leviathan/SKELETONKEY
1
0
Fork 0
Code Issues Pull Requests Actions 21 Packages Projects Releases Wiki Activity
Files
f1bd896ca8e69db5f43d8808add1fb0269d46e28
SKELETONKEY/CVES.md
T
leviathan f1bd896ca8 Phase 7: Pwnkit FULL exploit (Qualys-style PoC) + DEFENDERS.md 
Pwnkit: 🔵🟢
- Implements the canonical Qualys-style PoC end-to-end:
  1. Locate setuid pkexec
  2. mkdtemp working directory under /tmp
  3. Detect target's gcc/cc (fail-soft if absent)
  4. Write payload.c (gconv constructor: unsetenv hostile vars,
     setuid(0), execle /bin/sh -p with clean PATH)
  5. gcc -shared -fPIC payload.c -o pwnkit/PWNKIT.so
  6. Write gconv-modules cache pointing UTF-8// → PWNKIT//
  7. execve(pkexec, NULL_argv, envp{GCONV_PATH=workdir/pwnkit,
     PATH=GCONV_PATH=., CHARSET=PWNKIT, SHELL=pwnkit})
     → argc=0 triggers argv-overflow-into-envp; pkexec re-execs
     with PATH set to our tmpdir; libc's iconv loads PWNKIT.so
     as root; constructor pops /bin/sh with uid=0.
- Cleanup: removes /tmp/iamroot-pwnkit-* workdirs.
- Auto-refuses on patched hosts (re-runs detect() first).
- GCC -Wformat-truncation warnings fixed by sizing path buffers
  generously (1024/2048 bytes — way more than needed in practice).

Verified end-to-end on kctf-mgr (polkit 126 = patched):
  iamroot --exploit pwnkit --i-know
  → detect() says fixed → refuses cleanly. Correct behavior.
Vulnerable-kernel validation is Phase 4 CI matrix work.

docs/DEFENDERS.md — blue-team deployment guide:
- TL;DR: scan, deploy rules, mitigate, watch
- Operations cheat sheet (--list, --scan, --detect-rules, --mitigate)
- Audit-key table mapping rule keys to modules to caught behavior
- Fleet-scanning recipe (ssh + jq aggregation)
- Known false-positive shapes per rule with tuning hints

CVES.md: pwnkit row updated 🔵🟢.
ROADMAP.md: Phase 7 Pwnkit checkbox marked complete.
2026-05-16 20:13:11 -04:00

74 lines
5.5 KiB
Markdown
Raw Blame History

# CVE inventory
The curated list of CVEs IAMROOT exploits, with patch status and
module status. Updated as new modules land or as upstream patches
ship.
Status legend:
- 🟢 **WORKING** — module verified to land root on a vulnerable host
- 🟡 **PARTIAL** — module detects + exploits on some distros, not all
- 🔵 **DETECT-ONLY** — module fingerprints presence/absence but no
exploit (yet). Useful for blue teams.
-**PLANNED** — stub exists, work not started
- 🔴 **DEPRECATED** — fully patched everywhere relevant; kept for
historical reference only
## Inventory
| CVE | Name | Class | First patched | IAMROOT module | Status | Notes |
|---|---|---|---|---|---|---|
| CVE-2026-31431 | Copy Fail (algif_aead `authencesn` page-cache write) | LPE (page-cache write → /etc/passwd) | mainline 2026-04-22 | `copy_fail` | 🟢 | Verified on Ubuntu 26.04, Alma 9, Debian 13. Full AppArmor bypass. |
| CVE-2026-43284 (v4) | Dirty Frag — IPv4 xfrm-ESP page-cache write | LPE (same primitive shape as Copy Fail, different trigger) | mainline 2026-05-XX | `dirty_frag_esp` | 🟢 | Full PoC + active-probe scan |
| CVE-2026-43284 (v6) | Dirty Frag — IPv6 xfrm-ESP (`esp6`) | LPE | mainline 2026-05-XX | `dirty_frag_esp6` | 🟢 | V6 STORE shift auto-calibrated per kernel build |
| CVE-2026-43500 | Dirty Frag — RxRPC page-cache write | LPE | mainline 2026-05-XX | `dirty_frag_rxrpc` | 🟢 | |
| (variant, no CVE) | Copy Fail GCM variant — xfrm-ESP `rfc4106(gcm(aes))` page-cache write | LPE | n/a | `copy_fail_gcm` | 🟢 | Sibling primitive, same fix |
| CVE-2022-0847 | Dirty Pipe — pipe `PIPE_BUF_FLAG_CAN_MERGE` write | LPE (arbitrary file write into page cache) | mainline 5.17 (2022-02-23) | `dirty_pipe` | 🟢 | Full detect + exploit + cleanup. Detect: branch-backport ranges (5.10.102 / 5.15.25 / 5.16.11 / 5.17+). Exploit: page-cache write into /etc/passwd UID field followed by `su` to drop a root shell. Auto-refuses on patched kernels. Cleanup: drop_caches + POSIX_FADV_DONTNEED. CI-validation against a vulnerable kernel (e.g. Ubuntu 20.04 with stock 5.13) is Phase 4 work. |
| CVE-2023-0458 | EntryBleed — KPTI prefetchnta KASLR bypass | INFO-LEAK (kbase) | mainline (partial mitigations only) | `entrybleed` | 🟢 | Stage-1 leak brick. Working on lts-6.12.86 (verified 2026-05-16 via `iamroot --exploit entrybleed --i-know`). Default `entry_SYSCALL_64` slot offset matches lts-6.12.x; override via `IAMROOT_ENTRYBLEED_OFFSET=0x...`. Other modules can call `entrybleed_leak_kbase_lib()` as a library. x86_64 only. |
| CVE-2026-31402 | NFS replay-cache heap overflow | LPE (NFS server) | mainline 2026-04-03 | — | ⚪ | Candidate. Different audience (NFS servers) — TBD whether in-scope. |
| CVE-2021-4034 | Pwnkit — pkexec argv[0]=NULL → env-injection | LPE (userspace setuid binary) | polkit 0.121 (2022-01-25) | `pwnkit` | 🟢 | Full detect + exploit (canonical Qualys-style: gconv-modules + execve NULL-argv). Detect handles both polkit version formats (legacy "0.105" + modern "126"). Exploit compiles payload via target's gcc → falls back gracefully if no cc available. Cleanup nukes /tmp/iamroot-pwnkit-* workdirs. **First userspace LPE in IAMROOT**. Ships auditd + sigma rules. |
| CVE-TBD | Fragnesia (ESP shared-frag in-place encrypt) | LPE (page-cache write) | mainline TBD | `_stubs/fragnesia_TBD` | ⚪ | Stub. Per `findings/audit_leak_write_modprobe_backups_2026-05-16.md`, requires CAP_NET_ADMIN in userns netns — may or may not be in-scope depending on target environment. |
## Operations supported per module
Symbols: ✓ = supported, — = not applicable / no automated path.
| Module | --scan (detect) | --exploit | --mitigate | --cleanup | --detect-rules |
|---|---|---|---|---|---|
| copy_fail | ✓ | ✓ | ✓ (blacklist algif_aead + AA sysctl) | ✓ (revert mit or evict page cache) | ✓ (auditd + sigma) |
| copy_fail_gcm | ✓ | ✓ | ✓ (same family-wide) | ✓ | ✓ |
| dirty_frag_esp | ✓ | ✓ | ✓ (same family-wide) | ✓ | ✓ |
| dirty_frag_esp6 | ✓ | ✓ | ✓ (same family-wide) | ✓ | ✓ |
| dirty_frag_rxrpc | ✓ | ✓ | ✓ (same family-wide) | ✓ | ✓ |
| dirty_pipe | ✓ | ✓ | — (only fix is upgrade kernel) | ✓ (evict page cache) | ✓ (auditd + sigma) |
| entrybleed | ✓ | ✓ (leak kbase) | — (no canonical patch) | — | ✓ (sigma informational) |
## Pipeline for additions
1. Bug must be **patched in upstream mainline** (we don't bundle
0-days)
2. Either **CVE-assigned** or has clear advisory/patch reference
3. Affects a kernel version range with realistic deployment footprint
(we don't bundle exploits for kernels nobody runs)
4. PoC works on at least one distro+kernel in our CI matrix
5. Detection signature(s) shipped alongside the exploit
## Patch-status tracking
Each module's `kernel-range.json` (planned) declares the affected
range. CI verifies the exploit fails on the first-patched version
and succeeds below it. When a distro backports the fix into a kernel
version below the original first-patched, the matrix updates and
the relevant distro drops out of the "WORKING" list for that module.
## Why we exclude some things
- **0-days the maintainer found themselves**: those go through
responsible disclosure first, then enter IAMROOT after upstream patch
- **kCTF VRP submissions in flight**: same as above; disclosure
before bundling
- **Hardware-specific side channels** (Spectre/Meltdown variants):
out of scope; not page-cache or process-isolation primitives
- **Container-escape only**: unless it cleanly chains to host-root,
out of scope (separate tool space)
Reference in New Issue View Git Blame Copy Permalink