leviathan
9a4cc91619
Adds the third ported module — Pack2TheRoot, a userspace PackageKit
D-Bus TOCTOU LPE — and spends real effort hardening --auto so its
detect step gives an accurate, robust verdict before deploying.
pack2theroot (CVE-2026-41651):
- Ported from the public Vozec PoC
(github.com/Vozec/CVE-2026-41651). Original disclosure by the
Deutsche Telekom security team.
- Two back-to-back InstallFiles D-Bus calls (SIMULATE then NONE)
overwrite the cached transaction flags between polkit auth and
dispatch. GLib priority ordering makes the overwrite deterministic,
not a timing race; postinst of the malicious .deb drops a SUID bash
in /tmp.
- detect() reads PackageKit's VersionMajor/Minor/Micro directly over
D-Bus and compares against the pinned fix release 1.3.5 (commit
76cfb675). This is a high-confidence verdict, not precondition-only.
- Debian-family only (PoC builds its own .deb in pure C; ar/ustar/
gzip-stored inline). Cleanup removes /tmp .debs + best-effort
unlinks /tmp/.suid_bash + sudo -n dpkg -r the staging packages.
- Adds an optional GLib/GIO build dependency. The top-level Makefile
autodetects via `pkg-config gio-2.0`; when absent the module
compiles as a stub returning PRECOND_FAIL.
- Embedded auditd + sigma rules cover the file-side footprint
(/tmp/.suid_bash, /tmp/.pk-*.deb, non-root dpkg/apt execve).
--auto accuracy improvements:
- Auto-enables --active before the scan. Per-module sentinel probes
(page-cache /tmp files, fork-isolated namespace mounts) turn
version-only checks into definitive verdicts, so silent distro
backports don't fool the scan and --auto won't pick blind on
TEST_ERROR.
- Per-module verdict printing — every module's result is shown
(VULNERABLE / patched / precondition / indeterminate), not just
VULNERABLE rows. Operator sees the full picture.
- Scan-end summary line: "N vulnerable, M patched/n.a., K
precondition-fail, L indeterminate" with a separate callout when
modules crashed.
- Distro fingerprint added to the auto banner (ID + VERSION_ID from
/etc/os-release alongside kernel/arch).
- Fork-isolated detect() — each detector runs in a child process so
a SIGILL/SIGSEGV in one module's probe is contained and the scan
continues. Surfaced live while testing: entrybleed's prefetchnta
KASLR sweep SIGILLs on emulated CPUs (linuxkit on darwin); without
isolation the whole --auto died at module 7 of 31. With isolation
the scan reports "detect() crashed (signal 4) — continuing" and
finishes cleanly.
module_safety_rank additions:
- pack2theroot: 95 (userspace D-Bus TOCTOU; dpkg + /tmp SUID footprint
— clean but heavier than pwnkit's gconv-modules-only path).
- dirtydecrypt / fragnesia: 86 (page-cache writes; one step below the
verified copy_fail/dirty_frag family at 88 to prefer verified
modules when both apply).
Docs:
- README badge / tagline / tier table / ⚪ block / example output /
v0.5.0 status — all updated to "28 verified + 3 ported".
- CVES.md counts line, the ported-modules note (now calling out
pack2theroot's high-confidence detect vs. precondition-only for
the page-cache pair), inventory row, operations table row.
- ROADMAP Phase 7+: pack2theroot moved out of carry-overs into the
"landed (ported, pending VM verification)" group; added a new
"--auto accuracy work" subsection documenting the dispatcher
hardening landed in this commit.
- docs/index.html: scanning-count example bumped to 31, status line
updated to mention 3 ported modules.
Build verification: full `make clean && make` in `docker gcc:latest`
with libglib2.0-dev installed: links into a 31-module skeletonkey
ELF (413KB), `--list` shows all modules including pack2theroot,
`--detect-rules --format=auditd` emits the new pack2theroot section,
`--auto --i-know --no-shell` exercises the new banner + active
probes + verdict table + fork isolation + scan summary end-to-end.
Only build warning is the pre-existing
`-Wunterminated-string-initialization` in dirty_pipe (not introduced
here).
2.1 KiB
NOTICE — pack2theroot
Vulnerability
CVE-2026-41651 — Pack2TheRoot. PackageKit TOCTOU local privilege
escalation in src/pk-transaction.c: two cooperating bugs allow
cached_transaction_flags and cached_full_paths to be overwritten
between polkit authorisation and dispatch, and a third bug causes the
dispatcher to read those cached values at fire time rather than at
authorisation time. GLib's D-Bus-vs-idle priority ordering makes the
overwrite deterministic, not a timing race.
CVSS 8.1. Affects PackageKit 1.0.2 through 1.3.4 (over a decade
of releases). Fixed in PackageKit 1.3.5 (upstream commit
76cfb675, 2026-04-22).
Research credit
Discovered and disclosed by the Deutsche Telekom security team.
Telekom advisory: https://github.security.telekom.com/2026/04/pack2theroot-linux-local-privilege-escalation.html Upstream advisory: https://github.com/PackageKit/PackageKit/security/advisories/GHSA-f55j-vvr9-69xv
The standalone proof-of-concept exploit the SKELETONKEY module is ported from is by Vozec:
Reference PoC: https://github.com/Vozec/CVE-2026-41651
The Vozec repository carries no LICENSE file at the time of porting;
the SKELETONKEY-distributed skeletonkey_modules.c is original
SKELETONKEY-licensed code (MIT) that reproduces the PoC's deb-builder
(ar / ustar / gzip-stored) and D-Bus call sequence. Independent
research credit belongs to the people above.
A CTF-style lab by dinosn (Dockerised PackageKit 1.3.4 build with the exploit pre-set) is a useful reference bench:
SKELETONKEY role
skeletonkey_modules.c wraps the PoC in the standard
skeletonkey_module detect / exploit / cleanup interface, adds the
embedded auditd + sigma rules, and reads PackageKit's
VersionMajor/Minor/Micro D-Bus properties so detect() can give a
high-confidence verdict (the fix release 1.3.5 is officially pinned —
no version-fabrication caveat).
Verification status
Ported, not yet validated end-to-end on a vulnerable host. See
MODULE.md for the recommended verification path (Vozec's Dockerised
PackageKit-1.3.4 bench).