Fixing Up CopyFail on Alpine
A local privilege escalation vulnerability in Linux kernels since version 4.14 affects systems built with the CONFIG_CRYPTO_USER_API option enabled. The public proof of concept for the bug, known as copyfail, was initially ineffective on Alpine Linux because the base system ships no world-readable setuid binaries. The proof of concept was adapted to work on Alpine by targeting setuid binaries from installed packages and correcting the ELF payload so that it invokes /bin/su with the argv[0] that BusyBox expects.
- The copyfail vulnerability affects Linux kernels dating back to version 4.14 when CONFIG_CRYPTO_USER_API is enabled.
- Alpine Linux was initially resistant to the exploit because it does not include world-readable setuid binaries by default.
- The exploit was modified to target binaries like /bin/ping and /usr/bin/chsh, with a corrected ELF payload that properly sets argv[0] for BusyBox compatibility.
- The patched exploit successfully spawns a root shell on vulnerable Alpine systems.
- Clobbered pagecache entries persist until manually flushed or evicted from memory.
Opening excerpt (first ~120 words):
fixing up copyfail on Alpine

today, a rather nasty local privilege escalation bug affecting Linux since 4.14 (commit 72548b093ee3) dropped. the bug affects essentially all mainstream distro kernels with the CONFIG_CRYPTO_USER_API Kconfig flag enabled. A detailed explanation of the exploit process is available here.

one thing I did notice is that the provided proof of concept did NOT work on Alpine Linux machines, as the base system doesn't ship with any world-readable setuid binaries. I modified the code to target a binary belonging to an installed package (/bin/ping in iputils-ping, /usr/bin/chsh in shadow also worked) and found that instead of a root shell, I was greeted with:

: applet not found

The tiny ELF blob bundled with the exploit doesn't invoke execve with the correct arguments.
…
The full article is at Hacker News: Newest.
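The two preconditions the post names, a kernel built with CONFIG_CRYPTO_USER_API and a world-readable setuid binary for the exploit to target, are both things a defender can audit on a host. The POSIX shell script below is an added example written for this page, not code from the write-up's author; it checks the running kernel's config (from /boot/config-$(uname -r) or /proc/config.gz), lists setuid binaries that are also world-readable, and reports whether /bin/su and /bin/ping are BusyBox applet symlinks, the detail behind the "applet not found" message (BusyBox dispatches on argv[0]). The `--audit` flag and the function names are this script's own conventions.

```shell
#!/bin/sh
# Added example (not from the original write-up): audit a host for the
# copyfail preconditions described in the post.

# Print setuid files under DIR that are also world-readable (mode bits 4004).
# Alpine's base image has none, which is why the unmodified PoC failed there.
list_readable_setuid() {
    find "$1" -xdev -type f -perm -4004 2>/dev/null
}

# Read a kernel config on stdin; exit 0 if CONFIG_CRYPTO_USER_API is y or m.
config_enables_crypto_user_api() {
    grep -q '^CONFIG_CRYPTO_USER_API=[ym]$'
}

# Emit the running kernel's config on stdout; exit 1 if none is readable.
kernel_config_stream() {
    cfg="/boot/config-$(uname -r)"
    if [ -r "$cfg" ]; then
        cat "$cfg"
    elif [ -r /proc/config.gz ]; then
        gzip -dc /proc/config.gz
    else
        return 1
    fi
}

# Exit 0 if PATH resolves to a BusyBox applet symlink. BusyBox picks the
# applet from argv[0], so a caller that leaves argv[0] empty or wrong gets
# ": applet not found" instead of the applet it meant to run.
is_busybox_applet() {
    case "$(readlink -f "$1" 2>/dev/null)" in
        */busybox) return 0 ;;
        *) return 1 ;;
    esac
}

audit_system() {
    echo "kernel: $(uname -r) (the post says copyfail affects 4.14 and later)"
    if ! cfg=$(kernel_config_stream); then
        echo "CONFIG_CRYPTO_USER_API: unknown (no kernel config readable)"
    elif printf '%s\n' "$cfg" | config_enables_crypto_user_api; then
        echo "CONFIG_CRYPTO_USER_API: enabled (y or m)"
    else
        echo "CONFIG_CRYPTO_USER_API: disabled"
    fi
    echo "world-readable setuid binaries under /:"
    list_readable_setuid / | sed 's/^/  /'
    for p in /bin/su /bin/ping; do
        if is_busybox_applet "$p"; then
            echo "$p is a BusyBox applet symlink"
        fi
    done
}

# Run the audit only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--audit" ]; then
    audit_system
fi
```

Run it as `sh audit.sh --audit`. A host that reports CONFIG_CRYPTO_USER_API enabled and at least one world-readable setuid binary meets both conditions the post describes; a kernel config with the option disabled, or a system with no world-readable setuid binaries, fails the respective precondition. The setuid listing uses `-xdev` so that bind-mounted or network filesystems are not descended into.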