Adding CopyFail - CVE-2026-31431
This commit is contained in:
0xVoodoo
@@ -0,0 +1,18 @@
|
||||
# CopyFail | CVE-2026-31431 - Linux Privilege Escalation via Authencesn Scratch-Write Bug
|
||||
|
||||
Full writeup @ [my blog](https://0xvoodoo.sh/articles/copyfail/) | OG Writeup [here](https://xint.io/blog/copy-fail-linux-distributions#the-root-cause-page-cache-pages-in-the-writable-scatterlist-1)
|
||||
|
||||
This exploit has caused quite the panic among defenders, so I re-wrote/unminified [the original PoC](https://github.com/theori-io/copy-fail-CVE-2026-31431) to more easily look at detection opportunities.
|
||||
|
||||
In short, this exploit abuses the way `splice()` works and the AF_ALG socket type within [authencesn.c](https://github.com/torvalds/linux/blob/26fd6bff2c050196005312d1d306889220952a99/crypto/authencesn.c#L3) from the Linux crypto libraries. More or less, it allows the attacker to write 4 bytes of memory at a time to pagefiles, leading to the overwrite of the in-cache version of open files. When this is done with a SUID binary, like `/bin/su` the attacker is able to then execute the binary, which will pulls from the cache. This leaves the legit version of the overwritten binary in place while allowing arbitrary non-privileged users to gain root perms.
|
||||
|
||||
*Note* - this version needs at least Python 3.10
|
||||
|
||||
# License
|
||||
|
||||
GPL v3.0 - as all good software should be
|
||||
|
||||
Only use with explicit permission from the target system owner.
|
||||
|
||||
Remember - don't be a skid :)
|
||||
|
||||
Reference in New Issue
Block a user