
Posted by unsnap_biceps 15 hours ago

Copy Fail(copy.fail)
894 points | 333 comments | page 5
Ekaros 14 hours ago|
So this could be usable in a lot of places with Python and Linux running? Not that I have too many Linux devices around. Still, might be handy sometimes on personal devices.
kro 14 hours ago||
This can likely be shipped as binary code without dependencies like python, as the bug is in the kernel.
ranger_danger 11 hours ago|||
C version here: https://gist.github.com/alufers/921cd6c4b606c5014d6cc61eefb0...
tgies 8 hours ago|||
[dead]
SteveNuts 14 hours ago||
There's nothing specific about this related to Python, that's just demonstrating how it works.

This is usable anywhere on an affected kernel version.

krunck 13 hours ago||
Wow. I tried it on an old testing VM of Ubuntu 24.04 that had not been touched for a few months. Instant root with the bonus that any user that runs "su" gets root too. I updated the VM thinking it would be fixed afterward. Nope.
akdev1l 12 hours ago|
You’d have to reinstall the su binary itself I guess
cyberpunk 12 hours ago||
It just changes the page cache for the su binary, a reboot will revert it.
majorchord 11 hours ago||
No need to reboot:

sync && echo 3 >/proc/sys/vm/drop_caches

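The two replies above say the demo only rewrites the page-cached copy of the binary, so a reboot or a drop_caches reverts it. A defender can turn that into a detection: read a file once through the page cache and once with O_DIRECT, which asks the filesystem to bypass the cache, and compare. The following is an added example, not code from the thread or from the published PoC; it assumes a filesystem that honours O_DIRECT (ext4 and XFS do, tmpfs and some overlay setups reject it with EINVAL, which the code reports as None rather than as a match).

```python
import errno
import mmap
import os
import tempfile

BLOCK = 4096  # O_DIRECT needs block-aligned buffers and lengths; a page is safely aligned


def read_buffered(path):
    """Normal read: served from the page cache, so it shows a poisoned copy."""
    with open(path, "rb") as f:
        return f.read()


def read_direct(path):
    """Read the file with O_DIRECT, bypassing the page cache.

    Returns the on-disk bytes, or None when the platform or filesystem
    does not support O_DIRECT (macOS has no O_DIRECT; tmpfs returns EINVAL).
    """
    flag = getattr(os, "O_DIRECT", None)
    if flag is None:
        return None
    try:
        fd = os.open(path, os.O_RDONLY | flag)
    except OSError as e:
        if e.errno in (errno.EINVAL, errno.ENOTSUP, errno.EOPNOTSUPP):
            return None
        raise
    try:
        size = os.fstat(fd).st_size
        nblocks = max(1, (size + BLOCK - 1) // BLOCK)
        # Anonymous mmap gives a page-aligned buffer whose length is a block multiple.
        buf = mmap.mmap(-1, nblocks * BLOCK)
        try:
            n = os.readv(fd, [buf])
        except OSError as e:
            if e.errno == errno.EINVAL:
                return None
            raise
        if n != size:  # short read: treat as "could not verify" rather than "tampered"
            return None
        return bytes(buf[:n])
    finally:
        os.close(fd)


def page_cache_matches_disk(path):
    """True if cached and on-disk contents agree, False if they differ,
    None if O_DIRECT is unavailable so no comparison could be made."""
    direct = read_direct(path)
    if direct is None:
        return None
    return direct == read_buffered(path)


def demo():
    """Constructed input: a scratch file whose cache and disk copies agree."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"#!/bin/sh\necho constructed sample file\n")
        path = tmp.name
    try:
        return page_cache_matches_disk(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print("cache matches disk:", demo())
```

Run it against the setuid binaries you care about (as root, since O_DIRECT still needs read access): a False means the page cache holds bytes that are not on disk, which is exactly the state the exploit leaves behind until the cache is dropped. A None is not a clean bill of health; it only means the filesystem refused O_DIRECT, so fall back to the drop_caches step above and rehash the file afterwards.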
kayson 10 hours ago||
s6-overlay is a popular container image base for many self hosted services, and it uses an suid binary for startup. I wonder if this could be used to escape the container?
chvish 12 hours ago||
Are kernel crypto modules even loaded by default on enterprise distros?
ranger_danger 12 hours ago|
Attempting to open an AF_ALG socket will load the module on-demand if necessary.
firesteelrain 10 hours ago||
RHEL is listing this as fix deferred for RHEL 8 and 9.
yrro 53 minutes ago|
They've bumped the severity and 8/9/10 are now 'affected'. Hope a patch comes soon!
nromiun 4 hours ago||
I tried this exploit on Android and it looks like you need root in the first place to create an AF_ALG socket. I guess it is an SELinux policy to disable AF_ALG entirely.
zdimension 11 hours ago||
Works on all my servers. This is terrifying.
DannyBee 9 hours ago||
I love how it says "Standalone PoC. Python 3.10+ stdlib only (os, socket, zlib). Targets /usr/bin/su by default; pass another setuid binary as argv[1]."

Except you can't pass another setuid binary as argv[1] because the AI writing this slop never added that feature to this python script.

I can't get it to work on any distro I've tried.

dist-epoch 13 hours ago||
> Will you release the full PoC?

> Yes — it's on this page. We held it for a month while distros prepared patches; the major builds are out as of this writing.

There is no update available for Ubuntu 24, PoC works and just tried updating.

jchw 10 hours ago|
I tried this on NixOS, but it doesn't seem to be easily reproducible. There's no /usr/bin/su - okay, fine: I changed it to /run/wrappers/bin/su, but that didn't work, and I think the reason why is because the NixOS suid wrappers have +x but not +r:

    $ ls -lah /run/wrappers/bin/su
    -r-s--x--x 1 root root 70K Apr 27 11:09 /run/wrappers/bin/su
Not that this makes the underlying mechanism of the exploit any better, but I wonder what else you can do with it. Is there a way to target a suid binary that doesn't have +r? I guess all of the suid binaries necessarily don't, since the wrapper system doesn't grant it and you can't have suid binaries in the /nix/store.

I know it's also unrelated, but this is the most aggressively obvious LLM slop copy I've ever seen and it is a page with like 30 sentences. I guess we're just seriously doing this, huh?

chuso 1 hour ago|
It's the same with Gentoo; setuid binaries are installed without read permission.

But modifying a setuid binary is just the demo exploit that was published with the vulnerability disclosure. The vulnerability actually allows modifying four bytes in any readable file. That means system configuration files, other binaries intended to be run by root, libraries... It's not limited to modifying setuid binaries.

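The NixOS and Gentoo comments above note that their setuid binaries lack the read bit, which is why the published demo fails there; chuso's reply is the important caveat: the bug rewrites any readable file, so stripping +r from setuid binaries narrows the easy target, not the vulnerability. As an added example (not code from the thread), here is a small inventory script a defender can run to list set-id files and flag which of them are world-readable, so the list of what the demo could have targeted is known while patches are pending. The directories and the sample tree in `demo()` are assumptions for illustration.

```python
import os
import stat
import tempfile

DEFAULT_ROOTS = ("/usr/bin", "/usr/sbin", "/bin", "/sbin")  # assumed typical locations


def is_setid(mode):
    """True for files carrying the setuid or setgid bit."""
    return bool(mode & (stat.S_ISUID | stat.S_ISGID))


def world_readable(mode):
    """True if 'other' may read the file (the bit the demo PoC relies on)."""
    return bool(mode & stat.S_IROTH)


def audit_setid_files(roots=DEFAULT_ROOTS):
    """Walk roots and return sorted (path, octal mode, world_readable) for set-id regular files.

    Uses lstat so symlinks are not followed; unreadable entries are skipped.
    """
    findings = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue
                if not stat.S_ISREG(st.st_mode) or not is_setid(st.st_mode):
                    continue
                perm = stat.S_IMODE(st.st_mode)
                findings.append((path, oct(perm), world_readable(perm)))
    return sorted(findings)


def demo():
    """Constructed sample tree: three files standing in for installed binaries."""
    d = tempfile.mkdtemp()
    samples = {
        "su-readable": 0o4755,   # setuid and world-readable: what the demo PoC targets
        "su-noread": 0o4711,     # setuid, execute-only like NixOS/Gentoo wrappers
        "plain-tool": 0o755,     # not set-id at all
    }
    for name, mode in samples.items():
        p = os.path.join(d, name)
        with open(p, "wb") as f:
            f.write(b"#!/bin/sh\n")
        os.chmod(p, mode)
    return [(os.path.basename(p), m, r) for p, m, r in audit_setid_files((d,))]


if __name__ == "__main__":
    for path, mode, readable in audit_setid_files():
        print(f"{mode} {'world-readable' if readable else 'no-read      '} {path}")
```

Run as a normal user it already shows the full set-id inventory, since directory listings and stat do not need read permission on the files themselves. Treat the output as an inventory to monitor (hash or compare against package metadata after the patch), not as a mitigation list: per the comment above, readable non-setuid files such as configuration, libraries, and root-run tools are equally in scope.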