9593d90385
Breaking change. Tool name, binary name, function/type names,
constant names, env vars, header guards, file paths, and GitHub
repo URL all rebrand IAMROOT → SKELETONKEY.
Changes:
- All "IAMROOT" → "SKELETONKEY" (constants, env vars, enum
values, docs, comments)
- All "iamroot" → "skeletonkey" (functions, types, paths, CLI)
- iamroot.c → skeletonkey.c
- modules/*/iamroot_modules.{c,h} → modules/*/skeletonkey_modules.{c,h}
- tools/iamroot-fleet-scan.sh → tools/skeletonkey-fleet-scan.sh
- Binary "iamroot" → "skeletonkey"
- GitHub URL KaraZajac/IAMROOT → KaraZajac/SKELETONKEY
- .gitignore now expects build output named "skeletonkey"
- /tmp/iamroot-* tmpfiles → /tmp/skeletonkey-*
- Env vars IAMROOT_MODPROBE_PATH etc. → SKELETONKEY_*
New ASCII skeleton-key banner (horizontal key icon + ANSI Shadow
SKELETONKEY block letters) replaces the IAMROOT banner in
skeletonkey.c and README.md.
VERSION: 0.3.1 → 0.4.0 (breaking).
Build clean on Debian 6.12.86. `skeletonkey --version` → 0.4.0.
All 24 modules still register; no functional code changes — pure
rename + banner refresh.
NOTICE — pwnkit
Vulnerability
CVE-2021-4034 — pkexec argv[0]=NULL → environment-variable injection → arbitrary code execution as root.
Research credit
Discovered and disclosed by the Qualys Research Team, January 2022.
Original advisory: https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
Upstream fix: polkit 0.121 (Jan 2022).
SKELETONKEY role
The exploit module follows the canonical Qualys-style chain: it writes payload.c + gconv-modules cache, compiles via the target's gcc, and execve's pkexec with NULL argv and crafted envp. It handles both the legacy ("0.105") and modern ("126") polkit version string formats, and falls back gracefully on hosts without a compiler.
This is SKELETONKEY's first userspace LPE — not a kernel bug.
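
A defensive counterpart to the version handling described above, as an added example that is not part of SKELETONKEY's own code: a triage helper that normalises both polkit version string formats and compares them with the fix release named in this NOTICE. The function names, the enum and the sample lines (shaped like `pkexec --version` output) are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>

/* Fix release as stated in this NOTICE (polkit 0.121). Distros backport
 * fixes, so "below" means "check the package changelog", not "exploitable". */
#define POLKIT_FIXED_RELEASE 121

enum polkit_verdict { POLKIT_UNPARSED = -1, POLKIT_AT_OR_ABOVE_FIX, POLKIT_BELOW_FIX };

/* Normalise legacy "0.N" and modern "N" version strings to release number N.
 * The legacy minor is an integer, not a decimal: 0.105 is newer than 0.96.
 * Returns -1 when no plausible version is found. */
int polkit_release(const char *s)
{
    char *end;
    long major, minor;

    while (*s && !isdigit((unsigned char)*s))   /* skip "pkexec version " */
        s++;
    if (!*s)
        return -1;
    major = strtol(s, &end, 10);
    if (major == 0 && *end == '.' && isdigit((unsigned char)end[1])) {
        minor = strtol(end + 1, NULL, 10);
        return (minor > 9999) ? -1 : (int)minor;
    }
    return (major > 9999) ? -1 : (int)major;
}

enum polkit_verdict polkit_triage(const char *version_line)
{
    int rel = polkit_release(version_line);
    if (rel < 0)
        return POLKIT_UNPARSED;
    return rel >= POLKIT_FIXED_RELEASE ? POLKIT_AT_OR_ABOVE_FIX : POLKIT_BELOW_FIX;
}

int main(void)
{
    /* Constructed sample lines (hypothetical hosts), not captured output. */
    const char *samples[] = { "pkexec version 0.105", "pkexec version 0.121",
                              "pkexec version 126", "pkexec: not found" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-24s release=%d verdict=%d\n", samples[i],
               polkit_release(samples[i]), (int)polkit_triage(samples[i]));
    return 0;
}
```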