PoCs/CVE-2026-31431/README.md
2026-04-30 20:35:06 -06:00

CopyFail | CVE-2026-31431 - Linux Privilege Escalation via Authencesn Scratch-Write Bug

Full writeup @ my blog | OG Writeup here

This exploit has caused quite the panic among defenders, so I re-wrote/unminified the original PoC to more easily look at detection opportunities.

In short, this exploit abuses the way splice() works together with the AF_ALG socket type within authencesn.c from the Linux crypto libraries. More or less, it allows the attacker to write 4 bytes of memory at a time into page-cache pages, overwriting the in-cache version of open files. When this is done with a SUID binary like /bin/su, the attacker can then execute the binary, which gets pulled from the cache. This leaves the legit on-disk version of the overwritten binary in place while allowing arbitrary non-privileged users to gain root perms.
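One detection opportunity that follows from the description above, as an added example (not part of the original PoC or writeup): correlate auditd SYSCALL records to flag a non-root process that opens an AF_ALG socket and later calls splice(). It assumes auditd is already logging socket and splice on x86_64; the log lines, PIDs and the function name are constructed for illustration.

```python
import re

# x86_64 syscall numbers; AF_ALG is address family 38 (auditd logs a0 in hex: 26)
SYS_SOCKET, SYS_SPLICE, AF_ALG = 41, 275, 38
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed auditd SYSCALL records (not captured from a real host)
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1777602906.101:900): arch=c000003e syscall=41 success=yes exit=3 a0=26 a1=5 a2=0 a3=0 pid=4100 uid=1000 euid=1000 comm="python3" exe="/usr/bin/python3.10"
type=SYSCALL msg=audit(1777602906.102:901): arch=c000003e syscall=41 success=yes exit=4 a0=2 a1=1 a2=0 a3=0 pid=4200 uid=1000 euid=1000 comm="curl" exe="/usr/bin/curl"
type=SYSCALL msg=audit(1777602906.110:902): arch=c000003e syscall=275 success=yes exit=4 a0=5 a1=0 a2=7 a3=0 pid=4100 uid=1000 euid=1000 comm="python3" exe="/usr/bin/python3.10"
type=SYSCALL msg=audit(1777602906.120:903): arch=c000003e syscall=275 success=yes exit=4096 a0=5 a1=0 a2=7 a3=0 pid=4200 uid=1000 euid=1000 comm="curl" exe="/usr/bin/curl"
type=SYSCALL msg=audit(1777602906.130:904): arch=c000003e syscall=41 success=yes exit=3 a0=26 a1=5 a2=0 a3=0 pid=300 uid=0 euid=0 comm="cryptsetup" exe="/usr/sbin/cryptsetup"
"""


def parse(line):
    """Return the key=value fields of one audit record as a dict."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}


def flag_af_alg_then_splice(log_text):
    """Flag non-root processes that open an AF_ALG socket and later call splice()."""
    alg_pids, hits = set(), []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec.get("type") != "SYSCALL" or rec.get("arch") != "c000003e":
            continue
        # Root is skipped as a tuning choice: the bug matters for unprivileged callers
        if rec.get("success") != "yes" or rec.get("uid") == "0":
            continue
        pid, nr = rec["pid"], int(rec["syscall"])
        if nr == SYS_SOCKET and int(rec["a0"], 16) == AF_ALG:
            alg_pids.add(pid)
        elif nr == SYS_SPLICE and pid in alg_pids:
            hits.append((int(pid), int(rec["uid"]), rec["exe"]))
            alg_pids.discard(pid)  # one alert per process
    return hits


if __name__ == "__main__":
    for pid, uid, exe in flag_af_alg_then_splice(SAMPLE_LOG):
        print(f"ALERT pid={pid} uid={uid} exe={exe}: AF_ALG socket followed by splice()")
```

The correlation is per PID only, so a socket created in a parent and used from a forked child would need ppid tracking on top of this.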

Note - this version needs at least Python 3.10

License

GPL v3.0 - as all good software should be

Only use with explicit permission from the target system owner.

Remember - don't be a skid :)