modules: add dirtydecrypt (CVE-2026-31635) + fragnesia (CVE-2026-46300)
Two new page-cache-write LPE modules, both ported from the public V12 security PoCs (github.com/v12-security/pocs):

- dirtydecrypt (CVE-2026-31635): rxgk missing-COW in-place decrypt. rxgk_decrypt_skb() decrypts spliced page-cache pages before the HMAC check, corrupting the page cache of a read-only file. Sibling of Copy Fail / Dirty Frag in the rxrpc subsystem.
- fragnesia (CVE-2026-46300): XFRM ESP-in-TCP skb_try_coalesce() loses the SHARED_FRAG marker, so the ESP-in-TCP receive path decrypts page-cache pages in place. A latent bug exposed by the Dirty Frag fix (f4c50a4034e6). Retires the old _stubs/fragnesia_TBD stub.

Both wrap the PoC exploit primitive in the skeletonkey_module interface: detect/exploit/cleanup, an --active /tmp sentinel probe, --no-shell support, and embedded auditd + sigma rules. The exploit body runs in a forked child so the PoC's exit()/die() paths cannot tear down the dispatcher. The fragnesia port drops the upstream PoC's ANSI TUI (incompatible with a shared dispatcher); the exploit mechanism is reproduced faithfully. Linux-only code is guarded with #ifdef __linux__ so the modules still compile on non-Linux dev boxes.

VERIFICATION: ported, NOT yet validated end-to-end on a vulnerable-kernel VM. The CVE fix commits are not pinned, so detect() is precondition-only (PRECOND_FAIL / TEST_ERROR, never a blind VULNERABLE) and --auto will not fire them unless --active confirms. macOS stub-path compiles verified locally; the Linux exploit-path build is covered by CI (build.yml, ubuntu) only. See each MODULE.md.

Wiring: core/registry.h, skeletonkey.c, Makefile, CVES.md, ROADMAP.md.
@@ -164,10 +164,26 @@ Backfill of historical and recent LPEs as time allows.
(hand-rolled nfnetlink, NFT_GOTO+DROP malformed verdict,
msg_msg kmalloc-cg-96 groom, no pipapo R/W chain).

**Landed (ported from public PoC, pending VM verification):**

- [x] **CVE-2026-46300** — Fragnesia: 🟡 XFRM ESP-in-TCP page-cache
write. Ported from the V12 PoC; the old `_stubs/fragnesia_TBD`
stub is retired. The stub's open question ("is the
unprivileged-userns-netns scenario in scope?") is resolved —
the module ships and reports `PRECOND_FAIL` when the userns gate
is closed.
- [x] **CVE-2026-31635** — DirtyDecrypt: 🟡 rxgk missing-COW in-place
decrypt page-cache write. Ported from the V12 PoC.
- [ ] **Verify both on a vulnerable-kernel VM**, pin the CVE fix
commits, add `kernel_range` tables, and promote 🟡 → 🟢. Until
then `detect()` is precondition-only (no version verdict) and
`--auto` will not fire them blind.

**Carry-overs:**

- [ ] **CVE-2023-2008** — vmwgfx OOB write
- [ ] Fragnesia (if it lands as a CVE)
- [ ] **CVE-2026-41651** — Pack2TheRoot (PackageKit daemon userspace
LPE; cross-distro). Candidate — userspace LPE in the pwnkit vein.
- [ ] Anything we ourselves disclose — bundled AFTER upstream patch
ships (responsible-disclosure-first)


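Review bot: the Carry-overs list in this hunk still contains `- [ ] Fragnesia (if it lands as a CVE)` while the Landed block a few lines above records Fragnesia as CVE-2026-46300 with a ported module and a retired stub, so the roadmap now lists the same item as both landed and pending; drop that carry-over line (or fold it into the "Verify both on a vulnerable-kernel VM" task, which is where the remaining work actually lives). On the same hunk, the two `[x]` entries are checked even though the commit message and the 🟡 marker say they are unverified; if checked means "code landed" rather than "verified", a one-line legend near the heading would keep that from being misread when the 🟢 promotion happens.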