[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-75913":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":9,"language":10,"languages":9,"totalLinesOfCode":9,"stars":11,"forks":12,"watchers":13,"openIssues":14,"contributorsCount":15,"subscribersCount":15,"size":15,"stars1d":15,"stars7d":16,"stars30d":17,"stars90d":15,"forks30d":15,"starsTrendScore":14,"compositeScore":18,"rankGlobal":9,"rankLanguage":9,"license":9,"archived":19,"fork":19,"defaultBranch":20,"hasWiki":21,"hasPages":19,"topics":22,"createdAt":9,"pushedAt":9,"updatedAt":23,"readmeContent":24,"aiSummary":25,"trendingCount":15,"starSnapshotCount":15,"syncStatus":14,"lastSyncTime":26,"discoverSource":27},75913,"ssh-keysign-pwn","0xdeadbeefnetwork\u002Fssh-keysign-pwn","0xdeadbeefnetwork","Steal SSH host private keys and \u002Fetc\u002Fshadow via the ptrace_may_access mm-NULL bypass + pidfd_getfd. Pre-31e62c2ebbfd kernels.",null,"C",734,94,10,2,0,6,155,9.93,false,"main",true,[],"2026-06-12 02:03:37","# ssh-keysign-pwn\n\n> \"It is a fearful thing to fall into the hands of the living God.\" — Hebrews 10:31\n\nRead root-owned files as an unprivileged user. Pre-`31e62c2ebbfd` kernels (everything in stable as of 2026-05-14).\n\n![demo](demo.gif)\n\n## The bug\n\n`__ptrace_may_access()` skips the dumpable check when `task->mm == NULL`. `do_exit()` runs `exit_mm()` before `exit_files()` — no mm, fds still there. `pidfd_getfd(2)` succeeds in that window when the caller's uid matches the target's.\n\nReported by Qualys, fixed by Linus 2026-05-14. Jann Horn flagged the FD-theft shape in [October 2020](https:\u002F\u002Flore.kernel.org\u002Fall\u002F20201016230915.1972840-1-jannh@google.com\u002F). Six years.\n\n## Targets\n\n**`sshkeysign_pwn`** — pulls `\u002Fetc\u002Fssh\u002Fssh_host_{ecdsa,ed25519,rsa}_key`. `ssh-keysign.c` opens them (mode 0600) before `permanently_set_uid()`, then bails on `EnableSSHKeysign=no` with the fds still open. 
Same shape since 2002.\n\n**`chage_pwn`** — pulls `\u002Fetc\u002Fshadow`. `chage -l \u003Cuser>` calls `spw_open(O_RDONLY)` then `setreuid(ruid, ruid)`. Both args set means uid=euid=suid=ruid: full drop. Race the exit, lift the shadow fd, crack the root hash offline.\n\n## Build and run\n\n```sh\nmake\n.\u002Fsshkeysign_pwn          # host keys\n.\u002Fchage_pwn root          # \u002Fetc\u002Fshadow content\n```\n\nEither prints the file on stdout. Hits in 100–2000 spawns.\n\n## Confirmed\n\nRaspberry Pi OS Bookworm 6.12.75, Debian 13, Ubuntu 22.04 \u002F 24.04 \u002F 26.04, Arch, CentOS 9.\n\n## Controlled-target PoC\n\n`vuln_target.c` opens `\u002Fetc\u002Fshadow` then drops. `exploit_vuln_target.c` shows `EPERM` while it's alive and the steal post-`SIGKILL`.\n\n```sh\nsudo install -m 4755 vuln_target \u002Fusr\u002Flocal\u002Fbin\u002Fvuln_target\n.\u002Fexploit_vuln_target \u002Fusr\u002Flocal\u002Fbin\u002Fvuln_target\n```\n\n```\nhttps:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2026-46333\n```\n","This project exploits a specific kernel vulnerability to steal SSH host private keys and the \u002Fetc\u002Fshadow file. Its core mechanism is the bypass in the `ptrace_may_access` function when `mm` is NULL, combined with the `pidfd_getfd` technique, which obtains file descriptors during the brief window before the target process exits and thereby lets an unprivileged user read sensitive root-owned files. It is intended for testing or research into the security and exploitability of Linux-based systems, specifically kernel versions released before May 14, 2026. The project provides concrete example code that demonstrates how to extract the specified security-critical files from a system, and it has been verified to work on several popular Linux distributions.","2026-06-11 03:53:41","CREATED_QUERY"]