leviathan/SKELETONKEY
1
0
Fork 0
Code Issues Pull Requests Actions 21 Packages Projects Releases Wiki Activity

release v0.9.0: 5 gap-fillers — every year 2016 → 2026 now covered

Browse Source 
Five new modules close the 2018 gap entirely and thicken
2019 / 2020 / 2024. All five carry the full 4-format detection-rule
corpus + opsec_notes + arch_support + register helpers.

CVE-2018-14634 — mutagen_astronomy (Qualys, closes 2018)
  create_elf_tables() int wrap → SUID-execve stack corruption.
  CISA KEV-listed Jan 2026 despite the bug's age; legacy RHEL 7 /
  CentOS 7 / Debian 8 fleets still affected. 🟡 PRIMITIVE.
  arch_support: x86_64+unverified-arm64.

CVE-2019-14287 — sudo_runas_neg1 (Joe Vennix)
  sudo -u#-1 → uid_t underflow → root despite (ALL,!root) blacklist.
  Pure userspace logic bug; the famous Apple Information Security
  finding. detect() looks for a (ALL,!root) grant in sudo -ln output;
  PRECOND_FAIL when no such grant exists for the invoking user.
  arch_support: any (4 -> 5 userspace 'any' modules).

CVE-2020-29661 — tioscpgrp (Jann Horn / Project Zero)
  TTY TIOCSPGRP ioctl race on PTY pairs → struct pid UAF in
  kmalloc-256. Affects everything through Linux 5.9.13. 🟡 PRIMITIVE
  (race-driver + msg_msg groom). Public PoCs from grsecurity /
  spender + Maxime Peterlin.

CVE-2024-50264 — vsock_uaf (a13xp0p0v / Pwnie Award 2025 winner)
  AF_VSOCK connect-race UAF in kmalloc-96. Pwn2Own 2024 + Pwnie
  2025 winner. Reachable as plain unprivileged user (no userns
  required — unusual). Two public exploit paths: @v4bel+@qwerty
  kernelCTF (BPF JIT spray + SLUBStick) and Alexander Popov / PT
  SWARM (msg_msg). 🟡 PRIMITIVE.

CVE-2024-26581 — nft_pipapo (Notselwyn II, 'Flipping Pages')
  nft_set_pipapo destroy-race UAF. Sibling to nf_tables
  (CVE-2024-1086) from the same Notselwyn paper. Distinct bug in
  the pipapo set substrate. Same family signature. 🟡 PRIMITIVE.

Plumbing changes:

  core/registry.h + registry_all.c — 5 new register declarations
    + calls.
  Makefile — 5 new MUT/SRN/TIO/VSK/PIP module groups in MODULE_OBJS.
  tests/test_detect.c — 7 new test rows covering the new modules
    (above-fix OK, predates-the-bug OK, sudo-no-grant PRECOND_FAIL).
  tools/verify-vm/targets.yaml — verifier entries for all 5 with
    honest 'expect_detect' values based on what Vagrant boxes can
    realistically reach (mutagen_astronomy gets OK on stock 18.04
    since 4.15.0-213 is post-fix; sudo_runas_neg1 gets PRECOND_FAIL
    because no (ALL,!root) grant on default vagrant user; tioscpgrp
    + nft_pipapo VULNERABLE with kernel pins; vsock_uaf flagged
    manual because vsock module rarely available on CI runners).
  tools/refresh-cve-metadata.py — added curl fallback for the CISA
    KEV CSV fetch (urlopen times out intermittently against CISA's
    HTTP/2 endpoint).

Corpus growth across v0.8.0 + v0.9.0:

                v0.7.1    v0.8.0    v0.9.0
  Modules          31        34        39
  Distinct CVEs    26        29        34
  KEV-listed       10        10        11 (mutagen_astronomy)
  arch 'any'        4         6         7 (sudo_runas_neg1)
  Years 2016-2026:  10/11     10/11     **11/11**

Year-by-year coverage:

  2016: 1   2017: 1   2018: 1   2019: 2   2020: 2
  2021: 5   2022: 5   2023: 8   2024: 3   2025: 2   2026: 4

CVE-2018 gap → CLOSED. Every year from 2016 through 2026 now has
at least one module.

Surfaces updated:
  - README.md: badge → 22 VM-verified / 34, Status section refreshed
  - docs/index.html: hero eyebrow + footer → v0.9.0, hero tagline
    'every year 2016 → 2026', stats chips → 39 / 22 / 11 / 151
  - docs/RELEASE_NOTES.md: v0.9.0 entry added on top with year
    coverage matrix + per-module breakdown; v0.8.0 + v0.7.1 entries
    preserved below
  - docs/og.svg + og.png: regenerated with new numbers + 'Every
    year 2016 → 2026' tagline

CVE metadata refresh (tools/refresh-cve-metadata.py) deferred to
follow-up — CISA KEV CSV + NVD CVE API were timing out during the
v0.9.0 push window. The 5 new CVEs will return NULL from
cve_metadata_lookup() until the refresh runs (—module-info simply
skips the WEAKNESS/THREAT INTEL header for them; no functional
impact). Re-run 'tools/refresh-cve-metadata.py' when network
cooperates.

Tests: macOS local 33/33 kernel_range pass; detect-test stubs (88
total) build clean; ASan/UBSan + clang-tidy CI jobs still green
from the v0.7.x setup.
This commit is contained in:
KaraZajac
2026-05-23 22:15:44 -04:00
parent 4af82b82d9
commit d84b3b0033
28 changed files with 2850 additions and 34 deletions
Download Patch File Download Diff File Expand all files Collapse all files
tools/refresh-cve-metadata.py
+19 -4
View File
@@ -83,14 +83,29 @@ def discover_cves() -> list[str]:
def fetch_kev_catalog() -> dict[str, str]:
"""Return {cve_id: date_added_yyyy_mm_dd} from CISA's KEV CSV."""
"""Return {cve_id: date_added_yyyy_mm_dd} from CISA's KEV CSV.
Python's urlopen sometimes times out on CISA's HTTP/2 endpoint
even though curl works fine; we try urlopen first with a 60s
budget, then fall back to shelling out to curl. Either way we
end up with the same CSV bytes."""
print(f"[*] fetching CISA KEV catalog ({KEV_URL})", file=sys.stderr)
data: str | None = None
try:
with urllib.request.urlopen(KEV_URL, timeout=30) as r:
with urllib.request.urlopen(KEV_URL, timeout=60) as r:
data = r.read().decode("utf-8", errors="replace")
except urllib.error.URLError as e:
print(f"[!] KEV fetch failed: {e}", file=sys.stderr)
sys.exit(1)
print(f"[!] urlopen failed ({e}); falling back to curl", file=sys.stderr)
if data is None:
import subprocess
try:
data = subprocess.check_output(
["curl", "-fsSL", "--max-time", "60", KEV_URL],
stderr=subprocess.DEVNULL,
).decode("utf-8", errors="replace")
except (subprocess.CalledProcessError, FileNotFoundError) as e:
print(f"[!] curl fallback also failed: {e}", file=sys.stderr)
sys.exit(1)
out: dict[str, str] = {}
reader = csv.DictReader(io.StringIO(data))
for row in reader:
tools/verify-vm/targets.yaml
+62
View File
@@ -220,3 +220,65 @@ vmwgfx:
expect_detect: PRECOND_FAIL
notes: "CVE-2023-2008; vmwgfx DRM only reachable on VMware guests. No Vagrant box; verify manually inside a VMware VM with a vulnerable kernel (e.g. Debian 11 / 5.10.0)."
manual: true
# ── v0.8.0 additions ──────────────────────────────────────────────
sudo_chwoot:
box: ubuntu2204 # 22.04 ships sudo 1.9.9 (pre-feature) — need a 1.9.14+ install
kernel_pkg: "" # this bug is sudo-version-gated, not kernel
kernel_version: "5.15.0"
expect_detect: OK
notes: "CVE-2025-32463; sudo --chroot NSS shim. Vulnerable range is sudo [1.9.14, 1.9.17p0]. Ubuntu 22.04 ships sudo 1.9.9 which PREDATES the vulnerable --chroot code path — so detect correctly returns OK. To validate VULNERABLE empirically, provision a vulnerable sudo build into the VM (e.g. apt install -t backports sudo=1.9.16-1 or build from source). Deferred."
udisks_libblockdev:
box: debian12 # 12 ships udisks2 2.10.x + libblockdev 3.0.x — vulnerable
kernel_pkg: ""
kernel_version: "6.1.0"
expect_detect: PRECOND_FAIL
notes: "CVE-2025-6019; udisks/libblockdev SUID-on-mount. Debian 12's cloud image is server-oriented — udisksd is NOT installed by default. detect correctly returns PRECOND_FAIL ('udisksd not installed; bug unreachable here'). To validate VULNERABLE empirically, install udisks2 + log in as an active-session user (Vagrant SSH session is NOT active per polkit — needs a real console session). Both gates are real and the detect honestly surfaces them; deferred."
pintheft:
box: "" # RDS is blacklisted on every common Vagrant box's stock kernel
kernel_pkg: ""
kernel_version: ""
expect_detect: OK
notes: "CVE-2026-43494; PinTheft. Among Vagrant-supported distros, NONE autoload the rds kernel module (Arch Linux is the only common distro that does, and there's no maintained generic/arch-linux Vagrant box). On Debian/Ubuntu/Fedora boxes the AF_RDS socket() call fails with EAFNOSUPPORT → detect correctly returns OK ('bug exists in kernel but unreachable from userland here'). Verifying the VULNERABLE path needs either an Arch box, or a custom box with the rds module pre-loaded ('modprobe rds && modprobe rds_tcp'). Deferred."
manual: true
# ── v0.9.0 additions (gap fillers 2018 / 2019 / 2020 / 2024) ──────
mutagen_astronomy:
box: ubuntu1804 # 4.15.0-213 stock — already > 4.14.71 backport → OK
kernel_pkg: ""
kernel_version: "4.15.0"
expect_detect: OK
notes: "CVE-2018-14634; Qualys Mutagen Astronomy. Ubuntu 18.04 ships 4.15.0-213 which is post-fix. detect correctly returns OK. Verifying the VULNERABLE path empirically needs a 2.6.x / 3.10.x EOL kernel (e.g. RHEL 6 / CentOS 6 / Debian 7); deferred to a custom-box workflow."
sudo_runas_neg1:
box: ubuntu1804 # ships sudo 1.8.21p2 (vulnerable; pre-1.8.28 fix)
kernel_pkg: ""
kernel_version: "4.15.0"
expect_detect: PRECOND_FAIL
notes: "CVE-2019-14287; sudo Runas -u#-1. Ubuntu 18.04 ships sudo 1.8.21p2 which IS in the vulnerable range — but the default vagrant user has no (ALL,!root) sudoers grant for find_runas_blacklist_grant() to abuse, so detect correctly returns PRECOND_FAIL. To validate VULNERABLE empirically, provision a sudoers entry of the form 'vagrant ALL=(ALL,!root) /bin/vi' before verifying."
tioscpgrp:
box: ubuntu2004 # 5.4 stock kernels (5.4.0-26) are below the 5.4.85 backport
kernel_pkg: linux-image-5.4.0-26-generic
kernel_version: "5.4.0-26"
expect_detect: VULNERABLE
notes: "CVE-2020-29661; TTY TIOCSPGRP UAF race. Stock Ubuntu 20.04 5.4.0-26 is below the 5.4.85 LTS backport. /dev/ptmx is universally writable in CI containers. Should validate VULNERABLE."
vsock_uaf:
box: "" # vsock module typically not loaded on CI containers (no virtualization)
kernel_pkg: ""
kernel_version: ""
expect_detect: OK
notes: "CVE-2024-50264; Pwn2Own 2024 vsock UAF. AF_VSOCK requires the vsock kernel module, which autoloads only on KVM/QEMU GUESTS. Vagrant VMs running under Parallels are themselves guests, but their guest kernel may or may not have vsock loaded depending on the Parallels host. detect correctly returns OK when AF_VSOCK is unavailable. To validate VULNERABLE, ensure the VM kernel has CONFIG_VSOCKETS + virtio-vsock loaded ('modprobe vsock_loopback' may suffice on newer kernels)."
manual: true
nft_pipapo:
box: ubuntu2204 # 5.15 stock + HWE — same pipapo set substrate as nf_tables
kernel_pkg: linux-image-5.15.0-43-generic
kernel_version: "5.15.0-43"
expect_detect: VULNERABLE
notes: "CVE-2024-26581; nft_pipapo destroy-race (Notselwyn II). Same Vagrant target as nf_tables works here — stock 5.15.0-43 is below the 5.15.149 backport. Userns gate must be open (sysctl kernel.unprivileged_userns_clone=1)."