SKELETONKEY

leviathan/SKELETONKEY

Fork 0

Commit Graph

Author	SHA1	Message	Date
leviathan	5a0aef12d0	Phase 2 complete: Dirty Pipe full exploit (page-cache UID flip → su) - Implements the Dirty Pipe primitive: prepare_pipe() fills+drains a pipe to plant the stale PIPE_BUF_FLAG_CAN_MERGE flag in every pipe_buffer slot; dirty_pipe_write() splices 1 byte from the target file at offset-1 (seeding the slot with the file's page) then write()s the payload, which the buggy kernel merges back into the page cache. - find_passwd_uid_field() + revert_passwd_page_cache() inlined in the module. Two-of-two duplication acceptable; extraction into core/host triggers when a third module needs the same helpers (Phase 1.5). - dirty_pipe_exploit() resolves current euid via getpwuid, locates the user's UID field in /etc/passwd, replaces it with same-length zeros ('0000' for a 4-digit UID), then execlp's su <user> -c /bin/sh. Auto-refuses if detect() reports patched. --no-shell mode plants the write and returns. Cleanup mode evicts /etc/passwd from page cache. - _GNU_SOURCE redefine warning fixed: cmdline -D already passes it. Verified end-to-end on kernel 6.12.86 (patched): iamroot --scan → dirty_pipe reports OK (patched) iamroot --exploit dirty_pipe --i-know → refuses cleanly CI-validation against vulnerable kernel (Ubuntu 20.04 / 5.13) is Phase 4. CVES.md: dirty_pipe 🔵 → 🟢. ROADMAP.md: Phase 2 marked complete.	2026-05-16 20:02:02 -04:00
leviathan	cee368d5a4	Phase 5: --detect-rules export with dedup - core/module.h: struct iamroot_module gains detect_{auditd,sigma,yara,falco} fields. NULL = module doesn't ship a rule for that format. Embedded as C string literals in each module's iamroot_modules.c so the binary is self-contained (no data-dir install needed). - iamroot.c: --detect-rules [--format=<f>] command. Walks module registry, deduplicates by pointer (family-shared rules emit once, siblings get a 'see family rules above' marker), writes to stdout for redirect into /etc/audit/rules.d/ or SIEM ingestion. - Embedded rules for: - copy_fail_family (shared across 5 modules): auditd watches on passwd/shadow/sudoers/su + AF_ALG socket creation + xfrm setsockopt; Sigma rule covers the file-modification footprint. - dirty_pipe: auditd watches on same files + splice() syscalls; Sigma rule for non-root file modification. - entrybleed: Sigma INFORMATIONAL note (side-channel — no syscall trace; reliable detection needs perf-counter EDR). Verified end-to-end on kctf-mgr: iamroot --detect-rules --format=auditd → 2 / 7 rules emit (deduped) iamroot --detect-rules --format=sigma → 2 / 7 rules emit	2026-05-16 19:58:26 -04:00
leviathan	1552a3bfcb	Phase 2 (partial): Dirty Pipe DETECT-ONLY module + core/kernel_range - core/kernel_range.{c,h}: branch-aware patched-version comparison. Every future module needs 'is the host kernel in the affected range?'; centralized here. Models stable-branch backports (e.g. 5.10.102, 5.15.25) so a 5.15.20 host correctly reports VULNERABLE while a 5.15.50 host reports OK. - modules/dirty_pipe_cve_2022_0847/ (promoted out of _stubs): - iamroot_modules.{c,h}: dirty_pipe module exposing detect() that parses /proc/version and compares against the four known patched branches (5.10.102, 5.15.25, 5.16.11, 5.17+ inherited). Returns IAMROOT_OK / IAMROOT_VULNERABLE / IAMROOT_TEST_ERROR with stderr hints in human-readable scan mode. - exploit() returns IAMROOT_PRECOND_FAIL with a 'not yet implemented' message; landing the actual exploit needs Phase 1.5 extraction of passwd/su helpers into core/. - detect/auditd.rules: splice() syscall + passwd/shadow file watches - detect/sigma.yml: non-root modification of /etc/passwd\|shadow\|sudoers - iamroot.c main() calls iamroot_register_dirty_pipe() alongside the copy_fail_family registration. - Makefile gains the dirty_pipe family as a separate object set. Verified end-to-end on kctf-mgr (kernel 6.12.86): build clean, 6 modules in --list, --scan correctly reports dirty_pipe as patched, JSON output ingest-ready.	2026-05-16 19:51:47 -04:00

Author

SHA1

Message

Date

leviathan

5a0aef12d0

Phase 2 complete: Dirty Pipe full exploit (page-cache UID flip → su)

- Implements the Dirty Pipe primitive: prepare_pipe() fills+drains a
  pipe to plant the stale PIPE_BUF_FLAG_CAN_MERGE flag in every
  pipe_buffer slot; dirty_pipe_write() splices 1 byte from the target
  file at offset-1 (seeding the slot with the file's page) then write()s
  the payload, which the buggy kernel merges back into the page cache.
- find_passwd_uid_field() + revert_passwd_page_cache() inlined in the
  module. Two-of-two duplication acceptable; extraction into core/host
  triggers when a third module needs the same helpers (Phase 1.5).
- dirty_pipe_exploit() resolves current euid via getpwuid, locates the
  user's UID field in /etc/passwd, replaces it with same-length zeros
  ('0000' for a 4-digit UID), then execlp's su <user> -c /bin/sh.
  Auto-refuses if detect() reports patched. --no-shell mode plants the
  write and returns. Cleanup mode evicts /etc/passwd from page cache.
- _GNU_SOURCE redefine warning fixed: cmdline -D already passes it.

Verified end-to-end on kernel 6.12.86 (patched):
  iamroot --scan      → dirty_pipe reports OK (patched)
  iamroot --exploit dirty_pipe --i-know → refuses cleanly
CI-validation against vulnerable kernel (Ubuntu 20.04 / 5.13) is Phase 4.

CVES.md: dirty_pipe 🔵 → 🟢. ROADMAP.md: Phase 2 marked complete.

2026-05-16 20:02:02 -04:00

leviathan

cee368d5a4

Phase 5: --detect-rules export with dedup

- core/module.h: struct iamroot_module gains detect_{auditd,sigma,yara,falco}
  fields. NULL = module doesn't ship a rule for that format.
  Embedded as C string literals in each module's iamroot_modules.c so
  the binary is self-contained (no data-dir install needed).
- iamroot.c: --detect-rules [--format=<f>] command. Walks module
  registry, deduplicates by pointer (family-shared rules emit once,
  siblings get a 'see family rules above' marker), writes to stdout
  for redirect into /etc/audit/rules.d/ or SIEM ingestion.
- Embedded rules for:
  - copy_fail_family (shared across 5 modules): auditd watches on
    passwd/shadow/sudoers/su + AF_ALG socket creation + xfrm setsockopt;
    Sigma rule covers the file-modification footprint.
  - dirty_pipe: auditd watches on same files + splice() syscalls;
    Sigma rule for non-root file modification.
  - entrybleed: Sigma INFORMATIONAL note (side-channel — no syscall
    trace; reliable detection needs perf-counter EDR).

Verified end-to-end on kctf-mgr:
  iamroot --detect-rules --format=auditd → 2 / 7 rules emit (deduped)
  iamroot --detect-rules --format=sigma  → 2 / 7 rules emit

2026-05-16 19:58:26 -04:00

leviathan

1552a3bfcb

Phase 2 (partial): Dirty Pipe DETECT-ONLY module + core/kernel_range

- core/kernel_range.{c,h}: branch-aware patched-version comparison.
  Every future module needs 'is the host kernel in the affected
  range?'; centralized here. Models stable-branch backports
  (e.g. 5.10.102, 5.15.25) so a 5.15.20 host correctly reports
  VULNERABLE while a 5.15.50 host reports OK.

- modules/dirty_pipe_cve_2022_0847/ (promoted out of _stubs):
  - iamroot_modules.{c,h}: dirty_pipe module exposing detect() that
    parses /proc/version and compares against the four known patched
    branches (5.10.102, 5.15.25, 5.16.11, 5.17+ inherited). Returns
    IAMROOT_OK / IAMROOT_VULNERABLE / IAMROOT_TEST_ERROR with stderr
    hints in human-readable scan mode.
  - exploit() returns IAMROOT_PRECOND_FAIL with a 'not yet
    implemented' message; landing the actual exploit needs Phase 1.5
    extraction of passwd/su helpers into core/.
  - detect/auditd.rules: splice() syscall + passwd/shadow file watches
  - detect/sigma.yml: non-root modification of /etc/passwd|shadow|sudoers

- iamroot.c main() calls iamroot_register_dirty_pipe() alongside
  the copy_fail_family registration.

- Makefile gains the dirty_pipe family as a separate object set.

Verified end-to-end on kctf-mgr (kernel 6.12.86): build clean, 6
modules in --list, --scan correctly reports dirty_pipe as patched,
JSON output ingest-ready.

2026-05-16 19:51:47 -04:00

3 Commits