Holy. Fucking. Fuckballs.
This exploit is... insane.
> An unprivileged local user can write 4 controlled bytes into the page cache of any readable file on a Linux system, and use that to gain root
Copy Fail — 732 Bytes to Root
Copy Fail (CVE-2026-31431): a 732-byte Linux LPE — straight-line, no race, no per-distro offsets. Same Python script roots Ubuntu, Amazon Linux, RHEL, SUSE since 2017. Page-cache write bypasses on-disk file-integrity tools and crosses container boundaries. Found by Xint Code.
Xint (copy.fail)
-
@darkrat It's weird how the code they want you to curl and run is minified and has a binary section in it.... just weird....
edit: tbc, my friend said this, I hadn't checked it yet.
He said that this is not normally how proof of concepts are written. I really hope someone on fedi who knows this stuff can verify this, cause I'm not boosting it without seeing that.
-
@thibaultmol @darkrat It's needlessly obfuscated. And the "curl pipe bash" construction is just bullshit.
That said, a few of us tested it and it didn't work on our boxen.
-
@drwho@masto.hackers.town @thibaultmol@en.osm.town @darkrat@chaosfurs.social
It is minified but really not difficult to pull apart.
It opens /usr/bin/su, then repeatedly calls c(f, i, e[i:i+4]) to write the embedded payload into the cached image of /usr/bin/su in 4-byte chunks.
The write-up describes this. The sendmsg() data carries the 4 controlled bytes, splice() supplies the page-cache-backed file pages, and recv() triggers the authencesn path that writes those bytes into the cached file page.
After patching the cached copy, it just runs su. That's it.
s.socket(38, 5, 0) uses the numeric constants for AF_ALG and SOCK_SEQPACKET; it's equivalent to socket.socket(socket.AF_ALG, socket.SOCK_SEQPACKET, 0).
The zlib blob decompresses to a 160-byte ELF executable; it basically only contains:
setuid(0)
execve("/bin/sh", NULL, NULL)
exit(0)
to pop a root shell.
The CVE is real; I got it to work just fine on my Proxmox host (Linux 6.17.13-2).
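The thread's point is that the patched bytes live only in the page cache, so a scanner that hashes the file on disk sees nothing. As an added defender-side example (not code from this thread, from Xint, or from the PoC), here is a check that hashes a file once through the page cache and once with O_DIRECT, which bypasses the cache and reads the backing store; a mismatch means the cached copy no longer matches what is on disk. It assumes Linux, a filesystem that accepts O_DIRECT, and that the tampered pages were never written back (the very property that hides them from on-disk tools).

```python
import errno, hashlib, mmap, os, tempfile
from typing import Optional

CHUNK = 1 << 20  # 1 MiB; mmap(-1, n) gives a page-aligned buffer, which O_DIRECT needs

def sha256_via_page_cache(path: str) -> str:
    # Ordinary reads come from the page cache: this is what exec sees, patched or not.
    h = hashlib.sha256()
    with open(path, "rb", buffering=0) as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def sha256_via_o_direct(path: str) -> Optional[str]:
    # O_DIRECT bypasses the page cache and reads the backing store. Assumption: the
    # tampered pages were never written back, which is what hides them from on-disk tools.
    if not hasattr(os, "O_DIRECT"):
        return None  # not Linux
    fd, h = -1, hashlib.sha256()
    try:
        fd = os.open(path, os.O_RDONLY | os.O_DIRECT)
        size, off = os.fstat(fd).st_size, 0  # offsets stay CHUNK-aligned; a short read at EOF ends the loop
        with mmap.mmap(-1, CHUNK) as buf:
            while off < size and (n := os.preadv(fd, [buf], off)) > 0:
                h.update(buf[:n])
                off += n
    except OSError as e:
        if e.errno in (errno.EINVAL, errno.EOPNOTSUPP):  # this filesystem or file refuses direct I/O
            return None
        raise
    finally:
        if fd >= 0:
            os.close(fd)
    return h.hexdigest()

def page_cache_tampered(path: str) -> Optional[bool]:
    # True: cached copy differs from disk; False: they agree; None: cannot tell here.
    direct = sha256_via_o_direct(path)
    return None if direct is None else direct != sha256_via_page_cache(path)

def self_check() -> tuple:
    # Constructed sample file on an untouched host: both views must agree.
    data = b"constructed sample content, not a real binary\n" * 2000
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(data)
    try:
        return (sha256_via_page_cache(f.name), sha256_via_o_direct(f.name),
                page_cache_tampered(f.name), hashlib.sha256(data).hexdigest())
    finally:
        os.unlink(f.name)
```

Run page_cache_tampered() over the setuid binaries you care about (the thread's example is /usr/bin/su); if the tampered page is ever written back, both hashes agree and this check says nothing, so it only covers the cache-only case described above.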