The PoC exploit code in python (3.10+) fits comfortably in 1k bytes. An unminified version that works for even older versions of python is just a hair under a 1500 byte packet payload, modulo headers for your preferred method of delivery. I can only guess how much it could be shrunk down to only the shellcode.
Now, y'all tell me, since I'm not a web guy. How hard is it going to be to tweak this lovely little pathogen into some kind of browser exploit? It just needs to be combined with a sandbox escape to work on current versions, right? Difficult but quite worth investing the time and effort to develop if that's your line of business. If that happens, every at-risk Tails user is going to have to stay offline for a while, unless they want to play the drone lottery.
Or how about chaining it with any of the as-yet unpatched bugs in gawd-only-knows how many web services out there that have poor input sanitization code? That bug now graduates from a DoS crash causer to a root grab. Good luck stopping it with your fancy AI Behavioral Analysis security tools. They better be fast. The sploit is going to do its work in two packets, maybe three. Fun times.
Lucky for us systems monkeys, it's not like anybody is spending billions of dollars to develop vuln finding AI tools right at this very second. So there shouldn't be many unpatched web services holes.
Oh, wait.
Of course, as the grey hats can already tell you, the really delicious part of this thing is how it's going to become the LPE tool of first resort for any APT that's already inside ur base killin ur doodz.
Nothingburger? This nothingburger is going to root a million OS instances before we know what hit us.
You're freaking out about the exploit being written in Python and occupying only a small number of bytes. Are you the LLM that wrote Xint's terrible landing page? If so, I have questions.
Oh come on, you know what I'm saying. It's small when written in python, which means any skid can spew it into a server he's got a shell on and get root in 2 seconds. He doesn't need to hope there's already a compiler installed, nor does he need to download some big tool. Just:
cat | python3 && su
<puke>, Ctrl-D
And I'm sure it can be refined into something much more likable to the spooky types, if they haven't already done it.
This is such a 1996 argument. It really was a big deal back then whether you had compilers on your multiuser SunOS boxes, because attackers would then use them to compile exploit.c.
The whole thread, really bringing me back to comp.security.unix. I'm not complaining! I miss comp.security.unix.
How many people do you let have local code execution on your systems? This is a local privilege escalation. They are relatively common. They are a big deal if you run a system that lets multiple untrusted users commingle code on a shared operating system.
Unless your systems have no network devices, this vuln provides a tasty reward for being able to get any kind of RCE into your box. Most of the systems I care about are not air-gapped. I don't imagine many others are either.
It's an LPE that goes back years. It affects at least 3 generations of Debian servers, and >5 years of some rolling distros. And instead of the kernel team telling the distro security guys ahead of time so they could do their jobs and keep us users from getting screwed, they got no warning and woke up to baddies in a feeding frenzy.
Also, LPEs are how minor holes turn into rootkitted servers. But I expect most people here already know that.
In a story that includes an RCE, you basically just assume LPE. The LPE isn’t a reward, it’s just table stakes. It’s the RCE that would be noteworthy.
Your assessment of the impact of this vulnerability is just wrong, and your level of panic about a “feeding frenzy” affecting anybody outside of hosted services where multiple users share a kernel is also wrong.