- Implements the Dirty Pipe primitive: prepare_pipe() fills+drains a
pipe to plant the stale PIPE_BUF_FLAG_CAN_MERGE flag in every
pipe_buffer slot; dirty_pipe_write() splices 1 byte from the target
file at offset-1 (seeding the slot with the file's page) then write()s
the payload, which the buggy kernel merges back into the page cache.
- find_passwd_uid_field() + revert_passwd_page_cache() inlined in the
module. Two-of-two duplication acceptable; extraction into core/host
triggers when a third module needs the same helpers (Phase 1.5).
- dirty_pipe_exploit() resolves current euid via getpwuid, locates the
user's UID field in /etc/passwd, replaces it with same-length zeros
('0000' for a 4-digit UID), then execlp's su <user> -c /bin/sh.
Auto-refuses if detect() reports patched. --no-shell mode plants the
write and returns. Cleanup mode evicts /etc/passwd from page cache.
- _GNU_SOURCE redefine warning fixed: cmdline -D already passes it.
Verified end-to-end on kernel 6.12.86 (patched):
iamroot --scan → dirty_pipe reports OK (patched)
iamroot --exploit dirty_pipe --i-know → refuses cleanly
CI-validation against vulnerable kernel (Ubuntu 20.04 / 5.13) is Phase 4.
CVES.md: dirty_pipe 🔵 → 🟢. ROADMAP.md: Phase 2 marked complete.
- modules/entrybleed_cve_2023_0458/ (promoted out of _stubs):
- iamroot_modules.{c,h}: full EntryBleed primitive (rdtsc_start/end
+ prefetchnta + KASLR-slot timing sweep) wired into the standard
iamroot_module interface. x86_64 only; ARM/other gracefully
return IAMROOT_PRECOND_FAIL.
- detect(): reads /sys/.../vulnerabilities/meltdown to decide
KPTI status. Mitigation: PTI → VULNERABLE. Not affected → OK.
- exploit(): sweeps the 16MiB KASLR range, prints leaked kbase
(and KASLR slide). JSON-mode emits {"kbase":"0x..."} to stdout.
- entrybleed_leak_kbase_lib(off) declared as a public library
helper so future LPE chains needing a stage-1 leak can just
#include the module's header and call it.
- entry_SYSCALL_64 slot offset overridable via
IAMROOT_ENTRYBLEED_OFFSET (default 0x5600000 for lts-6.12.x).
- __always_inline fallback added since glibc/Linux-kernel macro
isn't universal; module now builds clean under macOS clangd lint
and on musl.
- iamroot.c registers entrybleed alongside the other families;
Makefile gains it as a separate object set.
Verified end-to-end on kctf-mgr (Debian 6.12.86):
iamroot --exploit entrybleed --i-know
→ [+] entrybleed: leaked kbase = 0xffffffff8d800000
This is the FIRST WORKING-EXPLOIT module in IAMROOT (5
copy_fail_family modules wrap existing code from DIRTYFAIL;
dirty_pipe is detect-only). EntryBleed is x86_64 stage-1 brick
that future chains can compose.
- core/kernel_range.{c,h}: branch-aware patched-version comparison.
Every future module needs 'is the host kernel in the affected
range?'; centralized here. Models stable-branch backports
(e.g. 5.10.102, 5.15.25) so a 5.15.20 host correctly reports
VULNERABLE while a 5.15.50 host reports OK.
- modules/dirty_pipe_cve_2022_0847/ (promoted out of _stubs):
- iamroot_modules.{c,h}: dirty_pipe module exposing detect() that
parses /proc/version and compares against the four known patched
branches (5.10.102, 5.15.25, 5.16.11, 5.17+ inherited). Returns
IAMROOT_OK / IAMROOT_VULNERABLE / IAMROOT_TEST_ERROR with stderr
hints in human-readable scan mode.
- exploit() returns IAMROOT_PRECOND_FAIL with a 'not yet
implemented' message; landing the actual exploit needs Phase 1.5
extraction of passwd/su helpers into core/.
- detect/auditd.rules: splice() syscall + passwd/shadow file watches
- detect/sigma.yml: non-root modification of /etc/passwd|shadow|sudoers
- iamroot.c main() calls iamroot_register_dirty_pipe() alongside
the copy_fail_family registration.
- Makefile gains the dirty_pipe family as a separate object set.
Verified end-to-end on kctf-mgr (kernel 6.12.86): build clean, 6
modules in --list, --scan correctly reports dirty_pipe as patched,
JSON output ingest-ready.
leviathan