
Posted by unsnap_biceps 13 hours ago

Copy Fail (copy.fail)
846 points | 320 comments | page 4
w2seraph 13 hours ago|
holy smokes it just rooted my just installed from ISO Ubuntu server
mikeweiss 7 hours ago||
Anyone have any idea when Bottlerocket will acknowledge the CVE? Seems like a critical for Kubernetes nodes...

https://github.com/bottlerocket-os/bottlerocket/security/adv...

WhyNotHugo 7 hours ago||
> Any setuid-root binary readable by the user works.

Interesting detail. On Alpine, `/usr/bin/su` is not readable by any user, so the PoC doesn't work.

I suspect that the underlying issue can be exploited in other ways, but it makes me think that there's no reason for any suid binary to be world-readable.

ranger_danger 2 hours ago|
Wouldn't executing it still put it in the page cache, just in a different place?
porridgeraisin 13 hours ago||
Better explanation of the write-up (still from the original exploit author): https://xint.io/blog/copy-fail-linux-distributions
erans 11 hours ago||
For agents, if you are concerned about that, block access to "su" as it is interactive anyway. Not loading it into the memory will block the attack. If you are using AgentSH (https://www.agentsh.org) you can add a rule to block "su" and soon be able to block AF_ALG sockets if you want to further protect things.
tardedmeme 9 hours ago|
This vulnerability can affect any file you can read. The PoC uses "su" but any setuid binary or any binary that root invokes or is already running as root is vulnerable, as well as many configuration files.
deep2secure 11 hours ago||
I checked it. Very nice efforts made to create it
chasil 13 hours ago||
On the downside, I need to push new kernels to all my servers.

On the bright side, does this mean Magisk is coming to all unpatched Android phones?

akdev1l 11 hours ago|
No, Android doesn’t have suid binaries to exploit like in the PoC
tardedmeme 9 hours ago||
The vulnerability can also be used on any binary that is already running as root and you can open for reading. So yes, any Android app can now escalate to root if Android has the vulnerable module.
userbinator 7 hours ago||
Unfortunately another comment thread here says that it doesn't.
aniou 11 hours ago||
Looks like an LLM hallucination - there is no such thing as "RHEL 14.3", although the referenced kernel signature (6.12.0-124.45.1.el10_1) contains a reference to a real RHEL release, i.e. 10.1.
Ekaros 13 hours ago||
So this could be usable in a lot of places with Python and Linux running? Not that I have too many Linux devices around. Still, might be handy sometimes on personal devices.
kro 13 hours ago||
This can likely be shipped as binary code without dependencies like python, as the bug is in the kernel.
ranger_danger 10 hours ago|||
C version here: https://gist.github.com/alufers/921cd6c4b606c5014d6cc61eefb0...
tgies 7 hours ago|||
[dead]
SteveNuts 12 hours ago||
There's nothing specific about this related to Python, that's just demonstrating how it works.

This is usable anywhere on an affected kernel version.

nromiun 2 hours ago|
I tried this exploit on Android and it looks like you need root in the first place to create an AF_ALG socket. I guess it is an SELinux policy to disable AF_ALG entirely.
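
Added example (not part of any comment in this thread and not the exploit author's code): a Python audit of the two preconditions raised above, namely world-readable setuid-root binaries (WhyNotHugo's comment) and whether the current process may create an AF_ALG socket (nromiun's comment). The function names and the search roots are assumptions made for this example, and per the other comments a clean result here does not cover every file the bug could reach.

```python
import os
import socket
import stat


def is_readable_setuid(mode, uid, owner_uid=0):
    """True for a regular file that is setuid, owned by owner_uid and world-readable."""
    return (stat.S_ISREG(mode)
            and bool(mode & stat.S_ISUID)
            and uid == owner_uid
            and bool(mode & stat.S_IROTH))


def find_readable_setuid(roots, owner_uid=0):
    """Walk roots (symlinked roots resolved once) and return matching paths, sorted."""
    hits = []
    for root in sorted({os.path.realpath(r) for r in roots}):
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)  # lstat: never follow a symlink to a target
                except OSError:
                    continue  # entry vanished or is not accessible
                if is_readable_setuid(st.st_mode, st.st_uid, owner_uid):
                    hits.append(path)
    return hits


def af_alg_status():
    """Report whether this process may create an AF_ALG socket (no algorithm is bound)."""
    family = getattr(socket, "AF_ALG", None)
    if family is None:
        return "unsupported"   # this Python build has no AF_ALG constant
    try:
        socket.socket(family, socket.SOCK_SEQPACKET, 0).close()
    except PermissionError:
        return "denied"        # EACCES/EPERM, e.g. an SELinux or seccomp policy
    except OSError:
        return "unavailable"   # e.g. the kernel does not provide the address family
    return "allowed"


if __name__ == "__main__":
    # Assumed search roots; adjust for the distribution being audited.
    roots = ["/bin", "/sbin", "/usr/bin", "/usr/sbin", "/usr/libexec"]
    print("AF_ALG socket creation:", af_alg_status())
    for path in find_readable_setuid(roots):
        print("world-readable setuid-root:", path)
```

Run it as the unprivileged account you are concerned about, since the AF_ALG result depends on the policy applied to the calling process.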