leviathan/SKELETONKEY
1
0
Fork 0
Code Issues Pull Requests Actions 21 Packages Projects Releases Wiki Activity
29 Commits 1 Branch 20 Tags
3015e71ea3ea74b3526359c62707b2ec6f43f472
Commit Graph

16 Commits

Author SHA1 Message Date
leviathan 4e9741ef1f Add overlayfs_setuid CVE-2023-0386 — FULL working exploit 
Distro-agnostic overlayfs LPE — complements Ubuntu-specific CVE-2021-3493.
Same overlayfs family.

The bug: overlayfs copy_up preserves setuid bits even when the
unprivileged user triggering copy-up wouldn't normally have CAP_FSETID.

Exploit:
  1. unshare(USER|NS), uid_map self → root in userns
  2. Find a setuid binary on host (/usr/bin/su, sudo, passwd auto-pick)
  3. mount overlayfs with the binary's dirname as lower
  4. chown(merged/<binary>, 0, 0) — triggers copy-up; THE BUG: setuid
     bit persists in upper-layer copy despite our unprivileged context
  5. Open + truncate + replace upper-layer content with our payload
     (a compiled C binary that setresuid(0,0,0) + execle /bin/sh -p)
  6. exec upper-layer binary — runs as root via persistent setuid bit

- kernel_range: 5.11 ≤ K < 6.3, backports 5.15.110 / 6.1.27 / 6.2.13
- Detect refuses on patched / missing setuid carrier / userns denied
- Cleanup: rm -rf /tmp/iamroot-ovlsu-*
- Auditd: mount(overlay) + chown/fchown chain — shared with
  CVE-2021-3493 module via the family-level 'iamroot-overlayfs' key
- Compiles payload via target's gcc/cc (fallback dynamic if no -static)

Verified on Debian 6.12.86 (patched): detect reports OK; exploit
refuses cleanly. Module count = 20.

Coverage by year now (only 2018 gap remaining):
  2016: dirty_cow                                  🟢
  2017: af_packet                                  🔵
  2019: ptrace_traceme                             🟢
  2020: af_packet2                                 🔵
  2021: pwnkit, overlayfs, netfilter_xtcompat      🟢/🟢/🔵
  2022: dirty_pipe, cls_route4, fuse_legacy,
        cgroup_release_agent                       🟢/🔵/🔵/🟢
  2023: entrybleed, stackrot, overlayfs_setuid     🟢/🔵/🟢
  2024: nf_tables                                  🔵
  2026: copy_fail family (×5)                      🟢🟢🟢🟢🟢

16 of 20 modules have FULL working exploits (🟢).
 2026-05-16 21:11:37 -04:00
leviathan 6eab6d3f70 Add cgroup_release_agent CVE-2022-0492 — FULL working exploit 
Universal container-escape LPE. Doesn't need msg_msg cross-cache groom,
no arch-specific shellcode, no version-specific offsets — bug is
structural (priv check in wrong namespace).

Mechanism:
  1. unshare(CLONE_NEWUSER | CLONE_NEWNS) → become 'root' in userns
  2. write uid_map/gid_map (deny setgroups first)
  3. mount cgroup v1 (rdma controller; memory fallback)
  4. mkdir /<mnt>/iamroot subgroup
  5. write payload-path → release_agent (in mount root)
  6. write '1' → notify_on_release (in subgroup)
  7. write our pid → cgroup.procs (in subgroup)
  8. exit → cgroup empties → kernel exec's payload as INIT-ns uid=0
  9. Payload drops /tmp/iamroot-cgroup-sh with setuid root
  10. Parent polls for the setuid-shell appearance + exec's it -p

- kernel_range: K < 5.17 mainline, backports across 4.9 / 4.14 / 4.19 /
  5.4 / 5.10 / 5.15 / 5.16 LTS branches.
- Detect probes user_ns+mount_ns clone via fork-isolated child.
- Cleanup removes /tmp/iamroot-cgroup-* + umount the workspace.
- Auditd: flag unshare + mount(cgroup) + /sys/fs/cgroup writes from
  non-root. Sigma rule for unshare+cgroup-mount chain.

Path buffers oversized to silence GCC -Wformat-truncation noise
(cgdir 384, ra_path 384, nor_path/cgproc_path 512).

Verified on Debian 6.12.86 (patched): detect reports OK; exploit
refuses cleanly. Module count = 19.
 2026-05-16 21:09:34 -04:00
leviathan 7387ffd3bd Add stackrot (CVE-2023-3269) + af_packet2 (CVE-2020-14386) modules 
Two more for 'THE tool' coverage breadth.

stackrot CVE-2023-3269 (Ruihan Li, Jul 2023):
- maple-tree VMA-split UAF — kernel R/W via use-after-RCU
- **Different bug class than the netfilter-heavy 2022-2024 modules**
  (mm-class, broadens corpus shape)
- kernel_range: 6.1 ≤ K < 6.4-rc4, backports: 6.1.37 / 6.3.10 /
  mainline 6.4
- Pre-6.1 immune (no maple tree); 6.5+ patched
- Affects 6.1 LTS still widely deployed
- ~1000-line public PoC deferred for port

af_packet2 CVE-2020-14386 (Or Cohen, Sep 2020):
- AF_PACKET tpacket_rcv VLAN integer underflow → heap OOB
- Sibling of CVE-2017-7308; same subsystem, different code path
- kernel_range: 4.6 ≤ K, backports across 4.9 / 4.14 / 4.19 / 5.4 / 5.7 / 5.8
- Family-shared 'iamroot-af-packet' audit key (one ausearch covers both
  CVEs from one rule deployment)

Era coverage now (1 gap year remaining: 2018):
  2016: dirty_cow                              🟢
  2017: af_packet                              🔵
  2019: ptrace_traceme                         🟢
  2020: af_packet2                             🔵
  2021: pwnkit, overlayfs, netfilter_xtcompat  🟢/🟢/🔵
  2022: dirty_pipe, cls_route4, fuse_legacy    🟢/🔵/🔵
  2023: entrybleed, stackrot                   🟢/🔵
  2024: nf_tables                              🔵
  2026: copy_fail family (×5)                  🟢

18 modules total. Build clean. Scan on Debian 6.12.86: 13 OK / 5 VULN.
 2026-05-16 21:03:36 -04:00
leviathan b6dd1e0482 Add --audit command: system-hygiene scan (setuid/world-writable/caps/sudo) 
Beyond per-CVE detect (--scan), --audit answers 'is this box generally
exposed to privesc?' — the sysadmin-persona question. Distinguishes
IAMROOT from CVE-only tools (linux-exploit-suggester) and broad-enum
tools (linPEAS): focused on the LPE-exposure surface specifically.

Four scan categories:
- setuid: walks common bin dirs via find(1) -perm -4000. Annotates
  notable items: pkexec (Pwnkit history), fusermount3 (userns LPE
  history), sudo/su/passwd (expected, verify-integrity), snap-confine
  (Ubuntu snap escape history).
- world_writable: find /etc -perm -0002. Anything here = config edit
  by unprivileged user. Should be empty on a healthy box.
- capability: getcap -r over bin dirs. Flags cap_setuid+ep /
  cap_setgid+ep / cap_dac_override+ep / cap_sys_admin+ep specifically
  as 'privesc-equivalent if attacker-writable'.
- sudo NOPASSWD: grep /etc/sudoers + /etc/sudoers.d. Many legit
  service-account uses; flagged for operator review.

Output: human-readable table by default; --audit --json emits a single
JSON object with {audit: [findings...], summary: {category: count, ...}}.
Side-effect-free — read-only filesystem walks via popen(find/getcap/grep).

Fixed strncpy truncation warnings — switched to snprintf for path/note
copies into the finding struct.

iamroot.c MODE_AUDIT enum + --audit longopt + getopt 'A' + dispatcher
case. Usage block updated.

Verified end-to-end on Debian kctf-mgr:
  iamroot --audit       → 13 setuid binaries inventoried, 0 of the
                          other categories. pkexec correctly annotated.
  iamroot --audit --json → summary object suitable for SIEM ingest.
 2026-05-16 20:52:36 -04:00
leviathan a52f5a657f Phase 7: af_packet (CVE-2017-7308) + FUSE legacy (CVE-2022-0185) 
Two more famous LPEs broadening 'THE tool' coverage:

af_packet CVE-2017-7308 (Andrey Konovalov, Mar 2017):
- AF_PACKET TPACKET_V3 ring setup integer overflow → heap write-where
- Fills 2017 coverage gap
- kernel_range: 3.18.49 / 4.4.57 / 4.9.18 / 4.10.6 / mainline 4.11+
- Needs CAP_NET_RAW via user_ns clone
- Famous as the canonical 'userns + AF_PACKET → root' research-era LPE

fuse_legacy CVE-2022-0185 (William Liu / Crusaders-of-Rust, Jan 2022):
- legacy_parse_param fsconfig heap OOB → cross-cache UAF → root
- **Container-escape angle** — relevant to rootless docker/podman/snap
  (the system admin persona's nightmare)
- kernel_range: 5.4.171 / 5.10.91 / 5.15.14 / 5.16.2 / mainline 5.17+
- Needs user_ns + mount_ns to reach legacy_load() code path
- Originally reported as FUSE-specific but actually applies to any
  fs-mount path from userns (cgroup2, etc.)

Both detect-only initially; full exploits in follow-ups.

Coverage by year now:
  2016: dirty_cow                                  🟢
  2017: af_packet                                  🔵
  2019: ptrace_traceme                             🔵
  2021: pwnkit, overlayfs, netfilter_xtcompat      🟢/🟢/🔵
  2022: dirty_pipe, cls_route4, fuse_legacy        🟢/🔵/🔵
  2023: entrybleed                                 🟢
  2024: nf_tables                                  🔵
  2026: copy_fail family (×5)                      🟢

16 modules total. Build clean. Scan on kctf-mgr: 11 OK / 5 VULNERABLE.
 2026-05-16 20:49:58 -04:00
leviathan 102b117d4e Phase 7: PTRACE_TRACEME (CVE-2019-13272) + xt_compat (CVE-2021-22555) 
Two famous 2017-2020-era LPEs to broaden 'THE tool for folks'
coverage. Both detect-only initially; exploit ports as follow-ups.

ptrace_traceme (CVE-2019-13272 — jannh @ Google P0, Jun 2019):
- Famous because works on default-config systems with no user_ns
  required — locked-down environments were still vulnerable.
- kernel_range thresholds: 4.4.182 / 4.9.182 / 4.14.131 / 4.19.58 /
  5.0.20 / 5.1.17 / mainline 5.2+
- Exploit shape (deferred): fork → child PTRACE_TRACEME → parent
  execve setuid binary → child ptrace-injects shellcode → root.
- Auditd: flag PTRACE_TRACEME (request 0) — false positives via
  gdb/strace; tune by exclusion.

netfilter_xtcompat (CVE-2021-22555 — Andy Nguyen @ Google P0):
- Bug existed since 2.6.19 (2006) — 15 years of latent vuln. Famous
  for that age + default-config reachability via unprivileged_userns.
- kernel_range thresholds: 4.4.266 / 4.9.266 / 4.14.230 / 4.19.185
  / 5.4.110 / 5.10.27 / 5.11.10 / mainline 5.12+
- detect() probes user_ns+net_ns clone; locked-down → PRECOND_FAIL.
- Exploit shape (deferred): heap massage via msg_msg + sk_buff cross-
  cache groom → kernel R/W → cred or modprobe_path overwrite. ~400
  lines port from Andy's public exploit.c.
- Auditd: unshare + iptables-style setsockopt + msgsnd — combined,
  the canonical exploit footprint.

Both wired into iamroot.c, core/registry.h, Makefile. CVES.md rows
added with detailed status.

Coverage by year now:
  2016: dirty_cow                              🟢
  2019: ptrace_traceme                         🔵
  2021: pwnkit, overlayfs, netfilter_xtcompat  🟢/🟢/🔵
  2022: dirty_pipe, cls_route4                 🟢/🔵
  2023: entrybleed                             🟢
  2024: nf_tables                              🔵
  2026: copy_fail family (×5)                  🟢

Module count: 14. Build clean (no warnings).
 2026-05-16 20:47:24 -04:00
leviathan cb39cc5119 Phase 7: Dirty COW (CVE-2016-5195) FULL module — old-systems coverage 
The iconic 2016 LPE. Fills the 10-year coverage gap (now spanning
2016 → 2026): RHEL 6/7, Ubuntu 14.04, Ubuntu 16.04, embedded boxes,
IoT — many still in production with kernels predating the 4.9 fix.

- modules/dirty_cow_cve_2016_5195/iamroot_modules.{c,h}:
  - kernel_range: backport thresholds for 2.6 / 3.2 / 3.10 / 3.12 /
    3.16 / 3.18 / 4.4 / 4.7 / 4.8 / mainline 4.9
  - dirty_cow_write(): Phil-Oester-style two-thread race
    - mmap /etc/passwd MAP_PRIVATE (writes go COW)
    - writer thread: pwrite to /proc/self/mem at COW page offset
    - madviser thread: madvise(MADV_DONTNEED) to drop COW copy
    - poll-read /etc/passwd via separate fd to check if payload landed
    - 3-second timeout (race usually wins in ms on vulnerable kernels)
  - dirty_cow_exploit(): getpwuid → find_passwd_uid_field → race
    → execlp(su)
  - dirty_cow_cleanup(): POSIX_FADV_DONTNEED + drop_caches
  - Auditd rule: /proc/self/mem writes + madvise MADV_DONTNEED
  - Sigma rule: non-root /proc/self/mem open → high
- Makefile: -lpthread added to LDFLAGS for the binary link.
- iamroot.c + core/registry.h wired.
- CVES.md row added with detailed status; legend updated.

Verified end-to-end on kctf-mgr (6.12.86 — patched):
  iamroot --scan       → 'dirty_cow: kernel is patched' (OK)
  iamroot --exploit dirty_cow --i-know
                       → 'detect() says not vulnerable; refusing'
Module count = 12.
 2026-05-16 20:38:46 -04:00
leviathan 3ad1446489 Add cls_route4 CVE-2022-2588 module (detect-only) 
11th module. net/sched cls_route4 handle-zero dead UAF — discovered
by kylebot Aug 2022, fixed mainline 5.20 (commit 9efd23297cca).
Bug existed since 2.6.39 → very wide attack surface.

- modules/cls_route4_cve_2022_2588/iamroot_modules.{c,h}:
  - kernel_range thresholds: 5.4.213 / 5.10.143 / 5.15.69 / 5.18.18 /
    5.19.7 / mainline 5.20+
  - can_unshare_userns() probes user_ns+net_ns clone availability
    (the exploit's CAP_NET_ADMIN-in-userns gate)
  - cls_route4_module_available() checks /proc/modules
  - Reports VULNERABLE if kernel in range AND user_ns allowed;
    PRECOND_FAIL if user_ns denied; OK if patched.
  - Exploit stub returns IAMROOT_PRECOND_FAIL with reference to
    kylebot's public PoC.
  - Auditd rule: tc-style sendto syscalls (rough; legit traffic
    shaping will trip — tune by user).

iamroot.c + Makefile + core/registry.h wired. CVES.md row added.

Verified on kctf-mgr (6.12.86): module reports OK, total module
count = 11.
 2026-05-16 20:33:14 -04:00
leviathan fe33400f94 JSON polish: --list --json + --module-info + json_escape helper 
- iamroot.c: cmd_list() takes ctx and switches on ctx->json — emits
  one JSON object {version, modules:[{name, cve, family, kernel_range,
  summary, has:{detect, exploit, mitigate, cleanup, auditd, sigma,
  yara, falco}}, ...]}. The 'has' object lets a SIEM query module
  capability without parsing the rule body.
- New cmd_module_info(name, ctx): full per-module detail.
  Human-readable by default; --json switches to JSON with embedded
  rule-text bodies for auditd/sigma/yara/falco.
- emit_module_json() helper shared between --list --json and
  --module-info --json with include_rules toggle.
- json_escape() helper: minimal-but-safe escaping (quote, backslash,
  newline, CR, tab; drops other control bytes). Sufficient for our
  module-defined strings which are ASCII-only by convention.
- enum mode gains MODE_MODULE_INFO; longopts gains --module-info=<name>
  taking required argument; getopt_long short string 'I:'.
- Usage block updated.

Verified end-to-end on kctf-mgr:
  iamroot --list --json | jq '.modules[0]'  → module metadata object
  iamroot --module-info entrybleed          → human pretty-print
  iamroot --module-info entrybleed --json   → JSON with embedded sigma
 2026-05-16 20:31:20 -04:00
leviathan 3eeee01f06 Phase 7: overlayfs CVE-2021-3493 module (Ubuntu userns LPE) — detect-only 
10th module. Ubuntu-specific userns + overlayfs LPE that injects file
capabilities cross-namespace.

- modules/overlayfs_cve_2021_3493/iamroot_modules.{c,h}:
  - is_ubuntu() — parses /etc/os-release for ID=ubuntu or
    ID_LIKE=ubuntu. Non-Ubuntu hosts get IAMROOT_OK immediately (the
    bug is specific to Ubuntu's modified overlayfs).
  - unprivileged_userns_clone gate — sysctl=0 → PRECOND_FAIL
  - Active probe (--active): forks a child that enters userns +
    mountns and attempts the overlayfs mount inside /tmp. Mount
    success on Ubuntu = VULNERABLE. Mount denied = patched / AppArmor
    block. Child-isolated so parent's namespace state is untouched.
  - Version fallback: kernel < 5.13 = vulnerable-by-inference for
    Ubuntu kernels; recommend --active for confirmation.
  - Exploit: detect-only stub. Reference vsh's exploit-cve-2021-3493
    for full version (mount overlayfs in userns, drop binary with
    cap_setuid+ep into upper layer, re-exec outside ns).
  - Embedded auditd rules: mount(overlay) syscall + security.capability
    xattr writes (the exploit's two-step footprint).

Verified end-to-end on kctf-mgr (Debian):
  iamroot --scan → 'not Ubuntu — bug is Ubuntu-specific' → IAMROOT_OK

Module count: 10. Active-probe pattern now applies to dirty_pipe,
entrybleed, and overlayfs (and copy_fail_family via existing
dirtyfail_active_probes global). Detect quality across the corpus
materially improved this session.
 2026-05-16 20:22:32 -04:00
leviathan a4b7238e4a Phase 7: nf_tables CVE-2024-1086 + active probe for dirty_pipe 
dirty_pipe detect: active sentinel probe (Phase 1.5-ish improvement)
- New dirty_pipe_active_probe(): creates a /tmp probe file with known
  sentinel bytes, fires the Dirty Pipe primitive against it, re-reads
  via the page cache, returns true if the poisoning landed.
- detect() gated on ctx->active_probe: --scan does version-only check
  (fast, no side effects); --scan --active fires the empirical probe
  and overrides version inference with the empirical verdict. Catches
  silent distro backports that don't bump uname() version.
- Three verdicts now distinguishable:
  (a) version says patched, no active probe → 'patched (version-only)'
  (b) version says vulnerable, --active fires + probe lands → CONFIRMED
  (c) version says vulnerable, --active fires + probe blocked → 'likely
      patched via distro backport'
- Probe is safe: only /tmp, no /etc/passwd.

nf_tables CVE-2024-1086 (detect-only, new module):
- Famous Notselwyn UAF in nft_verdict_init. Affects 5.14 ≤ K, fixed
  mainline 6.8 with backports landing in 5.4.269 / 5.10.210 / 5.15.149
  / 6.1.74 / 6.6.13 / 6.7.2.
- detect() checks: kernel version range, AND unprivileged user_ns clone
  availability (the exploit's reachability gate — kernel-vulnerable
  but userns-locked-down hosts report PRECOND_FAIL, signalling that
  the kernel still needs patching but unprivileged path is closed).
- Ships auditd + sigma detection rules: unshare(CLONE_NEWUSER) chained
  with setresuid(0,0,0) on a previously-non-root process is the
  exploit's canonical telltale.
- Full Notselwyn-style exploit (cross-cache UAF → arbitrary R/W → cred
  overwrite or modprobe_path hijack) is the next commit.

9 modules total now. CVES.md and ROADMAP.md updated.
 2026-05-16 20:19:11 -04:00
leviathan 43e290b224 Phase 7: Pwnkit (CVE-2021-4034) detect-only module 
First USERSPACE LPE in IAMROOT (every prior module is kernel). Same
iamroot_module interface — the difference is the affected-version
check is package-version-based rather than kernel-version-based.

- modules/pwnkit_cve_2021_4034/:
  - iamroot_modules.{c,h}: detect() locates setuid pkexec (one of
    /usr/bin/pkexec, /usr/sbin/pkexec, /bin/pkexec, /sbin/pkexec,
    /usr/local/bin/pkexec) and parses 'pkexec --version' output.
    Handles BOTH version-string formats: legacy '0.105'/'0.120'
    (older polkit) AND modern bare-integer '121'/'126' (post-0.121
    rename to single-number scheme). Reports VULNERABLE on parse
    failure (conservative).
  - exploit() returns IAMROOT_PRECOND_FAIL with a 'not yet
    implemented' message; full Qualys-PoC follow-up is the next
    commit. ~200 lines including embedded .so generator.
  - MODULE.md documents the bug, affected ranges, distro backport
    landscape (RHEL 7/8, Ubuntu focal/impish, Debian buster/bullseye
    each have their own backported polkit version).
  - Embedded auditd + sigma detection rules:
    auditd: pkexec watch + execve audit
    sigma:  pkexec invocation + suspicious env (GCONV_PATH, CHARSET)

- core/registry.h adds iamroot_register_pwnkit() declaration.
- iamroot.c main() registers pwnkit.
- Makefile gains the pwnkit family as a separate object set.

Verified end-to-end on kctf-mgr (modern polkit 126):
  iamroot --list  → 8 modules
  iamroot --scan  → pwnkit reports 'version 126 ≥ 0.121 (fixed)'
  iamroot --detect-rules --format=auditd | grep pwnkit → emits
 2026-05-16 20:07:40 -04:00
leviathan cee368d5a4 Phase 5: --detect-rules export with dedup 
- core/module.h: struct iamroot_module gains detect_{auditd,sigma,yara,falco}
  fields. NULL = module doesn't ship a rule for that format.
  Embedded as C string literals in each module's iamroot_modules.c so
  the binary is self-contained (no data-dir install needed).
- iamroot.c: --detect-rules [--format=<f>] command. Walks module
  registry, deduplicates by pointer (family-shared rules emit once,
  siblings get a 'see family rules above' marker), writes to stdout
  for redirect into /etc/audit/rules.d/ or SIEM ingestion.
- Embedded rules for:
  - copy_fail_family (shared across 5 modules): auditd watches on
    passwd/shadow/sudoers/su + AF_ALG socket creation + xfrm setsockopt;
    Sigma rule covers the file-modification footprint.
  - dirty_pipe: auditd watches on same files + splice() syscalls;
    Sigma rule for non-root file modification.
  - entrybleed: Sigma INFORMATIONAL note (side-channel — no syscall
    trace; reliable detection needs perf-counter EDR).

Verified end-to-end on kctf-mgr:
  iamroot --detect-rules --format=auditd → 2 / 7 rules emit (deduped)
  iamroot --detect-rules --format=sigma  → 2 / 7 rules emit
 2026-05-16 19:58:26 -04:00
leviathan f03efbff13 Phase 3: EntryBleed module — working stage-1 kbase leak brick 
- modules/entrybleed_cve_2023_0458/ (promoted out of _stubs):
  - iamroot_modules.{c,h}: full EntryBleed primitive (rdtsc_start/end
    + prefetchnta + KASLR-slot timing sweep) wired into the standard
    iamroot_module interface. x86_64 only; ARM/other gracefully
    return IAMROOT_PRECOND_FAIL.
  - detect(): reads /sys/.../vulnerabilities/meltdown to decide
    KPTI status. Mitigation: PTI → VULNERABLE. Not affected → OK.
  - exploit(): sweeps the 16MiB KASLR range, prints leaked kbase
    (and KASLR slide). JSON-mode emits {"kbase":"0x..."} to stdout.
  - entrybleed_leak_kbase_lib(off) declared as a public library
    helper so future LPE chains needing a stage-1 leak can just
    #include the module's header and call it.
  - entry_SYSCALL_64 slot offset overridable via
    IAMROOT_ENTRYBLEED_OFFSET (default 0x5600000 for lts-6.12.x).

- __always_inline fallback added since glibc/Linux-kernel macro
  isn't universal; module now builds clean under macOS clangd lint
  and on musl.

- iamroot.c registers entrybleed alongside the other families;
  Makefile gains it as a separate object set.

Verified end-to-end on kctf-mgr (Debian 6.12.86):
  iamroot --exploit entrybleed --i-know
  → [+] entrybleed: leaked kbase = 0xffffffff8d800000

This is the FIRST WORKING-EXPLOIT module in IAMROOT (5
copy_fail_family modules wrap existing code from DIRTYFAIL;
dirty_pipe is detect-only). EntryBleed is x86_64 stage-1 brick
that future chains can compose.
 2026-05-16 19:55:22 -04:00
leviathan 1552a3bfcb Phase 2 (partial): Dirty Pipe DETECT-ONLY module + core/kernel_range 
- core/kernel_range.{c,h}: branch-aware patched-version comparison.
  Every future module needs 'is the host kernel in the affected
  range?'; centralized here. Models stable-branch backports
  (e.g. 5.10.102, 5.15.25) so a 5.15.20 host correctly reports
  VULNERABLE while a 5.15.50 host reports OK.

- modules/dirty_pipe_cve_2022_0847/ (promoted out of _stubs):
  - iamroot_modules.{c,h}: dirty_pipe module exposing detect() that
    parses /proc/version and compares against the four known patched
    branches (5.10.102, 5.15.25, 5.16.11, 5.17+ inherited). Returns
    IAMROOT_OK / IAMROOT_VULNERABLE / IAMROOT_TEST_ERROR with stderr
    hints in human-readable scan mode.
  - exploit() returns IAMROOT_PRECOND_FAIL with a 'not yet
    implemented' message; landing the actual exploit needs Phase 1.5
    extraction of passwd/su helpers into core/.
  - detect/auditd.rules: splice() syscall + passwd/shadow file watches
  - detect/sigma.yml: non-root modification of /etc/passwd|shadow|sudoers

- iamroot.c main() calls iamroot_register_dirty_pipe() alongside
  the copy_fail_family registration.

- Makefile gains the dirty_pipe family as a separate object set.

Verified end-to-end on kctf-mgr (kernel 6.12.86): build clean, 6
modules in --list, --scan correctly reports dirty_pipe as patched,
JSON output ingest-ready.
 2026-05-16 19:51:47 -04:00
leviathan 52e8c99022 Phase 1: module interface + registry + top-level dispatcher 
- core/module.h: struct iamroot_module + iamroot_result_t
- core/registry.{h,c}: flat-array module registry with find-by-name
- modules/copy_fail_family/iamroot_modules.{h,c}: bridge layer
  exposing 5 modules (copy_fail, copy_fail_gcm, dirty_frag_esp,
  dirty_frag_esp6, dirty_frag_rxrpc) wired to the absorbed DIRTYFAIL
  detect/exploit functions; df_result_t/iamroot_result_t share numeric
  values intentionally for zero-cost translation
- iamroot.c: top-level CLI dispatcher with --scan / --list / --exploit /
  --mitigate / --cleanup, JSON output, --i-know gate
- Restored modules/copy_fail_family/src/ structure (DIRTYFAIL Makefile
  expects it; the initial flat copy broke that contract)
- Top-level Makefile builds one binary; filters out DIRTYFAIL's
  original dirtyfail.c main so it doesn't conflict with iamroot.c

Verified end-to-end on kctf-mgr (Linux): clean compile, 5 modules
register, --scan --json output ingest-ready, exit codes propagate.
 2026-05-16 19:32:11 -04:00