Vulnerability in the Linux pidfd subsystem that allows reading files inaccessible to the user

A fifth serious vulnerability in the past two weeks has been found in the Linux kernel, allowing a user to escalate their privileges on the system. Two working exploits have been published: sshkeysign_pwn allows an unprivileged user to read the contents of the private SSH host keys /etc/ssh/ssh_host_*_key, and chage_pwn allows an unprivileged user to read the contents of the /etc/shadow file, which holds user password hashes.

The vulnerability was not planned to be disclosed, but a security researcher was able to identify it from the proposed kernel patch. It allows reading files that are accessible only to the root user, such as /etc/shadow. The kernel change altered the logic for using the get_dumpable() function in ptrace when the access level is determined in the ptrace_may_access() function.

The vulnerability is caused by a race condition that allows unprivileged access to a pidfd file descriptor after a file has been accessed from a suid root process. Between opening the file and resetting privileges in the suid program (for example, with the setreuid call), a situation arises in which the application that launched the suid root program can reach the file opened by the suid program through the pidfd descriptor, even though the file permissions do not allow it.

The exploitable window arises because the "__ptrace_may_access()" function skips the file access check if the task->mm field has been set to NULL after exit_mm() but before exit_files() is called. At that moment, the pidfd_getfd system call treats the user ID (uid) of the calling process as matching the user ID that is permitted to access the file. It is notable that this problem was already addressed in 2020, but it still remains unfixed.

In the exploit that obtains the contents of /etc/shadow, the attack involves repeatedly launching, via fork+execl, the /usr/bin/chage utility, which has the suid root flag and reads the contents of /etc/shadow. After the process forks, the pidfd_open system call is made, and a loop over the available pidfd descriptors is run with the pidfd_getfd system call, verifying them through /proc/self/fd. In the sshkeysign_pwn exploit, similar manipulations are performed with the suid root program ssh-keysign.

The issue has not yet been assigned a CVE identifier, and kernel and package updates have not yet been published in distributions. The vulnerability remains unfixed in kernels 7.0.7, 6.18.30, and 6.12.88, which were released a few hours ago. At the time of writing, only a patch is available. Possible workarounds are still being discussed, such as setting sysctl kernel.yama.ptrace_scope=3 or removing the suid root flag from executables on the system (at least from the ssh-keysign and chage utilities used in the exploits).

Update: The vulnerability has been assigned the identifier CVE-2026-46333. Kernel updates have been released: Linux 7.0.8, 6.18.31, 6.12.89, 6.6.139, 6.1.173, 5.15.207, and 5.10.256 contain fixes for the vulnerability. The status of the fix in distributions can be checked on these pages: Debian, Ubuntu, SUSE/openSUSE, RHEL, Gentoo, Arch, Fedora.
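
A host triage script built from the fixed releases and workarounds listed above, added here as an example and not taken from the article or the kernel project. The function names, the assumption that earlier releases of a listed series are unfixed, and the ssh-keysign paths are assumptions of this example.

```shell
#!/bin/sh
# Added example. First fixed upstream stable releases, from the article's update.
FIXED="7.0.8 6.18.31 6.12.89 6.6.139 6.1.173 5.15.207 5.10.256"

# kernel_status VERSION -> prints fixed | unfixed | unknown.
# Assumption: earlier releases of a listed series are unfixed; "unknown" means
# the series is not in the article's list, so consult the distribution advisory.
kernel_status() {
    ver=${1%%[!0-9.]*}                 # 6.12.88+deb13-amd64 -> 6.12.88
    series=${ver%.*}; patch=${ver##*.}
    case $patch in ''|*[!0-9]*) echo unknown; return ;; esac
    for f in $FIXED; do
        if [ "${f%.*}" = "$series" ]; then
            if [ "$patch" -ge "${f##*.}" ]; then echo fixed; else echo unfixed; fi
            return
        fi
    done
    echo unknown
}

# yama_ok VALUE -> succeeds when kernel.yama.ptrace_scope is 3, the value
# named in the article's workaround discussion.
yama_ok() { [ "$1" = "3" ]; }

# suid_binaries FILE... -> prints the given files that still carry the suid bit.
suid_binaries() {
    for b in "$@"; do
        if [ -u "$b" ]; then echo "$b"; fi
    done
}

report() {
    rel=$(uname -r)
    echo "kernel $rel: $(kernel_status "$rel")"
    scope=$(cat /proc/sys/kernel/yama/ptrace_scope 2>/dev/null || echo absent)
    if yama_ok "$scope"; then
        echo "kernel.yama.ptrace_scope=3 is set"
    else
        echo "kernel.yama.ptrace_scope=$scope (workaround not applied)"
    fi
    # /usr/bin/chage is from the article; the ssh-keysign locations are
    # assumed per-distribution candidates.
    suid_binaries /usr/bin/chage /usr/lib/openssh/ssh-keysign \
        /usr/libexec/openssh/ssh-keysign /usr/lib/ssh/ssh-keysign |
        sed 's/^/suid bit still set: /'
}
report
```

Distribution kernels that backport the fix can keep an older upstream version number, so an "unfixed" result should be confirmed against the distribution's advisory page.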

Source: opennet.ru
