leviathan/SKELETONKEY
1
0
Fork 0
Code Issues Pull Requests Actions 21 Packages Projects Releases Wiki Activity

review pass: fidelity + credits + count consistency for ported modules

Browse Source 
Three-agent rigorous review of the dirtydecrypt + fragnesia ports plus
repo-wide doc consistency, followed by a full Linux build verification.

dirtydecrypt (NOTICE + detection rules):
- NOTICE.md: removed an unsupported "Zellic co-founder" detail and a
  fabricated disclosure-date narrative; tightened phrasing of the
  Zellic + V12 credit; noted that upstream poc.c carries no
  author/license header of its own.
- Embedded auditd + sigma rules and detect/sigma.yml broadened to
  cover every binary in dd_targets[] (added /usr/bin/mount,
  /usr/bin/passwd, /usr/bin/chsh) and added the b32 splice rule, so
  the embedded ruleset matches the on-disk reference and the carrier
  list the exploit actually targets.
- Exploit primitive verified byte-for-byte against the V12 PoC
  (tiny_elf[] identical, all rxgk/XDR/fire/pagecache_write logic
  token-identical). docker gcc:latest compile of the Linux path:
  COMPILE_OK, zero warnings.

fragnesia: review found no defects. Exploit primitive byte-identical
to the V12 PoC (shell_elf[] 192 bytes identical, AF_ALG GCM keystream
table + userns/netns/XFRM + receiver/sender/run_trigger_pair all
faithful). The deliberate omissions (ANSI TUI, CLI arg parsing) drop
nothing exploit-critical. docker gcc:latest compile: COMPILE_OK; full
project build links into a working skeletonkey ELF and --list shows
the module registered correctly.

Repo docs (README.md / CVES.md / ROADMAP.md):
- Chose to keep "28 verified" as the headline; the two ported
  modules are represented as a separate clearly-labelled tier
  ("ported-but-unverified") that is explicitly excluded from the
  28-module verified counts. README + CVES.md + ROADMAP.md now tell
  one consistent story.
- Filled a pre-existing documentation gap: sudo_samedit, sequoia,
  sudoedit_editor, vmwgfx were registered + built but absent from
  CVES.md's inventory + operations tables. Added rows synthesized
  from each module's .cve / .summary / .kernel_range fields.
- ROADMAP Phase 8 "7 🟡 PRIMITIVE modules" → "14"; added a "Landed
  since v0.1.0" group; moved vmwgfx out of the stale carry-overs.

docs site (docs/index.html):
- Stat box "28 / total modules" → "28 / verified modules" (the 14+14
  breakdown now sums to the headline consistently).
- Terminal example "scanning 28 modules" → "scanning 30 modules"
  (was factually wrong — the binary literally prints module_count()
  which is 30).
- Status line: updated to mention the 2 ported-but-unverified
  modules and mirror the README phrasing.
- docs/LAUNCH.md left as a dated v0.5.0 launch snapshot.

Build verification: `docker run gcc:latest make clean && make` —
links into a 30-module skeletonkey ELF on Linux. macOS dev box still
hits the pre-existing dirty_pipe header gap; unchanged.

.gitignore: added /skeletonkey to exclude the top-level build
artifact (the existing modules/*/skeletonkey only covered per-module
binaries; the root one was getting picked up by `git add -A`).
This commit is contained in:
KaraZajac
2026-05-22 18:41:37 -04:00
parent a8c8d5ef1f
commit ac557b67d0
8 changed files with 90 additions and 33 deletions
Download Patch File Download Diff File Expand all files Collapse all files
modules/dirtydecrypt_cve_2026_31635/skeletonkey_modules.c
+8 -2
View File
@@ -856,8 +856,12 @@ static skeletonkey_result_t dd_cleanup(const struct skeletonkey_ctx *ctx)
static const char dd_auditd[] =
"# DirtyDecrypt (CVE-2026-31635) — auditd detection rules\n"
"# rxgk in-place decrypt corrupts the page cache of a read-only file.\n"
"# Watches every payload carrier in dd_targets[] plus credential files.\n"
"-w /usr/bin/su -p wa -k skeletonkey-dirtydecrypt\n"
"-w /bin/su -p wa -k skeletonkey-dirtydecrypt\n"
"-w /usr/bin/mount -p wa -k skeletonkey-dirtydecrypt\n"
"-w /usr/bin/passwd -p wa -k skeletonkey-dirtydecrypt\n"
"-w /usr/bin/chsh -p wa -k skeletonkey-dirtydecrypt\n"
"-w /etc/passwd -p wa -k skeletonkey-dirtydecrypt\n"
"-w /etc/shadow -p wa -k skeletonkey-dirtydecrypt\n"
"# AF_RXRPC socket creation by non-root (family 33) — core of the trigger\n"
@@ -865,7 +869,8 @@ static const char dd_auditd[] =
"# rxrpc security keys added to the keyring\n"
"-a always,exit -F arch=b64 -S add_key -k skeletonkey-dirtydecrypt-key\n"
"# splice() drives the page-cache pages into the forged DATA packet\n"
"-a always,exit -F arch=b64 -S splice -k skeletonkey-dirtydecrypt-splice\n";
"-a always,exit -F arch=b64 -S splice -k skeletonkey-dirtydecrypt-splice\n"
"-a always,exit -F arch=b32 -S splice -k skeletonkey-dirtydecrypt-splice\n";
static const char dd_sigma[] =
"title: Possible DirtyDecrypt exploitation (CVE-2026-31635)\n"
@@ -879,7 +884,8 @@ static const char dd_sigma[] =
"detection:\n"
" modification:\n"
" type: 'PATH'\n"
" name|startswith: ['/usr/bin/su', '/bin/su', '/etc/passwd', '/etc/shadow']\n"
" name|startswith: ['/usr/bin/su', '/bin/su', '/usr/bin/mount',\n"
" '/usr/bin/passwd', '/usr/bin/chsh', '/etc/passwd', '/etc/shadow']\n"
" not_root:\n"
" auid|expression: '!= 0'\n"
" condition: modification and not_root\n"