<![CDATA[Quickly dove into the copy.fail exploit.]]>Quickly dove into the copy.fail exploit.

1. Yes, it's real.
2. Current chain can write any arbitrary content to any user-readable file (into the page cache).
3. Current chain relies on an available target suid binary that you can open() as a lowpriv user.
4. Current exploit relies on that binary being /bin/su and then being able to execve(/bin/sh, 0, 0) (which doesn't work on alpine, etc.). The former is easily replaced in the code. The latter needs a rebuilt payload ELF (also easy).

]]>https://board.circlewithadot.net/topic/663b9e0b-af62-4aca-9ca2-2668ad45153f/quickly-dove-into-the-copy.fail-exploit.RSS for NodeFri, 01 May 2026 03:05:38 GMTWed, 29 Apr 2026 22:02:21 GMT60<![CDATA[Reply to Quickly dove into the copy.fail exploit. on Thu, 30 Apr 2026 01:07:14 GMT]]>@kasperd @penguin42 While I am a security consultant I am not _your_ security consultant, so the best I can offer you is an enthusiastic 'yeah, I guess so!'.

]]>https://board.circlewithadot.net/post/https://social.hackerspace.pl/users/q3k/statuses/116490976292953574https://board.circlewithadot.net/post/https://social.hackerspace.pl/users/q3k/statuses/116490976292953574Thu, 30 Apr 2026 01:07:14 GMT<![CDATA[Reply to Quickly dove into the copy.fail exploit. on Wed, 29 Apr 2026 23:49:54 GMT]]>@q3k ..if your distro hasn't built that in.

]]>https://board.circlewithadot.net/post/https://mastodon.org.uk/users/penguin42/statuses/116490672163338188https://board.circlewithadot.net/post/https://mastodon.org.uk/users/penguin42/statuses/116490672163338188Wed, 29 Apr 2026 23:49:54 GMT<![CDATA[Reply to Quickly dove into the copy.fail exploit. on Wed, 29 Apr 2026 23:49:16 GMT]]>@penguin42 Yeah, or just yeet the vulnerable module (`algif_aead`).

]]>https://board.circlewithadot.net/post/https://social.hackerspace.pl/users/q3k/statuses/116490669710966123https://board.circlewithadot.net/post/https://social.hackerspace.pl/users/q3k/statuses/116490669710966123Wed, 29 Apr 2026 23:49:16 GMT<![CDATA[Reply to Quickly dove into the copy.fail exploit. on Wed, 29 Apr 2026 23:48:28 GMT]]>@q3k So I guess you can disable it by a seccomp or bpf that blocks hmm, socket(2) with AF_ALG ?

]]>https://board.circlewithadot.net/post/https://mastodon.org.uk/users/penguin42/statuses/116490666535231062https://board.circlewithadot.net/post/https://mastodon.org.uk/users/penguin42/statuses/116490666535231062Wed, 29 Apr 2026 23:48:28 GMT<![CDATA[Reply to Quickly dove into the copy.fail exploit. on Wed, 29 Apr 2026 23:42:48 GMT]]>@q3k working around the broken execve is trivial enough like you said; https://social.treehouse.systems/@astraleureka/116490148181953204
it's pretty amusing seeing the trodden pagecache results persist afterwards

]]>https://board.circlewithadot.net/post/https://social.treehouse.systems/users/astraleureka/statuses/116490644270529061https://board.circlewithadot.net/post/https://social.treehouse.systems/users/astraleureka/statuses/116490644270529061Wed, 29 Apr 2026 23:42:48 GMT<![CDATA[Reply to Quickly dove into the copy.fail exploit. on Wed, 29 Apr 2026 23:33:53 GMT]]>@q3k
@implr
people have done that with dirtypipe before https://github.com/polygraphene/DirtyPipe-Android/blob/master/TECHNICAL-DETAILS.md

]]>https://board.circlewithadot.net/post/https://mstdn.io/users/wolf480pl/statuses/116490609189694927https://board.circlewithadot.net/post/https://mstdn.io/users/wolf480pl/statuses/116490609189694927Wed, 29 Apr 2026 23:33:53 GMT<![CDATA[Reply to Quickly dove into the copy.fail exploit. on Wed, 29 Apr 2026 23:17:54 GMT]]>@implr @wolf480pl You can just write to any running process' .text if you have access to the binary.

You should just be able to write a better implementation of close() into /lib/libc.so.6 - one that also drops you a +s, no questions asked su in /tmp before actually closing the file, and wait until a privileged process bites.

]]>https://board.circlewithadot.net/post/https://social.hackerspace.pl/users/q3k/statuses/116490546334231842https://board.circlewithadot.net/post/https://social.hackerspace.pl/users/q3k/statuses/116490546334231842Wed, 29 Apr 2026 23:17:54 GMT<![CDATA[Reply to Quickly dove into the copy.fail exploit. on Wed, 29 Apr 2026 23:04:18 GMT]]>@wolf480pl @q3k
If you managed to get the page swapped out first (with an oom condition or sth), then probably yes, but idk how the page cache interacts with .text mappings to be sure.
If that is possible, then there should be plenty of tasty targets in pid1 - systemd is a pretty thicc binary

]]>https://board.circlewithadot.net/post/https://social.hackerspace.pl/users/implr/statuses/116490492885955148https://board.circlewithadot.net/post/https://social.hackerspace.pl/users/implr/statuses/116490492885955148Wed, 29 Apr 2026 23:04:18 GMT<![CDATA[Reply to Quickly dove into the copy.fail exploit. on Wed, 29 Apr 2026 23:03:59 GMT]]>@wolf480pl Yes.

]]>https://board.circlewithadot.net/post/https://social.hackerspace.pl/users/q3k/statuses/116490491634960802https://board.circlewithadot.net/post/https://social.hackerspace.pl/users/q3k/statuses/116490491634960802Wed, 29 Apr 2026 23:03:59 GMT<![CDATA[Reply to Quickly dove into the copy.fail exploit. on Wed, 29 Apr 2026 22:44:07 GMT]]>@penguin42 Right, I'm just talking about the current exploit. I just managed to inject code into an arbitrary process by opening its file, too.

]]>https://board.circlewithadot.net/post/https://social.hackerspace.pl/users/q3k/statuses/116490413481802795https://board.circlewithadot.net/post/https://social.hackerspace.pl/users/q3k/statuses/116490413481802795Wed, 29 Apr 2026 22:44:07 GMT<![CDATA[Reply to Quickly dove into the copy.fail exploit. on Wed, 29 Apr 2026 22:43:06 GMT]]>@q3k I don't think you need any suid binary though; I mean, if you can modify an arbitrary file that you're allowed to open, you could change /etc/passwd or libc.

]]>https://board.circlewithadot.net/post/https://mastodon.org.uk/users/penguin42/statuses/116490409486752827https://board.circlewithadot.net/post/https://mastodon.org.uk/users/penguin42/statuses/116490409486752827Wed, 29 Apr 2026 22:43:06 GMT<![CDATA[Reply to Quickly dove into the copy.fail exploit. on Wed, 29 Apr 2026 22:32:19 GMT]]>@q3k Another route would be to patch a root password hash into /etc/passwd (yes, that still works though shadow passwords have been a thing for decades) and use any login mechanism with that password.

]]>https://board.circlewithadot.net/post/https://infosec.exchange/users/hillu/statuses/116490367079007253https://board.circlewithadot.net/post/https://infosec.exchange/users/hillu/statuses/116490367079007253Wed, 29 Apr 2026 22:32:19 GMT<![CDATA[Reply to Quickly dove into the copy.fail exploit. on Wed, 29 Apr 2026 22:27:48 GMT]]>Oh yeah the above will turn your /bin/ping into a setuid(0) su until you drop caches (maybe) or reboot. So, uh, keep that in mind.

]]>https://board.circlewithadot.net/post/https://social.hackerspace.pl/users/q3k/statuses/116490349317937955https://board.circlewithadot.net/post/https://social.hackerspace.pl/users/q3k/statuses/116490349317937955Wed, 29 Apr 2026 22:27:48 GMT<![CDATA[Reply to Quickly dove into the copy.fail exploit. on Wed, 29 Apr 2026 22:13:12 GMT]]>@q3k would this primitive also work for overwriting code of an already-running privileged process?

]]>https://board.circlewithadot.net/post/https://mstdn.io/users/wolf480pl/statuses/116490291952967124https://board.circlewithadot.net/post/https://mstdn.io/users/wolf480pl/statuses/116490291952967124Wed, 29 Apr 2026 22:13:12 GMT<![CDATA[Reply to Quickly dove into the copy.fail exploit. on Wed, 29 Apr 2026 22:09:26 GMT]]>@q3k ayy I was wondering about the Alpine suid situation, blacklisted the alg module to be sure, nice job

]]>https://board.circlewithadot.net/post/https://mastodon.social/users/shiz/statuses/116490277140504606https://board.circlewithadot.net/post/https://mastodon.social/users/shiz/statuses/116490277140504606Wed, 29 Apr 2026 22:09:26 GMT<![CDATA[Reply to Quickly dove into the copy.fail exploit. on Wed, 29 Apr 2026 22:05:45 GMT]]>5. The authors say they have other chains (including ones that allow container escapes). I believe them.
6. A mildly de-minified PoC for Alpine with a new payload ELF is at hackerspace[pl]/~q3k/alpine.py . You'll need /bin/ping from iputils. Tested on an ancient Alpine ISO from my cringe^Wdownloads directory.

]]>https://board.circlewithadot.net/post/https://social.hackerspace.pl/users/q3k/statuses/116490262660109178https://board.circlewithadot.net/post/https://social.hackerspace.pl/users/q3k/statuses/116490262660109178Wed, 29 Apr 2026 22:05:45 GMT