ssh-keysign-pwn stealing SSH host keys and /etc/shadow via p...

[carlospolop]

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

• Blog URL: https://github.com/0xdeadbeefnetwork/ssh-keysign-pwn
• Blog Title: ssh-keysign-pwn: stealing SSH host keys and /etc/shadow via pidfd_getfd and the ptrace_may_access mm-NULL bypass
• Suggested Section: Linux Hardening -> Linux Privilege Escalation -> pidfd_getfd exiting-process file descriptor theft / CVE-2026-46333

🎯 Content Summary

ssh-keysign-pwn is a public Linux local exploit/PoC repository for CVE-2026-46333. It demonstrates how an unprivileged local user can read root-owned files by abusing a Linux kernel authorization flaw in __ptrace_may_access() together with pidfd_getfd(2). The repository targets kernels before commit 31e62c2ebbfd, described as affecting all stable kernels as of 2026-05-14. The repository links the issue to the NVD entry at pidfd_getfd(2) to duplicate file descriptors that would normally be protected.

Abusing setuid helpers that open privileged files before dropping privileges: The reusable exploitation pattern is to find a setuid-root or privileged helper that opens a root-only file first, then fully drops privileges to the caller's UID while keeping the fd open until exit. Once the process UID matches the attacker's UID, the kernel bug allows the attacker to duplicate the privileged fd du...

🤖 Agent Actions

Done.

Updated:

• src/linux-hardening/privilege-escalation/README.md

What I added:

• A new subsection on exiting-process FD theft with pidfd_getfd(2)
• The reusable technique:
  • privileged helper opens sensitive file
  • helper drops to attacker UID
  • attacker races exit_mm() before exit_files()
  • attacker duplicates the still-open FD
• Practical examples:
  • chage -l <user> disclosing /etc/shadow
  • ssh-keysign leaking /etc/ssh/ssh_host_*_key
• Audit guidance for finding similar helpers
• References to the PoC repo, Qualys advisory, fix commit, and Ubuntu CVE tracker

Validation:

• git diff --check passed
• mdbook build could not be run because mdbook is not installed in this environment

---

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

[carlospolop]

🔗 Additional Context

Original Blog Post: https://github.com/0xdeadbeefnetwork/ssh-keysign-pwn

Content Categories: Based on the analysis, this content was categorized under "Linux Hardening -> Linux Privilege Escalation -> pidfd_getfd exiting-process file descriptor theft / CVE-2026-46333".

Repository Maintenance:

• MD Files Formatting: 974 files processed

Review Notes:

• This content was automatically processed and may require human review for accuracy
• Check that the placement within the repository structure is appropriate
• Verify that all technical details are correct and up-to-date
• All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0