leviathan
9593d90385
rename: IAMROOT → SKELETONKEY across the entire project
...
release / build (arm64) (push) Waiting to run
release / build (x86_64) (push) Waiting to run
release / release (push) Blocked by required conditions
Breaking change. Tool name, binary name, function/type names,
constant names, env vars, header guards, file paths, and GitHub
repo URL all rebrand IAMROOT → SKELETONKEY.
Changes:
- All "IAMROOT" → "SKELETONKEY" (constants, env vars, enum
values, docs, comments)
- All "iamroot" → "skeletonkey" (functions, types, paths, CLI)
- iamroot.c → skeletonkey.c
- modules/*/iamroot_modules.{c,h} → modules/*/skeletonkey_modules.{c,h}
- tools/iamroot-fleet-scan.sh → tools/skeletonkey-fleet-scan.sh
- Binary "iamroot" → "skeletonkey"
- GitHub URL KaraZajac/IAMROOT → KaraZajac/SKELETONKEY
- .gitignore now expects build output named "skeletonkey"
- /tmp/iamroot-* tmpfiles → /tmp/skeletonkey-*
- Env vars IAMROOT_MODPROBE_PATH etc. → SKELETONKEY_*
New ASCII skeleton-key banner (horizontal key icon + ANSI Shadow
SKELETONKEY block letters) replaces the IAMROOT banner in
skeletonkey.c and README.md.
VERSION: 0.3.1 → 0.4.0 (breaking).
Build clean on Debian 6.12.86. `skeletonkey --version` → 0.4.0.
All 24 modules still register; no functional code changes — pure
rename + banner refresh.
2026-05-16 22:43:49 -04:00
leviathan
9d88b475c1
v0.3.1: --dump-offsets tool + NOTICE.md per module
...
release / build (arm64) (push) Waiting to run
release / build (x86_64) (push) Waiting to run
release / release (push) Blocked by required conditions
The README has been claiming "each module credits the original CVE
reporter and PoC author in its NOTICE.md" since v0.1.0, but only
copy_fail_family actually shipped one. Fixed.
modules/<name>/NOTICE.md (×19 new + 1 existing): per-module
research credit covering CVE ID, discoverer, original advisory
URL where public, upstream fix commit, IAMROOT's role.
iamroot.c: new --dump-offsets subcommand. Resolves kernel offsets
via the existing core/offsets.c four-source chain (env →
/proc/kallsyms → /boot/System.map → embedded table), then emits
a ready-to-paste C struct entry for kernel_table[]. Run once
as root on a target kernel build; upstream via PR. Eliminates
fabricating offsets — every shipped entry traces back to a
`iamroot --dump-offsets` invocation on a real kernel.
docs/OFFSETS.md: documents the --dump-offsets workflow.
CVES.md: notes the NOTICE.md convention + offset dump tool.
iamroot.c: bump IAMROOT_VERSION 0.3.0 → 0.3.1.
2026-05-16 22:33:43 -04:00
leviathan
6eab6d3f70
Add cgroup_release_agent CVE-2022-0492 — FULL working exploit
...
Universal container-escape LPE. Doesn't need msg_msg cross-cache groom,
no arch-specific shellcode, no version-specific offsets — bug is
structural (priv check in wrong namespace).
Mechanism:
1. unshare(CLONE_NEWUSER | CLONE_NEWNS) → become 'root' in userns
2. write uid_map/gid_map (deny setgroups first)
3. mount cgroup v1 (rdma controller; memory fallback)
4. mkdir /<mnt>/iamroot subgroup
5. write payload-path → release_agent (in mount root)
6. write '1' → notify_on_release (in subgroup)
7. write our pid → cgroup.procs (in subgroup)
8. exit → cgroup empties → kernel exec's payload as INIT-ns uid=0
9. Payload drops /tmp/iamroot-cgroup-sh with setuid root
10. Parent polls for the setuid-shell appearance + exec's it -p
- kernel_range: K < 5.17 mainline, backports across 4.9 / 4.14 / 4.19 /
5.4 / 5.10 / 5.15 / 5.16 LTS branches.
- Detect probes user_ns+mount_ns clone via fork-isolated child.
- Cleanup removes /tmp/iamroot-cgroup-* + umount the workspace.
- Auditd: flag unshare + mount(cgroup) + /sys/fs/cgroup writes from
non-root. Sigma rule for unshare+cgroup-mount chain.
Path buffers oversized to silence GCC -Wformat-truncation noise
(cgdir 384, ra_path 384, nor_path/cgproc_path 512).
Verified on Debian 6.12.86 (patched): detect reports OK; exploit
refuses cleanly. Module count = 19.
2026-05-16 21:09:34 -04:00
leviathan