7 Commits

Author	SHA1	Message	Date
leviathan	fa0228df9b	release v0.9.3: CVE metadata refresh (KEV 10→12) + dirtydecrypt bug fix ... CVE metadata refresh: - Added 8 entries to core/cve_metadata.c for the v0.8.0 + v0.9.0 module CVEs. Two are CISA-KEV-listed: - CVE-2018-14634 mutagen_astronomy (2026-01-26, CWE-190) - CVE-2025-32463 sudo_chwoot (2025-09-29, CWE-829) - Populated via direct curl when refresh-cve-metadata.py's Python urlopen hung on CISA's HTTP/2 endpoint for ~55 min — same data, different transport. dirtydecrypt module bug fix: - dd_detect() was wrongly gating 'predates the bug' on kernel < 7.0 - Per NVD CVE-2026-31635: bug entered at 6.16.1 stable; vulnerable through 6.18.22 / 6.19.12 / 7.0-rc7; fixed at 6.18.23 / 6.19.13 / 7.0 - Fix: predates-gate now uses 6.16.1; patched_branches[] adds {6,18,23} - Re-verified: dirtydecrypt now correctly returns VULNERABLE on mainline 6.19.7 instead of OK. Previously a false negative on real vulnerable kernels. Footer goes from '10 in CISA KEV' to '12 in CISA KEV'. Verified count stays at 28 but dirtydecrypt's record is now a TRUE VULNERABLE match (was OK match).	2026-05-24 01:17:58 -04:00
leviathan	d52fcd5512	docs: sweep stale counts to match v0.9.2 binary state ... Audit found several user-facing surfaces still carrying old numbers from earlier releases. Brought everything in line with the binary's authoritative footer ('39 modules · 10 KEV · 28 verified · 7 any'). README.md: - Status section: v0.9.0 → v0.9.2 framing; describe the 22 → 28 verification arc (v0.9.1 + v0.9.2) - '119 detection rules' → 151 (current bundled count) - '10 of 26 KEV-listed' → '10 of 34' - 'Not yet verified (4 of 26 CVEs)' → '(6 of 34 CVEs)' with the new honest list (vmwgfx, dirty_cow, mutagen_astronomy, pintheft, vsock_uaf, fragnesia) and the reason each is blocked - Example --auto output: 31 → 39 modules docs/index.html: - '22 of 26 CVEs confirmed' → '28 of 34', mainline kernel list expanded (5.4.0-26 / 5.15.5 / 6.1.10 / 6.19.7) - Corpus section '26 CVEs across 10 years' → '34 CVEs' - '26 CVEs, 10-year span' (author list intro) → '34 CVEs' - Footer feature list '22 of 26' → '28 of 34' - KEV stat chip 11 → 10 (matches binary; the anticipated 11th from metadata refresh hasn't been added yet) - '119 detection rules' → '151' (two occurrences) docs/og.svg + og.png: - KEV chip 11 → 10 (matches binary) CVES.md: - '31 modules' → '39 modules covering 34 CVEs' - Rewrote the unverified-rows note to match the actual 6-module list No content changes to RELEASE_NOTES.md or ROADMAP.md — those entries correctly describe state at the time they were written.	2026-05-24 00:09:21 -04:00
leviathan	66cca39a55	release v0.9.2: dirtydecrypt verified on mainline 6.19.7 (22 → 28) ... Verifies CVE-2026-31635 dirtydecrypt's OK path on a kernel that predates the bug: 'kernel predates the rxgk RESPONSE-handling code added in 7.0' — match. Confirms detect() doesn't false-positive on older 6.x kernels. Attempted fragnesia (CVE-2026-46300) but mainline 7.0.5 .debs depend on libssl3t64 / libelf1t64 (t64-transition libs from Ubuntu 24.04+ / Debian 13+). No Parallels-supported Vagrant box ships those yet — dpkg --force-depends leaves the kernel package in iHR state with no /boot/vmlinuz. Marked manual: true with rationale. Verifier infrastructure: pin-mainline now uses dpkg --force-depends as a fallback so partial-install state can at least be inspected.	2026-05-24 00:03:35 -04:00
leviathan	8ac041a295	release v0.9.1: VM verification sweep 22 → 27 ... Five more CVEs empirically confirmed end-to-end against real Linux VMs: - CVE-2019-14287 sudo_runas_neg1 (Ubuntu 18.04 + sudoers grant) - CVE-2020-29661 tioscpgrp (Ubuntu 20.04 pinned to 5.4.0-26) - CVE-2024-26581 nft_pipapo (Ubuntu 22.04 + mainline 5.15.5) - CVE-2025-32463 sudo_chwoot (Ubuntu 22.04 + sudo 1.9.16p1 from source) - CVE-2025-6019 udisks_libblockdev (Debian 12 + udisks2 + polkit rule) Required real plumbing work: - Per-module provisioner hook (tools/verify-vm/provisioners/<module>.sh) - Two-phase provision in verify.sh (prep → reboot if needed → verify) fixes silent-fail where new kernel installed but VM never rebooted - GRUB_DEFAULT pinning in both pin-kernel and pin-mainline blocks (kernel downgrades like 5.4.0-169 → 5.4.0-26 now actually boot the target) - Old-mainline URL fallback in pin-mainline (≤ 4.15 debs at /v$KVER/ not /amd64/) mutagen_astronomy marked manual: true — mainline 4.14.70 kernel-panics on Ubuntu 18.04's rootfs ('Failed to execute /init (error -8)' — kernel config mismatch). Genuinely needs a CentOS 6 / Debian 7 image.	2026-05-23 23:35:02 -04:00
leviathan	d84b3b0033	release v0.9.0: 5 gap-fillers — every year 2016 → 2026 now covered ... Five new modules close the 2018 gap entirely and thicken 2019 / 2020 / 2024. All five carry the full 4-format detection-rule corpus + opsec_notes + arch_support + register helpers. CVE-2018-14634 — mutagen_astronomy (Qualys, closes 2018) create_elf_tables() int wrap → SUID-execve stack corruption. CISA KEV-listed Jan 2026 despite the bug's age; legacy RHEL 7 / CentOS 7 / Debian 8 fleets still affected. 🟡 PRIMITIVE. arch_support: x86_64+unverified-arm64. CVE-2019-14287 — sudo_runas_neg1 (Joe Vennix) sudo -u#-1 → uid_t underflow → root despite (ALL,!root) blacklist. Pure userspace logic bug; the famous Apple Information Security finding. detect() looks for a (ALL,!root) grant in sudo -ln output; PRECOND_FAIL when no such grant exists for the invoking user. arch_support: any (4 -> 5 userspace 'any' modules). CVE-2020-29661 — tioscpgrp (Jann Horn / Project Zero) TTY TIOCSPGRP ioctl race on PTY pairs → struct pid UAF in kmalloc-256. Affects everything through Linux 5.9.13. 🟡 PRIMITIVE (race-driver + msg_msg groom). Public PoCs from grsecurity / spender + Maxime Peterlin. CVE-2024-50264 — vsock_uaf (a13xp0p0v / Pwnie Award 2025 winner) AF_VSOCK connect-race UAF in kmalloc-96. Pwn2Own 2024 + Pwnie 2025 winner. Reachable as plain unprivileged user (no userns required — unusual). Two public exploit paths: @v4bel+@qwerty kernelCTF (BPF JIT spray + SLUBStick) and Alexander Popov / PT SWARM (msg_msg). 🟡 PRIMITIVE. CVE-2024-26581 — nft_pipapo (Notselwyn II, 'Flipping Pages') nft_set_pipapo destroy-race UAF. Sibling to nf_tables (CVE-2024-1086) from the same Notselwyn paper. Distinct bug in the pipapo set substrate. Same family signature. 🟡 PRIMITIVE. Plumbing changes: core/registry.h + registry_all.c — 5 new register declarations + calls. Makefile — 5 new MUT/SRN/TIO/VSK/PIP module groups in MODULE_OBJS. tests/test_detect.c — 7 new test rows covering the new modules (above-fix OK, predates-the-bug OK, sudo-no-grant PRECOND_FAIL). tools/verify-vm/targets.yaml — verifier entries for all 5 with honest 'expect_detect' values based on what Vagrant boxes can realistically reach (mutagen_astronomy gets OK on stock 18.04 since 4.15.0-213 is post-fix; sudo_runas_neg1 gets PRECOND_FAIL because no (ALL,!root) grant on default vagrant user; tioscpgrp + nft_pipapo VULNERABLE with kernel pins; vsock_uaf flagged manual because vsock module rarely available on CI runners). tools/refresh-cve-metadata.py — added curl fallback for the CISA KEV CSV fetch (urlopen times out intermittently against CISA's HTTP/2 endpoint). Corpus growth across v0.8.0 + v0.9.0: v0.7.1 v0.8.0 v0.9.0 Modules 31 34 39 Distinct CVEs 26 29 34 KEV-listed 10 10 11 (mutagen_astronomy) arch 'any' 4 6 7 (sudo_runas_neg1) Years 2016-2026: 10/11 10/11 **11/11** Year-by-year coverage: 2016: 1 2017: 1 2018: 1 2019: 2 2020: 2 2021: 5 2022: 5 2023: 8 2024: 3 2025: 2 2026: 4 CVE-2018 gap → CLOSED. Every year from 2016 through 2026 now has at least one module. Surfaces updated: - README.md: badge → 22 VM-verified / 34, Status section refreshed - docs/index.html: hero eyebrow + footer → v0.9.0, hero tagline 'every year 2016 → 2026', stats chips → 39 / 22 / 11 / 151 - docs/RELEASE_NOTES.md: v0.9.0 entry added on top with year coverage matrix + per-module breakdown; v0.8.0 + v0.7.1 entries preserved below - docs/og.svg + og.png: regenerated with new numbers + 'Every year 2016 → 2026' tagline CVE metadata refresh (tools/refresh-cve-metadata.py) deferred to follow-up — CISA KEV CSV + NVD CVE API were timing out during the v0.9.0 push window. The 5 new CVEs will return NULL from cve_metadata_lookup() until the refresh runs (—module-info simply skips the WEAKNESS/THREAT INTEL header for them; no functional impact). Re-run 'tools/refresh-cve-metadata.py' when network cooperates. Tests: macOS local 33/33 kernel_range pass; detect-test stubs (88 total) build clean; ASan/UBSan + clang-tidy CI jobs still green from the v0.7.x setup.	2026-05-23 22:15:44 -04:00
leviathan	6e0f811a2c	README + site + binary: surface 22-of-26 VM-verified count ... Updates the visible 'how trustworthy is this' signal across all three touchpoints after the verifier sweep landed 22 modules confirmed in real Linux VMs: README.md - Badge: '28 verified + 3 ported' → '22 VM-verified / 26'. - Headline tagline: emphasizes the 22-of-26 empirical confirmation. - 'Corpus at a glance' restructured: tier counts unchanged, but the stale '3 ported-but-unverified' subsection is replaced by a new 'Empirical verification' table breaking the 22 records down by distro/kernel. - 'Status' section refreshed for v0.6.0 reality: 88 tests + 22 verifications + mainline kernel fetch + --explain + KEV/CWE/ATT&CK metadata + 119 detection rules. The four still-unverified entries (vmwgfx, dirty_cow, dirtydecrypt, fragnesia) are listed with their blocking reasons. docs/index.html - Hero stats row gets a new '22 ✓ VM-verified' chip (emerald-styled via new .stat-vfy CSS class), keeping modules/KEV/rules siblings. - Hero tagline calls out '22 of 26 CVEs empirically verified'. - Meta description + og:description updated. - Bento card 'Verifier ready' rewritten as '22 modules empirically verified' with concrete distro/kernel breakdown; styled with new .bento-vfy class for emerald accent (matches the stat chip). - Timeline 'shipped' column adds the verifier wins; 'in flight' swapped to current open items (drift fixes, packagekit provisioner, custom <=4.4 box for dirty_cow). docs/og.svg + docs/og.png - 4-chip stats row instead of 3: 31 modules · 22 ✓ VM-verified · 10 ★ in CISA KEV · 119 detection rules. Tagline now '22 of 26 CVEs verified in real Linux VMs.' Re-rendered to PNG via rsvg-convert. skeletonkey.c (binary) - --list footer now prints '31 modules registered · 10 in CISA KEV (★) · 22 empirically verified in real VMs (✓)'. Counts computed from the registry + cve_metadata + verifications tables at runtime (so it stays accurate as more verifications land — the JSONL refresh propagates automatically). No code logic changed; only surfacing.	2026-05-23 18:03:38 -04:00
leviathan	5071ad4ba9	site: marketing-grade redesign with --explain showcase + animated hero ... Full rewrite of docs/index.html + style.css + new app.js + OG card. Hero - Animated gradient mesh background (3 drifting blurred blobs; respects prefers-reduced-motion). - Space Grotesk display wordmark with subtle white→gray gradient. - Eyebrow chip with pulsing dot showing current release. - Type-on-load install command with blinking cursor in a faux-terminal chrome (traffic-light dots, title bar, copy button). - Stats row that counts up from 0 on first paint: 31 modules, 10 KEV, 119 detection rules, 88 tests. - Primary CTA + secondary 'See --explain in action' + GitHub link. Trust strip - 'Grounded in authoritative sources' row: CISA KEV, NVD CVE API, MITRE ATT&CK, kernel.org stable tree, Debian Security Tracker, NIST CWE. Establishes the federal-data-source provenance. --explain showcase (flagship section) - Big terminal mockup that types out a real --explain nf_tables run line-by-line on scroll-into-view (45-95ms per line, easing). - Four annotation cards explaining each part: triage metadata, host fingerprint, detect() trace, OPSEC footprint. Bento grid (8 feature cards in a varied 3-col layout) - Auto-pick safest exploit (large card with code sample) - 119 detection rules (with animated per-format coverage bars) - CISA KEV prioritized (red-accented) - OPSEC notes per exploit - One host fingerprint, every module (large card with struct excerpt) - JSON for pipelines - No SaaS, no telemetry - Verifier ready (Vagrant + Parallels) Module corpus - Same green/yellow split as before, but every KEV-listed module pill now carries a ★ prefix + red-tinted border so 'actively exploited in the wild' is visible at a glance. Audience - 4 colored cards (red/blue/gray/purple) — pentesters, SOC, sysadmins, researchers — each with a deep link to the right doc. Verified-vs-claimed honesty callout - Featured gradient-bordered card restating the no-fabricated-offsets bar. ✓ icon, project's defining trust claim. Quickstart - Tabbed: install / scan / explain / auto / detect-rules. Each tab is a short, copy-ready snippet with inline comments. Roadmap timeline - Three columns: shipped / in flight / next. Shipped lists every feature from the last several sessions (--explain, OPSEC, CWE/ ATT&CK/KEV pipeline, 119 rules, host refactor, 88 tests, drift detector, VM scaffold). Next lists arm64 musl, mass-fleet aggregator, SIEM query templates, CI hardening. Footer - Four-column gradient footer (Brand / Project / Docs / Ethics) + bottom bar with credits to original PoC authors + license + repo link. Tech - Typography: Inter (UI) + JetBrains Mono (code) + Space Grotesk (display wordmark), all via Google Fonts with display=swap. - Palette: deep purple-tinted dark (#07070d) + emerald accent (#10b981) + cyan secondary (#06b6d4) + KEV-red (#ef4444) + violet (#a855f7) for threat-intel framing. - CSS: ~28KB unminified, custom-properties driven; gracefully degrades to single-column on every grid section at narrow widths. - JS: ~8KB vanilla, no frameworks. Respects prefers-reduced-motion everywhere. IntersectionObserver-driven scroll reveal and stat-count-up. - OG image: hand-authored SVG → rsvg-convert → 1200x630 PNG (121KB). Renders cleanly when shared on Twitter/LinkedIn/Slack. - 4 new files: app.js, og.svg, og.png; rewrites: index.html, style.css. Refreshed content: - v0.5.0 → v0.6.0 throughout. - '28 verified modules' → 31. - Adds KEV cross-ref, --explain, OPSEC, ATT&CK/CWE callouts that didn't exist in the previous version. HTML structure validated balanced (Python html.parser smoke test).	2026-05-23 11:42:56 -04:00