leviathan/SKELETONKEY
1
0
Fork 0
Code Issues Pull Requests Actions 21 Packages Projects Releases Wiki Activity
Files
92396a0d6d2e71ca9b58445e630ac47dde0ff0ff
SKELETONKEY/tools/verify-vm/targets.yaml
T
leviathan 8ac041a295
release / build (arm64) (push) Waiting to run
Details
release / build (x86_64) (push) Waiting to run
Details
release / build (x86_64-static / musl) (push) Waiting to run
Details
release / build (arm64-static / musl) (push) Waiting to run
Details
release / release (push) Blocked by required conditions
Details
release v0.9.1: VM verification sweep 22 → 27 
Five more CVEs empirically confirmed end-to-end against real Linux VMs:
- CVE-2019-14287 sudo_runas_neg1 (Ubuntu 18.04 + sudoers grant)
- CVE-2020-29661 tioscpgrp        (Ubuntu 20.04 pinned to 5.4.0-26)
- CVE-2024-26581 nft_pipapo       (Ubuntu 22.04 + mainline 5.15.5)
- CVE-2025-32463 sudo_chwoot      (Ubuntu 22.04 + sudo 1.9.16p1 from source)
- CVE-2025-6019  udisks_libblockdev (Debian 12 + udisks2 + polkit rule)

Required real plumbing work:
- Per-module provisioner hook (tools/verify-vm/provisioners/<module>.sh)
- Two-phase provision in verify.sh (prep → reboot if needed → verify)
  fixes silent-fail where new kernel installed but VM never rebooted
- GRUB_DEFAULT pinning in both pin-kernel and pin-mainline blocks
  (kernel downgrades like 5.4.0-169 → 5.4.0-26 now actually boot the target)
- Old-mainline URL fallback in pin-mainline (≤ 4.15 debs at /v$KVER/ not /amd64/)

mutagen_astronomy marked manual: true — mainline 4.14.70 kernel-panics on
Ubuntu 18.04's rootfs ('Failed to execute /init (error -8)' — kernel config
mismatch). Genuinely needs a CentOS 6 / Debian 7 image.
2026-05-23 23:35:02 -04:00

287 lines
15 KiB
YAML
Raw Blame History

# tools/verify-vm/targets.yaml — VM verification targets per module
#
# For each module, the (box, kernel) pair the verifier should spin up to
# empirically confirm detect() + exploit() against a KNOWN-VULNERABLE
# kernel. Picked from Debian snapshot / kernel.ubuntu.com / Ubuntu HWE
# archives — every version below is fetch-able as a .deb package.
#
# Schema:
# <module_name>:
# box: vagrant box name (matches tools/verify-vm/boxes/<NAME>/)
# kernel_pkg: apt package name to install for the vulnerable kernel
# (omit / empty if the stock distro kernel is already vulnerable)
# kernel_version: expected /proc/version-style major.minor.patch
# expect_detect: what skeletonkey --explain should say on a confirmed-vulnerable
# target. One of: VULNERABLE | OK | PRECOND_FAIL.
# notes: short rationale for the target choice.
#
# Boxes available (matches tools/verify-vm/boxes/):
# debian11 — Debian 11 bullseye (5.10.0 stock)
# debian12 — Debian 12 bookworm (6.1.0 stock)
# ubuntu1804 — Ubuntu 18.04 LTS (4.15.0 stock; HWE up to 5.4)
# ubuntu2004 — Ubuntu 20.04 LTS (5.4.0 stock; HWE up to 5.15)
# ubuntu2204 — Ubuntu 22.04 LTS (5.15.0 stock; HWE up to 6.5)
#
# Adding a new target: pick the oldest LTS box whose stock or HWE kernel
# is below the module's kernel_range fix threshold; if no LTS works,
# install a pinned kernel from kernel.ubuntu.com / snapshot.debian.org
# via the kernel_pkg field.
#
# Modules where no fully-automatic vulnerable target exists (need manual
# kernel build or a special distro variant) are marked manual: true with
# a comment explaining the constraint.
af_packet:
box: ubuntu1804
kernel_pkg: "" # stock 4.15.0-213-generic — patch backported
kernel_version: "4.15.0"
expect_detect: OK
notes: "CVE-2017-7308; bug fixed mainline 4.10.6 + 4.9.18 backports. Ubuntu 18.04 stock kernel (4.15.0) is post-fix — detect() correctly returns OK. To validate the VULNERABLE path empirically would need a hand-built 4.4 or earlier kernel; deferred."
af_packet2:
box: ubuntu2004
kernel_pkg: linux-image-5.4.0-26-generic
kernel_version: "5.4.0-26"
expect_detect: VULNERABLE
notes: "CVE-2020-14386; fixed in 5.9 mainline + backports; 5.4.0-26 (Ubuntu 20.04 launch) is pre-fix."
af_unix_gc:
box: ubuntu2204
kernel_pkg: ""
mainline_version: "5.15.5" # kernel.ubuntu.com/mainline/v5.15.5/ — below 5.15.130 backport
kernel_version: "5.15.5"
expect_detect: VULNERABLE
notes: "CVE-2023-4622; fix mainline 6.5 + backports 5.15.130/6.1.51/etc. Mainline 5.15.5 (Nov 2021) predates all backports and any silent distro patching. Installed via kernel.ubuntu.com/mainline/v5.15.5/."
cgroup_release_agent:
box: debian11
kernel_pkg: "" # 5.10.0 stock is pre-fix (fix 5.17)
kernel_version: "5.10.0"
expect_detect: VULNERABLE
notes: "CVE-2022-0492; fix landed 5.17 mainline + 5.16.9 stable; 5.10.0 is below."
cls_route4:
box: ubuntu2004
kernel_pkg: linux-image-5.15.0-43-generic
kernel_version: "5.15.0-43"
expect_detect: VULNERABLE
notes: "CVE-2022-2588; fix landed 5.19 / backports 5.10.143 / 5.15.67; 5.15.0-43 is below."
dirty_cow:
box: ubuntu1804
kernel_pkg: "" # 4.15.0 has the COW race fix; need older kernel
kernel_version: "4.4.0"
expect_detect: OK
notes: "CVE-2016-5195; ALL 4.4+ kernels have the fix backported. Ubuntu 18.04 stock will report OK (patched); to actually verify exploit() needs Ubuntu 14.04 / kernel ≤ 4.4.0-46. Use a custom box for that."
manual_for_exploit_verify: true
dirty_pipe:
box: ubuntu2204
kernel_pkg: "" # 22.04 stock 5.15.0-91-generic
kernel_version: "5.15.0"
expect_detect: OK
notes: "CVE-2022-0847; introduced 5.8, fixed 5.16.11 / 5.15.25. Ubuntu 22.04 ships 5.15.0-91-generic, where uname reports '5.15.0' (below the 5.15.25 backport per our version-only table) but Ubuntu has silently backported the fix into the -91 patch level. Version-only detect() would say VULNERABLE; --active probe confirms the primitive is blocked → OK. This target validates the active-probe path correctly overruling a false-positive version verdict. (Originally pointed at Ubuntu 20.04 + pinned 5.13.0-19, but that HWE kernel is no longer in 20.04's apt archive.)"
dirtydecrypt:
box: debian12
kernel_pkg: "" # only Linux 7.0+ has the bug — needs custom kernel
kernel_version: "7.0.0"
expect_detect: OK
notes: "CVE-2026-31635; bug introduced in 7.0 rxgk path. NO mainline 7.0 distro shipping yet — Debian 12 will report OK (predates the bug). Verifying exploit() needs a hand-built 7.0-rc kernel."
manual_for_exploit_verify: true
entrybleed:
box: ubuntu2204
kernel_pkg: "" # any KPTI-enabled x86_64 kernel
kernel_version: "5.15.0"
expect_detect: VULNERABLE
notes: "CVE-2023-0458; side-channel applies to any KPTI-on Intel x86_64 host. Stock Ubuntu 22.04 will report VULNERABLE if meltdown sysfs shows 'Mitigation: PTI'."
fragnesia:
box: debian12
kernel_pkg: ""
kernel_version: "7.0.0"
expect_detect: OK
notes: "CVE-2026-46300; XFRM ESP-in-TCP bug. Needs 7.0-rc; Debian 12 reports OK."
manual_for_exploit_verify: true
fuse_legacy:
box: debian11
kernel_pkg: "" # 5.10.0 is pre-fix (fix 5.16)
kernel_version: "5.10.0"
expect_detect: VULNERABLE
notes: "CVE-2022-0185; fix 5.16.2 mainline + 5.10.93 stable; Debian 11 stock 5.10.0 is below."
netfilter_xtcompat:
box: debian11
kernel_pkg: "" # 5.10.0 (Debian 11 stock) is pre-fix (fix 5.13 + 5.10.46)
kernel_version: "5.10.0"
expect_detect: VULNERABLE
notes: "CVE-2021-22555; 15-year-old bug; Debian 11 stock 5.10.0 below the 5.10.38 fix backport."
nf_tables:
box: ubuntu2204
kernel_pkg: ""
mainline_version: "5.15.5"
kernel_version: "5.15.5"
expect_detect: VULNERABLE
notes: "CVE-2024-1086; bug introduced 5.14; fix mainline 6.8 + 5.15.149/6.1.74 backports. Mainline 5.15.5 (Nov 2021) is well below 5.15.149 — empirically vulnerable. Installed via kernel.ubuntu.com/mainline/v5.15.5/."
nft_fwd_dup:
box: debian11
kernel_pkg: "" # 5.10.0 below the 5.10.103 backport
kernel_version: "5.10.0"
expect_detect: VULNERABLE
notes: "CVE-2022-25636; fix 5.17 mainline + 5.10.103 backport; Debian 11 stock 5.10.0 below."
nft_payload:
box: ubuntu2004
kernel_pkg: linux-image-5.15.0-43-generic
kernel_version: "5.15.0-43"
expect_detect: VULNERABLE
notes: "CVE-2023-0179; fix 6.2 mainline + 5.15.91 / 5.10.162 backports; 5.15.0-43 is below."
nft_set_uaf:
box: ubuntu2204
kernel_pkg: ""
mainline_version: "5.15.5"
kernel_version: "5.15.5"
expect_detect: VULNERABLE
notes: "CVE-2023-32233; bug introduced 5.1; fix mainline 6.4-rc4 + 6.1.27/5.15.110 backports. Mainline 5.15.5 (Nov 2021) is below 5.15.110 — empirically vulnerable. Installed via kernel.ubuntu.com/mainline/v5.15.5/."
overlayfs:
box: ubuntu2004
kernel_pkg: "" # Ubuntu-specific bug; stock 5.4 is pre-fix
kernel_version: "5.4.0"
expect_detect: VULNERABLE
notes: "CVE-2021-3493; Ubuntu-specific overlayfs userns capability injection. Stock 5.4.0 in Ubuntu 20.04 is below the fixed package."
overlayfs_setuid:
box: ubuntu2204
kernel_pkg: "" # 5.15.0 stock is pre-fix (5.15.110 backport)
kernel_version: "5.15.0"
expect_detect: VULNERABLE
notes: "CVE-2023-0386; fix 6.3 + 6.1.11 / 5.15.110 / 5.10.179; 5.15.0 stock is below."
pack2theroot:
box: debian12
kernel_pkg: "" # PackageKit-version bug, not kernel
kernel_version: "6.1.0"
expect_detect: PRECOND_FAIL
notes: "CVE-2026-41651; needs PackageKit ≤ 1.3.5 + polkit + an active D-Bus session bus. Debian 12's generic cloud image is server-oriented and does NOT install PackageKit (the bug's target daemon), so detect() correctly returns PRECOND_FAIL ('PackageKit daemon not registered on the system bus'). To validate the VULNERABLE path empirically, install packagekit in the VM before verifying ('apt install -y packagekit' + 'systemctl start packagekit'); deferred to a follow-up provisioner."
ptrace_traceme:
box: ubuntu1804
kernel_pkg: "" # 4.15.0 stock is below the 5.1.17 fix
kernel_version: "4.15.0"
expect_detect: VULNERABLE
notes: "CVE-2019-13272; fix 5.1.17 mainline; Ubuntu 18.04 stock 4.15 is below."
pwnkit:
box: ubuntu2004
kernel_pkg: "" # polkit 0.105 ships in Ubuntu 20.04 → vulnerable
kernel_version: "5.4.0"
expect_detect: VULNERABLE
notes: "CVE-2021-4034; polkit ≤ 0.120 vulnerable. Ubuntu 20.04 ships polkit 0.105."
sequoia:
box: ubuntu2004
kernel_pkg: linux-image-5.4.0-26-generic
kernel_version: "5.4.0-26"
expect_detect: VULNERABLE
notes: "CVE-2021-33909; fix 5.13.4 / 5.10.52 / 5.4.135; 5.4.0-26 is below."
stackrot:
box: ubuntu2204
kernel_pkg: ""
mainline_version: "6.1.10" # below the 6.1.37 backport
kernel_version: "6.1.10"
expect_detect: VULNERABLE
notes: "CVE-2023-3269; bug introduced 6.1; fix mainline 6.4 + 6.1.37/6.3.10 backports. Mainline 6.1.10 (Feb 2023) is below 6.1.37 — empirically vulnerable. Installed via kernel.ubuntu.com/mainline/v6.1.10/."
sudo_samedit:
box: ubuntu1804
kernel_pkg: "" # ubuntu 18.04 ships sudo 1.8.21 — vulnerable to 1.9.5p1
kernel_version: "4.15.0"
expect_detect: VULNERABLE
notes: "CVE-2021-3156; sudo 1.8.21 vulnerable; Ubuntu 18.04 ships 1.8.21p2."
sudoedit_editor:
box: ubuntu2204
kernel_pkg: "" # sudo 1.9.9 in Ubuntu 22.04 is vulnerable
kernel_version: "5.15.0"
expect_detect: PRECOND_FAIL
notes: "CVE-2023-22809; sudo ≤ 1.9.12p2 vulnerable, Ubuntu 22.04 ships 1.9.9 — version-wise vulnerable. BUT the default Vagrant 'vagrant' user has no sudoedit grant in /etc/sudoers, so detect() short-circuits to PRECOND_FAIL ('vuln version present, no grant to abuse'). This is correct and documented behaviour. To validate the VULNERABLE-by-version path empirically, provision a sudoers grant (e.g. `vagrant ALL=(ALL) sudoedit /tmp/probe`) before verifying — currently the Vagrantfile doesn't."
vmwgfx:
box: "" # vmware-guest only; no useful Vagrant box
kernel_pkg: ""
kernel_version: ""
expect_detect: PRECOND_FAIL
notes: "CVE-2023-2008; vmwgfx DRM only reachable on VMware guests. No Vagrant box; verify manually inside a VMware VM with a vulnerable kernel (e.g. Debian 11 / 5.10.0)."
manual: true
# ── v0.8.0 additions ──────────────────────────────────────────────
sudo_chwoot:
box: ubuntu2204 # 22.04 ships sudo 1.9.9 — provisioner builds 1.9.16p1 over it
kernel_pkg: "" # this bug is sudo-version-gated, not kernel
kernel_version: "5.15.0"
expect_detect: VULNERABLE
notes: "CVE-2025-32463; sudo --chroot NSS shim. Vulnerable range is sudo [1.9.14, 1.9.17p0]. provisioners/sudo_chwoot.sh builds sudo 1.9.16p1 from upstream sources into /usr/local/bin (which precedes /usr/bin in PATH so plain `sudo` resolves to the vulnerable binary)."
udisks_libblockdev:
box: debian12 # 12 ships udisks2 2.10.x + libblockdev 3.0.x — vulnerable
kernel_pkg: ""
kernel_version: "6.1.0"
expect_detect: VULNERABLE
notes: "CVE-2025-6019; udisks/libblockdev SUID-on-mount. provisioners/udisks_libblockdev.sh installs udisks2 + libblockdev-utils3 and drops a polkit rule allowing the vagrant user to invoke loop-setup/filesystem-mount — simulating the trust polkit would give a logged-in workstation user (the real-world bug-path). Without that rule, the SSH session is not 'active' per polkit and the D-Bus call short-circuits."
pintheft:
box: "" # RDS is blacklisted on every common Vagrant box's stock kernel
kernel_pkg: ""
kernel_version: ""
expect_detect: OK
notes: "CVE-2026-43494; PinTheft. Among Vagrant-supported distros, NONE autoload the rds kernel module (Arch Linux is the only common distro that does, and there's no maintained generic/arch-linux Vagrant box). On Debian/Ubuntu/Fedora boxes the AF_RDS socket() call fails with EAFNOSUPPORT → detect correctly returns OK ('bug exists in kernel but unreachable from userland here'). Verifying the VULNERABLE path needs either an Arch box, or a custom box with the rds module pre-loaded ('modprobe rds && modprobe rds_tcp'). Deferred."
manual: true
# ── v0.9.0 additions (gap fillers 2018 / 2019 / 2020 / 2024) ──────
mutagen_astronomy:
box: ""
kernel_pkg: ""
kernel_version: ""
expect_detect: ""
manual: true
notes: "CVE-2018-14634; Qualys Mutagen Astronomy. No good Vagrant verification environment: stock Ubuntu 18.04 (4.15.0-213) returns detect()=VULNERABLE because the module's kernel_range table has no entry for the 4.15.x series (Ubuntu's HWE backports are not modeled), but the kernel IS actually patched — false-positive of the conservative module logic. Mainline 4.14.70 (target VULNERABLE kernel) panics on Ubuntu 18.04's rootfs with 'Failed to execute /init (error -8)' — kernel config mismatch (binfmt_elf as module rather than baked-in). Genuinely vulnerable verification needs a contemporary CentOS 6 / Debian 7 image with original-vintage kernel; deferred to custom-box workflow."
sudo_runas_neg1:
box: ubuntu1804 # ships sudo 1.8.21p2 (vulnerable; pre-1.8.28 fix)
kernel_pkg: ""
kernel_version: "4.15.0"
expect_detect: VULNERABLE
notes: "CVE-2019-14287; sudo Runas -u#-1. Ubuntu 18.04 ships sudo 1.8.21p2 (vulnerable). provisioners/sudo_runas_neg1.sh adds 'vagrant ALL=(ALL,!root) NOPASSWD: /bin/vi' to /etc/sudoers.d/ so find_runas_blacklist_grant() has a grant to abuse."
tioscpgrp:
box: ubuntu2004 # 5.4 stock kernels (5.4.0-26) are below the 5.4.85 backport
kernel_pkg: linux-image-5.4.0-26-generic
kernel_version: "5.4.0-26"
expect_detect: VULNERABLE
notes: "CVE-2020-29661; TTY TIOCSPGRP UAF race. Stock Ubuntu 20.04 5.4.0-26 is below the 5.4.85 LTS backport. /dev/ptmx is universally writable in CI containers. Should validate VULNERABLE."
vsock_uaf:
box: "" # vsock module typically not loaded on CI containers (no virtualization)
kernel_pkg: ""
kernel_version: ""
expect_detect: OK
notes: "CVE-2024-50264; Pwn2Own 2024 vsock UAF. AF_VSOCK requires the vsock kernel module, which autoloads only on KVM/QEMU GUESTS. Vagrant VMs running under Parallels are themselves guests, but their guest kernel may or may not have vsock loaded depending on the Parallels host. detect correctly returns OK when AF_VSOCK is unavailable. To validate VULNERABLE, ensure the VM kernel has CONFIG_VSOCKETS + virtio-vsock loaded ('modprobe vsock_loopback' may suffice on newer kernels)."
manual: true
nft_pipapo:
box: ubuntu2204 # 5.15 stock + HWE — same pipapo set substrate as nf_tables
kernel_pkg: ""
mainline_version: "5.15.5"
kernel_version: "5.15.5"
expect_detect: VULNERABLE
notes: "CVE-2024-26581; nft_pipapo destroy-race (Notselwyn II). Same mainline 5.15.5 target as nf_tables works here — 5.15.5 is below the 5.15.149 backport. (Switched from apt-pinned 5.15.0-43 after that package was removed from Ubuntu repos.) Userns gate must be open (sysctl kernel.unprivileged_userns_clone=1)."
Reference in New Issue View Git Blame Copy Permalink