SKELETONKEY

leviathan/SKELETONKEY

Fork 0

Commit Graph

Author	SHA1	Message	Date
leviathan	498bb36404	modules: port 5 detect-only modules to trigger+groom (Option B) Converts the 5 remaining detect-only network/fs LPE modules to fire the actual kernel primitive on a vulnerable host, with honest EXPLOIT_FAIL return values since none ship the per-kernel cred-overwrite finisher. af_packet (CVE-2017-7308): +444 LoC — TPACKET_V3 int-overflow + skb spray + best-effort cred race af_packet2 (CVE-2020-14386): +446 LoC — tp_reserve underflow + sendmmsg skb spray cls_route4 (CVE-2022-2588): +410 LoC — route4 dangling-filter UAF + msg_msg 1k spray + classify drive fuse_legacy (CVE-2022-0185): +420 LoC — fsconfig 4k OOB write + msg_msg cross-cache groom nf_tables (CVE-2024-1086): +613 LoC — hand-rolled nfnetlink batch builder + NFT_GOTO/DROP double-free + msg_msg groom skeleton All five share: - userns+netns reach (unshare(CLONE_NEWUSER\|CLONE_NEWNET)) - Detect-refuse-on-patched re-call from exploit() - geteuid()==0 short-circuit - Honest EXPLOIT_FAIL with continuation roadmap comments - macOS dev-build stubs via #ifdef __linux__ where needed Build verified clean on Debian 6.12.86 (kctf-mgr). All five refuse on the patched kernel.	2026-05-16 21:22:17 -04:00
leviathan	a52f5a657f	Phase 7: af_packet (CVE-2017-7308) + FUSE legacy (CVE-2022-0185) Two more famous LPEs broadening 'THE tool' coverage: af_packet CVE-2017-7308 (Andrey Konovalov, Mar 2017): - AF_PACKET TPACKET_V3 ring setup integer overflow → heap write-where - Fills 2017 coverage gap - kernel_range: 3.18.49 / 4.4.57 / 4.9.18 / 4.10.6 / mainline 4.11+ - Needs CAP_NET_RAW via user_ns clone - Famous as the canonical 'userns + AF_PACKET → root' research-era LPE fuse_legacy CVE-2022-0185 (William Liu / Crusaders-of-Rust, Jan 2022): - legacy_parse_param fsconfig heap OOB → cross-cache UAF → root - Container-escape angle — relevant to rootless docker/podman/snap (the system admin persona's nightmare) - kernel_range: 5.4.171 / 5.10.91 / 5.15.14 / 5.16.2 / mainline 5.17+ - Needs user_ns + mount_ns to reach legacy_load() code path - Originally reported as FUSE-specific but actually applies to any fs-mount path from userns (cgroup2, etc.) Both detect-only initially; full exploits in follow-ups. Coverage by year now: 2016: dirty_cow 🟢 2017: af_packet 🔵 2019: ptrace_traceme 🔵 2021: pwnkit, overlayfs, netfilter_xtcompat 🟢/🟢/🔵 2022: dirty_pipe, cls_route4, fuse_legacy 🟢/🔵/🔵 2023: entrybleed 🟢 2024: nf_tables 🔵 2026: copy_fail family (×5) 🟢 16 modules total. Build clean. Scan on kctf-mgr: 11 OK / 5 VULNERABLE.	2026-05-16 20:49:58 -04:00

Author

SHA1

Message

Date

leviathan

498bb36404

modules: port 5 detect-only modules to trigger+groom (Option B)

Converts the 5 remaining detect-only network/fs LPE modules to fire
the actual kernel primitive on a vulnerable host, with honest
EXPLOIT_FAIL return values since none ship the per-kernel cred-overwrite
finisher.

  af_packet (CVE-2017-7308):     +444 LoC — TPACKET_V3 int-overflow
                                  + skb spray + best-effort cred race
  af_packet2 (CVE-2020-14386):   +446 LoC — tp_reserve underflow
                                  + sendmmsg skb spray
  cls_route4 (CVE-2022-2588):    +410 LoC — route4 dangling-filter UAF
                                  + msg_msg 1k spray + classify drive
  fuse_legacy (CVE-2022-0185):   +420 LoC — fsconfig 4k OOB write
                                  + msg_msg cross-cache groom
  nf_tables (CVE-2024-1086):     +613 LoC — hand-rolled nfnetlink batch
                                  builder + NFT_GOTO/DROP double-free
                                  + msg_msg groom skeleton

All five share:
  - userns+netns reach (unshare(CLONE_NEWUSER|CLONE_NEWNET))
  - Detect-refuse-on-patched re-call from exploit()
  - geteuid()==0 short-circuit
  - Honest EXPLOIT_FAIL with continuation roadmap comments
  - macOS dev-build stubs via #ifdef __linux__ where needed

Build verified clean on Debian 6.12.86 (kctf-mgr). All five refuse on
the patched kernel.

2026-05-16 21:22:17 -04:00

leviathan

a52f5a657f

Phase 7: af_packet (CVE-2017-7308) + FUSE legacy (CVE-2022-0185)

Two more famous LPEs broadening 'THE tool' coverage:

af_packet CVE-2017-7308 (Andrey Konovalov, Mar 2017):
- AF_PACKET TPACKET_V3 ring setup integer overflow → heap write-where
- Fills 2017 coverage gap
- kernel_range: 3.18.49 / 4.4.57 / 4.9.18 / 4.10.6 / mainline 4.11+
- Needs CAP_NET_RAW via user_ns clone
- Famous as the canonical 'userns + AF_PACKET → root' research-era LPE

fuse_legacy CVE-2022-0185 (William Liu / Crusaders-of-Rust, Jan 2022):
- legacy_parse_param fsconfig heap OOB → cross-cache UAF → root
- **Container-escape angle** — relevant to rootless docker/podman/snap
  (the system admin persona's nightmare)
- kernel_range: 5.4.171 / 5.10.91 / 5.15.14 / 5.16.2 / mainline 5.17+
- Needs user_ns + mount_ns to reach legacy_load() code path
- Originally reported as FUSE-specific but actually applies to any
  fs-mount path from userns (cgroup2, etc.)

Both detect-only initially; full exploits in follow-ups.

Coverage by year now:
  2016: dirty_cow                                  🟢
  2017: af_packet                                  🔵
  2019: ptrace_traceme                             🔵
  2021: pwnkit, overlayfs, netfilter_xtcompat      🟢/🟢/🔵
  2022: dirty_pipe, cls_route4, fuse_legacy        🟢/🔵/🔵
  2023: entrybleed                                 🟢
  2024: nf_tables                                  🔵
  2026: copy_fail family (×5)                      🟢

16 modules total. Build clean. Scan on kctf-mgr: 11 OK / 5 VULNERABLE.

2026-05-16 20:49:58 -04:00

2 Commits