13Cubed
Covers digital forensics, cybersecurity tools, and incident response techniques ([www.linkedin.com](https://www.linkedin.com/posts/danielmakelley_introducing-44-cybersecurity-youtube-channels-activity-7309901512430813184-Beok)).

Hunting Copy Fail: 732 Bytes to Root
The video explains copy‑fail, a nine‑year‑old Linux kernel logic bug that allows any unprivileged local user to obtain full root privileges. Publicly disclosed on April 29, 2016, the vulnerability exploits a flaw in the kernel’s cryptographic subsystem to overwrite four bytes of the in‑memory copy of /bin/su. The presenter runs a 732‑byte Python script that writes the bytes, instantly changing the hash of /bin/su in memory while leaving the on‑disk file untouched. After execution, ‘whoami’ returns root and the file’s hash reverts after a reboot, confirming the attack is purely in‑memory. Because the exploit does not touch disk files, traditional auth logs show nothing. The forensic trace appears in kern.log and the systemd journal as messages like “process SU launched bin sh with null argv empty string added” and a “net registered pf_alg protocol family” entry, which together signal a successful copy‑fail breach. Detecting this LPE requires monitoring kernel logs rather than authentication logs, and the issue is likely to persist in legacy and embedded Linux devices that receive few updates. Security teams must incorporate these kernel‑level indicators into their detection and incident‑response playbooks to mitigate long‑term risk.

The AI Conversation I've Been Avoiding
In this unscripted episode, the host opens a candid dialogue about the role of artificial intelligence in digital forensics, warning viewers about the anxieties that keep him up at night. He frames AI as a powerful assistant rather than a...

The Key to Switching Apps
The video examines the Windows registry key AppSwitched, located under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage. This key resides in each user’s NTUSER.DAT hive and records how often a user left‑clicks an application’s taskbar icon to bring it to the foreground. AppSwitched stores a simple DWORD counter...