leviathan
9d88b475c1
The README has been claiming "each module credits the original CVE
reporter and PoC author in its NOTICE.md" since v0.1.0, but only
copy_fail_family actually shipped one. Fixed.
modules/<name>/NOTICE.md (×19 new + 1 existing): per-module
research credit covering CVE ID, discoverer, original advisory
URL where public, upstream fix commit, IAMROOT's role.
iamroot.c: new --dump-offsets subcommand. Resolves kernel offsets
via the existing core/offsets.c four-source chain (env →
/proc/kallsyms → /boot/System.map → embedded table), then emits
a ready-to-paste C struct entry for kernel_table[]. Run once
as root on a target kernel build; upstream via PR. Eliminates
fabricating offsets — every shipped entry traces back to a
`iamroot --dump-offsets` invocation on a real kernel.
docs/OFFSETS.md: documents the --dump-offsets workflow.
CVES.md: notes the NOTICE.md convention + offset dump tool.
iamroot.c: bump IAMROOT_VERSION 0.3.0 → 0.3.1.
1.0 KiB
NOTICE — ptrace_traceme (CVE-2019-13272)
Vulnerability
CVE-2019-13272 — PTRACE_TRACEME on a parent that subsequently
execve's a setuid binary leaves the now-elevated process traceable by
the unprivileged child → cred escalation via ptrace shellcode inject.
Research credit
Discovered by Jann Horn (Google Project Zero), June 2019.
Project Zero issue: https://bugs.chromium.org/p/project-zero/issues/detail?id=1903
Upstream fix: mainline 5.1.17 (commit 6994eefb0053, June 2019).
Branch backports: 4.4.182 / 4.9.182 / 4.14.131 / 4.19.58 / 5.0.20 / 5.1.17.
IAMROOT role
Full jannh-style chain: fork → child PTRACE_TRACEME → child
sleep+attach → parent execve setuid bin (pkexec/su/passwd
auto-selected) → child wins stale ptrace_link → POKETEXT x86_64
shellcode → root sh.
x86_64-only; ARM/other archs return PRECOND_FAIL cleanly. No exotic preconditions — doesn't need userns. Works on default-config systems including locked-down environments without unprivileged_userns_clone.