leviathan/SKELETONKEY
1
0
Fork 0
Code Issues Pull Requests Actions 21 Packages Projects Releases Wiki Activity
Files
6eab6d3f70f2dacd036fb561831dedb8ec37adea
SKELETONKEY/core/registry.h
T
leviathan 6eab6d3f70 Add cgroup_release_agent CVE-2022-0492 — FULL working exploit 
Universal container-escape LPE. Doesn't need msg_msg cross-cache groom,
no arch-specific shellcode, no version-specific offsets — bug is
structural (priv check in wrong namespace).

Mechanism:
  1. unshare(CLONE_NEWUSER | CLONE_NEWNS) → become 'root' in userns
  2. write uid_map/gid_map (deny setgroups first)
  3. mount cgroup v1 (rdma controller; memory fallback)
  4. mkdir /<mnt>/iamroot subgroup
  5. write payload-path → release_agent (in mount root)
  6. write '1' → notify_on_release (in subgroup)
  7. write our pid → cgroup.procs (in subgroup)
  8. exit → cgroup empties → kernel exec's payload as INIT-ns uid=0
  9. Payload drops /tmp/iamroot-cgroup-sh with setuid root
  10. Parent polls for the setuid-shell appearance + exec's it -p

- kernel_range: K < 5.17 mainline, backports across 4.9 / 4.14 / 4.19 /
  5.4 / 5.10 / 5.15 / 5.16 LTS branches.
- Detect probes user_ns+mount_ns clone via fork-isolated child.
- Cleanup removes /tmp/iamroot-cgroup-* + umount the workspace.
- Auditd: flag unshare + mount(cgroup) + /sys/fs/cgroup writes from
  non-root. Sigma rule for unshare+cgroup-mount chain.

Path buffers oversized to silence GCC -Wformat-truncation noise
(cgdir 384, ra_path 384, nor_path/cgproc_path 512).

Verified on Debian 6.12.86 (patched): detect reports OK; exploit
refuses cleanly. Module count = 19.
2026-05-16 21:09:34 -04:00

40 lines
1.3 KiB
C
Raw Blame History

/*
* IAMROOT — module registry
*
* Global list of registered modules. Each family contributes via
* register_<family>_modules() called from iamroot main() at startup.
*/
#ifndef IAMROOT_REGISTRY_H
#define IAMROOT_REGISTRY_H
#include "module.h"
void iamroot_register(const struct iamroot_module *m);
size_t iamroot_module_count(void);
const struct iamroot_module *iamroot_module_at(size_t i);
/* Find a module by name. Returns NULL if not found. */
const struct iamroot_module *iamroot_module_find(const char *name);
/* Each module family declares one of these in its public header. The
* top-level iamroot main() calls them in order at startup. */
void iamroot_register_copy_fail_family(void);
void iamroot_register_dirty_pipe(void);
void iamroot_register_entrybleed(void);
void iamroot_register_pwnkit(void);
void iamroot_register_nf_tables(void);
void iamroot_register_overlayfs(void);
void iamroot_register_cls_route4(void);
void iamroot_register_dirty_cow(void);
void iamroot_register_ptrace_traceme(void);
void iamroot_register_netfilter_xtcompat(void);
void iamroot_register_af_packet(void);
void iamroot_register_fuse_legacy(void);
void iamroot_register_stackrot(void);
void iamroot_register_af_packet2(void);
void iamroot_register_cgroup_release_agent(void);
#endif /* IAMROOT_REGISTRY_H */
Reference in New Issue View Git Blame Copy Permalink