Hunting Copy Fail: 732 Bytes to Root

13Cubed
May 1, 2026

Why It Matters

Copy‑fail provides a stealthy, in‑memory root escalation that evades standard logs, forcing defenders to watch kernel messages and protect long‑lived Linux appliances.

Key Takeaways

  • Copy‑fail is a 9‑year‑old Linux kernel LPE bug disclosed April 29, 2016.
  • Exploit writes four bytes to in‑memory /bin/su, granting root without disk changes.
  • Successful exploitation logs appear in kern.log and systemd journal, not auth.log.
  • Look for kernel messages of the form “process 'su' launched '/bin/sh' with NULL argv: empty string added” and “NET: Registered PF_ALG protocol family”.
  • Embedded Linux devices may remain vulnerable for years, demanding long‑term monitoring.

Summary

The video explains copy‑fail, a nine‑year‑old Linux kernel logic bug that allows any unprivileged local user to obtain full root privileges. Publicly disclosed on April 29, 2016, the vulnerability exploits a flaw in the kernel’s cryptographic subsystem to overwrite four bytes of the in‑memory copy of /bin/su.

The presenter runs a 732‑byte Python script that writes the bytes, instantly changing the hash of /bin/su in memory while leaving the on‑disk file untouched. After execution, ‘whoami’ returns root and the file’s hash reverts after a reboot, confirming the attack is purely in‑memory.

Because the exploit does not touch files on disk, traditional auth logs show nothing. The forensic trace appears in kern.log and the systemd journal as kernel messages like “process 'su' launched '/bin/sh' with NULL argv: empty string added” and a “NET: Registered PF_ALG protocol family” entry (PF_ALG is the socket family of the kernel crypto API's userspace interface), which together signal a successful copy‑fail breach.

Detecting this LPE requires monitoring kernel logs rather than authentication logs, and the issue is likely to persist in legacy and embedded Linux devices that receive few updates. Security teams must incorporate these kernel‑level indicators into their detection and incident‑response playbooks to mitigate long‑term risk.
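To make the detection concrete, here is an added example (not code from the video or from 13Cubed) that scans syslog-style kernel lines for the two indicators above and raises the severity when a PF_ALG registration precedes a NULL-argv launch of su within a short window. The log lines, the host name and the year (syslog timestamps omit it) are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample kern.log lines (not from the video); the two kernel message
# texts are the ones the summary points to, the third line is benign noise.
SAMPLE_LOG = """\
May  1 10:14:02 host kernel: NET: Registered PF_ALG protocol family
May  1 10:14:03 host kernel: process 'su' launched '/bin/sh' with NULL argv: empty string added
May  1 11:30:11 host kernel: usb 1-1: new high-speed USB device number 3 using xhci_hcd
May  2 09:00:00 host kernel: process 'su' launched '/bin/sh' with NULL argv: empty string added
"""

LINE_RE = re.compile(r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ kernel: (?P<msg>.*)$")
PF_ALG_RE = re.compile(r"Registered PF_ALG protocol family")
NULL_ARGV_RE = re.compile(r"process '(?P<proc>[^']+)' launched '(?P<target>[^']+)' with NULL argv")
SETUID_TARGETS = {"su"}  # the binary patched in the demo; extend with other setuid helpers you care about


def parse_kernel_lines(text, year=2026):
    """Return [(timestamp, message)] for syslog-style kernel lines; the year is assumed."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a kernel line in the expected layout
        ts = datetime.strptime(f"{year} {m['mon']} {int(m['day']):02d} {m['time']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["msg"]))
    return events


def find_copy_fail_indicators(text, window=timedelta(minutes=10), year=2026):
    """A NULL-argv exec by a setuid target is 'medium' on its own; if a PF_ALG
    registration was logged within `window` before it, it is the paired pattern
    the video describes and is rated 'high'."""
    alerts, last_pf_alg = [], None
    for ts, msg in parse_kernel_lines(text, year):
        if PF_ALG_RE.search(msg):
            last_pf_alg = ts
            continue
        m = NULL_ARGV_RE.search(msg)
        if m and m["proc"] in SETUID_TARGETS:
            paired = last_pf_alg is not None and ts - last_pf_alg <= window
            alerts.append({"time": ts.isoformat(), "process": m["proc"],
                           "launched": m["target"], "severity": "high" if paired else "medium"})
    return alerts


if __name__ == "__main__":
    for alert in find_copy_fail_indicators(SAMPLE_LOG):
        print(alert)
```

Both kernel messages are emitted only once per boot (the NULL-argv warning is a print-once message and PF_ALG registers when the crypto socket family first loads), so their absence later in the log does not clear a host, and a legitimate AF_ALG user will also produce the PF_ALG line.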

Original Description

In this episode, we'll look at how Copy Fail (CVE-2026-31431) works and highlight key forensic detection opportunities.
** If you enjoy this video, please consider supporting 13Cubed on Patreon at patreon.com/13cubed. **
📖 Chapters
00:00 - Intro
01:19 - Demo
🛠 Resources
CVE-2026-31431 (Copy Fail) Forensics:
#Forensics #DigitalForensics #DFIR #ComputerForensics #CopyFail
