[PLUG] exploit in the wild
Ted Mittelstaedt
tedm at portlandia-it.com
Fri May 1 15:12:16 UTC 2026
That may work for now however according to:
https://xint.io/blog/copy-fail-linux-distributions
"...The scan also identified other high severity vulnerabilities, including another privilege escalation bug. These other bugs are still in the responsible disclosure process."
And we know now that from xinit's POV responsible disclosure means insert a patch then wait 30 days and publish a zero day.
So this isn't going to be the only one of these rodeos. It's just the first.
Ted
-----Original Message-----
From: PLUG <plug-bounces at lists.pdxlinux.org> On Behalf Of King Beowulf
Sent: Friday, May 1, 2026 7:46 AM
To: plug at lists.pdxlinux.org
Subject: Re: [PLUG] exploit in the wild
On 4/30/26 17:11, Ted Mittelstaedt wrote:
> I can confirm that the latest apt-get update to Ubuntu 24.04 as of a few minutes ago is disabling the aead module.
>
> For an un-updated system, running python3 copy_fail_exp.py gets you a root shell. For an updated system it gets an error. For Ubuntu 26.04 it merely asks for the root password.
>
> Ted
>
>
or run
find / * -perm -4004 -type f -exec ls -ld {} \; > setuid.txt
and remove 'r' flag from user, user group, and other group.
On Slackware, most setuid root utilities are not user readable.
# ls -l /usr/bin/sudo
-rws--x--x 1 root root 289800 Jul 26 2025 /usr/bin/sudo* # ls -l /bin/su -rws--x--x 1 root root 59552 Feb 13 2021 /bin/su*
There are a few that are unfortunately.
This will mitigate the exploit until patched.
-Ed
More information about the PLUG
mailing list