Linux Kernel Bugs
Armin Herbert writes: "According to this mail from Rafal Wojtczuk and a German article on Heise Online, there's a new severe bug in all Linux kernels, from 2.2.0 up to 2.4.10, which allows users to become root on your system. Kernel 2.4.12 fixes this problem, and RedHat, Caldera and other distributors already supply patches for their kernels. See Bugtraq for more information." Important notes for anyone running a multi-user system. Update: 10/19 16:12 GMT by J: If I'm reading Nergal's writeup correctly, 2.4.10 is still vulnerable to the local DoS, but not to the local root exploit. Separate issues. And as pheared points out, there is one unverified report of a custom 2.4.12 being vulnerable as well; please try the exploit on your system and let us know what you find. This is a big one, you can expect the kiddies have already added this to their rootkits. Update your systems now!
Well, where's the Gartner Group proclaiming that people should immediately switch from Linux to another platform?
Oh yeah, it's Linux.
After nimda, codered and countless other virii, I've noticed several companies moving over to linux in the last few months. Could this pose a threat to the "migration"? It might very well do, not something I would look forward to, personally.
Admins "starting out" on linux may not know how to upgrade their kernels and out of fear move their network back to NT. Just a thought.
I'd rather have a bowl of coco-pops.
I always hear people saying how great open source software is, because they can look through the code and fix any bugs themselves.
But I've always wondered exactly who's looking through all this code? Apparently not enough people if a bug this big has lasted this long.
I used to bulls-eye womp-rats in my pants
This happens all the time? When will people realize that Linux is inferior and insecure. Everyone knows that open-source peer review is a lousy tool for security audits. No, why doesn't everyone run Microsoft products? They're completely secure and don't have any problems at all. Because that's the power of closed source.
Hope the irony isn't lost on you...
Additionally, the 2.2 'superstable' series is also vulnerable. Better get out those patches on multi-user systems and be snappy too. Don't want to look like an M$ admin now, do we? :D
Karma? what's that again?
Karma? What's that again?
They just want you to switch to 2.4.12 because it's the secret pagan version! Don't let it spread!
I bet the Linux mob still say it's Microsoft's fault 'cos they were playing Max Payne on their Win2k box while their Linux boxes were rooted!
I'm aware that the exploit is within ptrace and not newgrp itself but...
...the SecurityFocus notice uses newgrp as an example of a program from where the hole can be exploited and it states that most Linux distributions default with newgrp suid root and world-executable. Call me odd, but I'm not sure I understand why a sysadmin would want newgrp to be world-executable.
STOP MISUSING APOSTROPHES, YOU MORONS!!!
I wonder what response all the MS bashers will give to this, like you cannot get admin rights on a 2k box without knowing an admin??? Right?
--
The computer told me to press any key to continue, I pressed the one looking like this (|) !!OH SH*T!!
Strangely, I think that this is a good thing. It will hopefully make Linux users a little less complacent (and smug) than before. Okay, the average user isn't going to trawl through the kernel source (hell, I wouldn't!), but maybe they'll get more involved with the full development of Linux - that includes QA, bug-fixing, not just writing of crappy Tetris clones.
One thing I'm looking forward to is finding out how many lazy people there are out there who don't patch their systems..... much like with NT and the easily fixed holes that lead to Code Red.
Tom.
Oh arse
This means there is at least a year's moratorium on stupid "Microsoft-is-insecure" jokes. :)
Sometimes it's best to just let stupid people be stupid.
If you're going to run 2.4.12, I suggest adding the latest Alan Cox patch to it, as well as Rik van Riel's "hogstop" and "eatcache" patches.
First, start with the base 2.4.12 kernel: (Use a patch to save Kernel.org's bandwidth, if you have a recent 2.4 kernel lying around.)
2.4.12
Next, patch it up to 2.4.12-ac3:
2.4.12-ac3
Finally, apply these two patches to 2.4.12-ac3 to yield 2.4.12-ac3+hogstop+eatcache
Hogstop+Eatcache
This is currently the ultimate in Linux VM performance.
While it's true that this is a nasty, bad root exploit... at least it's a LOCAL exploit. You have to already have local access to the machine in order to take advantage of it.
The IIS holes of late have been REMOTE exploits. Any half-wit script kiddie can take advantage of it.
People are never as simple as their stereotypes. This applies equally to Christians, Muslims, and Emacs-lovers.
Before screaming, please remember that this is only a local root exploit, that is you must already have logged in on the machine as non-root before using this exploit.
Most Unixes have had dozens of (sometimes known) local root exploits for years, and while most of them have been ironed out, some surely remain. They are much, much harder to eradicate than exploits directed at network services (i.e. from the outside) are. Every once in a while one is discovered in most UNIXes (often obscure race conditions etc.).
Until a few years ago the saying was that you should never give a local login to someone you would not trust to be root, i.e. one could assume that sooner or later those that really try to become root shall succeed. Any mission critical servers should not have any user accounts for untrusted people; therefore, local root exploits have never been considered to be a big deal.
If you want to compare to Windows: up till Windows XP it wasn't even possible to be logged in as multiple users at the same time, so the equivalent of a local root exploit was not really possible. Still, Windows managed to have multitudes of the way more stupid and serious class of remote exploits. With the advent of Windows XP, Windows kind of becomes multi-user for the first time (though in a very crude way, since unlike UNIX/Linux each login session almost starts a new instance of large parts of the operating system). While this concept is 30 years old in UNIX, only now does Windows (XP) start having the possibility of local exploits. Surely many of them will exist and it will take decades to kind of iron them out.
not to use Microsoft software ... oh, but wait
signature not found
That's odd... I've grown used to any Slashdot posting about privilege elevation exploits being condescending and insulting. Where are the accusations of carelessness on the part of the programmers? How about the shots at the intelligence of the administrators? Oh, this is a Linux bug? How convenient....
I'd continue to rant, but I have a worm to write.
Well, I'm only the "Admin" of a very small network, and when I started out with Linux (nearly 2 years ago) I thought: updating a kernel?!? Oh, no! I'm sure I'll never be able to do that! :-)
Ehm, well, some nice evening, when I had a lot of spare time, I downloaded the latest kernel and only read the README (or was it INSTALL???) and compiled/installed and was running my own custom compiled kernel.
No, an Admin worthy of the name should at least be able to read the (provided) docs and type at the command line. The Linux kernel people really made it easy to compile your kernel, IMNSHO. Honestly, even an NT Admin must be able to read the docs, otherwise he wouldn't know that, for example, after Windows asks for its original CD you have to re-apply your service packs.
I admit, between Linux and Windows the environment changes, but the ability to read the instructions is needed everywhere as an Admin (and dare I say, as a normal user too!)
Besides, any sane admin has a production and testing environment....so compiling the kernel on prod machines should only be done after extensive testing.
Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
Go figure, all those students have local accounts on those big very important boxen. But that's no big deal, right?
The mail reads:
In order for this flaw to be exploitable, /usr/bin/newgrp must be setuid root and world-executable. Additionally, newgrp, when run with no arguments, should not prompt for password.
Well, Duh!
World Exec + Suid == bad
This is a distribution bug, not a kernel one. You should not have world-exec programs set suid, especially on a system that you expect to be completely secure.
Why is it so hot? Where am I going? What am I doing in this handbasket?
Warning !
This is not true !
Don't upgrade to Linux 2.4.12.
Linux 2.4.12 is a satanic linux version which will control your mind and your computer.
You can easily see this on the version number,
for 2.4.12 means 2+4 . 2*6 = 6 6 6 - THE NUMBER OF THE BEAST.
DON'T UPGRADE.
If you scan the kernel sources you will see other satanic messages like "Inode", an anagram for DEOIN, the 32nd commander of Baalzebub's forces, "semaphore", an anagram for SHAPOMER, the 6th servant of Azmoziel, and "kernel threads", an anagram for "LAD SHENK RETER".
Or do I need to deploy these patches myself? What's the policy for ass-nasty bugs in superstable kernels which have already reached their official end-of-development?
You cannot apply a technological solution to a sociological problem. (Edwards' Law)
To all the people that feel really good about this because they are sick of microsoft being attacked about this: Good for you, you deserve it, enjoy because it won't happen again this year ;-)
;-)
Now to all the Linux zealots here: to make sure that this doesn't become a problem we NEED to patch EVERY machine we can find and tell EVERYONE that has a Linux box to patch it. Why? Because NOW it's funny; there isn't a worm out with a remote exploit of GPM that triggers an error in identd to give away your "games" password so you can log on and become root,
but we must make sure that this disappears ASAP or else this sure as hell won't be funny anymore. PLEASE make sure that we won't get StarOffice macro viruses, SirCam 4 Linux etc... THEN we will be the laughing stock of the entire software world... I'll bet that Microsoft Competition Management (R) is already producing FUD on this....
Fighting for peace is like fucking for virginity
In case many of you don't subscribe to Bugtraq, there was a follow-up posted to the original advisory. I have replicated it here for your convenience. It raises an important issue, suggesting that kernels up to 2.4.12 may be affected as well. I don't claim to know, just forwarding the facts. Note that he is using a patched kernel which could introduce any number of flaws, but I'm willing to give him the benefit of the doubt.
Original Message:
From: Demitrious Kelly
To: bugtraq@securityfocus.com
Subject: RE: Flaws in recent Linux kernels
The description of the second problem is accurate, but I don't think the assessment of the kernels which can or cannot be affected by this exploit is... I'm using a newly compiled kernel Linux 2.4.12-grsec-1.8.3. (Linux 2.4.12 with the Grsecurity Patch, http://www.grsecurity.net/features.htm)
/* begin shell session */
#
[12:52:11][apokalyptik@home:~]: ./epcs_ptrace_attach_exploit
bug exploited successfully.
enjoy!
sh-2.05$
#
/* end shell session */
Where are all the pompous Linux snobs in this thread as there are in the MS DRM thread? What hypocrites.
Huh. Lookit that. The "boys at Red Hat" put out an update before this story even appeared on Slashdot.
And I think you're seriously underestimating Mr. Torvalds.
The MacOS, according to Bugtraq, has never had a single exploit over a network.
Running WebSTAR on Mac OS 9.2 or older, any version, is the safest, most secure platform.
Instead of a backdoor every month or two like competing OSes, it has never had a discovered exploit, or been hacked.
It is because the Mac has no command line, no paths, no concept of root (all code is root, except the microkernel), no way to exec code from data files based on file name or file suffix, no way to corrupt the stack easily (call chain different than Intel), no way to create buffer overruns from strings because most Mac people, and the ROMs and OS, use length-delimited Pascal-style strings instead of null-terminated ones.
There are many more secure things dealing with CGI, alias paths, etc.
But in summary, the US Army uses Mac web servers and most experts agree that the most secure server, if price is not an issue, is a Mac from a local store and WebSTAR.
Somewhere deep inside, the comments on both sides that start comparing Linux to Microsoft are missing the fact that most Linux users are on average more technically savvy, especially if they are connected to the big old net. So obviously, when Linux announces a security hole, a majority of users who are attached to the web get concerned and go out immediately and update their system.
But when companies and home users are running a COTS that they probably didn't even install and don't even know what, say, IIS is, they don't get real concerned about updating their systems.
For an example, look at the Code Red infections that occurred after the security hole had been announced.
I need a TiVo for my car. Pause live traffic now.
The subject says it; if the kernel gets preemptible (difficult word), wouldn't that solve the DoS problem more or less? (the one with the enormous symlinks) Since the problem seems to be that the scheduler isn't executed for a while, which should be solved when things are preemptible.
www.vanheusden.com - home of Multitail, HTTPing, CoffeeSaint, EntropyBroker, rsstail, bsod, listener, nagcon, nagi
So what ?
;-))
I always felt that the best part about Linux is when you get to become root (esp. by mistake
--
Do not try and read this signature..
That's impossible.
Instead, Only try to realize the truth..
There is no signature.
Even though Microsoft has a new security hole every week, they have a security bulletin mailing list which lets subscribers know quickly of security issues (of course recently my inbox has been stuffed with them). Can someone recommend a good mailing list for Linux issues? I am using mostly RedHat boxes, but they don't seem to have any free mailing list that I can find (perhaps they have one I don't know about).
Linus Torvalds, creator of the Linux operating system, commented today on the newly discovered root-exploit present in the operating system since version 2.2.0 of the software imploring bug tracker teams not to release such information to the public.
"Security companies have a responsibility to protect the public", said a visibly upset Linus, "and releasing information such as this practically gives out blueprints for weapons to attack private systems." He went on to say that "System administrators shouldn't have to worry about whether or not their box could be rooted out from an end user's exploit script or even a third party exploiting a hole in a remote service." He called the notion of letting people know about potential vulnerabilities "wholly irresponsible" and referred to the demonstration of example scripts for exposing and exploiting such vulnerabilities as "dangerous and destructive."
Linus finally called upon security companies to "exercise self-restraint" on issues of security flaws.
"We're working with Microsoft", he stated, "to help develop an industry-wide standard. We will keep our systems secure, even if we have to classify every insecurity and vulnerability as copyrighted material and prosecute reporters under the DMCA to do it."
STOP MISUSING APOSTROPHES, YOU MORONS!!!
If you read the report, you'd know that someone must be logged into your machine in order to use the exploit. Secondly, you'll notice that "In order for this flaw to be exploitable, /usr/bin/newgrp must be setuid root and world-executable. Additionally, newgrp, when run with no arguments, should not prompt for password." Maybe it's time we looked at how newgrp is set up. Secondly, by default in my distros, this is not the case. Go ahead. Try typing newgrp as a normal user and see if it works. Now, if that's not the case, a simple chmod of newgrp will fix you right up (very few systems, I suspect, require newgrp be used from the point of a local user.)
Geez... I suppose if you make the useradd (or adduser) command world executable, make your shadow password list world readable, and then make a guest account on your system open to the public, then you too can have an insecure system!
The point is, at least for the second exploit mentioned in the mail, that unless an admin has set world-executable permissions on files to which only root should have such access, then this problem shouldn't exist. As others have said, it's not like some random person out there can do all this stuff remotely to your box!
In case of fire, do not use elevator. Use water!
And we complain that MS Windows has severe problems....
Oh well, looks like the boys at RedHat are gonna be putting in some overtime this weekend.
We released updated kernels yesterday:
And does he know the co-ordinates of a certain campus in Redmond?
And here i am trying to remember my password for root..
will deny service after a few iterations on most machines, no?
I have heard people over and over again saying "this is ONLY a local exploit". This sounds like they are trying to justify why they can b#@*h and moan about how insecure Windows/IIS is without admitting that Linux has its fair share of dangerous vulnerabilities.
The fact that it is "only" a local exploit does not make it much safer. The fact is, it has been shown time and again that a large percentage of computer misuse/abuse comes from within a corporation (its own employees). Furthermore, the most damaging abuse is almost always an inside job. Clearly, these people would already have local access. And even so, what if one employee with remote access capabilities (dial-in, telnet, etc) happens to have a weak password? Can they not potentially get into the system and then take advantage of this exploit?
There are two bugs present in Linux kernels 2.2.x, x<=19 and 2.4.y, y<=9
The above quote from the email, would suggest that those folks running the 2.4.10 kernel would be immune to the specific bugs. However, the article referenced seems to point to later releases being affected. Does anyone know which to trust? I would think the bugtraq correspondence a little more trustworthy in this situation.
Errr? Terminal server? Telnet? Stuff available since NT4. Which is already phased out. Bashing is fine, as long as it is done by the facts, not by made up poop.
Never underestimate the relief of true separation of Religion and State.
In the Log On to Windows dialog box, type your user name, password, and domain (if required), and then click OK. The Remote Desktop window will open and you will see the desktop settings, files, and programs that are on your office computer. Your office computer will remain locked. Nobody will be able to work at your office computer without a password, nor will anyone see the work you are doing on your office computer remotely.
What WinXP are you talking about?
How we know is more important than what we know.
I understand that you may have intended your post to be funny. I can't mod it up as so, but I still want to say my piece just in case you were actually serious.
The ratio of M$ insecurities to Linux insecurities is still quite high. I still stand by the fact that "Microsoft-is-insecure".
This insecurity appears to have been discovered before it was largely exploited. Unlike M$ insecurities which are exploited and systems compromised before M$ figures out that the exploit even existed.
Once again, the open source peer review system works as it should.
I'm seeing a lot of comments like "This is only a local root exploit", or michael's "Important for anyone running a multi-user system."
That's crap. This is a big deal. Don't try and downplay this. If you leave this unpatched, it turns every remote login hole into a remote root hole. There's plenty of code running remotely: mail, cgi, etc. Good security isn't foolproof. Good security is defense in depth. That means that you are patched against remote holes, and patched against local holes, so that escalation of privileges is difficult.
--sam
Any technology distinguishable from magic is insufficiently advanced.
Mac OSX also got a remote root exploit of its own.
I don't know whether it's ironic or not that the introduction of open source software led to the first Mac-based remote exploit that I can remember in a long, long time. I'm leaning against it as code's still made by humans and humans still make mistakes. You'd be well-advised to remember this and temper your flames against Any OS That Isn't Mine next time.
Easy does it!
NT boxes have different types of user. Sure, only one can be logged in at once, but an exploit which allowed a normal user to gain Administrator privileges is _exactly_ the same as a local root exploit. And yes, these have existed in the past, and probably still do.
---- One button is the power button, the other is the Bender voice button: "Bite My Shiny Metal Ass"
It's not that hard, people
First, it's a Local Exploit, which makes it harder to start exploiting right away, so we won't see a worm make use of this until there is some major Remote Exploit. The Patch is already out there, just recompile your kernel, and if you don't then you're a retarted system admin (or whatever they said about it). Keep your systems updated or don't whine about security.
I haven't read the story/mails 'cause I can't seem to reach them from my computer here, but I just had to respond to the "it's a local" and the "it's local and just as bad as remote"...
Any exploit is bad until you fix it, UPDATE!
And if you think like I do that the information on your computer systems doesn't really matter to you anyway, don't whine afterwards when you lose it!
One more thing, if you don't update your system regularly then most rootkits will find a way to become root even without the New Kernel Root Exploit, and I think most systems aren't updated anyway, so this won't change the Linux World in a couple of hours.
Quazion.
I am currently running 2.2.18 out of necessity (VPN patch that's not available for 2.2.19). From the article it would seem that until patches are available for your kernel, you can remove the suid (chmod -s) from the newgrp binary. Granted, you won't be able to add any new groups, but I think it would temporarily remove the exploit. Am I correct here?
Praying for the end of your wide-awake nightmare.
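The advisory's precondition quoted earlier in the thread (newgrp setuid root AND world-executable) and the chmod -s stopgap asked about in the post above can both be checked from a shell. The script below is an added example, not code from the advisory, from Red Hat or from any poster; it builds a constructed sample tree with dummy scripts standing in for /usr/bin binaries so that it runs offline without touching the real system:

```shell
#!/bin/sh
# Added example (not from the thread): audit a tree for files that are both
# setuid and world-executable, the precondition the advisory quotes for newgrp,
# then apply the chmod -s stopgap discussed above. Runs on a constructed sample
# tree so it works offline without modifying the real /usr/bin.

# Print, sorted, every regular file under $1 whose mode has BOTH the setuid
# bit (04000) and the "other execute" bit (00001). find's -perm -MODE matches
# when all of the given bits are set, so -4001 is exactly "setuid and
# world-executable"; setuid-but-group-only files (e.g. 4750) are not listed.
find_suid_world_exec() {
    find "$1" -type f -perm -4001 2>/dev/null | sort
}

# Number of matches as a bare integer (wc pads with spaces on some systems).
count_suid_world_exec() {
    find_suid_world_exec "$1" | wc -l | tr -d ' '
}

# The stopgap from the thread: drop the setuid bit (chmod -s / u-s) from one file.
strip_suid() {
    chmod u-s "$1"
}

# Constructed sample tree with three dummy scripts standing in for binaries:
#   newgrp  4755  setuid and world-executable     -> matches the precondition
#   passwd  4750  setuid but NOT world-executable -> does not match
#   ls      0755  world-executable but not setuid -> does not match
# Prints the temporary root so callers can audit it and then clean it up.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/usr/bin"
    for f in newgrp passwd ls; do
        printf '#!/bin/sh\necho %s\n' "$f" > "$dir/usr/bin/$f"
    done
    chmod 4755 "$dir/usr/bin/newgrp"
    chmod 4750 "$dir/usr/bin/passwd"
    chmod 0755 "$dir/usr/bin/ls"
    printf '%s\n' "$dir"
}

# Stand-alone run: build the tree, list offenders, apply the stopgap, re-check.
demo() {
    root=$(make_sample_tree)
    echo "setuid + world-executable before:"
    find_suid_world_exec "$root"
    strip_suid "$root/usr/bin/newgrp"
    echo "after chmod u-s newgrp: $(count_suid_world_exec "$root") left"
    rm -rf "$root"
}

demo
```

To audit a real box, call find_suid_world_exec on / as root (so every directory is readable); everything it lists meets the advisory's precondition, and newgrp is only one candidate. Note that without the setuid bit newgrp can no longer switch a session's group at all, and stripping it only closes this one route to the kernel bug: the kernel update is still the fix.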
Hmmm, according to the LWN that you linked to, aa patches have the best performance.
For those that don't know, aa stands for Andrea Arcangeli, who is one of the very important kernel hackers. It was a large part of his effort that stabilized the 2.2 VM. Although it is debated which VM is better, over 90% of the benchmarks I've seen have pointed to AA being the better choice.
AC even mentioned that the AA VM was the right way to go, just too wild of a change for a stable kernel series. There is too much conspiracy theory going on that AC is hijacking the kernel for RedHat, or that the RedHat crew has a not-invented-here phobia for not including the better VM.
Now on to a more editorial comment.
There seems to be quite a war on this right now, but I think it will settle down in about 6 months or so like the ReiserFS wars have. I also think that we'll see a new order established in the stabilizing of kernels.
I have no political say, but I expect that Linus will run a kernel that will be considered the "experimental, quicker evolving" kernel where things change violently. AC's and others' job may be to pull out pieces to salvage a semblance of stability, essentially forking the stable branches from Linus's more exotic cutting-edge kernel.
This seems to be how things run in any case when there is a developmental kernel, and they run pretty well. The question that may be asked is "Does Linus need to slow down his effort to stabilize at all?" It's arguably true that the answer is "yes", but only to a degree that suits his own needs for order in his life-long pursuit of the sexy kernel.
Linus himself mentioned that AC does a better job of it; maybe it's time to give him the whole forking-a-stable-kernel job.
Yes you did. I must point out that they are horribly broken too (for RH7.1 anyway).
Xconfig is broken
Tulip doesn't compile if you set it to be built-in in the config--I got to the point where I just loaded the i686-smp config from Redhat and made that one single change (I'll go back tonight and try to compile just the i686-smp config to see if that works)
Tulip under i686-smp doesn't seem to work
I hope this isn't the kernel you guys plan on shipping with 7.2 next week.
If Microsoft is going to repeat their call for silence from the security orgs on this one.
Put identity in the browser.
So, let's see, when someone points out a flaw in a Microsoft product, Microsoft ignores it, until it gets out to the public, then Microsoft issues a patch (which may or may not fix the actual problem). It gets exploited (usually in the form of viruses and worms than spread like wildfire), and then Microsoft whines about "information anarchy."
When a flaw in Linux is discovered, they just fix the damn kernel and say, "oops."
Of the two, I know which one I like better.
There's a loadable kernel module that replaces the ptrace() function call with a wrapper that makes it impossible to exploit this bug. It can be found at http://c.home.cern.ch/c/cons/www/security/.
Works on 2.2.19, not tried to use it with 2.4.x yet (should be pretty easy).
In a recent article on CNet:
This week, Linus Torvalds, manager for Linux's security response center, published an essay on the company's site decrying the information and example code released by some companies and independent security consultants as "information anarchy."
"It's high time the security community stopped providing the blueprints for building these weapons," Linus wrote in the essay. "And it's high time that computer users insisted that the security community live up to its obligation to protect them."
"The state of affairs today allows even relative novices to build highly destructive (malicious software)," he wrote in the essay. "It's simply indefensible for the security community to continue arming cyber criminals. We can at least raise the bar."
"(We) don't purport to have the answer to the problem," he said in a Wednesday interview. "But we believe that these practices are harmful."
Things you think are in the Constitution, but are not.
If you find bugs, please put them in bugzilla.
- make sure to add details on your hardware, as it's not a generic Tulip problem (I've just tested mine - no problems).
- If you want to compare to Windows: up till Windows XP it wasn't even possible to be logged in as multiple users at the same time
This is incorrect. Windows NT, of which Windows 2000 and XP are but new iterations, has been multi-user from the start, even though it has lacked the shell counterparts to easily exploit it without resorting to C or C++. For example, the Windows NT Resource Kit comes with a "su" program.
The NT user API design is heavily based on ACLs, which means, for example, that you can create threads, pipes, files, synchronization objects, etc. and restrict access to users with certain permissions. I'm no Windows fan, but they got this part right.
Hurrah!
(Okay, now it drops back down to 48, but I'll cope - and, yes, I have read the FAQ on what karma isn't and doesn't do)
Tom.
- to turn a buffer overflow of a non-privileged network daemon into a remote root exploit;
- to allow unprivileged users to sniff the LAN;
- to allow 'viruses' (i.e. executables from an unknown source which a luser runs without checking) to have full access to your machine.
This is a serious bug (though not a new kind of bug: as you said, local exploits have been with us for years), because it undermines the basics of the Linux security model (every user stays in their box). Ciao
----
FB
Yes, I have something to do here at work! Finally, after watching the NT admins patching all their boxes every day because of all the M$ software holes, I finally have something to patch.
Let's see.. M$ Patches for the last year... 500++ Linux patches for the last year... 1...
Of course, I'm only talking about security patches, not 'feature' patches...
Tom.
I find the tone of this post to be part of a disturbing, if subtle, trend.
I know this isn't new ground to tread in these forums, but the respective tones of posts about Microsoft bugs and Linux bugs are worthy of change.
When there's an MS bug, the posts generally read something like... "User writes, "Here's a big surprise. There's a bug in IIS that lets any six year old root the box. Excuse me while I gasp in surprise. Exploits are here and here. Cnet has the whole story." It's amazing that people still rely on IIS... I wonder when people will stop making their software choices entirely based on FUD."
When there's a bug that eluded many major kernel revisions, the post reads: 'Apparently there's been a bug in the kernel for months that yields unauthorized remote access to root. Huh. Users of multi-user systems might want to patch this when they get a chance.' -- and it's on to the next story.
Disparities such as these, subtle as they are, affect the Linux community's credibility. It makes us look immature because we appear to apply a double standard. It's a chink in our armor we should patch ASAP.
It looks like to me this is the Anthrax scare for Linux users.
I have no doubt that newgrp can be exploited, but I can't use newgrp unless I su running RH 7.1.
Am I missing something here?
Those who think in the box have a small view.
My name is Scottissue Pulp and I'm the Manager of the Linux Security Response Center and I'd like to take this opportunity to decry this
"Provided by the management for your protection."
I've been trying to download, and it's taking forever. I'm using RedHat and their ftp servers are slow even under more ideal conditions, but now it's terrible. Wish me luck.
Oh shit! Now Gartner is going to recommend that I switch all my servers back over to NT.
Hey, why doesn't someone use this exploit to insert a virus on that guy who was offering a $10K reward to anyone who could do this to his Linux box. A recent /. story but I don't have it handy. Come on, we know who that was...
Oh boy, there goes the uptime.
It may be flamebait, but it's 100% true. The FUD you guys have been sugar-coating Linux with is pretty thick, but when it comes down to it, Linux is a house of cards.
1. This is a local exploit and thus CANNOT in ANY WAY be compared to Code Red or Nimda. Anyone who does so is simply ignorant about exploits and is just trying to downplay how bad the Windows worms demonstrated MS box security generally is right now.
2. Yes anything like this is an inconvenience. You mention all the steps that you need to take to bring a patch into service (testing etc). You compare to Windows where apparently you believe this process isn't necessary. You basically just demonstrated that windows sucks because it's not expected to be as stable as linux, and (according to my impression) the patches are not provided with enough info to bring them into service intelligently.
3. Any admin who keeps his systems up to date regularly would know exactly how to go about deploying this fix. Patches come out almost weekly, you'd probably just have to move your schedule up a bit.
4. You'd have taken this chance to root the machines provided for you and screw your admin? Let me put this bluntly: you suck.
Thank god I use FreeBSD!
If anything I think this shows that it's not a good thing for everyone to be on one OS. Having a mix of *BSD, Linux, and some OSes you pay for can certainly minimize the damage for any OS specific exploit; and every OS has one somewhere...
I seriously doubt it will take decades to iron out. Come on this is MICROSOFT people!!! They will have the bugs fixed with the next release of stolen *nix code. :-)
/* oops I accidentally made a comment, sorry */
There doesn't seem to be any mention of this kernel bug on their security updates section.
$ uname -a
Linux limbo 2.4.0 #8 sat jul 21 14:24:48 CEST 2001 i686 unknown
$ id
uid=1001(johan) gid=1001(johan) groups=1001(johan)
$ gcc insert_shellcode.c -o insert_shellcode
$ gcc ptrace-exp.c -o ptrace-exp
$ ./ptrace-exp ./insert_shellcode 24982
attached
exec
$ id
uid=1001(johan) gid=1001(johan) groups=1001(johan)
So what's up?
Weird kernel-source and kernel-headers problem. All fixed now though.
It would seem that preemptible kernels would allow kernel functions to be written to take arbitrarily long times, and only the calling process is hurt by this. This would avoid the DoS attack, but more importantly I would think it would make a lot of kernel stuff much easier to write and the code much easier to read and debug.
So do any experts in kernel design think this, or am I totally wrong?
How does this even compare to the patching required to stop the Nimda worm? This is the first patch I have *EVER* had to apply, the others were not security fixes. I have NEVER had to patch the kernel to stop a potentially weak exploit (yes, I call a local exploit weak, cuz it's possible to get root locally on any OS easily anyway, just a little social engineering...). Please don't take this as having an angry tone, but seriously, this is much different than admin'ing 2k boxes. Yes, updating an enterprise network is a pain, I'd imagine (I admit, I don't do it). But how can that compare to the regular patches required to keep 2k secure? This is a once in a few years patch, for a weak exploit. Not the ___ patches required ( I'm not sure how many, insert the # please) to just stop Nimda from saturating your network.
C Pungent
How do you know what to change ADDR to? I'm assuming it's the address space of newgrp, but how do you find out what that is?
Now, if that's not the case, a simple chmod of newgrp will fix you right up /usr/bin/newgrp and yr set. I'll get the patch later.
That's what I did, since this is a desktop (well, laptop) system, I never need the newgrp command, and I suspect that the ftp sites are bogged right now (plus I'm still on 2.4.9, so I'd need several patches to get to the right version). Simple chmod go-x
C Pungent
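The chmod go-x workaround above is a per-binary decision, so an admin wants to know which setuid programs on a box are still executable by ordinary users before and after applying it. The following is an added example (not from the thread) that audits a directory tree for such files and applies the workaround; the demo directory and file names are constructed, and on a real system you would run the audit as root over / or /usr/bin.

```shell
#!/bin/sh
# Added example: find setuid binaries that group or others can still
# execute, and apply the "chmod go-x" workaround to one of them. With
# exec removed for group/others, an unprivileged local user cannot start
# the setuid program at all (so cannot start it under ptrace), while the
# setuid bit is kept so the owner (normally root) can still use it.

# List setuid files under $1 that are executable by group or others.
find_exposed_setuid() {
    find "$1" -type f -perm -4000 \( -perm -0010 -o -perm -0001 \) 2>/dev/null
}

# Remove group/other execute permission from one file (the workaround).
harden_setuid_file() {
    chmod go-x "$1"
}

# Returns 0 if the file is still executable by group or others.
is_exposed() {
    [ -n "$(find "$1" -type f \( -perm -0010 -o -perm -0001 \) 2>/dev/null)" ]
}

# Constructed demo tree: one newgrp-like setuid file and one plain file.
demo_dir=$(mktemp -d)
printf '#!/bin/sh\necho demo\n' > "$demo_dir/newgrp"
chmod 4755 "$demo_dir/newgrp"   # setuid and world-executable: exposed
: > "$demo_dir/plain"
chmod 0755 "$demo_dir/plain"    # not setuid: must not be reported

echo "Exposed setuid files before hardening:"
find_exposed_setuid "$demo_dir"
harden_setuid_file "$demo_dir/newgrp"
echo "Exposed setuid files after hardening (expect none):"
find_exposed_setuid "$demo_dir"
```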
The instructions from the mentioned link are pretty vague. Do you just run ptrace-exp, and it gives you a shell? What do you modify the #define in insert_code.c to? And what about slackware? How do you modify it to use sh instead?
Remember, we can make money off the bug fix ... um, upgrade to the next "version".
...
Oh, wait, we're not Microsoft.
Never mind
--- Will in Seattle - What are you doing to fight the War?
The Linux kernel has grown dramatically since 2.0. There are certainly more bad bugs lurking in 2.2. I refuse to even try 2.4 until 2.5 is well on its way.
-Mike_L
I read this story and was very confused.
Reason? I heard of this root exploit months ago, by a friend who said he'd known it for quite a while. I even wrote a little kernel module that disables ptrace() to all users but root back then.
I can't believe it hasn't shown up on bugtraq until now. 2.2.0 is over a year old, isn't it? I thought there were quite a few people actively looking for kernel bugs and reporting them there.
test sucks
wonk
(sarcasm, you fool)
Terminal server can't be compared to a multi-user system like UNIX. It may look the same at first sight, but in fact it is more like VMWare, in the sense that a large part of the operating system is instantiated for every user that "logs in", that is each user has almost a private copy of the operating system (which explains the huge amount of resources required per user). This is a gross hack, and WinXP multi-user logon is based on the same technology. It can't be compared to a true multi-user operating system such as UNIX.
Indeed (as someone also remarked in another response) one could compare getting admin rights on a file as equivalent to a local root exploit. Still, it is not the same. It only applies to file-access rights, not to executing processes with other permissions.
It would have been nice if you also updated the list of 6.2 Security Advisories. At the moment (1:15 PM Pacific) the latest update on there is the Netscape one back from April 10. It would have saved me (and probably many others) time poking around this morning trying to guess if it was updated for this exploit or not.
Maybe this is a little oversimplified, but still it's a local exploit, either a login or a server running locally. What's the difference between telnet/ssh over a machine loop, a serial cable/modem dialup, an ethernet, or from the internet? It's still executing the shell locally.
Apocalypse Cancelled, Sorry, No Ticket Refunds
See http://www.geocrawler.com/lists/3/Linux/35/2250/6789857/ and related - according to the thread ptrace refuses to honor the setuid bit and even though the exploit program thinks it has succeeded, it just provides a non-privileged shell.
"What the hell is this invalid formkeys crap??"
Thank God somebody else is running into this. It appears to be repeatable if you're running cookies disabled and lose connection (and probably i.p. address) between accessing the "Post Comment" page and Submitting the post. I tried to report this on Sourceforge as requested, but to report a bug you have to log on which sort of defeats the purpose of anonymous posting anyway... :P
Update: This time it did it without dropping the connection... got this:
Invalid form key: fVaGAAQl20 !
Will copy to clipboard, and try again (sigh!).
And got:
Invalid form key: EL8bMdHoSu !
Once more...
See http://www.geocrawler.com/lists/3/Linux/35/2250/6789857/ and related emails in the thread - the "exploit" just gives you a non-privileged shell because ptrace() does not honor the setuid bit.
that's regarding a different exploit. It's already known that the old exploit doesn't work on 2.4 kernels. The new one works on all 2.4.12.
-Brad
There are plenty of local user DoS's for linux, this one is ugly, but nothing to get bent out of shape about.
AC's cheerfully ignored
Are you sure? On neither 2.2.19 nor 2.4.12 do I get a privileged shell running the exploit.
sorry, i tried to say that it affects all 2.4 less than 2.4.10...but i kept getting "key" errors...grrr
Brad
It "Only" loads explorer.exe, rundll32.dll and display.dll, not a major part of the operating system at all huh?
I think you have just confirmed what the above poster was saying.
You have to figure out which machines have untrusted users. Fortunately, this particular case is a local-only exploit; so if you're a sysadmin of a large system, then it's time to take it down.
However, this is also where having a good firewall can save you much heartache. The firewall itself is by definition a system with untrusted users (unless you can guarantee you've never been broken into), so needs to be patched. If you have unprotected systems, all of them need to be patched.
Keep all your systems behind a well-designed firewall, and these decisions become much, much easier.
my old sig used to be funny, but then slashcode ate it and now it's not funny anymore
This article appeared on stepwise.com, a site devoted to Mac OS X (so yes, Macs *are* vulnerable!) http://www.stepwise.com/Articles/Admin/2001-10-15.01.html
[posted 18-Oct-01]
>>
Mac OS X 10.1 Local Security Exploit
A serious security exploit has been found in Mac OS X 10.1 (in fact, as it turns out, it has been present in 10.0.x versions as well). Using this exploit any user at the Desktop can gain root access to the machine.
The problem is caused by applications that are set-uid root (that is, regardless of the user that runs them, they have root permissions). Normally these programs have a limited scope of functionality so that damage is minimized. However, it appears that any items launched from the Apple->Recent Items menu inherit the root user privileges. Additionally, any other apps in the Apple menu (i.e. System Preferences) can be launched as root using this hole.
This can be demonstrated using the following technique:
[See URL above for more details]
So obviously, Linux isn't the only one that has these kinds of problems. And to that thread commenting about Mac OS not having problems like this -- yes, that might be true for Classic Mac OS, but it's obviously not true for the current OS.
Every OS that I've used in the past couple of decades has had some kind of "local security exploit". That's just the way it is.
Later,
--Gregory
Just for the record...
The kernel update broke both Nvidia's proprietary 3D driver and the open-source 2D driver. (PIII 500 with a RIVA TNT)
this is informative, just a little more info: the box in the hack-a-mac contest was cracked due to a combination of CGIs. On an OS with no concept of privileges whatsoever, any exploit is a root exploit.