leviathan/SKELETONKEY
1
0
Fork 0
Code Issues Pull Requests Actions 21 Packages Projects Releases Wiki Activity
105 Commits 1 Branch 20 Tags
v0.7.1
Commit Graph

25 Commits

Author SHA1 Message Date
leviathan a26f471ecf dirtydecrypt + fragnesia: pin CVE fix commits, version-based detect() 
Both modules' detect() was precondition-only because we didn't know the
mainline fix commits at port time. Debian's security tracker now
provides them — pinning here turns detect() into a proper version-
based verdict (still with --active for empirical override).

dirtydecrypt (CVE-2026-31635):
- Fix commit a2567217ade970ecc458144b6be469bc015b23e5 in mainline 7.0
  ('rxrpc: fix oversized RESPONSE authenticator length check').
- Debian tracker confirms older stable branches (5.10 / 6.1 / 6.12) as
  <not-affected, vulnerable code not present>: the rxgk RESPONSE-
  handling code was added in 7.0.
- kernel_range table: { {7, 0, 0} }
- detect() pre-checks 'kernel < 7.0 -> SKELETONKEY_OK (predates)' then
  consults the table. With --active, the /tmp sentinel probe overrides
  empirically (catches pre-fix 7.0-rc kernels the version check
  reports as patched).

fragnesia (CVE-2026-46300):
- Fix in mainline 7.0.9 per Debian tracker ('linux unstable: 7.0.9-1
  fixed'). Older Debian-stable branches (bullseye 5.10 / bookworm 6.1
  / trixie 6.12) are still marked vulnerable as of 2026-05-22 - no
  backports yet.
- kernel_range table: { {7, 0, 9} }
- detect() keeps the userns + carrier preconditions, then consults
  the table: 7.0.9+ -> OK; older branches without an explicit backport
  entry -> VULNERABLE (version-only). --active confirms empirically.
- Table is intentionally minimal so distros that DO backport in the
  future flow into 'patched' once their branch lands an entry; until
  then, the conservative VULNERABLE verdict on unfixed branches is
  correct.

Other changes:
- module struct .kernel_range strings updated from 'fix commit not
  yet pinned' to the actual pinned-version prose.
- module_safety_rank bumped 86 -> 87 for both modules (version-pinned
  detect is now real; still below the verified copy_fail family at
  88 so --auto prefers verified modules when both apply).
- Both modules now #include core/kernel_range.h inside their
  #ifdef __linux__ block.
- MODULE.md verification-status sections rewritten: detect() is now
  version-pinned; only the exploit body remains unverified.
- CVES.md note + inventory rows updated: dropped the 'precondition-
  only' language for the pair; all three ported modules now have
  pinned fix references.
- README  tier description + module list aligned to the new state.

Both detect()s smoke-tested in docker gcc:latest on kernel 6.12.76-
linuxkit: dirtydecrypt correctly reports OK ('predates the rxgk code
added in 7.0'); fragnesia + pack2theroot correctly report
PRECOND_FAIL (no userns / no D-Bus in container). Local macOS + Linux
builds both clean.
 2026-05-22 23:06:15 -04:00
leviathan 9a4cc91619 pack2theroot (CVE-2026-41651) + --auto accuracy work 
Adds the third ported module — Pack2TheRoot, a userspace PackageKit
D-Bus TOCTOU LPE — and spends real effort hardening --auto so its
detect step gives an accurate, robust verdict before deploying.

pack2theroot (CVE-2026-41651):
- Ported from the public Vozec PoC
  (github.com/Vozec/CVE-2026-41651). Original disclosure by the
  Deutsche Telekom security team.
- Two back-to-back InstallFiles D-Bus calls (SIMULATE then NONE)
  overwrite the cached transaction flags between polkit auth and
  dispatch. GLib priority ordering makes the overwrite deterministic,
  not a timing race; postinst of the malicious .deb drops a SUID bash
  in /tmp.
- detect() reads PackageKit's VersionMajor/Minor/Micro directly over
  D-Bus and compares against the pinned fix release 1.3.5 (commit
  76cfb675). This is a high-confidence verdict, not precondition-only.
- Debian-family only (PoC builds its own .deb in pure C; ar/ustar/
  gzip-stored inline). Cleanup removes /tmp .debs + best-effort
  unlinks /tmp/.suid_bash + sudo -n dpkg -r the staging packages.
- Adds an optional GLib/GIO build dependency. The top-level Makefile
  autodetects via `pkg-config gio-2.0`; when absent the module
  compiles as a stub returning PRECOND_FAIL.
- Embedded auditd + sigma rules cover the file-side footprint
  (/tmp/.suid_bash, /tmp/.pk-*.deb, non-root dpkg/apt execve).

--auto accuracy improvements:
- Auto-enables --active before the scan. Per-module sentinel probes
  (page-cache /tmp files, fork-isolated namespace mounts) turn
  version-only checks into definitive verdicts, so silent distro
  backports don't fool the scan and --auto won't pick blind on
  TEST_ERROR.
- Per-module verdict printing — every module's result is shown
  (VULNERABLE / patched / precondition / indeterminate), not just
  VULNERABLE rows. Operator sees the full picture.
- Scan-end summary line: "N vulnerable, M patched/n.a., K
  precondition-fail, L indeterminate" with a separate callout when
  modules crashed.
- Distro fingerprint added to the auto banner (ID + VERSION_ID from
  /etc/os-release alongside kernel/arch).
- Fork-isolated detect() — each detector runs in a child process so
  a SIGILL/SIGSEGV in one module's probe is contained and the scan
  continues. Surfaced live while testing: entrybleed's prefetchnta
  KASLR sweep SIGILLs on emulated CPUs (linuxkit on darwin); without
  isolation the whole --auto died at module 7 of 31. With isolation
  the scan reports "detect() crashed (signal 4) — continuing" and
  finishes cleanly.

module_safety_rank additions:
- pack2theroot: 95 (userspace D-Bus TOCTOU; dpkg + /tmp SUID footprint
  — clean but heavier than pwnkit's gconv-modules-only path).
- dirtydecrypt / fragnesia: 86 (page-cache writes; one step below the
  verified copy_fail/dirty_frag family at 88 to prefer verified
  modules when both apply).

Docs:
- README badge / tagline / tier table /  block / example output /
  v0.5.0 status — all updated to "28 verified + 3 ported".
- CVES.md counts line, the ported-modules note (now calling out
  pack2theroot's high-confidence detect vs. precondition-only for
  the page-cache pair), inventory row, operations table row.
- ROADMAP Phase 7+: pack2theroot moved out of carry-overs into the
  "landed (ported, pending VM verification)" group; added a new
  "--auto accuracy work" subsection documenting the dispatcher
  hardening landed in this commit.
- docs/index.html: scanning-count example bumped to 31, status line
  updated to mention 3 ported modules.

Build verification: full `make clean && make` in `docker gcc:latest`
with libglib2.0-dev installed: links into a 31-module skeletonkey
ELF (413KB), `--list` shows all modules including pack2theroot,
`--detect-rules --format=auditd` emits the new pack2theroot section,
`--auto --i-know --no-shell` exercises the new banner + active
probes + verdict table + fork isolation + scan summary end-to-end.
Only build warning is the pre-existing
`-Wunterminated-string-initialization` in dirty_pipe (not introduced
here).
 2026-05-22 22:42:07 -04:00
leviathan ac557b67d0 review pass: fidelity + credits + count consistency for ported modules 
Three-agent rigorous review of the dirtydecrypt + fragnesia ports plus
repo-wide doc consistency, followed by a full Linux build verification.

dirtydecrypt (NOTICE + detection rules):
- NOTICE.md: removed an unsupported "Zellic co-founder" detail and a
  fabricated disclosure-date narrative; tightened phrasing of the
  Zellic + V12 credit; noted that upstream poc.c carries no
  author/license header of its own.
- Embedded auditd + sigma rules and detect/sigma.yml broadened to
  cover every binary in dd_targets[] (added /usr/bin/mount,
  /usr/bin/passwd, /usr/bin/chsh) and added the b32 splice rule, so
  the embedded ruleset matches the on-disk reference and the carrier
  list the exploit actually targets.
- Exploit primitive verified byte-for-byte against the V12 PoC
  (tiny_elf[] identical, all rxgk/XDR/fire/pagecache_write logic
  token-identical). docker gcc:latest compile of the Linux path:
  COMPILE_OK, zero warnings.

fragnesia: review found no defects. Exploit primitive byte-identical
to the V12 PoC (shell_elf[] 192 bytes identical, AF_ALG GCM keystream
table + userns/netns/XFRM + receiver/sender/run_trigger_pair all
faithful). The deliberate omissions (ANSI TUI, CLI arg parsing) drop
nothing exploit-critical. docker gcc:latest compile: COMPILE_OK; full
project build links into a working skeletonkey ELF and --list shows
the module registered correctly.

Repo docs (README.md / CVES.md / ROADMAP.md):
- Chose to keep "28 verified" as the headline; the two ported
  modules are represented as a separate clearly-labelled tier
  ("ported-but-unverified") that is explicitly excluded from the
  28-module verified counts. README + CVES.md + ROADMAP.md now tell
  one consistent story.
- Filled a pre-existing documentation gap: sudo_samedit, sequoia,
  sudoedit_editor, vmwgfx were registered + built but absent from
  CVES.md's inventory + operations tables. Added rows synthesized
  from each module's .cve / .summary / .kernel_range fields.
- ROADMAP Phase 8 "7 🟡 PRIMITIVE modules" → "14"; added a "Landed
  since v0.1.0" group; moved vmwgfx out of the stale carry-overs.

docs site (docs/index.html):
- Stat box "28 / total modules" → "28 / verified modules" (the 14+14
  breakdown now sums to the headline consistently).
- Terminal example "scanning 28 modules" → "scanning 30 modules"
  (was factually wrong — the binary literally prints module_count()
  which is 30).
- Status line: updated to mention the 2 ported-but-unverified
  modules and mirror the README phrasing.
- docs/LAUNCH.md left as a dated v0.5.0 launch snapshot.

Build verification: `docker run gcc:latest make clean && make` —
links into a 30-module skeletonkey ELF on Linux. macOS dev box still
hits the pre-existing dirty_pipe header gap; unchanged.

.gitignore: added /skeletonkey to exclude the top-level build
artifact (the existing modules/*/skeletonkey only covered per-module
binaries; the root one was getting picked up by `git add -A`).
 2026-05-22 18:41:37 -04:00
leviathan a8c8d5ef1f modules: add dirtydecrypt (CVE-2026-31635) + fragnesia (CVE-2026-46300) 
Two new page-cache-write LPE modules, both ported from the public V12
security PoCs (github.com/v12-security/pocs):

- dirtydecrypt (CVE-2026-31635): rxgk missing-COW in-place decrypt.
  rxgk_decrypt_skb() decrypts spliced page-cache pages before the HMAC
  check, corrupting the page cache of a read-only file. Sibling of
  Copy Fail / Dirty Frag in the rxrpc subsystem.

- fragnesia (CVE-2026-46300): XFRM ESP-in-TCP skb_try_coalesce() loses
  the SHARED_FRAG marker, so the ESP-in-TCP receive path decrypts
  page-cache pages in place. A latent bug exposed by the Dirty Frag
  fix (f4c50a4034e6). Retires the old _stubs/fragnesia_TBD stub.

Both wrap the PoC exploit primitive in the skeletonkey_module
interface: detect/exploit/cleanup, an --active /tmp sentinel probe,
--no-shell support, and embedded auditd + sigma rules. The exploit
body runs in a forked child so the PoC's exit()/die() paths cannot
tear down the dispatcher. The fragnesia port drops the upstream PoC's
ANSI TUI (incompatible with a shared dispatcher); the exploit
mechanism is reproduced faithfully. Linux-only code is guarded with
#ifdef __linux__ so the modules still compile on non-Linux dev boxes.

VERIFICATION: ported, NOT yet validated end-to-end on a
vulnerable-kernel VM. The CVE fix commits are not pinned, so detect()
is precondition-only (PRECOND_FAIL / TEST_ERROR, never a blind
VULNERABLE) and --auto will not fire them unless --active confirms.
macOS stub-path compiles verified locally; the Linux exploit-path
build is covered by CI (build.yml, ubuntu) only. See each MODULE.md.

Wiring: core/registry.h, skeletonkey.c, Makefile, CVES.md, ROADMAP.md.
 2026-05-22 18:22:30 -04:00
leviathan 9593d90385 rename: IAMROOT → SKELETONKEY across the entire project
release / build (arm64) (push) Waiting to run
Details
release / build (x86_64) (push) Waiting to run
Details
release / release (push) Blocked by required conditions
Details 
Breaking change. Tool name, binary name, function/type names,
constant names, env vars, header guards, file paths, and GitHub
repo URL all rebrand IAMROOT → SKELETONKEY.

Changes:
  - All "IAMROOT" → "SKELETONKEY" (constants, env vars, enum
    values, docs, comments)
  - All "iamroot" → "skeletonkey" (functions, types, paths, CLI)
  - iamroot.c → skeletonkey.c
  - modules/*/iamroot_modules.{c,h} → modules/*/skeletonkey_modules.{c,h}
  - tools/iamroot-fleet-scan.sh → tools/skeletonkey-fleet-scan.sh
  - Binary "iamroot" → "skeletonkey"
  - GitHub URL KaraZajac/IAMROOT → KaraZajac/SKELETONKEY
  - .gitignore now expects build output named "skeletonkey"
  - /tmp/iamroot-* tmpfiles → /tmp/skeletonkey-*
  - Env vars IAMROOT_MODPROBE_PATH etc. → SKELETONKEY_*

New ASCII skeleton-key banner (horizontal key icon + ANSI Shadow
SKELETONKEY block letters) replaces the IAMROOT banner in
skeletonkey.c and README.md.

VERSION: 0.3.1 → 0.4.0 (breaking).

Build clean on Debian 6.12.86. `skeletonkey --version` → 0.4.0.
All 24 modules still register; no functional code changes — pure
rename + banner refresh.
 2026-05-16 22:43:49 -04:00
leviathan 9d88b475c1 v0.3.1: --dump-offsets tool + NOTICE.md per module
release / build (arm64) (push) Waiting to run
Details
release / build (x86_64) (push) Waiting to run
Details
release / release (push) Blocked by required conditions
Details 
The README has been claiming "each module credits the original CVE
reporter and PoC author in its NOTICE.md" since v0.1.0, but only
copy_fail_family actually shipped one. Fixed.

  modules/<name>/NOTICE.md (×19 new + 1 existing): per-module
    research credit covering CVE ID, discoverer, original advisory
    URL where public, upstream fix commit, IAMROOT's role.

  iamroot.c: new --dump-offsets subcommand. Resolves kernel offsets
    via the existing core/offsets.c four-source chain (env →
    /proc/kallsyms → /boot/System.map → embedded table), then emits
    a ready-to-paste C struct entry for kernel_table[]. Run once
    as root on a target kernel build; upstream via PR. Eliminates
    fabricating offsets — every shipped entry traces back to a
    `iamroot --dump-offsets` invocation on a real kernel.

  docs/OFFSETS.md: documents the --dump-offsets workflow.
  CVES.md: notes the NOTICE.md convention + offset dump tool.

  iamroot.c: bump IAMROOT_VERSION 0.3.0 → 0.3.1.
 2026-05-16 22:33:43 -04:00
leviathan 1bcfdd0c9f release: v0.3.0 — 4 new CVE modules (24 total)
release / build (arm64) (push) Waiting to run
Details
release / build (x86_64) (push) Waiting to run
Details
release / release (push) Blocked by required conditions
Details 
iamroot.c: bump IAMROOT_VERSION 0.2.0 → 0.3.0
  CVES.md: add inventory entries for nft_set_uaf, af_unix_gc,
           nft_fwd_dup, nft_payload; extend operations table;
           bump counts (🟢 13 · 🟡 11 · 🔵 0 ·  1).
  README.md: update Status to 24 modules, list all 11 🟡 modules.

Module families now spanning:
  - copy_fail_family (page-cache write)
  - nf_tables (4 modules: nf_tables, nft_set_uaf, nft_fwd_dup, nft_payload)
  - af_packet (2 modules: af_packet, af_packet2)
  - overlayfs (2 modules: overlayfs CVE-2021-3493, overlayfs_setuid)
  - af_unix (new in v0.3.0)
  - plus 10 single-CVE families
 2026-05-16 22:25:15 -04:00
leviathan e2a3d6e94f release: v0.2.0 — --full-chain root-pop opt-in across 7 🟡 modules
release / build (arm64) (push) Waiting to run
Details
release / build (x86_64) (push) Waiting to run
Details
release / release (push) Blocked by required conditions
Details 
iamroot.c: bump IAMROOT_VERSION 0.1.0 → 0.2.0
  CVES.md: redefine 🟡 to note --full-chain capability + docs/OFFSETS.md
  README.md: update Status section for v0.2.0
  docs/OFFSETS.md: new doc — env-var/kallsyms/System.map/embedded-table
                   resolution chain + operator workflow for populating
                   offsets per kernel build + sentinel-based success
                   arbitration.

All 7 🟡 modules now expose `--full-chain`. Default behavior unchanged.
 2026-05-16 22:06:14 -04:00
leviathan dce158e33a release: v0.1.0 — 20-module corpus, 13 root-pop + 7 primitive 
iamroot.c: bump IAMROOT_VERSION from 0.1.0-phase1 → 0.1.0
  README.md: replace "bootstrap phase" status with v0.1.0 corpus
             breakdown (13🟢 / 7🟡 across 2016→2026 timeline)
  CVES.md:   redefine 🟡 to mean "primitive fires + groom + witness,
             stops short of cred-overwrite chain — refuses to claim
             root unless empirically demonstrated"; flip 7 entries
             from 🔵🟡; add the two missing 🟢 entries
             (cgroup_release_agent, overlayfs_setuid); extend the
             operations matrix from 7 → 20 rows.
  ROADMAP.md: mark all Phase-7 items landed; add Phase 8 covering
              full-chain promotions (nf_tables / xtcompat / af_packet
              prioritized — each has a public reference exploit;
              IAMROOT's no-fabricated-offsets rule means each needs
              an env-var offset table or System.map auto-resolve).

Build clean on Debian 6.12.86; iamroot --version reports 0.1.0.
 2026-05-16 21:40:51 -04:00
leviathan 7387ffd3bd Add stackrot (CVE-2023-3269) + af_packet2 (CVE-2020-14386) modules 
Two more for 'THE tool' coverage breadth.

stackrot CVE-2023-3269 (Ruihan Li, Jul 2023):
- maple-tree VMA-split UAF — kernel R/W via use-after-RCU
- **Different bug class than the netfilter-heavy 2022-2024 modules**
  (mm-class, broadens corpus shape)
- kernel_range: 6.1 ≤ K < 6.4-rc4, backports: 6.1.37 / 6.3.10 /
  mainline 6.4
- Pre-6.1 immune (no maple tree); 6.5+ patched
- Affects 6.1 LTS still widely deployed
- ~1000-line public PoC deferred for port

af_packet2 CVE-2020-14386 (Or Cohen, Sep 2020):
- AF_PACKET tpacket_rcv VLAN integer underflow → heap OOB
- Sibling of CVE-2017-7308; same subsystem, different code path
- kernel_range: 4.6 ≤ K, backports across 4.9 / 4.14 / 4.19 / 5.4 / 5.7 / 5.8
- Family-shared 'iamroot-af-packet' audit key (one ausearch covers both
  CVEs from one rule deployment)

Era coverage now (1 gap year remaining: 2018):
  2016: dirty_cow                              🟢
  2017: af_packet                              🔵
  2019: ptrace_traceme                         🟢
  2020: af_packet2                             🔵
  2021: pwnkit, overlayfs, netfilter_xtcompat  🟢/🟢/🔵
  2022: dirty_pipe, cls_route4, fuse_legacy    🟢/🔵/🔵
  2023: entrybleed, stackrot                   🟢/🔵
  2024: nf_tables                              🔵
  2026: copy_fail family (×5)                  🟢

18 modules total. Build clean. Scan on Debian 6.12.86: 13 OK / 5 VULN.
 2026-05-16 21:03:36 -04:00
leviathan 541aac6993 Phase 7: ptrace_traceme CVE-2019-13272 — port FULL jannh-style exploit 
Convert ptrace_traceme from 🔵🟢. Real working PoC following Jann
Horn's Project Zero issue #1903 technique.

Mechanism:
  1. fork() — child becomes our traced target via PTRACE_TRACEME
  2. child sleeps 500ms (lets parent execve start)
  3. parent execve's setuid binary (pkexec / su / passwd / sudo —
     auto-selected via find_setuid_target())
  4. Kernel elevates parent's creds to root but the stale
     ptrace_link from step 1 isn't invalidated (the bug)
  5. child PTRACE_ATTACH's to the now-privileged parent
  6. child PTRACE_POKETEXT's x86_64 shellcode at parent's RIP
  7. child PTRACE_DETACH — parent runs shellcode:
     setuid(0); setgid(0); execve('/bin/sh', ...) → root shell

Implementation notes:
- x86_64-only (shellcode is arch-specific). ARM/other arch returns
  IAMROOT_PRECOND_FAIL gracefully.
- Shellcode is the canonical 33-byte setuid(0)+execve('/bin/sh')
  inline asm sequence.
- Setuid binary selection: pkexec preferred (almost universal),
  then su/sudo/passwd as fallbacks. Refuses if none available.
- Auto-refuses on patched kernels (re-runs detect() at start).
- No cleanup applies — exploit replaces our process image on success.

Verified on Debian 6.12.86 (patched):
  iamroot --exploit ptrace_traceme --i-know
  → detect() says patched → refuses cleanly. Correct.

CVES.md: ptrace_traceme 🔵🟢.

5 detect-only modules remain (cls_route4, nf_tables, netfilter_xtcompat,
af_packet, fuse_legacy). Each is 200-400 line msg_msg/sk_buff
cross-cache groom — substantial individual commits. Next push or
strategic pivot per session priorities.
 2026-05-16 20:57:44 -04:00
leviathan a52f5a657f Phase 7: af_packet (CVE-2017-7308) + FUSE legacy (CVE-2022-0185) 
Two more famous LPEs broadening 'THE tool' coverage:

af_packet CVE-2017-7308 (Andrey Konovalov, Mar 2017):
- AF_PACKET TPACKET_V3 ring setup integer overflow → heap write-where
- Fills 2017 coverage gap
- kernel_range: 3.18.49 / 4.4.57 / 4.9.18 / 4.10.6 / mainline 4.11+
- Needs CAP_NET_RAW via user_ns clone
- Famous as the canonical 'userns + AF_PACKET → root' research-era LPE

fuse_legacy CVE-2022-0185 (William Liu / Crusaders-of-Rust, Jan 2022):
- legacy_parse_param fsconfig heap OOB → cross-cache UAF → root
- **Container-escape angle** — relevant to rootless docker/podman/snap
  (the system admin persona's nightmare)
- kernel_range: 5.4.171 / 5.10.91 / 5.15.14 / 5.16.2 / mainline 5.17+
- Needs user_ns + mount_ns to reach legacy_load() code path
- Originally reported as FUSE-specific but actually applies to any
  fs-mount path from userns (cgroup2, etc.)

Both detect-only initially; full exploits in follow-ups.

Coverage by year now:
  2016: dirty_cow                                  🟢
  2017: af_packet                                  🔵
  2019: ptrace_traceme                             🔵
  2021: pwnkit, overlayfs, netfilter_xtcompat      🟢/🟢/🔵
  2022: dirty_pipe, cls_route4, fuse_legacy        🟢/🔵/🔵
  2023: entrybleed                                 🟢
  2024: nf_tables                                  🔵
  2026: copy_fail family (×5)                      🟢

16 modules total. Build clean. Scan on kctf-mgr: 11 OK / 5 VULNERABLE.
 2026-05-16 20:49:58 -04:00
leviathan 102b117d4e Phase 7: PTRACE_TRACEME (CVE-2019-13272) + xt_compat (CVE-2021-22555) 
Two famous 2017-2020-era LPEs to broaden 'THE tool for folks'
coverage. Both detect-only initially; exploit ports as follow-ups.

ptrace_traceme (CVE-2019-13272 — jannh @ Google P0, Jun 2019):
- Famous because works on default-config systems with no user_ns
  required — locked-down environments were still vulnerable.
- kernel_range thresholds: 4.4.182 / 4.9.182 / 4.14.131 / 4.19.58 /
  5.0.20 / 5.1.17 / mainline 5.2+
- Exploit shape (deferred): fork → child PTRACE_TRACEME → parent
  execve setuid binary → child ptrace-injects shellcode → root.
- Auditd: flag PTRACE_TRACEME (request 0) — false positives via
  gdb/strace; tune by exclusion.

netfilter_xtcompat (CVE-2021-22555 — Andy Nguyen @ Google P0):
- Bug existed since 2.6.19 (2006) — 15 years of latent vuln. Famous
  for that age + default-config reachability via unprivileged_userns.
- kernel_range thresholds: 4.4.266 / 4.9.266 / 4.14.230 / 4.19.185
  / 5.4.110 / 5.10.27 / 5.11.10 / mainline 5.12+
- detect() probes user_ns+net_ns clone; locked-down → PRECOND_FAIL.
- Exploit shape (deferred): heap massage via msg_msg + sk_buff cross-
  cache groom → kernel R/W → cred or modprobe_path overwrite. ~400
  lines port from Andy's public exploit.c.
- Auditd: unshare + iptables-style setsockopt + msgsnd — combined,
  the canonical exploit footprint.

Both wired into iamroot.c, core/registry.h, Makefile. CVES.md rows
added with detailed status.

Coverage by year now:
  2016: dirty_cow                              🟢
  2019: ptrace_traceme                         🔵
  2021: pwnkit, overlayfs, netfilter_xtcompat  🟢/🟢/🔵
  2022: dirty_pipe, cls_route4                 🟢/🔵
  2023: entrybleed                             🟢
  2024: nf_tables                              🔵
  2026: copy_fail family (×5)                  🟢

Module count: 14. Build clean (no warnings).
 2026-05-16 20:47:24 -04:00
leviathan cb39cc5119 Phase 7: Dirty COW (CVE-2016-5195) FULL module — old-systems coverage 
The iconic 2016 LPE. Fills the 10-year coverage gap (now spanning
2016 → 2026): RHEL 6/7, Ubuntu 14.04, Ubuntu 16.04, embedded boxes,
IoT — many still in production with kernels predating the 4.9 fix.

- modules/dirty_cow_cve_2016_5195/iamroot_modules.{c,h}:
  - kernel_range: backport thresholds for 2.6 / 3.2 / 3.10 / 3.12 /
    3.16 / 3.18 / 4.4 / 4.7 / 4.8 / mainline 4.9
  - dirty_cow_write(): Phil-Oester-style two-thread race
    - mmap /etc/passwd MAP_PRIVATE (writes go COW)
    - writer thread: pwrite to /proc/self/mem at COW page offset
    - madviser thread: madvise(MADV_DONTNEED) to drop COW copy
    - poll-read /etc/passwd via separate fd to check if payload landed
    - 3-second timeout (race usually wins in ms on vulnerable kernels)
  - dirty_cow_exploit(): getpwuid → find_passwd_uid_field → race
    → execlp(su)
  - dirty_cow_cleanup(): POSIX_FADV_DONTNEED + drop_caches
  - Auditd rule: /proc/self/mem writes + madvise MADV_DONTNEED
  - Sigma rule: non-root /proc/self/mem open → high
- Makefile: -lpthread added to LDFLAGS for the binary link.
- iamroot.c + core/registry.h wired.
- CVES.md row added with detailed status; legend updated.

Verified end-to-end on kctf-mgr (6.12.86 — patched):
  iamroot --scan       → 'dirty_cow: kernel is patched' (OK)
  iamroot --exploit dirty_cow --i-know
                       → 'detect() says not vulnerable; refusing'
Module count = 12.
 2026-05-16 20:38:46 -04:00
leviathan 3ad1446489 Add cls_route4 CVE-2022-2588 module (detect-only) 
11th module. net/sched cls_route4 handle-zero dead UAF — discovered
by kylebot Aug 2022, fixed mainline 5.20 (commit 9efd23297cca).
Bug existed since 2.6.39 → very wide attack surface.

- modules/cls_route4_cve_2022_2588/iamroot_modules.{c,h}:
  - kernel_range thresholds: 5.4.213 / 5.10.143 / 5.15.69 / 5.18.18 /
    5.19.7 / mainline 5.20+
  - can_unshare_userns() probes user_ns+net_ns clone availability
    (the exploit's CAP_NET_ADMIN-in-userns gate)
  - cls_route4_module_available() checks /proc/modules
  - Reports VULNERABLE if kernel in range AND user_ns allowed;
    PRECOND_FAIL if user_ns denied; OK if patched.
  - Exploit stub returns IAMROOT_PRECOND_FAIL with reference to
    kylebot's public PoC.
  - Auditd rule: tc-style sendto syscalls (rough; legit traffic
    shaping will trip — tune by user).

iamroot.c + Makefile + core/registry.h wired. CVES.md row added.

Verified on kctf-mgr (6.12.86): module reports OK, total module
count = 11.
 2026-05-16 20:33:14 -04:00
leviathan 3eeee01f06 Phase 7: overlayfs CVE-2021-3493 module (Ubuntu userns LPE) — detect-only 
10th module. Ubuntu-specific userns + overlayfs LPE that injects file
capabilities cross-namespace.

- modules/overlayfs_cve_2021_3493/iamroot_modules.{c,h}:
  - is_ubuntu() — parses /etc/os-release for ID=ubuntu or
    ID_LIKE=ubuntu. Non-Ubuntu hosts get IAMROOT_OK immediately (the
    bug is specific to Ubuntu's modified overlayfs).
  - unprivileged_userns_clone gate — sysctl=0 → PRECOND_FAIL
  - Active probe (--active): forks a child that enters userns +
    mountns and attempts the overlayfs mount inside /tmp. Mount
    success on Ubuntu = VULNERABLE. Mount denied = patched / AppArmor
    block. Child-isolated so parent's namespace state is untouched.
  - Version fallback: kernel < 5.13 = vulnerable-by-inference for
    Ubuntu kernels; recommend --active for confirmation.
  - Exploit: detect-only stub. Reference vsh's exploit-cve-2021-3493
    for full version (mount overlayfs in userns, drop binary with
    cap_setuid+ep into upper layer, re-exec outside ns).
  - Embedded auditd rules: mount(overlay) syscall + security.capability
    xattr writes (the exploit's two-step footprint).

Verified end-to-end on kctf-mgr (Debian):
  iamroot --scan → 'not Ubuntu — bug is Ubuntu-specific' → IAMROOT_OK

Module count: 10. Active-probe pattern now applies to dirty_pipe,
entrybleed, and overlayfs (and copy_fail_family via existing
dirtyfail_active_probes global). Detect quality across the corpus
materially improved this session.
 2026-05-16 20:22:32 -04:00
leviathan a4b7238e4a Phase 7: nf_tables CVE-2024-1086 + active probe for dirty_pipe 
dirty_pipe detect: active sentinel probe (Phase 1.5-ish improvement)
- New dirty_pipe_active_probe(): creates a /tmp probe file with known
  sentinel bytes, fires the Dirty Pipe primitive against it, re-reads
  via the page cache, returns true if the poisoning landed.
- detect() gated on ctx->active_probe: --scan does version-only check
  (fast, no side effects); --scan --active fires the empirical probe
  and overrides version inference with the empirical verdict. Catches
  silent distro backports that don't bump uname() version.
- Three verdicts now distinguishable:
  (a) version says patched, no active probe → 'patched (version-only)'
  (b) version says vulnerable, --active fires + probe lands → CONFIRMED
  (c) version says vulnerable, --active fires + probe blocked → 'likely
      patched via distro backport'
- Probe is safe: only /tmp, no /etc/passwd.

nf_tables CVE-2024-1086 (detect-only, new module):
- Famous Notselwyn UAF in nft_verdict_init. Affects 5.14 ≤ K, fixed
  mainline 6.8 with backports landing in 5.4.269 / 5.10.210 / 5.15.149
  / 6.1.74 / 6.6.13 / 6.7.2.
- detect() checks: kernel version range, AND unprivileged user_ns clone
  availability (the exploit's reachability gate — kernel-vulnerable
  but userns-locked-down hosts report PRECOND_FAIL, signalling that
  the kernel still needs patching but unprivileged path is closed).
- Ships auditd + sigma detection rules: unshare(CLONE_NEWUSER) chained
  with setresuid(0,0,0) on a previously-non-root process is the
  exploit's canonical telltale.
- Full Notselwyn-style exploit (cross-cache UAF → arbitrary R/W → cred
  overwrite or modprobe_path hijack) is the next commit.

9 modules total now. CVES.md and ROADMAP.md updated.
 2026-05-16 20:19:11 -04:00
leviathan f1bd896ca8 Phase 7: Pwnkit FULL exploit (Qualys-style PoC) + DEFENDERS.md 
Pwnkit: 🔵🟢
- Implements the canonical Qualys-style PoC end-to-end:
  1. Locate setuid pkexec
  2. mkdtemp working directory under /tmp
  3. Detect target's gcc/cc (fail-soft if absent)
  4. Write payload.c (gconv constructor: unsetenv hostile vars,
     setuid(0), execle /bin/sh -p with clean PATH)
  5. gcc -shared -fPIC payload.c -o pwnkit/PWNKIT.so
  6. Write gconv-modules cache pointing UTF-8// → PWNKIT//
  7. execve(pkexec, NULL_argv, envp{GCONV_PATH=workdir/pwnkit,
     PATH=GCONV_PATH=., CHARSET=PWNKIT, SHELL=pwnkit})
     → argc=0 triggers argv-overflow-into-envp; pkexec re-execs
     with PATH set to our tmpdir; libc's iconv loads PWNKIT.so
     as root; constructor pops /bin/sh with uid=0.
- Cleanup: removes /tmp/iamroot-pwnkit-* workdirs.
- Auto-refuses on patched hosts (re-runs detect() first).
- GCC -Wformat-truncation warnings fixed by sizing path buffers
  generously (1024/2048 bytes — way more than needed in practice).

Verified end-to-end on kctf-mgr (polkit 126 = patched):
  iamroot --exploit pwnkit --i-know
  → detect() says fixed → refuses cleanly. Correct behavior.
Vulnerable-kernel validation is Phase 4 CI matrix work.

docs/DEFENDERS.md — blue-team deployment guide:
- TL;DR: scan, deploy rules, mitigate, watch
- Operations cheat sheet (--list, --scan, --detect-rules, --mitigate)
- Audit-key table mapping rule keys to modules to caught behavior
- Fleet-scanning recipe (ssh + jq aggregation)
- Known false-positive shapes per rule with tuning hints

CVES.md: pwnkit row updated 🔵🟢.
ROADMAP.md: Phase 7 Pwnkit checkbox marked complete.
 2026-05-16 20:13:11 -04:00
leviathan 43e290b224 Phase 7: Pwnkit (CVE-2021-4034) detect-only module 
First USERSPACE LPE in IAMROOT (every prior module is kernel). Same
iamroot_module interface — the difference is the affected-version
check is package-version-based rather than kernel-version-based.

- modules/pwnkit_cve_2021_4034/:
  - iamroot_modules.{c,h}: detect() locates setuid pkexec (one of
    /usr/bin/pkexec, /usr/sbin/pkexec, /bin/pkexec, /sbin/pkexec,
    /usr/local/bin/pkexec) and parses 'pkexec --version' output.
    Handles BOTH version-string formats: legacy '0.105'/'0.120'
    (older polkit) AND modern bare-integer '121'/'126' (post-0.121
    rename to single-number scheme). Reports VULNERABLE on parse
    failure (conservative).
  - exploit() returns IAMROOT_PRECOND_FAIL with a 'not yet
    implemented' message; full Qualys-PoC follow-up is the next
    commit. ~200 lines including embedded .so generator.
  - MODULE.md documents the bug, affected ranges, distro backport
    landscape (RHEL 7/8, Ubuntu focal/impish, Debian buster/bullseye
    each have their own backported polkit version).
  - Embedded auditd + sigma detection rules:
    auditd: pkexec watch + execve audit
    sigma:  pkexec invocation + suspicious env (GCONV_PATH, CHARSET)

- core/registry.h adds iamroot_register_pwnkit() declaration.
- iamroot.c main() registers pwnkit.
- Makefile gains the pwnkit family as a separate object set.

Verified end-to-end on kctf-mgr (modern polkit 126):
  iamroot --list  → 8 modules
  iamroot --scan  → pwnkit reports 'version 126 ≥ 0.121 (fixed)'
  iamroot --detect-rules --format=auditd | grep pwnkit → emits
 2026-05-16 20:07:40 -04:00
leviathan 28ad566964 Phase 6 (partial): --mitigate bridged for copy_fail_family 
- copy_fail_family/iamroot_modules.c: two new bridge functions
  - copy_fail_family_mitigate: calls existing mitigate_apply() which
    blacklists algif_aead + esp4 + esp6 + rxrpc, sets
    kernel.apparmor_restrict_unprivileged_userns=1, drops caches.
  - copy_fail_family_cleanup: heuristic-routed cleanup. If the
    mitigation conf file (/etc/modprobe.d/dirtyfail-mitigations.conf)
    exists → mitigate_revert(). Otherwise → try_revert_passwd_page_cache()
    to evict /etc/passwd from page cache.
- All 5 copy_fail_family modules' .mitigate and .cleanup fields now
  point at these shared family-wide handlers (the mitigation is
  family-wide, not per-CVE).
- dirty_pipe and entrybleed: no --mitigate offered (no canonical
  patches / only-fix-is-upgrade). Documented in ROADMAP.

Verified end-to-end on kctf-mgr as non-root user:
  iamroot --mitigate copy_fail → 'mitigate requires root' (correct)
  iamroot --cleanup  copy_fail → 'no mitigation conf; evicting page cache'

CVES.md gains a per-module ops table; ROADMAP.md marks Phase 6 partial.
 2026-05-16 20:04:32 -04:00
leviathan 5a0aef12d0 Phase 2 complete: Dirty Pipe full exploit (page-cache UID flip → su) 
- Implements the Dirty Pipe primitive: prepare_pipe() fills+drains a
  pipe to plant the stale PIPE_BUF_FLAG_CAN_MERGE flag in every
  pipe_buffer slot; dirty_pipe_write() splices 1 byte from the target
  file at offset-1 (seeding the slot with the file's page) then write()s
  the payload, which the buggy kernel merges back into the page cache.
- find_passwd_uid_field() + revert_passwd_page_cache() inlined in the
  module. Two-of-two duplication acceptable; extraction into core/host
  triggers when a third module needs the same helpers (Phase 1.5).
- dirty_pipe_exploit() resolves current euid via getpwuid, locates the
  user's UID field in /etc/passwd, replaces it with same-length zeros
  ('0000' for a 4-digit UID), then execlp's su <user> -c /bin/sh.
  Auto-refuses if detect() reports patched. --no-shell mode plants the
  write and returns. Cleanup mode evicts /etc/passwd from page cache.
- _GNU_SOURCE redefine warning fixed: cmdline -D already passes it.

Verified end-to-end on kernel 6.12.86 (patched):
  iamroot --scan      → dirty_pipe reports OK (patched)
  iamroot --exploit dirty_pipe --i-know → refuses cleanly
CI-validation against vulnerable kernel (Ubuntu 20.04 / 5.13) is Phase 4.

CVES.md: dirty_pipe 🔵🟢. ROADMAP.md: Phase 2 marked complete.
 2026-05-16 20:02:02 -04:00
leviathan f03efbff13 Phase 3: EntryBleed module — working stage-1 kbase leak brick 
- modules/entrybleed_cve_2023_0458/ (promoted out of _stubs):
  - iamroot_modules.{c,h}: full EntryBleed primitive (rdtsc_start/end
    + prefetchnta + KASLR-slot timing sweep) wired into the standard
    iamroot_module interface. x86_64 only; ARM/other gracefully
    return IAMROOT_PRECOND_FAIL.
  - detect(): reads /sys/.../vulnerabilities/meltdown to decide
    KPTI status. Mitigation: PTI → VULNERABLE. Not affected → OK.
  - exploit(): sweeps the 16MiB KASLR range, prints leaked kbase
    (and KASLR slide). JSON-mode emits {"kbase":"0x..."} to stdout.
  - entrybleed_leak_kbase_lib(off) declared as a public library
    helper so future LPE chains needing a stage-1 leak can just
    #include the module's header and call it.
  - entry_SYSCALL_64 slot offset overridable via
    IAMROOT_ENTRYBLEED_OFFSET (default 0x5600000 for lts-6.12.x).

- __always_inline fallback added since glibc/Linux-kernel macro
  isn't universal; module now builds clean under macOS clangd lint
  and on musl.

- iamroot.c registers entrybleed alongside the other families;
  Makefile gains it as a separate object set.

Verified end-to-end on kctf-mgr (Debian 6.12.86):
  iamroot --exploit entrybleed --i-know
  → [+] entrybleed: leaked kbase = 0xffffffff8d800000

This is the FIRST WORKING-EXPLOIT module in IAMROOT (5
copy_fail_family modules wrap existing code from DIRTYFAIL;
dirty_pipe is detect-only). EntryBleed is x86_64 stage-1 brick
that future chains can compose.
 2026-05-16 19:55:22 -04:00
leviathan 1552a3bfcb Phase 2 (partial): Dirty Pipe DETECT-ONLY module + core/kernel_range 
- core/kernel_range.{c,h}: branch-aware patched-version comparison.
  Every future module needs 'is the host kernel in the affected
  range?'; centralized here. Models stable-branch backports
  (e.g. 5.10.102, 5.15.25) so a 5.15.20 host correctly reports
  VULNERABLE while a 5.15.50 host reports OK.

- modules/dirty_pipe_cve_2022_0847/ (promoted out of _stubs):
  - iamroot_modules.{c,h}: dirty_pipe module exposing detect() that
    parses /proc/version and compares against the four known patched
    branches (5.10.102, 5.15.25, 5.16.11, 5.17+ inherited). Returns
    IAMROOT_OK / IAMROOT_VULNERABLE / IAMROOT_TEST_ERROR with stderr
    hints in human-readable scan mode.
  - exploit() returns IAMROOT_PRECOND_FAIL with a 'not yet
    implemented' message; landing the actual exploit needs Phase 1.5
    extraction of passwd/su helpers into core/.
  - detect/auditd.rules: splice() syscall + passwd/shadow file watches
  - detect/sigma.yml: non-root modification of /etc/passwd|shadow|sudoers

- iamroot.c main() calls iamroot_register_dirty_pipe() alongside
  the copy_fail_family registration.

- Makefile gains the dirty_pipe family as a separate object set.

Verified end-to-end on kctf-mgr (kernel 6.12.86): build clean, 6
modules in --list, --scan correctly reports dirty_pipe as patched,
JSON output ingest-ready.
 2026-05-16 19:51:47 -04:00
leviathan 19b9162b1d ROADMAP: mark Phase 1 done; CVES: use new short module names 2026-05-16 19:32:52 -04:00
leviathan cf30b249de Initial skeleton: README, CVE inventory, roadmap, ARCH, ethics + copy_fail_family module absorbed from DIRTYFAIL 2026-05-16 19:26:24 -04:00