a8c8d5ef1f
Two new page-cache-write LPE modules, both ported from the public V12 security PoCs (github.com/v12-security/pocs):

- dirtydecrypt (CVE-2026-31635): rxgk missing-COW in-place decrypt. rxgk_decrypt_skb() decrypts spliced page-cache pages before the HMAC check, corrupting the page cache of a read-only file. Sibling of Copy Fail / Dirty Frag in the rxrpc subsystem.
- fragnesia (CVE-2026-46300): XFRM ESP-in-TCP skb_try_coalesce() loses the SHARED_FRAG marker, so the ESP-in-TCP receive path decrypts page-cache pages in place. A latent bug exposed by the Dirty Frag fix (f4c50a4034e6). Retires the old _stubs/fragnesia_TBD stub.

Both wrap the PoC exploit primitive in the skeletonkey_module interface: detect/exploit/cleanup, an --active /tmp sentinel probe, --no-shell support, and embedded auditd + sigma rules. The exploit body runs in a forked child so the PoC's exit()/die() paths cannot tear down the dispatcher. The fragnesia port drops the upstream PoC's ANSI TUI (incompatible with a shared dispatcher); the exploit mechanism is reproduced faithfully. Linux-only code is guarded with #ifdef __linux__ so the modules still compile on non-Linux dev boxes.

VERIFICATION: ported, NOT yet validated end-to-end on a vulnerable-kernel VM. The CVE fix commits are not pinned, so detect() is precondition-only (PRECOND_FAIL / TEST_ERROR, never a blind VULNERABLE) and --auto will not fire them unless --active confirms. macOS stub-path compiles verified locally; the Linux exploit-path build is covered by CI (build.yml, ubuntu) only. See each MODULE.md.

Wiring: core/registry.h, skeletonkey.c, Makefile, CVES.md, ROADMAP.md.
29 lines
1.3 KiB
Plaintext
# DirtyDecrypt (CVE-2026-31635) — auditd detection rules
#
# The rxgk in-place decrypt corrupts the page cache of a read-only
# file. These rules flag the syscall surface the exploit drives and
# writes to the setuid binaries it targets.
#
# Install: copy into /etc/audit/rules.d/ and `augenrules --load`, or
# skeletonkey --detect-rules --format=auditd | sudo tee \
# /etc/audit/rules.d/99-skeletonkey.rules

# Modification of common payload carriers / credential files
-w /usr/bin/su -p wa -k skeletonkey-dirtydecrypt
-w /bin/su -p wa -k skeletonkey-dirtydecrypt
-w /usr/bin/mount -p wa -k skeletonkey-dirtydecrypt
-w /usr/bin/passwd -p wa -k skeletonkey-dirtydecrypt
-w /usr/bin/chsh -p wa -k skeletonkey-dirtydecrypt
-w /etc/passwd -p wa -k skeletonkey-dirtydecrypt
-w /etc/shadow -p wa -k skeletonkey-dirtydecrypt

# AF_RXRPC socket creation (family 33) — core of the rxgk trigger
-a always,exit -F arch=b64 -S socket -F a0=33 -k skeletonkey-dirtydecrypt-rxrpc

# rxrpc security keys added to the process keyring
-a always,exit -F arch=b64 -S add_key -k skeletonkey-dirtydecrypt-key

# splice() drives page-cache pages into the forged DATA packet
-a always,exit -F arch=b64 -S splice -k skeletonkey-dirtydecrypt-splice
-a always,exit -F arch=b32 -S splice -k skeletonkey-dirtydecrypt-splice
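The rules above tag four kinds of SYSCALL records, and any one of them on its own is weak evidence (a process that legitimately opens an AF_RXRPC socket trips the socket rule every time). What a detection engineer wants from them is per-process correlation: the same pid hitting the socket, add_key and splice stages in sequence. The script below is an added example written for this page, not code from the skeletonkey project or its MODULE.md. It parses raw auditd log lines (the format found in /var/log/audit/audit.log and emitted by `ausearch --raw`), groups records by pid and reports pids that reach a configurable number of stages. It assumes x86_64 records (arch=c000003e, so socket=41, add_key=248, splice=275, openat=257) and the sample log lines are constructed, not captured from a real host.

```python
"""Correlate auditd SYSCALL records tagged by the DirtyDecrypt rules.

Added example, not part of the skeletonkey project. Groups raw audit
records by pid and reports processes that chain the stages the rules
tag: AF_RXRPC socket creation, add_key, splice, and a write to one of
the watched files. Syscall numbers and arch assume x86_64.
"""
import re
from collections import defaultdict

AF_RXRPC = 33  # the socket family the `-F a0=33` rule matches (decimal)

# audit key (from the -k option of each rule) -> stage name
STAGE_KEYS = {
    "skeletonkey-dirtydecrypt-rxrpc": "rxrpc_socket",
    "skeletonkey-dirtydecrypt-key": "add_key",
    "skeletonkey-dirtydecrypt-splice": "splice",
    "skeletonkey-dirtydecrypt": "watched_file",
}

# Constructed sample records (not a real capture). One process (pid 4242)
# walks all four stages; pid 5151 reaches two; pid 777 only opens a socket.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1767225600.101:1001): arch=c000003e syscall=41 success=yes exit=3 a0=21 a1=2 a2=0 a3=0 items=0 ppid=1500 pid=4242 auid=1000 uid=1000 comm="poc" exe="/tmp/poc" key="skeletonkey-dirtydecrypt-rxrpc"
type=SYSCALL msg=audit(1767225600.102:1002): arch=c000003e syscall=248 success=yes exit=123456 a0=7ffd1a2b3c40 a1=7ffd1a2b3c60 a2=7ffd1a2b3c80 a3=40 items=0 ppid=1500 pid=4242 auid=1000 uid=1000 comm="poc" exe="/tmp/poc" key="skeletonkey-dirtydecrypt-key"
type=SYSCALL msg=audit(1767225600.103:1003): arch=c000003e syscall=275 success=yes exit=4096 a0=5 a1=0 a2=3 a3=0 items=0 ppid=1500 pid=4242 auid=1000 uid=1000 comm="poc" exe="/tmp/poc" key="skeletonkey-dirtydecrypt-splice"
type=SYSCALL msg=audit(1767225600.104:1004): arch=c000003e syscall=257 success=yes exit=5 a0=ffffff9c a1=55d0c0ffee00 a2=0 a3=0 items=1 ppid=1500 pid=4242 auid=1000 uid=1000 comm="poc" exe="/tmp/poc" key="skeletonkey-dirtydecrypt"
type=PATH msg=audit(1767225600.104:1004): item=0 name="/etc/passwd" inode=1234 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1767225600.200:1005): arch=c000003e syscall=41 success=yes exit=3 a0=21 a1=2 a2=0 a3=0 items=0 ppid=1 pid=777 auid=0 uid=0 comm="afs-client" exe="/usr/sbin/afs-client" key="skeletonkey-dirtydecrypt-rxrpc"
type=SYSCALL msg=audit(1767225600.300:1006): arch=c000003e syscall=41 success=yes exit=4 a0=21 a1=2 a2=0 a3=0 items=0 ppid=1600 pid=5151 auid=1000 uid=1000 comm="keyctl-test" exe="/home/u/keyctl-test" key="skeletonkey-dirtydecrypt-rxrpc"
type=SYSCALL msg=audit(1767225600.301:1007): arch=c000003e syscall=248 success=yes exit=654321 a0=7ffd00aa1100 a1=7ffd00aa1120 a2=7ffd00aa1140 a3=20 items=0 ppid=1600 pid=5151 auid=1000 uid=1000 comm="keyctl-test" exe="/home/u/keyctl-test" key="skeletonkey-dirtydecrypt-key"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one raw audit line into a dict; quoted values lose their quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def stage_for(rec):
    """Map a SYSCALL record to a stage name, or None if it is unrelated."""
    if rec.get("type") != "SYSCALL":
        return None  # PATH, CWD, PROCTITLE etc. carry no key of their own
    stage = STAGE_KEYS.get(rec.get("key"))
    if stage == "rxrpc_socket":
        # auditd prints syscall arguments in hex, while the rule compares
        # decimal: a0=21 in the log is AF_RXRPC (33). Re-check it here so a
        # loosened rule (no -F a0=33) still only counts rxrpc sockets.
        if int(rec.get("a0", "0"), 16) != AF_RXRPC:
            return None
    return stage


def correlate(lines, min_stages=3):
    """Return [(pid, comm, sorted stage list)] for pids reaching min_stages."""
    stages_by_pid = defaultdict(set)
    comm_by_pid = {}
    for line in lines:
        rec = parse_record(line)
        stage = stage_for(rec)
        if stage is None or "pid" not in rec:
            continue
        stages_by_pid[rec["pid"]].add(stage)
        comm_by_pid[rec["pid"]] = rec.get("comm", "?")
    return [
        (pid, comm_by_pid[pid], sorted(stages))
        for pid, stages in sorted(stages_by_pid.items(), key=lambda kv: int(kv[0]))
        if len(stages) >= min_stages
    ]


if __name__ == "__main__":
    for pid, comm, stages in correlate(SAMPLE_LOG.splitlines()):
        print(f"pid {pid} ({comm}) reached stages: {', '.join(stages)}")
```

With the default threshold only pid 4242 is reported; lowering `min_stages` to 2 also surfaces pid 5151 (socket plus add_key), which is the trade-off the threshold exposes. Note the hex-versus-decimal detail: the rule's `-F a0=33` is evaluated by the kernel in decimal, but the record it produces prints `a0=21`, so any post-processing that compares the logged value must convert it before matching.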