milliways-infosec/Copy_Fail2-Electric_Boogaloo
5
0
Fork 0
mirror of https://github.com/0xdeadbeefnetwork/Copy_Fail2-Electric_Boogaloo.git synced 2026-05-16 10:50:09 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Copy Fail 2: Electric Boogaloo

Browse source
This commit is contained in:
0xdeadbeefnetwork 2026-05-07 14:09:03 -04:00
commit b7336f670b
4 changed files with 512 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

53
README.md Normal file
View file

@ -0,0 +1,53 @@
# Copy Fail 2: Electric Boogaloo
Unprivileged Linux LPE via xfrm ESP-in-UDP MSG_SPLICE_PAGES no-COW fast
path. Page-cache write into any readable file. Overwrites a nologin
line in `/etc/passwd` with `sick::0:0:...:/:/bin/bash` and `su`s into
it. Same class as Copy Fail (CVE-2026-31431), different subsystem.
Bug: https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=f4c50a4034e62ab75f1d5cdd191dd5f9c77fdff4
## Build
sudo apt install -y libssl-dev gcc
gcc -O2 -Wall copyfail2.c -o copyfail2 -lcrypto
gcc -O2 -Wall aa-rootns.c -o aa-rootns
## Run
./run.sh # install + drop into root shell
./run.sh --clean # revert /etc/passwd via the same primitive
Adds passwordless uid-0 user `sick` to `/etc/passwd`, then `exec su - sick`.
PAM `nullok` accepts the empty password silently — no input needed. The
`sick` line stays in `/etc/passwd` — re-run drops straight back into root.
State for `--clean` is stashed at `/var/tmp/.cf2.state`.
No sudo. esp4 / xfrm_user / xfrm_algo autoload via the userns netlink
path.
## Tested
| distro | kernel | result |
|--------------------|----------------------|------------------|
| Ubuntu 22.04 LTS | 5.15.0-176-generic | not vulnerable* |
| Ubuntu 24.04 LTS | 6.8.0-110-generic | root |
| Debian 13 | 6.12.74 | root |
| Arch | 6.19.11-arch1-1 | root |
| Fedora 43 | 6.19.14-200.fc43 | root |
| Ubuntu 26.04 LTS | 7.0.0-15-generic | root |
*MSG_SPLICE_PAGES UDP support was added in 6.5, so 5.15 is below the
bug's reach.
## Credits
Hyunwoo Kim (imv4bel) and Kuan-Ting Chen (h3xrabbit): reported, tested,
authored the upstream fix.
Steffen Klassert: IPsec maintainer, posted the fix to netdev/net.git.
Brad Spengler (@spendergrsec / grsecurity): called it copyfail-class
before anyone else read the commit.
Theori / Xint: original Copy Fail (CVE-2026-31431).