If the exploit code can't open su or other setuid binaries for reading, it can't mess with their page cache. So what about … # find / -type f -uid 0 -perm /u=s | xargs -t -r chmod u-rw,g-rw,o-rw ? The binaries can then still be used for their desired privilege escalation features.
-
@hillu afaiu you can also manipulate other files than just those with setuid. For example cron jobs, systemd services that get executed as root.
Better deconfigure that exploitable code in the kernel.
-
@hillu or just edit binaries that get executed by root
-
@clonejo Of course; thanks for helping me think.
In any case, it would still help against script kiddies, I guess.
-
@hillu sorry

-
@hillu@infosec.exchange It is my understanding that this will not work. There is a published exploit (https://github.com/rootsecdev/cve_2026_31431/blob/main/exploit_cve_2026_31431.py) that messes with the page cache for /etc/passwd to simply show your user id as 0, so a normal call to su will make you root.
-
@vincent Correct.