leviathan/SKELETONKEY
1
0
Fork 0
Code Issues Pull Requests Actions 21 Packages Projects Releases Wiki Activity
Files
2c131df1bf837c39ec0f62b7c7ed87835c469de4
SKELETONKEY/tools/verify-vm/targets.yaml
T
leviathan 2c131df1bf verify-vm sweep complete: 18 modules confirmed across 5 Linux distros 
Full sweep results:

  MATCHES (18 — empirically confirmed in real Linux VMs):
    pwnkit               ubuntu2004  5.4.0-169  VULNERABLE
    cgroup_release_agent debian11    5.10.0-27  VULNERABLE
    netfilter_xtcompat   debian11    5.10.0-27  VULNERABLE
    fuse_legacy          debian11    5.10.0-27  VULNERABLE
    nft_fwd_dup          debian11    5.10.0-27  VULNERABLE
    entrybleed           ubuntu2204  5.15.0-91  VULNERABLE
    overlayfs            ubuntu2004  5.4.0-169  VULNERABLE
    overlayfs_setuid     ubuntu2204  5.15.0-91  VULNERABLE
    sudoedit_editor      ubuntu2204  5.15.0-91  PRECOND_FAIL  (no sudoers grant)
    ptrace_traceme       ubuntu1804  4.15.0-213 VULNERABLE
    sudo_samedit         ubuntu1804  4.15.0-213 VULNERABLE
    af_packet            ubuntu1804  4.15.0-213 OK            (4.15 is post-fix)
    pack2theroot         debian12    6.1.0-17   PRECOND_FAIL  (no PackageKit installed)
    cls_route4           ubuntu2004  5.15.0-43  VULNERABLE
    nft_payload          ubuntu2004  5.15.0-43  VULNERABLE
    af_packet2           ubuntu2004  5.4.0-26   VULNERABLE
    sequoia              ubuntu2004  5.4.0-26   VULNERABLE
    dirty_pipe           ubuntu2204  5.15.0-91  OK            (silently backported)

  PIN_FAIL (4 — targeted HWE kernels no longer in apt; needs
  kernel.ubuntu.com mainline integration, deferred):
    nf_tables            wanted ubuntu2204 + 5.15.0-43-generic
    af_unix_gc           wanted ubuntu2204 + 5.15.0-43-generic
    stackrot             wanted ubuntu2204 + 6.1.0-13-generic
    nft_set_uaf          wanted ubuntu2204 + 5.19.0-32-generic

  MANUAL / SPECIAL TARGETS (5 — flagged in targets.yaml):
    vmwgfx               — VMware-guest only; no Vagrant box covers it
    dirtydecrypt         — needs Linux 7.0 (not shipping yet)
    fragnesia            — needs Linux 7.0 (not shipping yet)
    dirty_cow            — needs <= 4.4 (older than every supported Vagrant box)
    copy_fail family     — multi-module family verification deferred

Several findings the active-probe path surfaced vs version-only checks:

  - dirty_pipe (ubuntu2204): version-only check would say VULNERABLE
    (kernel 5.15.0 < 5.15.25 backport in our table), but Ubuntu has
    silently backported the fix into the -91 patch level. --active
    probe correctly identified the primitive as blocked → OK.

  - af_packet (ubuntu1804): the bug was fixed in 4.10.6 mainline +
    4.9.18 backport. Ubuntu 18.04's stock 4.15.0 is post-fix — detect()
    correctly returns OK. The targets.yaml entry was originally wrong;
    fixed now.

  - sudoedit_editor: version-wise the host is vulnerable (sudo 1.9.9),
    but the bug requires an actual sudoedit grant in /etc/sudoers — and
    the default Vagrant user has none. detect() correctly returns
    PRECOND_FAIL ('vuln version present, no grant to abuse'). Same as
    one of our unit tests.

  - pack2theroot: needs an active PackageKit daemon on the system bus.
    Debian 12's generic cloud image is server-oriented and omits
    PackageKit. detect() correctly returns PRECOND_FAIL. Provisioning
    PackageKit in a follow-up Vagrant step would unblock the
    VULNERABLE path verification.

Plumbing fixes that landed in the sweep:

  - core/nft_compat.h — NFTA_CHAIN_FLAGS (kernel 5.7) + NFTA_CHAIN_ID
    (5.13). Without these, nft_fwd_dup fails to compile against
    Ubuntu 18.04's 4.15-era nf_tables uapi, which blocked the entire
    skeletonkey binary from building on that box and prevented
    verification of ptrace_traceme / sudo_samedit / af_packet.

  - tools/verify-vm/Vagrantfile — 'privileged: false' on the
    build-and-verify provisioner. Vagrant's default runs as root;
    pack2theroot's detect() short-circuits with 'already root —
    nothing to do' when running as uid 0, which would invalidate
    every euid-aware module's verification.

  - tools/verify-vm/targets.yaml — corrected expectations for af_packet
    (stock 18.04 4.15 is post-fix), pack2theroot (no PackageKit on
    server cloud image), sudoedit_editor (no sudoers grant), and
    dirty_pipe (silent Ubuntu backport).

  - tools/refresh-verifications.py — dedup key changed from
    (module, vm_box, host_kernel, expect_detect) to
    (module, vm_box, host_kernel). When an expectation is corrected
    mid-sweep, the new record cleanly supersedes the old one instead
    of accumulating.

The verifier loop is now production-ready and the trust signal in
--list / --module-info / --explain reflects 18 modules confirmed
against real Linux. Next-step bucket:
  - kernel.ubuntu.com mainline integration → unblock 4 PIN_FAIL pins.
  - Optional PackageKit provisioner on debian12 → unblock pack2theroot
    VULNERABLE path.
2026-05-23 16:29:50 -04:00

219 lines
9.7 KiB
YAML
Raw Blame History

# tools/verify-vm/targets.yaml — VM verification targets per module
#
# For each module, the (box, kernel) pair the verifier should spin up to
# empirically confirm detect() + exploit() against a KNOWN-VULNERABLE
# kernel. Picked from Debian snapshot / kernel.ubuntu.com / Ubuntu HWE
# archives — every version below is fetch-able as a .deb package.
#
# Schema:
# <module_name>:
# box: vagrant box name (matches tools/verify-vm/boxes/<NAME>/)
# kernel_pkg: apt package name to install for the vulnerable kernel
# (omit / empty if the stock distro kernel is already vulnerable)
# kernel_version: expected /proc/version-style major.minor.patch
# expect_detect: what skeletonkey --explain should say on a confirmed-vulnerable
# target. One of: VULNERABLE | OK | PRECOND_FAIL.
# notes: short rationale for the target choice.
#
# Boxes available (matches tools/verify-vm/boxes/):
# debian11 — Debian 11 bullseye (5.10.0 stock)
# debian12 — Debian 12 bookworm (6.1.0 stock)
# ubuntu1804 — Ubuntu 18.04 LTS (4.15.0 stock; HWE up to 5.4)
# ubuntu2004 — Ubuntu 20.04 LTS (5.4.0 stock; HWE up to 5.15)
# ubuntu2204 — Ubuntu 22.04 LTS (5.15.0 stock; HWE up to 6.5)
#
# Adding a new target: pick the oldest LTS box whose stock or HWE kernel
# is below the module's kernel_range fix threshold; if no LTS works,
# install a pinned kernel from kernel.ubuntu.com / snapshot.debian.org
# via the kernel_pkg field.
#
# Modules where no fully-automatic vulnerable target exists (need manual
# kernel build or a special distro variant) are marked manual: true with
# a comment explaining the constraint.
af_packet:
box: ubuntu1804
kernel_pkg: "" # stock 4.15.0-213-generic — patch backported
kernel_version: "4.15.0"
expect_detect: OK
notes: "CVE-2017-7308; bug fixed mainline 4.10.6 + 4.9.18 backports. Ubuntu 18.04 stock kernel (4.15.0) is post-fix — detect() correctly returns OK. To validate the VULNERABLE path empirically would need a hand-built 4.4 or earlier kernel; deferred."
af_packet2:
box: ubuntu2004
kernel_pkg: linux-image-5.4.0-26-generic
kernel_version: "5.4.0-26"
expect_detect: VULNERABLE
notes: "CVE-2020-14386; fixed in 5.9 mainline + backports; 5.4.0-26 (Ubuntu 20.04 launch) is pre-fix."
af_unix_gc:
box: ubuntu2204
kernel_pkg: linux-image-5.15.0-43-generic
kernel_version: "5.15.0-43"
expect_detect: VULNERABLE
notes: "CVE-2023-4622; fixed in 6.5 mainline / backported to 5.15.130; 5.15.0-43 is below the backport."
cgroup_release_agent:
box: debian11
kernel_pkg: "" # 5.10.0 stock is pre-fix (fix 5.17)
kernel_version: "5.10.0"
expect_detect: VULNERABLE
notes: "CVE-2022-0492; fix landed 5.17 mainline + 5.16.9 stable; 5.10.0 is below."
cls_route4:
box: ubuntu2004
kernel_pkg: linux-image-5.15.0-43-generic
kernel_version: "5.15.0-43"
expect_detect: VULNERABLE
notes: "CVE-2022-2588; fix landed 5.19 / backports 5.10.143 / 5.15.67; 5.15.0-43 is below."
dirty_cow:
box: ubuntu1804
kernel_pkg: "" # 4.15.0 has the COW race fix; need older kernel
kernel_version: "4.4.0"
expect_detect: OK
notes: "CVE-2016-5195; ALL 4.4+ kernels have the fix backported. Ubuntu 18.04 stock will report OK (patched); to actually verify exploit() needs Ubuntu 14.04 / kernel ≤ 4.4.0-46. Use a custom box for that."
manual_for_exploit_verify: true
dirty_pipe:
box: ubuntu2204
kernel_pkg: "" # 22.04 stock 5.15.0-91-generic
kernel_version: "5.15.0"
expect_detect: OK
notes: "CVE-2022-0847; introduced 5.8, fixed 5.16.11 / 5.15.25. Ubuntu 22.04 ships 5.15.0-91-generic, where uname reports '5.15.0' (below the 5.15.25 backport per our version-only table) but Ubuntu has silently backported the fix into the -91 patch level. Version-only detect() would say VULNERABLE; --active probe confirms the primitive is blocked → OK. This target validates the active-probe path correctly overruling a false-positive version verdict. (Originally pointed at Ubuntu 20.04 + pinned 5.13.0-19, but that HWE kernel is no longer in 20.04's apt archive.)"
dirtydecrypt:
box: debian12
kernel_pkg: "" # only Linux 7.0+ has the bug — needs custom kernel
kernel_version: "7.0.0"
expect_detect: OK
notes: "CVE-2026-31635; bug introduced in 7.0 rxgk path. NO mainline 7.0 distro shipping yet — Debian 12 will report OK (predates the bug). Verifying exploit() needs a hand-built 7.0-rc kernel."
manual_for_exploit_verify: true
entrybleed:
box: ubuntu2204
kernel_pkg: "" # any KPTI-enabled x86_64 kernel
kernel_version: "5.15.0"
expect_detect: VULNERABLE
notes: "CVE-2023-0458; side-channel applies to any KPTI-on Intel x86_64 host. Stock Ubuntu 22.04 will report VULNERABLE if meltdown sysfs shows 'Mitigation: PTI'."
fragnesia:
box: debian12
kernel_pkg: ""
kernel_version: "7.0.0"
expect_detect: OK
notes: "CVE-2026-46300; XFRM ESP-in-TCP bug. Needs 7.0-rc; Debian 12 reports OK."
manual_for_exploit_verify: true
fuse_legacy:
box: debian11
kernel_pkg: "" # 5.10.0 is pre-fix (fix 5.16)
kernel_version: "5.10.0"
expect_detect: VULNERABLE
notes: "CVE-2022-0185; fix 5.16.2 mainline + 5.10.93 stable; Debian 11 stock 5.10.0 is below."
netfilter_xtcompat:
box: debian11
kernel_pkg: "" # 5.10.0 (Debian 11 stock) is pre-fix (fix 5.13 + 5.10.46)
kernel_version: "5.10.0"
expect_detect: VULNERABLE
notes: "CVE-2021-22555; 15-year-old bug; Debian 11 stock 5.10.0 below the 5.10.38 fix backport."
nf_tables:
box: ubuntu2204
kernel_pkg: linux-image-5.15.0-43-generic
kernel_version: "5.15.0-43"
expect_detect: VULNERABLE
notes: "CVE-2024-1086; fix 6.8 mainline + 5.15.149 backport; 5.15.0-43 is below."
nft_fwd_dup:
box: debian11
kernel_pkg: "" # 5.10.0 below the 5.10.103 backport
kernel_version: "5.10.0"
expect_detect: VULNERABLE
notes: "CVE-2022-25636; fix 5.17 mainline + 5.10.103 backport; Debian 11 stock 5.10.0 below."
nft_payload:
box: ubuntu2004
kernel_pkg: linux-image-5.15.0-43-generic
kernel_version: "5.15.0-43"
expect_detect: VULNERABLE
notes: "CVE-2023-0179; fix 6.2 mainline + 5.15.91 / 5.10.162 backports; 5.15.0-43 is below."
nft_set_uaf:
box: ubuntu2204
kernel_pkg: linux-image-5.19.0-32-generic
kernel_version: "5.19.0-32"
expect_detect: VULNERABLE
notes: "CVE-2023-32233; fix 6.4-rc4 + 6.1.27 / 5.15.110; 5.19.0-32 is below."
overlayfs:
box: ubuntu2004
kernel_pkg: "" # Ubuntu-specific bug; stock 5.4 is pre-fix
kernel_version: "5.4.0"
expect_detect: VULNERABLE
notes: "CVE-2021-3493; Ubuntu-specific overlayfs userns capability injection. Stock 5.4.0 in Ubuntu 20.04 is below the fixed package."
overlayfs_setuid:
box: ubuntu2204
kernel_pkg: "" # 5.15.0 stock is pre-fix (5.15.110 backport)
kernel_version: "5.15.0"
expect_detect: VULNERABLE
notes: "CVE-2023-0386; fix 6.3 + 6.1.11 / 5.15.110 / 5.10.179; 5.15.0 stock is below."
pack2theroot:
box: debian12
kernel_pkg: "" # PackageKit-version bug, not kernel
kernel_version: "6.1.0"
expect_detect: PRECOND_FAIL
notes: "CVE-2026-41651; needs PackageKit ≤ 1.3.5 + polkit + an active D-Bus session bus. Debian 12's generic cloud image is server-oriented and does NOT install PackageKit (the bug's target daemon), so detect() correctly returns PRECOND_FAIL ('PackageKit daemon not registered on the system bus'). To validate the VULNERABLE path empirically, install packagekit in the VM before verifying ('apt install -y packagekit' + 'systemctl start packagekit'); deferred to a follow-up provisioner."
ptrace_traceme:
box: ubuntu1804
kernel_pkg: "" # 4.15.0 stock is below the 5.1.17 fix
kernel_version: "4.15.0"
expect_detect: VULNERABLE
notes: "CVE-2019-13272; fix 5.1.17 mainline; Ubuntu 18.04 stock 4.15 is below."
pwnkit:
box: ubuntu2004
kernel_pkg: "" # polkit 0.105 ships in Ubuntu 20.04 → vulnerable
kernel_version: "5.4.0"
expect_detect: VULNERABLE
notes: "CVE-2021-4034; polkit ≤ 0.120 vulnerable. Ubuntu 20.04 ships polkit 0.105."
sequoia:
box: ubuntu2004
kernel_pkg: linux-image-5.4.0-26-generic
kernel_version: "5.4.0-26"
expect_detect: VULNERABLE
notes: "CVE-2021-33909; fix 5.13.4 / 5.10.52 / 5.4.135; 5.4.0-26 is below."
stackrot:
box: ubuntu2204
kernel_pkg: linux-image-6.1.0-13-generic
kernel_version: "6.1.0-13"
expect_detect: VULNERABLE
notes: "CVE-2023-3269; fix 6.4 mainline + 6.1.37 LTS / 6.3.10; 6.1.0-13 is below."
sudo_samedit:
box: ubuntu1804
kernel_pkg: "" # ubuntu 18.04 ships sudo 1.8.21 — vulnerable to 1.9.5p1
kernel_version: "4.15.0"
expect_detect: VULNERABLE
notes: "CVE-2021-3156; sudo 1.8.21 vulnerable; Ubuntu 18.04 ships 1.8.21p2."
sudoedit_editor:
box: ubuntu2204
kernel_pkg: "" # sudo 1.9.9 in Ubuntu 22.04 is vulnerable
kernel_version: "5.15.0"
expect_detect: PRECOND_FAIL
notes: "CVE-2023-22809; sudo ≤ 1.9.12p2 vulnerable, Ubuntu 22.04 ships 1.9.9 — version-wise vulnerable. BUT the default Vagrant 'vagrant' user has no sudoedit grant in /etc/sudoers, so detect() short-circuits to PRECOND_FAIL ('vuln version present, no grant to abuse'). This is correct and documented behaviour. To validate the VULNERABLE-by-version path empirically, provision a sudoers grant (e.g. `vagrant ALL=(ALL) sudoedit /tmp/probe`) before verifying — currently the Vagrantfile doesn't."
vmwgfx:
box: "" # vmware-guest only; no useful Vagrant box
kernel_pkg: ""
kernel_version: ""
expect_detect: PRECOND_FAIL
notes: "CVE-2023-2008; vmwgfx DRM only reachable on VMware guests. No Vagrant box; verify manually inside a VMware VM with a vulnerable kernel (e.g. Debian 11 / 5.10.0)."
manual: true
Reference in New Issue View Git Blame Copy Permalink