SKELETONKEY

Author	SHA1	Message	Date
leviathan	5d48a7b0b5	release v0.7.1: arm64-static binary + per-module arch_support Two additions on top of v0.7.0: 1. skeletonkey-arm64-static is now published alongside the existing x86_64-static binary. Built native-arm64 in Alpine via GitHub's ubuntu-24.04-arm runner pool (free for public repos as of 2024). install.sh auto-picks it based on 'uname -m'; SKELETONKEY_DYNAMIC=1 fetches the dynamic build instead. Works on Raspberry Pi 4+, Apple Silicon Linux VMs, AWS Graviton, Oracle Ampere, Hetzner ARM, etc. .github/workflows/release.yml refactor: the previous single build-static-x86_64 job becomes a build-static matrix with two entries (x86_64-static on ubuntu-latest, arm64-static on ubuntu-24.04-arm). Both share the same Alpine container + build recipe. 2. .arch_support field on struct skeletonkey_module — honest per-module labeling of which architectures the exploit() body has been verified on. Three categories: 'any' (4 modules): pwnkit, sudo_samedit, sudoedit_editor, pack2theroot. Purely userspace; arch-independent. 'x86_64' (1 module): entrybleed. KPTI prefetchnta side-channel; x86-only by physics. Already source-gated (returns PRECOND_FAIL on non-x86_64). 'x86_64+unverified-arm64' (26 modules): kernel exploitation code. The bug class is generic but the exploit primitives (msg_msg sprays, finisher chain, struct offsets) haven't been confirmed on arm64. detect() still works (just reads ctx->host); only the --exploit path is in question. --list now has an ARCH column (any / x64 / x64?) and the footer prints 'N arch-independent (any)'. --module-info prints 'arch support: <value>'. --scan --json adds 'arch_support' to each module record. This is the honest 'arm64 works for detection on every module + exploitation on 4 of them today; the rest await empirical arm64 sweep' framing — not pretending the kernel exploits already work there, but not blocking the arm64 binary on that either. arm64 users get the full triage workflow + a handful of userspace exploits out of the box, plus a clear roadmap for the rest. Future work to promote modules from 'x86_64+unverified-arm64' to 'any': add an arm64 Vagrant box (generic/debian12-arm64 etc.) to tools/verify-vm/ and run a verification sweep on Apple Silicon / ARM Linux hardware.	2026-05-23 21:10:54 -04:00
leviathan	39ce4dff09	modules: per-module OPSEC notes — telemetry footprint per exploit Adds .opsec_notes to every module's struct skeletonkey_module (31 entries across 26 module files). One paragraph per exploit describing the runtime footprint a defender/SOC would see: - file artifacts created/modified (exact paths from source) - syscall observables (the unshare / socket / setsockopt / splice / msgsnd patterns the embedded detection rules look for) - dmesg signatures (silent on success vs KASAN oops on miss) - network activity (loopback-only vs none) - persistence side-effects (/etc/passwd modification, dropped setuid binaries, backdoors) - cleanup behaviour (callback present? what it restores?) Each note is grounded in the module's source code + its existing auditd/sigma/yara/falco detection rules — the OPSEC notes are literally the inverse of those rules (the rules describe what to look for; the notes describe what the exploit triggers). Three intelligence agents researched the modules in parallel, reading source + MODULE.md, then their proposals were embedded verbatim via tools/inject_opsec.py (one-shot script, not retained). Where surfaced: - --module-info <name>: '--- opsec notes ---' section between detect-rules summary and the embedded auditd/sigma rule bodies. - --module-info / --scan --json: 'opsec_notes' top-level string. Audience uses: - Red team: see what footprint each exploit leaves so they pick chains that match the host's telemetry posture. - Blue team: the notes mirror the existing detection rules from the attacker side — easy diff to find gaps in their SIEM coverage. - Researchers: per-exploit footprint catalog for technique analysis. copy_fail_family gets one shared note across all 5 register entries (copy_fail, copy_fail_gcm, dirty_frag_esp, dirty_frag_esp6, dirty_frag_rxrpc) since they share exploit infrastructure. Verification: - macOS local: clean build, --module-info nf_tables shows full opsec section + CWE + ATT&CK + KEV row from previous commit. - Linux (docker gcc:latest): 33 + 54 = 87 passes, 0 fails. Next: --explain mode (uses these notes + the triage metadata to render a single 'why is this verdict, what would patch fix it, and what would the SOC see' page per module).	2026-05-23 10:45:38 -04:00
leviathan	8938a74d04	detection rules: YARA + Falco for the 6 highest-rank modules + playbook Closes the 'rules in the box' gap — the README has claimed YARA + Falco coverage but detect_yara and detect_falco were NULL on every module. This commit lights up both formats for the 6 highest-value modules (covering 10 of 31 registered modules via family-shared rules), and the existing operational playbook gains the format-specific deployment recipes + the cross-format correlation table. YARA rules (8 rules, 9 module-headers, 152 lines): - copy_fail_family — etc_passwd_uid_flip + etc_passwd_root_no_password (shared across copy_fail / copy_fail_gcm / dirty_frag_esp / dirty_frag_esp6 / dirty_frag_rxrpc) - dirty_pipe — passwd UID flip pattern, dirty-pipe-specific tag - dirtydecrypt — 28-byte ELF prefix match on tiny_elf[] + setuid+execve shellcode tail, detects the page-cache overlay landing - fragnesia — 28-byte ELF prefix on shell_elf[] + setuid+setgid+seteuid cascade, detects the 192-byte page-cache overlay - pwnkit — gconv-modules cache file format (small text file with module UTF-8// X// /tmp/...) - pack2theroot — malicious .deb (ar archive + SUID-bash postinst) + /tmp/.suid_bash artifact scan Falco rules (13 rules, 9 module-headers, 219 lines): - pwnkit — pkexec with empty argv + GCONV_PATH/CHARSET env from non-root - copy_fail_family — AF_ALG socket from non-root + NETLINK_XFRM from unprivileged userns + /etc/passwd modified by non-root - dirty_pipe — splice() of setuid/credential file by non-root - dirtydecrypt — AF_RXRPC socket + add_key(rxrpc) by non-root - fragnesia — TCP_ULP=espintcp from non-root + splice of setuid binary - pack2theroot — SUID bit set on /tmp/.suid_bash + dpkg invoked by packagekitd with /tmp/.pk-*.deb + 2x InstallFiles on same transaction Wiring: each module's .detect_yara and .detect_falco struct fields now point at the embedded string. The dispatcher dedups by pointer, so family-shared rules emit once across the 5 sub-modules. docs/DETECTION_PLAYBOOK.md augmented (302 -> 456 lines): - New 'YARA artifact scanning' subsection under SIEM integration with scheduled-scan cron pattern + per-rule trigger table - New 'Falco runtime detection' subsection with deploy + per-rule trigger table - New 'Per-module detection coverage' table — 4-format matrix - New 'Correlation across formats' section — multi-format incident signature per exploit (the 3-of-4 signal pattern) - New 'Worked example: catching DirtyDecrypt end-to-end' walkthrough from Falco page through yara confirmation, recovery, hunt + patch The existing operational lifecycle / SIEM patterns / FP tuning content is preserved unchanged — this commit only adds. Final stats: - auditd: 109 rule statements across 27 modules - sigma: 16 sigma rules across 19 modules - yara: 8 yara rules across 9 module headers (5 family + 4 distinct) - falco: 13 falco rules across 9 module headers The remaining 21 modules can gain YARA / Falco coverage incrementally by populating their detect_yara / detect_falco struct fields.	2026-05-23 00:47:13 -04:00
leviathan	150f16bc97	pwnkit + sudoedit_editor: ctx->host migration + 4 more tests (39 total) pwnkit: migrate detect() to consult ctx->host->polkit_version with the same graceful-fallback pattern as the sudo modules. The version is populated once at startup by core/host.c (via pkexec --version); detect() skips the per-scan popen when the host fingerprint has the version. Falls back to the inline popen path when ctx->host is missing the version (degenerate test contexts). sudoedit_editor: already migrated; this commit adds direct test coverage. tests/test_detect.c expansion (35 → 39): - pwnkit: polkit_version='0.105' -> VULNERABLE (pre-0.121 fix) - pwnkit: polkit_version='0.121' -> OK (fix release) - sudoedit_editor: vuln sudo + no sudoers grant -> PRECOND_FAIL (documented behaviour: vulnerable version, but the dispatcher has no usable sudoedit grant on the host) - sudoedit_editor: fixed sudo (1.9.13p1) -> OK The sudoedit_editor 'vuln + no grant' case is the first test to exercise the second-level precondition gate AFTER the version check passes — proves the version-pinned detect logic AND the sudo -ln target-discovery short-circuit both work as intended. The h_vuln_sudo / h_fixed_sudo synthetic fingerprints gained the .polkit_version field alongside .sudo_version so a single fingerprint exercises both pwnkit and the sudo modules. Verification: 39/39 pass on Linux (docker gcc:latest + libglib2.0-dev + sudo, non-root user skeletonkeyci). macOS dev box still reports 'skipped — Linux-only' as designed.	2026-05-23 00:15:01 -04:00
leviathan	36814f272d	modules: migrate remaining 22 modules to ctx->host fingerprint Completes the host-fingerprint refactor that started in `c00c3b4`. Every module now consults the shared ctx->host (populated once at startup by core/host.c) instead of re-doing uname / geteuid / /etc/os-release parsing / fork+unshare(CLONE_NEWUSER) probes per detect(). Migrations applied per module (mechanical, no exploit logic touched): 1. #include "../../core/host.h" inside each module's #ifdef __linux__. 2. kernel_version_current(&v) -> ctx->host->kernel (with the v -> v-> arrow-vs-dot fix for all later usage). Drops ~20 redundant uname() calls across the corpus. 3. geteuid() == 0 (the 'already root, nothing to escalate' gate) -> bool is_root = ctx->host ? ctx->host->is_root : (geteuid() == 0); This is the key change that lets the unit test suite construct non-root fingerprints regardless of the test process's actual euid. 4. Per-detect fork+unshare(CLONE_NEWUSER) probe helpers (named can_unshare_userns / can_unshare_userns_mount across the corpus) are removed wholesale; their call sites now consult ctx->host->unprivileged_userns_allowed, which was probed once at startup. Removes ~10 per-scan fork()s. Modules touched by this commit (22): Batch A (7): dirty_pipe, dirty_cow, ptrace_traceme, pwnkit, cgroup_release_agent, overlayfs_setuid, and entrybleed (no migration target — KPTI gate stays as direct sysfs read; documented as 'no applicable pattern'). Batch B (7): nf_tables, cls_route4, netfilter_xtcompat, af_packet, af_packet2, af_unix_gc, fuse_legacy. Batch C (8): stackrot, nft_set_uaf, nft_fwd_dup, nft_payload, sudo_samedit, sequoia, sudoedit_editor, vmwgfx. Combined with the 4 modules already migrated (dirtydecrypt, fragnesia, pack2theroot, overlayfs) and the 5-module copy_fail_family bridge, the entire registered corpus now goes through ctx->host. The 4 'fork+unshare per detect()' helpers that existed across nf_tables, cls_route4, netfilter_xtcompat, af_packet, af_packet2, fuse_legacy, nft_set_uaf, nft_fwd_dup, nft_payload, sequoia, cgroup_release_agent, and overlayfs_setuid are now gone — replaced by the single startup probe in core/host.c. Verification: - Linux (docker gcc:latest + libglib2.0-dev): full clean build links 31 modules; tests/test_detect.c: 8/8 pass. - macOS (local): full clean build links 31 modules (Mach-O, 172KB); test suite reports skipped as designed on non-Linux. Subsequent commits can add more EXPECT_DETECT cases in tests/test_detect.c — the host-fingerprint paths in every module are now uniformly testable via synthetic struct skeletonkey_host instances.	2026-05-22 23:43:20 -04:00
leviathan	9593d90385	rename: IAMROOT → SKELETONKEY across the entire project release / build (arm64) (push) Waiting to run Details release / build (x86_64) (push) Waiting to run Details release / release (push) Blocked by required conditions Details Breaking change. Tool name, binary name, function/type names, constant names, env vars, header guards, file paths, and GitHub repo URL all rebrand IAMROOT → SKELETONKEY. Changes: - All "IAMROOT" → "SKELETONKEY" (constants, env vars, enum values, docs, comments) - All "iamroot" → "skeletonkey" (functions, types, paths, CLI) - iamroot.c → skeletonkey.c - modules//iamroot_modules.{c,h} → modules//skeletonkey_modules.{c,h} - tools/iamroot-fleet-scan.sh → tools/skeletonkey-fleet-scan.sh - Binary "iamroot" → "skeletonkey" - GitHub URL KaraZajac/IAMROOT → KaraZajac/SKELETONKEY - .gitignore now expects build output named "skeletonkey" - /tmp/iamroot-* tmpfiles → /tmp/skeletonkey-* - Env vars IAMROOT_MODPROBE_PATH etc. → SKELETONKEY_* New ASCII skeleton-key banner (horizontal key icon + ANSI Shadow SKELETONKEY block letters) replaces the IAMROOT banner in skeletonkey.c and README.md. VERSION: 0.3.1 → 0.4.0 (breaking). Build clean on Debian 6.12.86. `skeletonkey --version` → 0.4.0. All 24 modules still register; no functional code changes — pure rename + banner refresh.	2026-05-16 22:43:49 -04:00
leviathan	9d88b475c1	v0.3.1: --dump-offsets tool + NOTICE.md per module release / build (arm64) (push) Waiting to run Details release / build (x86_64) (push) Waiting to run Details release / release (push) Blocked by required conditions Details The README has been claiming "each module credits the original CVE reporter and PoC author in its NOTICE.md" since v0.1.0, but only copy_fail_family actually shipped one. Fixed. modules/<name>/NOTICE.md (×19 new + 1 existing): per-module research credit covering CVE ID, discoverer, original advisory URL where public, upstream fix commit, IAMROOT's role. iamroot.c: new --dump-offsets subcommand. Resolves kernel offsets via the existing core/offsets.c four-source chain (env → /proc/kallsyms → /boot/System.map → embedded table), then emits a ready-to-paste C struct entry for kernel_table[]. Run once as root on a target kernel build; upstream via PR. Eliminates fabricating offsets — every shipped entry traces back to a `iamroot --dump-offsets` invocation on a real kernel. docs/OFFSETS.md: documents the --dump-offsets workflow. CVES.md: notes the NOTICE.md convention + offset dump tool. iamroot.c: bump IAMROOT_VERSION 0.3.0 → 0.3.1.	2026-05-16 22:33:43 -04:00
leviathan	f1bd896ca8	Phase 7: Pwnkit FULL exploit (Qualys-style PoC) + DEFENDERS.md Pwnkit: 🔵 → 🟢 - Implements the canonical Qualys-style PoC end-to-end: 1. Locate setuid pkexec 2. mkdtemp working directory under /tmp 3. Detect target's gcc/cc (fail-soft if absent) 4. Write payload.c (gconv constructor: unsetenv hostile vars, setuid(0), execle /bin/sh -p with clean PATH) 5. gcc -shared -fPIC payload.c -o pwnkit/PWNKIT.so 6. Write gconv-modules cache pointing UTF-8// → PWNKIT// 7. execve(pkexec, NULL_argv, envp{GCONV_PATH=workdir/pwnkit, PATH=GCONV_PATH=., CHARSET=PWNKIT, SHELL=pwnkit}) → argc=0 triggers argv-overflow-into-envp; pkexec re-execs with PATH set to our tmpdir; libc's iconv loads PWNKIT.so as root; constructor pops /bin/sh with uid=0. - Cleanup: removes /tmp/iamroot-pwnkit-* workdirs. - Auto-refuses on patched hosts (re-runs detect() first). - GCC -Wformat-truncation warnings fixed by sizing path buffers generously (1024/2048 bytes — way more than needed in practice). Verified end-to-end on kctf-mgr (polkit 126 = patched): iamroot --exploit pwnkit --i-know → detect() says fixed → refuses cleanly. Correct behavior. Vulnerable-kernel validation is Phase 4 CI matrix work. docs/DEFENDERS.md — blue-team deployment guide: - TL;DR: scan, deploy rules, mitigate, watch - Operations cheat sheet (--list, --scan, --detect-rules, --mitigate) - Audit-key table mapping rule keys to modules to caught behavior - Fleet-scanning recipe (ssh + jq aggregation) - Known false-positive shapes per rule with tuning hints CVES.md: pwnkit row updated 🔵 → 🟢. ROADMAP.md: Phase 7 Pwnkit checkbox marked complete.	2026-05-16 20:13:11 -04:00
leviathan	43e290b224	Phase 7: Pwnkit (CVE-2021-4034) detect-only module First USERSPACE LPE in IAMROOT (every prior module is kernel). Same iamroot_module interface — the difference is the affected-version check is package-version-based rather than kernel-version-based. - modules/pwnkit_cve_2021_4034/: - iamroot_modules.{c,h}: detect() locates setuid pkexec (one of /usr/bin/pkexec, /usr/sbin/pkexec, /bin/pkexec, /sbin/pkexec, /usr/local/bin/pkexec) and parses 'pkexec --version' output. Handles BOTH version-string formats: legacy '0.105'/'0.120' (older polkit) AND modern bare-integer '121'/'126' (post-0.121 rename to single-number scheme). Reports VULNERABLE on parse failure (conservative). - exploit() returns IAMROOT_PRECOND_FAIL with a 'not yet implemented' message; full Qualys-PoC follow-up is the next commit. ~200 lines including embedded .so generator. - MODULE.md documents the bug, affected ranges, distro backport landscape (RHEL 7/8, Ubuntu focal/impish, Debian buster/bullseye each have their own backported polkit version). - Embedded auditd + sigma detection rules: auditd: pkexec watch + execve audit sigma: pkexec invocation + suspicious env (GCONV_PATH, CHARSET) - core/registry.h adds iamroot_register_pwnkit() declaration. - iamroot.c main() registers pwnkit. - Makefile gains the pwnkit family as a separate object set. Verified end-to-end on kctf-mgr (modern polkit 126): iamroot --list → 8 modules iamroot --scan → pwnkit reports 'version 126 ≥ 0.121 (fixed)' iamroot --detect-rules --format=auditd \| grep pwnkit → emits	2026-05-16 20:07:40 -04:00

9 Commits