leviathan/SKELETONKEY
1
0
Fork 0
Code Issues Pull Requests Actions 21 Packages Projects Releases Wiki Activity
Files
cee368d5a4db81c2b0b84caea4326965feaf7d10
SKELETONKEY/CVES.md
T
leviathan f03efbff13 Phase 3: EntryBleed module — working stage-1 kbase leak brick 
- modules/entrybleed_cve_2023_0458/ (promoted out of _stubs):
  - iamroot_modules.{c,h}: full EntryBleed primitive (rdtsc_start/end
    + prefetchnta + KASLR-slot timing sweep) wired into the standard
    iamroot_module interface. x86_64 only; ARM/other gracefully
    return IAMROOT_PRECOND_FAIL.
  - detect(): reads /sys/.../vulnerabilities/meltdown to decide
    KPTI status. Mitigation: PTI → VULNERABLE. Not affected → OK.
  - exploit(): sweeps the 16MiB KASLR range, prints leaked kbase
    (and KASLR slide). JSON-mode emits {"kbase":"0x..."} to stdout.
  - entrybleed_leak_kbase_lib(off) declared as a public library
    helper so future LPE chains needing a stage-1 leak can just
    #include the module's header and call it.
  - entry_SYSCALL_64 slot offset overridable via
    IAMROOT_ENTRYBLEED_OFFSET (default 0x5600000 for lts-6.12.x).

- __always_inline fallback added since glibc/Linux-kernel macro
  isn't universal; module now builds clean under macOS clangd lint
  and on musl.

- iamroot.c registers entrybleed alongside the other families;
  Makefile gains it as a separate object set.

Verified end-to-end on kctf-mgr (Debian 6.12.86):
  iamroot --exploit entrybleed --i-know
  → [+] entrybleed: leaked kbase = 0xffffffff8d800000

This is the FIRST WORKING-EXPLOIT module in IAMROOT (5
copy_fail_family modules wrap existing code from DIRTYFAIL;
dirty_pipe is detect-only). EntryBleed is x86_64 stage-1 brick
that future chains can compose.
2026-05-16 19:55:22 -04:00

4.1 KiB
Raw Blame History

CVE inventory

The curated list of CVEs IAMROOT exploits, with patch status and module status. Updated as new modules land or as upstream patches ship.

Status legend:

  • 🟢 WORKING — module verified to land root on a vulnerable host
  • 🟡 PARTIAL — module detects + exploits on some distros, not all
  • 🔵 DETECT-ONLY — module fingerprints presence/absence but no exploit (yet). Useful for blue teams.
  • PLANNED — stub exists, work not started
  • 🔴 DEPRECATED — fully patched everywhere relevant; kept for historical reference only

Inventory

CVE Name Class First patched IAMROOT module Status Notes
CVE-2026-31431 Copy Fail (algif_aead authencesn page-cache write) LPE (page-cache write → /etc/passwd) mainline 2026-04-22 copy_fail 🟢 Verified on Ubuntu 26.04, Alma 9, Debian 13. Full AppArmor bypass.
CVE-2026-43284 (v4) Dirty Frag — IPv4 xfrm-ESP page-cache write LPE (same primitive shape as Copy Fail, different trigger) mainline 2026-05-XX dirty_frag_esp 🟢 Full PoC + active-probe scan
CVE-2026-43284 (v6) Dirty Frag — IPv6 xfrm-ESP (esp6) LPE mainline 2026-05-XX dirty_frag_esp6 🟢 V6 STORE shift auto-calibrated per kernel build
CVE-2026-43500 Dirty Frag — RxRPC page-cache write LPE mainline 2026-05-XX dirty_frag_rxrpc 🟢
(variant, no CVE) Copy Fail GCM variant — xfrm-ESP rfc4106(gcm(aes)) page-cache write LPE n/a copy_fail_gcm 🟢 Sibling primitive, same fix
CVE-2022-0847 Dirty Pipe — pipe PIPE_BUF_FLAG_CAN_MERGE write LPE (arbitrary file write into page cache) mainline 5.17 (2022-02-23) dirty_pipe 🔵 Detect-only as of 2026-05-16. Verifies kernel version + branch-backport ranges: 5.10.102 / 5.15.25 / 5.16.11 / 5.17+. Exploit deferred to Phase 1.5 (needs shared passwd/su helpers in core/). Ships auditd + sigma detection rules.
CVE-2023-0458 EntryBleed — KPTI prefetchnta KASLR bypass INFO-LEAK (kbase) mainline (partial mitigations only) entrybleed 🟢 Stage-1 leak brick. Working on lts-6.12.86 (verified 2026-05-16 via iamroot --exploit entrybleed --i-know). Default entry_SYSCALL_64 slot offset matches lts-6.12.x; override via IAMROOT_ENTRYBLEED_OFFSET=0x.... Other modules can call entrybleed_leak_kbase_lib() as a library. x86_64 only.
CVE-2026-31402 NFS replay-cache heap overflow LPE (NFS server) mainline 2026-04-03 Candidate. Different audience (NFS servers) — TBD whether in-scope.
CVE-TBD Fragnesia (ESP shared-frag in-place encrypt) LPE (page-cache write) mainline TBD _stubs/fragnesia_TBD Stub. Per findings/audit_leak_write_modprobe_backups_2026-05-16.md, requires CAP_NET_ADMIN in userns netns — may or may not be in-scope depending on target environment.

Pipeline for additions

  1. Bug must be patched in upstream mainline (we don't bundle 0-days)
  2. Either CVE-assigned or has clear advisory/patch reference
  3. Affects a kernel version range with realistic deployment footprint (we don't bundle exploits for kernels nobody runs)
  4. PoC works on at least one distro+kernel in our CI matrix
  5. Detection signature(s) shipped alongside the exploit

Patch-status tracking

Each module's kernel-range.json (planned) declares the affected range. CI verifies the exploit fails on the first-patched version and succeeds below it. When a distro backports the fix into a kernel version below the original first-patched, the matrix updates and the relevant distro drops out of the "WORKING" list for that module.

Why we exclude some things

  • 0-days the maintainer found themselves: those go through responsible disclosure first, then enter IAMROOT after upstream patch
  • kCTF VRP submissions in flight: same as above; disclosure before bundling
  • Hardware-specific side channels (Spectre/Meltdown variants): out of scope; not page-cache or process-isolation primitives
  • Container-escape only: unless it cleanly chains to host-root, out of scope (separate tool space)
Reference in New Issue View Git Blame Copy Permalink