Slashdot Mirror


Linux Kernel Bugs

Armin Herbert writes: "According to this mail from Rafal Wojtczuk and a German article on Heise Online, there's a new severe bug in all Linux Kernels, from 2.2.0 up to 2.4.10, which allows users to become root on your system. Kernel 2.4.12 fixes this problem, and RedHat, Caldera and other distributors already supply patches for their Kernels. See Bugtraq for more information." Important notes for anyone running a multi-user system. Update: 10/19 16:12 GMT by J : If I'm reading Nergal's writeup correctly, 2.4.10 is still vulnerable to the local DoS, but not to the local root exploit. Separate issues. And as pheared points out, there is one unverified report of a custom 2.4.12 being vulnerable as well; please try the exploit on your system and let us know what you find. This is a big one; you can expect the kiddies have already added this to their rootkits. Update your systems now!

12 of 307 comments

  1. Okay, okay.... by tomknight · · Score: 2, Insightful
    Yes, it's open source, where the fact that everyone can review it for themselves ensures that problems like this never occur. Yes, this is a cock-up....

    Strangely, I think that this is a good thing. It will hopefully make Linux users a little less complacent (and smug) than before. Okay, the average user isn't going to trawl through the kernel source (hell, I wouldn't!), but maybe they'll get more involved with the full development of Linux - that includes QA, bug-fixing, not just writing crappy Tetris clones.

    One thing I'm looking forward to is finding out how many lazy people there are out there who don't patch their systems..... much like with NT and the easily fixed holes that lead to Code Red.

    Tom.

    --
    Oh arse
    1. Re:Okay, okay.... by quartz · · Score: 3, Insightful

      It will hopefully make Linux users a little less complacent (and smug) than before.

      In your dreams. As a Linux user, I'm smugger than ever. How can that be? Well, let's see: a huge bug is found in the Linux kernel. Did anyone write an exploit that put millions of Linux computers in jeopardy? No. Did a malicious worm get released and wreak havoc on the Internet? Um, no. Did this bug cause ANY inconvenience AT ALL thus far? Um, no. And it never will. Why? Because 1) a patch was made instantly available, and 2) generally, Linux people have enough common sense to stay up to date with kernel patches. So why the hell shouldn't I be smug?

    2. Re:Okay, okay.... by tomknight · · Score: 2, Insightful
      No inconvenience? Well it's no more inconvenient than having to patch all your NT/W2K boxes (actually very easy with a decent bit of scripting). The average user won't be affected that badly - all they have to do is apply a patch. The pain in the arse is when you have a whole load of machines (which may as it happens be running different flavours of Linux), and you spent a fair while ensuring that they all work nicely. Along comes a patch, and you have to start working out which machines you can take off-line to test the patch, which machines are most vulnerable (when you have a fair few users with shell accounts...)

      Anything like this, on NT or Linux or whatever OS you use, is a pain, and a definite inconvenience.

      Certainly, as it's a local exploit, the danger level is lower, but what if there's a Linux admin who hears about this a day after their users do? Think of the average student faced with the opportunity to become root. I'd have taken that chance!

      The reason you shouldn't be smug is because people who care found this first, and this isn't a remote exploit.

      Tom.

      What the hell is this invalid formkeys crap??

      --
      Oh arse
  2. Re:Huh? by Dimensio · · Score: 3, Insightful

    Well it's not exactly a remote hole. The user still needs to have execute privs on the system they want to root out.

    The "laughing" at MS's security holes isn't necessarily about how easy it is for a user to gain administrative privileges, but how easy it is for anyone anywhere to gain remote admin privs.

    Not that I'm saying your comments are completely without merit; a hole like this should have been spotted sooner IMO (though I don't know how obvious it was). I'm also not blind to the fact that remote exploits have been found on Linux systems/services.

  3. "Only" a local root exploit by Baki · · Score: 5, Insightful

    Before screaming, please remember that this is only a local root exploit, that is you must already have logged in on the machine as non-root before using this exploit.

    Most Unixes have had dozens of (sometimes known) local root exploits for years, and while most of them have been ironed out, some surely remain. They are much, much harder to eradicate than exploits directed at network services (i.e. from the outside) are. Every once in a while one is discovered in most UNIXes (often obscure race conditions etc).

    Till a few years ago the saying was that you should never give a local login to someone who you would not trust to be root, i.e. one could assume that sooner or later those that really try to become root shall succeed. Any mission critical servers should not have any user accounts for untrusted people; therefore, local root exploits have never been considered to be a big deal.

    If you want to compare to Windows: up till Windows XP it wasn't even possible to be logged in as multiple users at the same time, so the equivalent of a local root exploit was not really possible. Still, Windows managed to have multitudes of the way more stupid and serious class of remote exploits. With the advent of Windows XP, Windows kind of becomes multi-user for the first time (though in a very crude way, since unlike UNIX/Linux each login session almost starts a new instance of larger parts of the operating system). While this concept is 30 years old in UNIX, only now does Windows (XP) start having the possibility of local exploits. Surely many of them will exist and it will take decades to kind of iron them out.

  4. Re:Huh? by tmark · · Score: 3, Insightful

    Well put. If a comparable NT exploit were available you can bet the Slashdot editors and readers would have been quick to drag MS over the coals. But since this is a Linux love-fest, we just get a pointer to the fix, and probably later some rationalizations as to how this points to Linux's superiority, or how this is really minor anyways. Reminds me of arguments I used to foolishly engage in with creationists; anything that supports their argument is treated as scientific evidence, while anything contradictory is dismissed out of hand or ignored completely.

  5. Ha by Anonymous Coward · · Score: 0, Insightful

    Where are all the pompous Linux snobs in this thread as there are in the MS DRM thread? What hypocrites.

  6. I may be wrong but... by Kailden · · Score: 4, Insightful

    Somewhere deep inside, the comments on both sides that start comparing Linux to Microsoft are missing the fact that most Linux users are on average more technically savvy, especially if they are connected to the big old net. So obviously, when Linux announces a security hole, a majority of users who are attached to the web get concerned and go out immediately and update their system.

    But when companies and home users are running a COTS that they prolly didn't even install and don't even know what, say, IIS is, they don't get real concerned about updating their systems.

    For an example, look at the Code Red infections that occurred after the security hole had been announced.

    --
    I need a TiVo for my car. Pause live traffic now.
  7. "Only a local root" by petrov · · Score: 3, Insightful

    I'm seeing a lot of comments like "This is only a local root exploit", or michael's "Important for anyone running a multi-user system."

    That's crap. This is a big deal. Don't try and downplay this. If you leave this unpatched, it turns every remote login hole into a remote root hole. There's plenty of code running remotely: mail, cgi, etc. Good security isn't foolproof. Good security is defense in depth. That means that you are patched against remote holes, and patched against local holes, so that escalation of privileges is difficult.

    --sam

    --
    --sam
    Any technology distinguishable from magic is insufficiently advanced.
  8. Re:What is a Good Mailing List for this Info? by teg · · Score: 5, Insightful

    Can someone recommend a good mailing list for Linux issues? I am using mostly RedHat boxes, but they don't seem to have any free mailing list that I can find (perhaps they have one I don't know about).

    Go to our mailing list server, and sign up for redhat-watch-list.

  9. Re:well... Duh... by BMazurek · · Score: 5, Insightful
    You should not have world exec programs set suid, especially on a system that you expect to be completely secure.

    'Cause no local user ever needs to run passwd.

    Or df.

    Or ping.

    Or xterm.

    Or rlogin.

    Or su.

    Or top.

    Or traceroute.

    A completely secure machine is a painful thing to work on. Yes, it may be necessary in some circumstances. Banning world executable setuid programs is a securing technique, but it's not the blessed saviour you're making it out to be.

    Parallels a situation many governments are facing right now: How much security do you implement to protect your population while still maintaining some semblance of freedom?

  10. Re:well... Duh... by BMazurek · · Score: 2, Insightful
    There is absolutely NO REASON for you to have passwd suid-root. NONE

    How about accessing shadow password files? Since you don't want your /etc/passwd (or your shadow password file) writable by your average user, how does a non-suid passwd program work?

    All that would allow you to do is set root's password from a normal user's account.

    Please refer to documentation that explains the difference between real and effective user ids.

    Ping??? Ummmm.... NO. It can send and receive packets fine and dandy as an unprivileged user.

    The message to which I was replying made no indication what OS he/she was speaking in reference to. I was examining my FreeBSD, HP-UX and Solaris machines. My point was not Linux-specific (if that is the OS to which you are referring).

    Unless you want to ping-flood, which it will only let root do.

    XTERM???? Goodnight, that's the most insecure thing I've ever heard! When an xterm starts, it opens up a shell for whatever user it's running as. Even if that means opening up a root shell.

    Once again, I believe you're confusing real and effective user ids. Furthermore, this (AFAIK) depends on the restrictions the OS places on the access to system resources.

    Top has no need for suid-root.

    Once again, I think this point depends on the OS and the implementation of top, and the permissions on devices such as /dev/mem and /dev/kmem (depending on your OS).

    Security is your friend.

    Finally, something we can agree on.

    As I indicated in my first post, depending on your circumstances removing world executable setuid binaries may be an option. For example, on my firewall. This doesn't necessarily make for the most user-friendly system.

    I look forward to your response...
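The real versus effective uid distinction the reply above keeps pointing at, as an added example in C (not code from the thread, and not passwd's own implementation): the authorization check a setuid-root tool must key on the real uid, and the permanent privilege drop it should perform and verify once the privileged step is done. Uid 1000 is a constructed sample value.

```c
/* Added example, not code from the thread or from any passwd implementation:
 * how a setuid-root tool separates who asked (real uid) from what it may do
 * (effective uid), and gives root up for good once the privileged step is
 * done. POSIX only; uid 1000 is a constructed sample value. */
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Authorization keys on the REAL uid (the invoking user), never on the
 * effective uid (root while setuid is in effect). A plain user may change
 * only their own entry; only a real root may touch someone else's. Returns
 * 1 when the request is allowed, 0 when it must be refused. */
int authorize_target(uid_t real_uid, uid_t target_uid)
{
    return real_uid == 0 || real_uid == target_uid;
}

/* Give the setuid privilege up permanently. When the effective uid is 0,
 * setuid() rewrites the real, effective and saved uids together, so root
 * cannot be regained afterwards. Returns 0 on success, -1 if the process
 * still holds, or can still regain, a different effective uid. */
int drop_privileges(void)
{
    uid_t real = getuid();
    if (setuid(real) != 0)
        return -1;
    if (geteuid() != real)            /* verify; never trust setuid() blindly */
        return -1;
    if (real != 0 && setuid(0) == 0)  /* an unprivileged process must not get root back */
        return -1;
    return 0;
}

int main(void)
{
    uid_t real = getuid(), eff = geteuid();
    printf("real uid %u, effective uid %u%s\n", (unsigned)real, (unsigned)eff,
           (eff == 0 && real != 0) ? " (running setuid root)" : "");
    printf("uid 1000 asking to change root's entry: %s\n",
           authorize_target(1000, 0) ? "allowed" : "denied");
    printf("uid 1000 asking to change its own entry: %s\n",
           authorize_target(1000, 1000) ? "allowed" : "denied");
    printf("drop privileges: %s\n", drop_privileges() == 0 ? "ok" : "FAILED");
    return 0;
}
```

Run as an ordinary user the program prints matching real and effective uids; installed setuid root it would print effective uid 0 until drop_privileges() returns, which is exactly the window an xterm or shell spawned from such a program would inherit.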