https://github.com/0xdeadbeefnetwork/Copy_Fail2-Electric_Boogaloo

NOT ANOTHER ONE

second linux LPE of the day

@noisytoot lovely. is this the same as the one that was mentioned on oss-security but with different framing, or actually its own that just happens to affect the same things somewhat?

@9pfs another one, in a different module. disable xfrm_user and xfrm_algo modules in addition to mitigate this one

@noisytoot ugh...

@9pfs @noisytoot AGAIN?

@otter @noisytoot yes (both of today's confirmed in a debian 13 VM)

@9pfs @noisytoot first one confirmed for me on my arch system, second one didn't work

@otter @noisytoot you might already have a patch for this one, I think

@9pfs @otter the fix seems to only have been merged into mainline linux today and isn't in any release yet

@9pfs @noisytoot i did the mitigation of dirtyfrag and that might have also mitigated this one

@otter @9pfs did it completely fail to modify /etc/passwd or could you just not su - sick? the PoC seems to rely on you having nullok in your PAM configuration so an empty password is accepted, but if you just make it add a password as well it works without that.

also, at least on guix, resetting /etc/passwd (by –clean or clearing the page cache) does not seem to be enough to undo the exploit:

ron@t440p ~/P/Copy_Fail2-Electric_Boogaloo (main)> grep sick /etc/passwd
ron@t440p ~/P/Copy_Fail2-Electric_Boogaloo (main) [1]> getent passwd sick
sick:$1$SFhg3s7A$KAk5fEi/EmjSRL1Eb/NvO1:0:0:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:/:/bin/sh
ron@t440p ~/P/Copy_Fail2-Electric_Boogaloo (main)> su - sick
Password: 
sick@t440p /# 

where the hell is it reading from if not /etc/passwd?

@otter @9pfs and it does still work for me with the dirtyfrag mitigation, so it can’t be that (edit: my mitigation didn’t work)

(and touch /etc/passwd seems to make the sick user go away after reverting the changes to /etc/passwd. I guess nss must be caching it somewhere (but where?))

@noisytoot …weirdly similar to dirtyfrag though

@9pfs @otter … never mind, my dirtyfrag mitigation wasn’t actually working (I added it to /usr/local/lib/modprobe.d which was enough to make manually modprobing the modules fail, but they still got autoloaded)

now I bind-mounted /dev/null over the module files to ensure that nothing can load them and copyfail2 indeed does not work

@_r I think this actually might just be the same ESP exploit and the reason they broke the embargo. I initially thought it was something else but the dirtyfrag mitigation prevents this too (I thought it didn't because my mitigation didn't actually work)

@noisytoot that’s what I assume too, yeah. too many overlaps to not be at least related. there’s some differences too though… but I’ll wait for the actual security researchers to comment before saying much.