leviathan/SKELETONKEY
1
0
Fork 0
Code Issues Pull Requests Actions 21 Packages Projects Releases Wiki Activity
29 Commits 1 Branch 20 Tags
3015e71ea3ea74b3526359c62707b2ec6f43f472
Commit Graph

4 Commits

Author SHA1 Message Date
leviathan a4b7238e4a Phase 7: nf_tables CVE-2024-1086 + active probe for dirty_pipe 
dirty_pipe detect: active sentinel probe (Phase 1.5-ish improvement)
- New dirty_pipe_active_probe(): creates a /tmp probe file with known
  sentinel bytes, fires the Dirty Pipe primitive against it, re-reads
  via the page cache, returns true if the poisoning landed.
- detect() gated on ctx->active_probe: --scan does version-only check
  (fast, no side effects); --scan --active fires the empirical probe
  and overrides version inference with the empirical verdict. Catches
  silent distro backports that don't bump uname() version.
- Three verdicts now distinguishable:
  (a) version says patched, no active probe → 'patched (version-only)'
  (b) version says vulnerable, --active fires + probe lands → CONFIRMED
  (c) version says vulnerable, --active fires + probe blocked → 'likely
      patched via distro backport'
- Probe is safe: only /tmp, no /etc/passwd.

nf_tables CVE-2024-1086 (detect-only, new module):
- Famous Notselwyn UAF in nft_verdict_init. Affects 5.14 ≤ K, fixed
  mainline 6.8 with backports landing in 5.4.269 / 5.10.210 / 5.15.149
  / 6.1.74 / 6.6.13 / 6.7.2.
- detect() checks: kernel version range, AND unprivileged user_ns clone
  availability (the exploit's reachability gate — kernel-vulnerable
  but userns-locked-down hosts report PRECOND_FAIL, signalling that
  the kernel still needs patching but unprivileged path is closed).
- Ships auditd + sigma detection rules: unshare(CLONE_NEWUSER) chained
  with setresuid(0,0,0) on a previously-non-root process is the
  exploit's canonical telltale.
- Full Notselwyn-style exploit (cross-cache UAF → arbitrary R/W → cred
  overwrite or modprobe_path hijack) is the next commit.

9 modules total now. CVES.md and ROADMAP.md updated.
 2026-05-16 20:19:11 -04:00
leviathan 5a0aef12d0 Phase 2 complete: Dirty Pipe full exploit (page-cache UID flip → su) 
- Implements the Dirty Pipe primitive: prepare_pipe() fills+drains a
  pipe to plant the stale PIPE_BUF_FLAG_CAN_MERGE flag in every
  pipe_buffer slot; dirty_pipe_write() splices 1 byte from the target
  file at offset-1 (seeding the slot with the file's page) then write()s
  the payload, which the buggy kernel merges back into the page cache.
- find_passwd_uid_field() + revert_passwd_page_cache() inlined in the
  module. Two-of-two duplication acceptable; extraction into core/host
  triggers when a third module needs the same helpers (Phase 1.5).
- dirty_pipe_exploit() resolves current euid via getpwuid, locates the
  user's UID field in /etc/passwd, replaces it with same-length zeros
  ('0000' for a 4-digit UID), then execlp's su <user> -c /bin/sh.
  Auto-refuses if detect() reports patched. --no-shell mode plants the
  write and returns. Cleanup mode evicts /etc/passwd from page cache.
- _GNU_SOURCE redefine warning fixed: cmdline -D already passes it.

Verified end-to-end on kernel 6.12.86 (patched):
  iamroot --scan      → dirty_pipe reports OK (patched)
  iamroot --exploit dirty_pipe --i-know → refuses cleanly
CI-validation against vulnerable kernel (Ubuntu 20.04 / 5.13) is Phase 4.

CVES.md: dirty_pipe 🔵🟢. ROADMAP.md: Phase 2 marked complete.
 2026-05-16 20:02:02 -04:00
leviathan cee368d5a4 Phase 5: --detect-rules export with dedup 
- core/module.h: struct iamroot_module gains detect_{auditd,sigma,yara,falco}
  fields. NULL = module doesn't ship a rule for that format.
  Embedded as C string literals in each module's iamroot_modules.c so
  the binary is self-contained (no data-dir install needed).
- iamroot.c: --detect-rules [--format=<f>] command. Walks module
  registry, deduplicates by pointer (family-shared rules emit once,
  siblings get a 'see family rules above' marker), writes to stdout
  for redirect into /etc/audit/rules.d/ or SIEM ingestion.
- Embedded rules for:
  - copy_fail_family (shared across 5 modules): auditd watches on
    passwd/shadow/sudoers/su + AF_ALG socket creation + xfrm setsockopt;
    Sigma rule covers the file-modification footprint.
  - dirty_pipe: auditd watches on same files + splice() syscalls;
    Sigma rule for non-root file modification.
  - entrybleed: Sigma INFORMATIONAL note (side-channel — no syscall
    trace; reliable detection needs perf-counter EDR).

Verified end-to-end on kctf-mgr:
  iamroot --detect-rules --format=auditd → 2 / 7 rules emit (deduped)
  iamroot --detect-rules --format=sigma  → 2 / 7 rules emit
 2026-05-16 19:58:26 -04:00
leviathan 1552a3bfcb Phase 2 (partial): Dirty Pipe DETECT-ONLY module + core/kernel_range 
- core/kernel_range.{c,h}: branch-aware patched-version comparison.
  Every future module needs 'is the host kernel in the affected
  range?'; centralized here. Models stable-branch backports
  (e.g. 5.10.102, 5.15.25) so a 5.15.20 host correctly reports
  VULNERABLE while a 5.15.50 host reports OK.

- modules/dirty_pipe_cve_2022_0847/ (promoted out of _stubs):
  - iamroot_modules.{c,h}: dirty_pipe module exposing detect() that
    parses /proc/version and compares against the four known patched
    branches (5.10.102, 5.15.25, 5.16.11, 5.17+ inherited). Returns
    IAMROOT_OK / IAMROOT_VULNERABLE / IAMROOT_TEST_ERROR with stderr
    hints in human-readable scan mode.
  - exploit() returns IAMROOT_PRECOND_FAIL with a 'not yet
    implemented' message; landing the actual exploit needs Phase 1.5
    extraction of passwd/su helpers into core/.
  - detect/auditd.rules: splice() syscall + passwd/shadow file watches
  - detect/sigma.yml: non-root modification of /etc/passwd|shadow|sudoers

- iamroot.c main() calls iamroot_register_dirty_pipe() alongside
  the copy_fail_family registration.

- Makefile gains the dirty_pipe family as a separate object set.

Verified end-to-end on kctf-mgr (kernel 6.12.86): build clean, 6
modules in --list, --scan correctly reports dirty_pipe as patched,
JSON output ingest-ready.
 2026-05-16 19:51:47 -04:00