Hacker News new | ask | show | jobs
by mustardo 45 days ago
I thought copy.fail is a privelage escalation exploit, become root from a regular user? Am I missing something?

How would "node architecture" make people vulnerable to this?

You have to have shell access to a victim first right? Or am I missing something?
1 comments
bjackman 45 days ago
Yeah you need native code execution, and if you have AF_ALG access there is clearly no sandboxing in place. At that point it's game over on Linux, there are too many bugs. Even if you fix all the known ones in the current kernel, by the time the version with those fixes is qualified and released (not to mention, the machine must reboot), new LPEs have been discovered.
link
eggprices 45 days ago
To convince me Linux is full of kernel LPE bugs, can you share some of the bugs?
link
bjackman 44 days ago
Look at kCTF results.

Look at the CVE database. Most of those UAFs are LPE. Many of the OOBs and many of the race conditions too. These are fixed in Linus' master but you are running an old kernel.

Then look at the KASAN reports on the syzkaller dashboard. Many of them are LPE. Many of the WARNs and crashes are revealing and underlying bugs that is also an LPE. Most of these never get fixed.

Then try pointing your LLM at the codebase and saying "find an LPE". It will find as many as you want (you will exhaust your tokens long before it stops finding bugs). 99.99% of them will be bogus so you need a way to evaluate them at scale, currently this is the weakest approach but we'll get better at it.

I can't actually point you to a list of confirmed LPEs coz the only way they get confirmed is when someone exploits them, but there aren't enough exploit authors to do this for all of them. If inference gets really cheap and someone builds a really good agent harness we might start to see it get automated at some point.

link
ece 45 days ago
https://gtfobins.org
link