leviathan/SKELETONKEY
1
0
Fork 0
Code Issues Pull Requests Actions 21 Packages Projects Releases Wiki Activity
Files
ea1744e6f094e1a1a874e78f9df0cdf45b0dc8b6
SKELETONKEY/modules/dirty_pipe_cve_2022_0847/MODULE.md
T
leviathan 9593d90385
release / build (arm64) (push) Waiting to run
Details
release / build (x86_64) (push) Waiting to run
Details
release / release (push) Blocked by required conditions
Details
rename: IAMROOT → SKELETONKEY across the entire project 
Breaking change. Tool name, binary name, function/type names,
constant names, env vars, header guards, file paths, and GitHub
repo URL all rebrand IAMROOT → SKELETONKEY.

Changes:
  - All "IAMROOT" → "SKELETONKEY" (constants, env vars, enum
    values, docs, comments)
  - All "iamroot" → "skeletonkey" (functions, types, paths, CLI)
  - iamroot.c → skeletonkey.c
  - modules/*/iamroot_modules.{c,h} → modules/*/skeletonkey_modules.{c,h}
  - tools/iamroot-fleet-scan.sh → tools/skeletonkey-fleet-scan.sh
  - Binary "iamroot" → "skeletonkey"
  - GitHub URL KaraZajac/IAMROOT → KaraZajac/SKELETONKEY
  - .gitignore now expects build output named "skeletonkey"
  - /tmp/iamroot-* tmpfiles → /tmp/skeletonkey-*
  - Env vars IAMROOT_MODPROBE_PATH etc. → SKELETONKEY_*

New ASCII skeleton-key banner (horizontal key icon + ANSI Shadow
SKELETONKEY block letters) replaces the IAMROOT banner in
skeletonkey.c and README.md.

VERSION: 0.3.1 → 0.4.0 (breaking).

Build clean on Debian 6.12.86. `skeletonkey --version` → 0.4.0.
All 24 modules still register; no functional code changes — pure
rename + banner refresh.
2026-05-16 22:43:49 -04:00

48 lines
1.4 KiB
Markdown
Raw Blame History

# Dirty Pipe — CVE-2022-0847
> ⚪ **PLANNED** module. See [`../../ROADMAP.md`](../../ROADMAP.md)
> Phase 2.
## Summary
Pipe-buffer `PIPE_BUF_FLAG_CAN_MERGE` was incorrectly inherited by
`copy_page_to_iter_pipe()` and `push_pipe()` paths, allowing an
unprivileged user to write into the page cache of any file readable
by them.
## Affected kernels
- ≤ 5.16.11
- ≤ 5.15.25 LTS
- ≤ 5.10.102 LTS
## Upstream patch
`9d2231c5d74e13b2a0546fee6737ee4446017903` ("lib/iov_iter: initialize
"flags" in new pipe_buffer")
## Why this module is here
Even in 2026, many production deployments still run vulnerable
kernels (RHEL 7/8, older Ubuntu LTS, embedded). Bundling Dirty Pipe
makes SKELETONKEY useful as a "historical sweep" tool on long-tail
systems.
## Implementation plan
- C exploit ported from public PoCs (credit upstream authors in
`NOTICE.md` when implemented)
- `detect()`: kernel version check + `/proc/version` parse + test
for fixed-version backports
- `exploit()`: writes `skeletonkey::0:0:dirtypipe:/:/bin/bash` into
`/etc/passwd`, then `su skeletonkey` — same shape as copy_fail's
backdoor mode
- Detection rules: auditd on splice() calls + pipe write patterns,
filesystem audit on `/etc/passwd` modification by non-root
## Not started yet
Pick this up after Phase 1 (module-interface refactor of the
copy_fail family) so this module can use the standard
`skeletonkey_module` shape from the start.
Reference in New Issue View Git Blame Copy Permalink