leviathan/SKELETONKEY
1
0
Fork 0
Code Issues Pull Requests Actions 21 Packages Projects Releases Wiki Activity
Files
main
SKELETONKEY/modules/dirtydecrypt_cve_2026_31635/NOTICE.md
T
leviathan ac557b67d0 review pass: fidelity + credits + count consistency for ported modules 
Three-agent rigorous review of the dirtydecrypt + fragnesia ports plus
repo-wide doc consistency, followed by a full Linux build verification.

dirtydecrypt (NOTICE + detection rules):
- NOTICE.md: removed an unsupported "Zellic co-founder" detail and a
  fabricated disclosure-date narrative; tightened phrasing of the
  Zellic + V12 credit; noted that upstream poc.c carries no
  author/license header of its own.
- Embedded auditd + sigma rules and detect/sigma.yml broadened to
  cover every binary in dd_targets[] (added /usr/bin/mount,
  /usr/bin/passwd, /usr/bin/chsh) and added the b32 splice rule, so
  the embedded ruleset matches the on-disk reference and the carrier
  list the exploit actually targets.
- Exploit primitive verified byte-for-byte against the V12 PoC
  (tiny_elf[] identical, all rxgk/XDR/fire/pagecache_write logic
  token-identical). docker gcc:latest compile of the Linux path:
  COMPILE_OK, zero warnings.

fragnesia: review found no defects. Exploit primitive byte-identical
to the V12 PoC (shell_elf[] 192 bytes identical, AF_ALG GCM keystream
table + userns/netns/XFRM + receiver/sender/run_trigger_pair all
faithful). The deliberate omissions (ANSI TUI, CLI arg parsing) drop
nothing exploit-critical. docker gcc:latest compile: COMPILE_OK; full
project build links into a working skeletonkey ELF and --list shows
the module registered correctly.

Repo docs (README.md / CVES.md / ROADMAP.md):
- Chose to keep "28 verified" as the headline; the two ported
  modules are represented as a separate clearly-labelled tier
  ("ported-but-unverified") that is explicitly excluded from the
  28-module verified counts. README + CVES.md + ROADMAP.md now tell
  one consistent story.
- Filled a pre-existing documentation gap: sudo_samedit, sequoia,
  sudoedit_editor, vmwgfx were registered + built but absent from
  CVES.md's inventory + operations tables. Added rows synthesized
  from each module's .cve / .summary / .kernel_range fields.
- ROADMAP Phase 8 "7 🟡 PRIMITIVE modules" → "14"; added a "Landed
  since v0.1.0" group; moved vmwgfx out of the stale carry-overs.

docs site (docs/index.html):
- Stat box "28 / total modules" → "28 / verified modules" (the 14+14
  breakdown now sums to the headline consistently).
- Terminal example "scanning 28 modules" → "scanning 30 modules"
  (was factually wrong — the binary literally prints module_count()
  which is 30).
- Status line: updated to mention the 2 ported-but-unverified
  modules and mirror the README phrasing.
- docs/LAUNCH.md left as a dated v0.5.0 launch snapshot.

Build verification: `docker run gcc:latest make clean && make` —
links into a 30-module skeletonkey ELF on Linux. macOS dev box still
hits the pre-existing dirty_pipe header gap; unchanged.

.gitignore: added /skeletonkey to exclude the top-level build
artifact (the existing modules/*/skeletonkey only covered per-module
binaries; the root one was getting picked up by `git add -A`).
2026-05-22 18:41:37 -04:00

48 lines
2.0 KiB
Markdown
Raw Permalink Blame History

# NOTICE — dirtydecrypt
## Vulnerability
**CVE-2026-31635** — "DirtyDecrypt" / "DirtyCBC". Missing copy-on-write
guard in `rxgk_decrypt_skb()` (`net/rxrpc/rxgk_common.h`). The function
calls `skb_to_sgvec()` then `crypto_krb5_decrypt()` with no
`skb_cow_data()`; the `krb5enc` AEAD template (`crypto/krb5enc.c`)
decrypts **in place** before verifying the HMAC. When the skb fragment
pages are page-cache pages (spliced in via `MSG_SPLICE_PAGES` over
loopback), the in-place decrypt corrupts the page cache of a read-only
file. The same pattern exists in rxkad (`rxkad_verify_packet_2`).
Sibling of Copy Fail (CVE-2026-31431) and Dirty Frag
(CVE-2026-43284 / CVE-2026-43500) — all are page-cache write
primitives that abuse a missing COW boundary.
## Research credit
Discovered and reported by **Zellic** and the **V12 security** team.
Public proof-of-concept by **Luna Tong** ("cts" / "gf_256") of the
V12 security team.
> Reference PoC: <https://github.com/v12-security/pocs/tree/main/dirtydecrypt>
The upstream PoC file (`poc.c`) carries no author, project, or
`LICENSE` header of its own — its header is a purely technical
description of the bug. The credit above is from the public
disclosure, not from the file. CVE-2026-31635 was assigned for the
flaw; its fix commit is not pinned in this module (see below).
## SKELETONKEY role
`skeletonkey_modules.c` is a port of the V12 PoC into the
`skeletonkey_module` interface. The exploit primitive — the
`fire()` / `pagecache_write()` sliding-window machinery, the rxgk XDR
token builder, the 120-byte ET_DYN ELF payload — is reproduced from
that PoC. SKELETONKEY adds the detect/cleanup lifecycle, an `--active`
sentinel probe, `--no-shell` support, and the embedded detection
rules. Research credit belongs to the people above.
## Verification status
**Ported, not yet validated end-to-end on a vulnerable-kernel VM.**
The CVE-2026-31635 fix commit is not yet pinned in this module, so
`detect()` does not perform a kernel-version patched/vulnerable
verdict — see `MODULE.md`.
Reference in New Issue View Git Blame Copy Permalink