||
# (≤ ~4.15) put debs at /v${KVER}/ directly. Try /amd64/ first;
|
||||
@@ -131,6 +151,22 @@ Vagrant.configure("2") do |c|
|
||||
done
|
||||
export DEBIAN_FRONTEND=noninteractive
|
||||
dpkg -i *.deb || apt-get install -f -y -qq
|
||||
fi # end SKIP_INSTALL guard
|
||||
|
||||
# Pin grub default to the just-installed mainline kernel. Without
|
||||
# this, grub's debian-version-compare picks the highest-sorting
|
||||
# vmlinuz-* as default; for downgrades (e.g. stock 4.15 → mainline
|
||||
# 4.14.70), the OLD kernel wins because 4.15 > 4.14 numerically.
|
||||
MAINLINE_VMLINUZ=$(ls /boot/vmlinuz-${KVER}-* 2>/dev/null | head -1)
|
||||
if [ -n "$MAINLINE_VMLINUZ" ]; then
|
||||
MAINLINE_KVER=$(basename "$MAINLINE_VMLINUZ" | sed 's/^vmlinuz-//')
|
||||
# The "Advanced options" submenu entry id is stable across
|
||||
# update-grub runs as "gnulinux-advanced-<UUID>>gnulinux-<kver>-advanced-<UUID>".
|
||||
# Easier: use the human menuentry path.
|
||||
GRUB_ENTRY="Advanced options for Ubuntu>Ubuntu, with Linux ${MAINLINE_KVER}"
|
||||
sed -i "s|^GRUB_DEFAULT=.*|GRUB_DEFAULT=\\"${GRUB_ENTRY}\\"|" /etc/default/grub
|
||||
echo "[+] GRUB_DEFAULT pinned to: ${GRUB_ENTRY}"
|
||||
fi
|
||||
update-grub 2>&1 | tail -3
|
||||
echo "[i] mainline ${KVER} installed; reboot via 'vagrant reload'"
|
||||
SHELL
|
||||
|
||||
@@ -9,7 +9,7 @@
|
||||
set -e
|
||||
|
||||
export DEBIAN_FRONTEND=noninteractive
|
||||
apt-get install -y -qq udisks2 libblockdev-utils3 >/dev/null
|
||||
apt-get install -y -qq udisks2 libblockdev-utils2 >/dev/null
|
||||
|
||||
mkdir -p /etc/polkit-1/rules.d
|
||||
cat >/etc/polkit-1/rules.d/49-skk-verify.rules <<'EOF'
|
||||
@@ -31,4 +31,4 @@ sleep 2
|
||||
echo "[+] udisks2 status:"
|
||||
systemctl is-active udisks2.service
|
||||
echo "[+] udisks2 version: $(dpkg-query -W -f='${Version}' udisks2)"
|
||||
echo "[+] libblockdev version: $(dpkg-query -W -f='${Version}' libblockdev-utils3 2>/dev/null || dpkg-query -W -f='${Version}' libblockdev-utils2)"
|
||||
echo "[+] libblockdev version: $(dpkg-query -W -f='${Version}' libblockdev-utils2)"
|
||||
|
||||
@@ -248,12 +248,12 @@ pintheft:
|
||||
# ── v0.9.0 additions (gap fillers 2018 / 2019 / 2020 / 2024) ──────
|
||||
|
||||
mutagen_astronomy:
|
||||
box: ubuntu1804 # stock 4.15.0-213 is post-fix; mainline 4.14.70 is one below the .71 fix
|
||||
box: ""
|
||||
kernel_pkg: ""
|
||||
mainline_version: "4.14.70"
|
||||
kernel_version: "4.14.70"
|
||||
expect_detect: VULNERABLE
|
||||
notes: "CVE-2018-14634; Qualys Mutagen Astronomy. Mainline 4.14.70 sits one stable below the 4.14.71 backport. Old mainline kernels live at /v${KVER}/ directly (no /amd64/ subdir); Vagrantfile's pin-mainline provisioner falls back to the bare path."
|
||||
kernel_version: ""
|
||||
expect_detect: ""
|
||||
manual: true
|
||||
notes: "CVE-2018-14634; Qualys Mutagen Astronomy. No good Vagrant verification environment: stock Ubuntu 18.04 (4.15.0-213) returns detect()=VULNERABLE because the module's kernel_range table has no entry for the 4.15.x series (Ubuntu's HWE backports are not modeled), but the kernel IS actually patched — false-positive of the conservative module logic. Mainline 4.14.70 (target VULNERABLE kernel) panics on Ubuntu 18.04's rootfs with 'Failed to execute /init (error -8)' — kernel config mismatch (binfmt_elf as module rather than baked-in). Genuinely vulnerable verification needs a contemporary CentOS 6 / Debian 7 image with original-vintage kernel; deferred to custom-box workflow."
|
||||
|
||||
sudo_runas_neg1:
|
||||
box: ubuntu1804 # ships sudo 1.8.21p2 (vulnerable; pre-1.8.28 fix)
|
||||
@@ -279,7 +279,8 @@ vsock_uaf:
|
||||
|
||||
nft_pipapo:
|
||||
box: ubuntu2204 # 5.15 stock + HWE — same pipapo set substrate as nf_tables
|
||||
kernel_pkg: linux-image-5.15.0-43-generic
|
||||
kernel_version: "5.15.0-43"
|
||||
kernel_pkg: ""
|
||||
mainline_version: "5.15.5"
|
||||
kernel_version: "5.15.5"
|
||||
expect_detect: VULNERABLE
|
||||
notes: "CVE-2024-26581; nft_pipapo destroy-race (Notselwyn II). Same Vagrant target as nf_tables works here — stock 5.15.0-43 is below the 5.15.149 backport. Userns gate must be open (sysctl kernel.unprivileged_userns_clone=1)."
|
||||
notes: "CVE-2024-26581; nft_pipapo destroy-race (Notselwyn II). Same mainline 5.15.5 target as nf_tables works here — 5.15.5 is below the 5.15.149 backport. (Switched from apt-pinned 5.15.0-43 after that package was removed from Ubuntu repos.) Userns gate must be open (sysctl kernel.unprivileged_userns_clone=1)."
|
||||
|
||||
+39
-14
@@ -139,19 +139,6 @@ if ! vagrant status "$VM_HOSTNAME" 2>&1 | grep -q "running"; then
|
||||
vagrant up "$VM_HOSTNAME" --provider=parallels
|
||||
fi
|
||||
|
||||
# Reboot if any kernel pin was applied (uname -r != target).
|
||||
if [[ -n "$KERNEL_PKG" || -n "$MAINLINE" ]]; then
|
||||
current_kver=$(vagrant ssh "$VM_HOSTNAME" -c "uname -r" 2>/dev/null | tr -d '\r')
|
||||
target_match="$KERNEL_VER"
|
||||
[[ -n "$MAINLINE" ]] && target_match="$MAINLINE"
|
||||
if [[ "$current_kver" != *"$target_match"* ]]; then
|
||||
echo "[*] current kernel $current_kver != target $target_match; rebooting..."
|
||||
vagrant reload "$VM_HOSTNAME"
|
||||
sleep 5
|
||||
fi
|
||||
fi
|
||||
|
||||
# Run the explain probe.
|
||||
LOG="$LOG_DIR/verify-${MODULE}-$(date +%Y%m%d-%H%M%S).log"
|
||||
|
||||
# Force rsync the source tree in. vagrant up runs rsync automatically on
|
||||
@@ -160,8 +147,46 @@ LOG="$LOG_DIR/verify-${MODULE}-$(date +%Y%m%d-%H%M%S).log"
|
||||
echo "[*] syncing source into VM..."
|
||||
vagrant rsync "$VM_HOSTNAME" 2>&1 | tail -5
|
||||
|
||||
# Two-phase provisioning so the new kernel actually boots before verify:
|
||||
# PREP: install kernel (apt or mainline) + pin grub default + run any
|
||||
# module-specific provisioner (sudoers grant, sudo build, ...).
|
||||
# ── conditional reboot if uname -r doesn't match target ──
|
||||
# VERIFY: build skeletonkey + run --explain --active.
|
||||
PREP_PROVS=()
|
||||
[[ -n "$KERNEL_PKG" ]] && PREP_PROVS+=("pin-kernel-${KERNEL_PKG}")
|
||||
[[ -n "$MAINLINE" ]] && PREP_PROVS+=("pin-mainline-${MAINLINE}")
|
||||
[[ -f "$VM_DIR/provisioners/${MODULE}.sh" ]] && PREP_PROVS+=("module-provision-${MODULE}")
|
||||
|
||||
if [[ ${#PREP_PROVS[@]} -gt 0 ]]; then
|
||||
echo "[*] running prep provisioners: ${PREP_PROVS[*]}"
|
||||
vagrant provision "$VM_HOSTNAME" \
|
||||
--provision-with "$(IFS=,; echo "${PREP_PROVS[*]}")" 2>&1 | tee "$LOG"
|
||||
fi
|
||||
|
||||
# Reboot if a kernel pin moved us off the target. This must run AFTER
|
||||
# the prep provisioners (which install the kernel + set GRUB_DEFAULT),
|
||||
# otherwise the reboot picks the stock kernel and we never land on the
|
||||
# target.
|
||||
if [[ -n "$KERNEL_PKG" || -n "$MAINLINE" ]]; then
|
||||
current_kver=$(vagrant ssh "$VM_HOSTNAME" -c "uname -r" 2>/dev/null | tr -d '\r')
|
||||
target_match="$KERNEL_VER"
|
||||
[[ -n "$MAINLINE" ]] && target_match="$MAINLINE"
|
||||
if [[ "$current_kver" != *"$target_match"* ]]; then
|
||||
echo "[*] current kernel $current_kver != target $target_match; rebooting..."
|
||||
vagrant reload "$VM_HOSTNAME" 2>&1 | tee -a "$LOG"
|
||||
sleep 5
|
||||
post_kver=$(vagrant ssh "$VM_HOSTNAME" -c "uname -r" 2>/dev/null | tr -d '\r')
|
||||
echo "[*] post-reboot kernel: $post_kver" | tee -a "$LOG"
|
||||
if [[ "$post_kver" != *"$target_match"* ]]; then
|
||||
echo "[!] reboot did NOT land on target kernel $target_match (got $post_kver)" | tee -a "$LOG"
|
||||
echo " detect() will still run, but verification is on the wrong kernel" | tee -a "$LOG"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
|
||||
echo "[*] running verifier..."
|
||||
vagrant provision "$VM_HOSTNAME" --provision-with build-and-verify 2>&1 | tee "$LOG"
|
||||
vagrant provision "$VM_HOSTNAME" \
|
||||
--provision-with build-and-verify 2>&1 | tee -a "$LOG"
|
||||
|
||||
# Parse verdict. Vagrant prefixes provisioner output with the VM name
|
||||
# (e.g. " skk-pwnkit: VERDICT: VULNERABLE"), so anchor on the VERDICT
|
||||
|
||||
Reference in New Issue
Block a user