q3k@social.hackerspace.pl
@q3k@social.hackerspace.pl

Posts: 17 | Topics: 3 | Shares: 0 | Groups: 0 | Followers: 0 | Following: 0

Posts

  • Quickly dove into the copy.fail exploit.
    q3k@social.hackerspace.pl

    @kasperd @penguin42 While I am a security consultant I am not _your_ security consultant, so the best I can offer you is an enthusiastic 'yeah, I guess so!'.

  • Quickly dove into the copy.fail exploit.
    q3k@social.hackerspace.pl

    @penguin42 Yeah, or just yeet the vulnerable module (`algif_aead`).

  • Quickly dove into the copy.fail exploit.
    q3k@social.hackerspace.pl

    @implr @wolf480pl You can just write to any running process' .text if you have access to the binary.

    You should just be able to write a better implementation of close() into /lib/libc.so.6 - one that also drops you a +s, no-questions-asked su in /tmp before actually closing the file, and wait until a privileged process bites.

  • Quickly dove into the copy.fail exploit.
    q3k@social.hackerspace.pl

    @wolf480pl Yes.

  • Quickly dove into the copy.fail exploit.
    q3k@social.hackerspace.pl

    @penguin42 Right, I'm just talking about the current exploit. I just managed to inject code into an arbitrary process by opening its file, too.

  • Quickly dove into the copy.fail exploit.
    q3k@social.hackerspace.pl

    Oh yeah, the above will turn your /bin/ping into a setuid(0) su until you drop caches (maybe) or reboot. So, uh, keep that in mind.

  • Quickly dove into the copy.fail exploit.
    q3k@social.hackerspace.pl

    5. The authors say they have other chains (including ones that allow container escapes). I believe them.
    6. A mildly de-minified PoC for Alpine with a new payload ELF is at hackerspace[pl]/~q3k/alpine.py . You'll need /bin/ping from iputils. Tested on an ancient Alpine ISO from my cringe^Wdownloads directory.

  • Quickly dove into the copy.fail exploit.
    q3k@social.hackerspace.pl

    Quickly dove into the copy.fail exploit.

    1. Yes, it's real.
    2. Current chain can write any arbitrary content to any user-readable file (into the page cache).
    3. Current chain relies on an available target suid binary that you can open() as a lowpriv user.
    4. Current exploit relies on that binary being /bin/su and then being able to execve(/bin/sh, 0, 0) (which doesn't work on Alpine, etc.). The former is easily replaced in the code. The latter needs a rebuilt payload ELF (also easy).

  • what's the career path for someone who went into tech because it was a thing they've always enjoyed and now it paid the bills too - but now they don't enjoy it anymore?
    q3k@social.hackerspace.pl

    what's the career path for someone who went into tech because it was a thing they've always enjoyed and now it paid the bills too - but now they don't enjoy it anymore? is it still to open a bar to serve a clientele of other burned-out tech workers?

    asking for a friend

  • it's midnight and the brainworms have just woken up
    q3k@social.hackerspace.pl

    @agturcz wasn't me

  • it's midnight and the brainworms have just woken up
    q3k@social.hackerspace.pl

    it's midnight and the brainworms have just woken up

  • What are the go-to places for used test and measurement equipment in western Europe?
    q3k@social.hackerspace.pl

    @azonenberg @gsuberland @fafo @wamserma (and maybe consider a higher-end new Rigol instead)

  • What are the go-to places for used test and measurement equipment in western Europe?
    q3k@social.hackerspace.pl

    @azonenberg @gsuberland @fafo @wamserma Good luck.

  • What are the go-to places for used test and measurement equipment in western Europe?
    q3k@social.hackerspace.pl

    @azonenberg @gsuberland @fafo @wamserma Unfortunately that's not what the used test equipment market looks like here. The usual you'll get is stuff like https://www.ebay.de/itm/296061617249 . That's the only WaveRunner 8/9k series on sale right now as far as I can tell. And it actually seems like a really good price.

  • What are the go-to places for used test and measurement equipment in western Europe?
    q3k@social.hackerspace.pl

    @azonenberg @fafo @wamserma I wouldn't expect to find this on the second-hand market yet, at least not in the open. It might be easier to assume that you're going to buy new and just get a quote from whoever is the local Teledyne reseller.

  • What are the go-to places for used test and measurement equipment in western Europe?
    q3k@social.hackerspace.pl

    (also this is for actually good deals when you have zero budget and infinite time; if you have actual budget and need some warranty and stuff in stock then you're better off going to more specialized suppliers, which are the ones usually buying off these industrial auctions and then marking that shit up 3x or more)

    @fafo @wamserma @azonenberg

  • What are the go-to places for used test and measurement equipment in western Europe?
    q3k@social.hackerspace.pl

    More concretely:

    Classifieds sites: kleinanzeigen in DE, ricardo in CH, leboncoin in FR, etc.

    Industrial auctions: restlos, haemmerle, surplex, apex-auctions.

    Also many junk peddlers on eBay will accept pretty serious lowball offers - always worth a shot.

    If anyone knows anything better I'm all ears... But also keep in mind we're more in the market for general lab equipment, not just test/measurement equipment.

    @fafo @wamserma @azonenberg