leviathan
a8c8d5ef1f
Two new page-cache-write LPE modules, both ported from the public V12 security PoCs (github.com/v12-security/pocs): - dirtydecrypt (CVE-2026-31635): rxgk missing-COW in-place decrypt. rxgk_decrypt_skb() decrypts spliced page-cache pages before the HMAC check, corrupting the page cache of a read-only file. Sibling of Copy Fail / Dirty Frag in the rxrpc subsystem. - fragnesia (CVE-2026-46300): XFRM ESP-in-TCP skb_try_coalesce() loses the SHARED_FRAG marker, so the ESP-in-TCP receive path decrypts page-cache pages in place. A latent bug exposed by the Dirty Frag fix (f4c50a4034e6). Retires the old _stubs/fragnesia_TBD stub. Both wrap the PoC exploit primitive in the skeletonkey_module interface: detect/exploit/cleanup, an --active /tmp sentinel probe, --no-shell support, and embedded auditd + sigma rules. The exploit body runs in a forked child so the PoC's exit()/die() paths cannot tear down the dispatcher. The fragnesia port drops the upstream PoC's ANSI TUI (incompatible with a shared dispatcher); the exploit mechanism is reproduced faithfully. Linux-only code is guarded with #ifdef __linux__ so the modules still compile on non-Linux dev boxes. VERIFICATION: ported, NOT yet validated end-to-end on a vulnerable-kernel VM. The CVE fix commits are not pinned, so detect() is precondition-only (PRECOND_FAIL / TEST_ERROR, never a blind VULNERABLE) and --auto will not fire them unless --active confirms. macOS stub-path compiles verified locally; the Linux exploit-path build is covered by CI (build.yml, ubuntu) only. See each MODULE.md. Wiring: core/registry.h, skeletonkey.c, Makefile, CVES.md, ROADMAP.md.
32 lines
1.4 KiB
Plaintext
32 lines
1.4 KiB
Plaintext
# Fragnesia (CVE-2026-46300) — auditd detection rules
|
|
#
|
|
# The XFRM ESP-in-TCP coalesce bug corrupts the page cache of a
|
|
# read-only file. These rules flag the syscall surface the exploit
|
|
# drives and writes to the setuid binaries it targets.
|
|
#
|
|
# Install: copy into /etc/audit/rules.d/ and `augenrules --load`, or
|
|
# skeletonkey --detect-rules --format=auditd | sudo tee \
|
|
# /etc/audit/rules.d/99-skeletonkey.rules
|
|
|
|
# Modification of common payload carriers / credential files
|
|
-w /usr/bin/su -p wa -k skeletonkey-fragnesia
|
|
-w /bin/su -p wa -k skeletonkey-fragnesia
|
|
-w /usr/bin/mount -p wa -k skeletonkey-fragnesia
|
|
-w /usr/bin/passwd -p wa -k skeletonkey-fragnesia
|
|
-w /usr/bin/chsh -p wa -k skeletonkey-fragnesia
|
|
-w /etc/passwd -p wa -k skeletonkey-fragnesia
|
|
-w /etc/shadow -p wa -k skeletonkey-fragnesia
|
|
|
|
# AF_ALG socket creation (family 38) — builds the GCM keystream table
|
|
-a always,exit -F arch=b64 -S socket -F a0=38 -k skeletonkey-fragnesia-afalg
|
|
|
|
# XFRM state setup over NETLINK_XFRM
|
|
-a always,exit -F arch=b64 -S sendto -k skeletonkey-fragnesia-xfrm
|
|
|
|
# TCP_ULP espintcp + ESP setsockopt surface
|
|
-a always,exit -F arch=b64 -S setsockopt -k skeletonkey-fragnesia-sockopt
|
|
|
|
# splice() drives page-cache pages into the ESP-in-TCP stream
|
|
-a always,exit -F arch=b64 -S splice -k skeletonkey-fragnesia-splice
|
|
-a always,exit -F arch=b32 -S splice -k skeletonkey-fragnesia-splice
|