leviathan
ac557b67d0
Three-agent rigorous review of the dirtydecrypt + fragnesia ports plus
repo-wide doc consistency, followed by a full Linux build verification.
dirtydecrypt (NOTICE + detection rules):
- NOTICE.md: removed an unsupported "Zellic co-founder" detail and a
fabricated disclosure-date narrative; tightened phrasing of the
Zellic + V12 credit; noted that upstream poc.c carries no
author/license header of its own.
- Embedded auditd + sigma rules and detect/sigma.yml broadened to
cover every binary in dd_targets[] (added /usr/bin/mount,
/usr/bin/passwd, /usr/bin/chsh) and added the b32 splice rule, so
the embedded ruleset matches the on-disk reference and the carrier
list the exploit actually targets.
- Exploit primitive verified byte-for-byte against the V12 PoC
(tiny_elf[] identical, all rxgk/XDR/fire/pagecache_write logic
token-identical). docker gcc:latest compile of the Linux path:
COMPILE_OK, zero warnings.
fragnesia: review found no defects. Exploit primitive byte-identical
to the V12 PoC (shell_elf[] 192 bytes identical, AF_ALG GCM keystream
table + userns/netns/XFRM + receiver/sender/run_trigger_pair all
faithful). The deliberate omissions (ANSI TUI, CLI arg parsing) drop
nothing exploit-critical. docker gcc:latest compile: COMPILE_OK; full
project build links into a working skeletonkey ELF and --list shows
the module registered correctly.
Repo docs (README.md / CVES.md / ROADMAP.md):
- Chose to keep "28 verified" as the headline; the two ported
modules are represented as a separate clearly-labelled tier
("ported-but-unverified") that is explicitly excluded from the
28-module verified counts. README + CVES.md + ROADMAP.md now tell
one consistent story.
- Filled a pre-existing documentation gap: sudo_samedit, sequoia,
sudoedit_editor, vmwgfx were registered + built but absent from
CVES.md's inventory + operations tables. Added rows synthesized
from each module's .cve / .summary / .kernel_range fields.
- ROADMAP Phase 8 "7 🟡 PRIMITIVE modules" → "14"; added a "Landed
since v0.1.0" group; moved vmwgfx out of the stale carry-overs.
docs site (docs/index.html):
- Stat box "28 / total modules" → "28 / verified modules" (the 14+14
breakdown now sums to the headline consistently).
- Terminal example "scanning 28 modules" → "scanning 30 modules"
(was factually wrong — the binary literally prints module_count()
which is 30).
- Status line: updated to mention the 2 ported-but-unverified
modules and mirror the README phrasing.
- docs/LAUNCH.md left as a dated v0.5.0 launch snapshot.
Build verification: `docker run gcc:latest make clean && make` —
links into a 30-module skeletonkey ELF on Linux. macOS dev box still
hits the pre-existing dirty_pipe header gap; unchanged.
.gitignore: added /skeletonkey to exclude the top-level build
artifact (the existing modules/*/skeletonkey only covered per-module
binaries; the root one was getting picked up by `git add -A`).
33 lines
873 B
YAML
33 lines
873 B
YAML
title: Possible DirtyDecrypt exploitation (CVE-2026-31635)
|
|
id: 7c1e9a40-skeletonkey-dirtydecrypt
|
|
status: experimental
|
|
description: |
|
|
Detects the file-modification footprint of the rxgk page-cache write
|
|
(DirtyDecrypt / DirtyCBC, CVE-2026-31635): non-root creation of
|
|
AF_RXRPC sockets followed by modification of a setuid-root binary or
|
|
a credential file.
|
|
references:
|
|
- https://github.com/v12-security/pocs/tree/main/dirtydecrypt
|
|
logsource:
|
|
product: linux
|
|
service: auditd
|
|
detection:
|
|
modification:
|
|
type: 'PATH'
|
|
name|startswith:
|
|
- '/usr/bin/su'
|
|
- '/bin/su'
|
|
- '/usr/bin/mount'
|
|
- '/usr/bin/passwd'
|
|
- '/usr/bin/chsh'
|
|
- '/etc/passwd'
|
|
- '/etc/shadow'
|
|
not_root:
|
|
auid|expression: '!= 0'
|
|
condition: modification and not_root
|
|
level: high
|
|
tags:
|
|
- attack.privilege_escalation
|
|
- attack.t1068
|
|
- cve.2026.31635
|