

Groups > comp.os.linux.misc > #86044

Re: copy.fail

From Richard Kettlewell <invalid@invalid.invalid>
Newsgroups comp.os.linux.misc
Subject Re: copy.fail
Date 2026-04-30 22:41 +0100
Organization terraraq NNTP server
Message-ID <wwv340c15ym.fsf@LkoBDZeT.terraraq.uk>
References <eli$2604300130@qaz.wtf> <87lde4tqpy.fsf@atr2.ath.cx>



jayjwa <jayjwa@atr2.ath.cx.invalid> writes:
> I haven't been able to find a *clear* list of kernels that aren't
> affected but it doesn't work on Slackware w/6.18.23. /bin/su needs to be
> readable, but it's 4711 by default. Neither the C version nor the Python
> version worked here. Some say 6.18 is already patched, but, again, no
> clear list as of this writing.

Any setuid executable will do, not just su.

I suspect that it’s worse than that and that a shared library used by a
setuid executable would be sufficient. Instead of modifying something in
the setuid executable, the exploit could modify a library function it
calls instead.

I further suspect it’s even worse than that, and that you don’t need
_any_ setuid (or setgid) executables: modify a code page belonging to an
executable that is already running (or a shared library that it uses, as
above) and wait for it to execute the modified code (or encourage it to
do so - e.g. if the victim process is a web server, send it an http
request).

As for the idea in another post that this class of attack can be
mitigated with file permissions, shared libraries cannot have read
permission removed, because the runtime linker has to be able to open
them (in both privileged and unprivileged processes):

    $ ldd /bin/ls
            linux-vdso.so.1 (0x00007f08fe3b6000)
            libselinux.so.1 => /lib/x86_64-linux-gnu/libselinux.so.1 (0x00007f08fe343000)
            libcap.so.2 => /lib/x86_64-linux-gnu/libcap.so.2 (0x00007f08fe337000)
            libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f08fe143000)
            libpcre2-8.so.0 => /lib/x86_64-linux-gnu/libpcre2-8.so.0 (0x00007f08fe094000)
            /lib64/ld-linux-x86-64.so.2 (0x00007f08fe3b8000)
    $ sudo chmod 711 /lib/x86_64-linux-gnu/libpcre2-8.so.0.14.0
    $ ls
    ls: error while loading shared libraries: libpcre2-8.so.0: cannot open shared object file: No such file or directory

Other variants can be guessed at, e.g. modify the cached contents of a
non-executable file that is interpreted by some privileged process, to
set a trusted password or public key to a known value, or to trigger a
bug in a deserializer as part of a chain of exploits.

-- 
https://www.greenend.org.uk/rjk/
