<![CDATA[If the exploit code can't open su or other setuid binaries for reading, it can't mess with their page cache.]]>If the exploit code can't open su or other setuid binaries for reading, it can't mess with their page cache. So what about…

# find / -type f -uid 0 -perm /u=s | xargs -t -r chmod u-rw,g-rw,o-rw

? The binaries can then still be used for their desired privilege escalation features.

]]>https://board.circlewithadot.net/topic/1fec208f-ec6b-42da-889e-97c52a0caed5/if-the-exploit-code-can-t-open-su-or-other-setuid-binaries-for-reading-it-can-t-mess-with-their-page-cache.RSS for NodeFri, 01 May 2026 01:03:37 GMTThu, 30 Apr 2026 10:34:43 GMT60<![CDATA[Reply to If the exploit code can't open su or other setuid binaries for reading, it can't mess with their page cache. on Thu, 30 Apr 2026 12:51:11 GMT]]>@vincent Correct.

]]>https://board.circlewithadot.net/post/https://infosec.exchange/users/hillu/statuses/116493744330765316https://board.circlewithadot.net/post/https://infosec.exchange/users/hillu/statuses/116493744330765316Thu, 30 Apr 2026 12:51:11 GMT<![CDATA[Reply to If the exploit code can't open su or other setuid binaries for reading, it can't mess with their page cache. on Thu, 30 Apr 2026 12:25:59 GMT]]>@hillu@infosec.exchange It is my understanding that this will not work. There is a published exploit (https://github.com/rootsecdev/cve_2026_31431/blob/main/exploit_cve_2026_31431.py) that messes with the page cache for /etc/passwd to simply show your user id as 0, so a normal call to su will make you root.

]]>https://board.circlewithadot.net/post/https://knuddelweide.de/notes/alp0uqykhhen0002https://board.circlewithadot.net/post/https://knuddelweide.de/notes/alp0uqykhhen0002Thu, 30 Apr 2026 12:25:59 GMT<![CDATA[Reply to If the exploit code can't open su or other setuid binaries for reading, it can't mess with their page cache. on Thu, 30 Apr 2026 10:57:36 GMT]]>@hillu sorry 🙃

]]>https://board.circlewithadot.net/post/https://social.troll.academy/users/clonejo/statuses/116493297711039042https://board.circlewithadot.net/post/https://social.troll.academy/users/clonejo/statuses/116493297711039042Thu, 30 Apr 2026 10:57:36 GMT<![CDATA[Reply to If the exploit code can't open su or other setuid binaries for reading, it can't mess with their page cache. on Thu, 30 Apr 2026 10:55:57 GMT]]>@clonejo Of course; thanks for helping me think. 😉 In any case, it would still help against script kiddies, I guess.

]]>https://board.circlewithadot.net/post/https://infosec.exchange/users/hillu/statuses/116493291213265249https://board.circlewithadot.net/post/https://infosec.exchange/users/hillu/statuses/116493291213265249Thu, 30 Apr 2026 10:55:57 GMT<![CDATA[Reply to If the exploit code can't open su or other setuid binaries for reading, it can't mess with their page cache. on Thu, 30 Apr 2026 10:48:05 GMT]]>@hillu or just edit binaries that get executed by root

]]>https://board.circlewithadot.net/post/https://social.troll.academy/users/clonejo/statuses/116493260254756479https://board.circlewithadot.net/post/https://social.troll.academy/users/clonejo/statuses/116493260254756479Thu, 30 Apr 2026 10:48:05 GMT<![CDATA[Reply to If the exploit code can't open su or other setuid binaries for reading, it can't mess with their page cache. on Thu, 30 Apr 2026 10:46:35 GMT]]>@hillu afaiu you can also manipulate other files than just those with setuid. For example cron jobs, systemd services that get executed as root.

Better deconfigure that exploitable code in the kernel.

]]>https://board.circlewithadot.net/post/https://social.troll.academy/users/clonejo/statuses/116493254329241595https://board.circlewithadot.net/post/https://social.troll.academy/users/clonejo/statuses/116493254329241595Thu, 30 Apr 2026 10:46:35 GMT