9d88b475c1
The README has been claiming "each module credits the original CVE
reporter and PoC author in its NOTICE.md" since v0.1.0, but only
copy_fail_family actually shipped one. Fixed.
modules/<name>/NOTICE.md (×19 new + 1 existing): per-module
research credit covering CVE ID, discoverer, original advisory
URL where public, upstream fix commit, IAMROOT's role.
iamroot.c: new --dump-offsets subcommand. Resolves kernel offsets
via the existing core/offsets.c four-source chain (env →
/proc/kallsyms → /boot/System.map → embedded table), then emits
a ready-to-paste C struct entry for kernel_table[]. Run once
as root on a target kernel build; upstream via PR. Eliminates
fabricating offsets — every shipped entry traces back to a
`iamroot --dump-offsets` invocation on a real kernel.
docs/OFFSETS.md: documents the --dump-offsets workflow.
CVES.md: notes the NOTICE.md convention + offset dump tool.
iamroot.c: bump IAMROOT_VERSION 0.3.0 → 0.3.1.
NOTICE — pwnkit
Vulnerability
CVE-2021-4034 — pkexec argv[0]=NULL → environment-variable injection → arbitrary code execution as root.
Research credit
Discovered and disclosed by the Qualys Research Team, January 2022.
Original advisory: https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
Upstream fix: polkit 0.121 (Jan 2022).
IAMROOT role
The exploit module follows the canonical Qualys-style chain: writes payload.c + gconv-modules cache, compiles via the target's gcc, execve's pkexec with NULL argv and crafted envp. Handles both the legacy ("0.105") and modern ("126") polkit version string formats. Falls back gracefully on hosts without a compiler.
This is IAMROOT's first userspace LPE — not a kernel bug.
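Added example, not code from IAMROOT or this NOTICE: a defender-side version check that normalizes the two polkit version string formats named above (legacy "0.105", modern "126") and compares them against the 0.121 upstream fix. It assumes `pkexec --version` prints a line of the form `pkexec version 0.105`; the function names are mine.

```python
import re
import subprocess
from typing import Optional

# Upstream fix version from the NOTICE above: polkit 0.121 (Jan 2022).
# polkit dropped the "0." prefix after 0.120, so modern "121" and legacy
# "0.121" name the same release; we compare on that single integer.
FIXED_MINOR = 121

_VERSION_RE = re.compile(r"(\d+)(?:\.(\d+))?")


def normalize_polkit_version(text: str) -> int:
    """Map either polkit version spelling onto one integer.

    "pkexec version 0.105" -> 105   (legacy 0.x scheme)
    "pkexec version 126"   -> 126   (modern scheme, no "0." prefix)
    Raises ValueError when no usable version number is present.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no polkit version in {text!r}")
    major, minor = int(m.group(1)), m.group(2)
    if major == 0:
        if minor is None:
            raise ValueError(f"legacy version lacks minor part: {text!r}")
        return int(minor)
    return major


def upstream_vulnerable_to_cve_2021_4034(text: str) -> bool:
    """True when the reported upstream version predates the 0.121 fix.

    Caveat: distributions backport the fix without bumping the version
    (a patched 0.105 build is common), so True means "investigate via the
    distro advisory / package changelog", not "confirmed exploitable".
    """
    return normalize_polkit_version(text) < FIXED_MINOR


def check_local_pkexec() -> Optional[bool]:
    """Run `pkexec --version` on this host; None when pkexec is absent."""
    try:
        proc = subprocess.run(["pkexec", "--version"], capture_output=True,
                              text=True, check=False)
    except FileNotFoundError:
        return None
    return upstream_vulnerable_to_cve_2021_4034(proc.stdout)


if __name__ == "__main__":
    # Constructed sample lines covering both version string formats.
    for line in ("pkexec version 0.105", "pkexec version 0.121", "pkexec version 126"):
        verdict = "pre-fix upstream version" if upstream_vulnerable_to_cve_2021_4034(line) else "fixed upstream"
        print(f"{line} -> {verdict}")
```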