Slashdot Mirror

← Back to Stories (view on slashdot.org)

Local Root Hole in Linux Kernels

Posted by michael on from the keep-those-users-down dept.

xepsilon writes "A local Linux security hole using ptrace has been discovered that allows a potential attacker to gain root privileges. Linux 2.2.25 has been released to correct this security hole, along with a patch for 2.4.20-pre kernels. 2.4.21 ought to contain this fix, once it is released. 2.5 is not believed to be vulnerable to this security hole. See this email from Alan Cox for details, and a patch."

7 of 495 comments (clear)

  1. patched it already by Lxy · · Score: 5, Interesting

    Got an e-mail this morning from Redhat Network that a new kernel was available to solve this vulnerability. up2date got my machine patched hours before the /. post.

    If you're running Redhat, RHN is a valuable tool that no admin should be without.

    --

    There is no reasonable defense against an idiot with an agenda
    :wq
  2. Time to patch my IIS^H^H^HKernel by Richard_at_work · · Score: 3, Interesting

    Soooo, i wonder how many posts will appear here along the lines of those in the WebDav exploit story earlier. Not many im willing to bet.

    Those people willing to shout and hollor at every serious issue, screaming bloody murder because someone got it wrong, really pisses me off. Yes people get it wrong, they write insecure code from time to time. This issue and a number of those before it show that Linux has as many opportunities for exploitation as any other OS.

  3. To all the windows bashers... by EZmagz · · Score: 5, Interesting
    Nobody's safe.

    I hate to say it, but this is kind of refreshing. This ins't a troll, so don't get me wrong...I'm a linux user myself. But after seeing the masses rip into MS yesterday when the thread about the IIS 5.0 hole was posted, I got a tad frustrated. Granted, I hate Microsoft as much as the next guy, but this just goes to show you that it's NOT just Microsoft that falls prey to holes and exploits. If it runs an OS, there's a chance it'll be cracked. Simple as that.

    Hell, the linux kernel is without a doubt one of the most audited open source projects out there, and this bug STILL didn't surface until 2.4.20. Of course, I applaud the speed and availibility of patches and workarounds to the bug. Just remember, it happens to everyone.

    --

    "Hell hath no fury like a woman scorned for SEGA. ..."

  4. Exploitable? by Rain · · Score: 5, Interesting

    Geez, only took /. 27-odd hours. Anyway.

    I tried writing an exploit for this flaw, but I couldn't get far enough to inject any code. I managed to ptrace(PTRACE_ATTACH, ...) a uid 0 modprobe (easy enough way to call kernel_thread()), but for some reason, the traced process isn't properly reparented, so all subsequent ptrace() calls fail. (Whenever you PTRACE_ATTACH to a process, it's supposed to become the child process of the tracer, and ptrace_check_attach (linux/kernel/ptrace.c) will return -ESRCH if this condition isn't met.)

    I'm not positive this is actually exploitable, but I'm not positive I took the correct approach, either. In any case, the most I've been able to do is spawn a slew of suspended root-owned processes. Not good, but not the end of the world, either. If someone has actually managed to exploit this flaw, I'd love to see some code so that I could see what I did wrong. Conversely, I'm willing to share the code I have upon request. I've only written code up to the current impasse, but once past this problem, the rest should be pretty trivial.

  5. Re:I don't think so by mmontour · · Score: 3, Interesting

    At least in Debian, even with "linux single" you have to type the root password to get root.

    How about with "linux init=/bin/sh"?

  6. Re:IT'S IN ENGLISH!!! by TheRaven64 · · Score: 4, Interesting
    Welsh has the most glaring deficit of vowels and proper spelling.

    Actually, Welsh has more vowels than English, and is spelt almost entirely phonetically. It's hard for English speakers to read since it uses the same characters to represent different sounds (Yes, I have had to listen to Alan rave about how wonderful Welsh is...). The most confusing thing I find about welsh is the way words 'mutate', that is to say their pronunciation changes depending on the syllable preceding or following them to make the sentence flow more easily.

    It is sometimes useful to know a language that no-one else in the room speaks, and I think that this is one of Alan's reasons for learning, but I prefer Latin for this purpose. The structure is more logical.

    --
    I am TheRaven on Soylent News
  7. This and IIS exploit by OoSync · · Score: 3, Interesting

    While its not really kosher to bash an OS because of a single flaw, there is a fundamental difference in the case of this flaw and the previously announced IIS exploit: this one's not yet exploited. One thing that hurts FS/OSS on bug lists is that all *potential* exploits in open code will be listed as bugs, while many proprietary producst only disclose known, possibly exploited, bugs. Case in point, the IIS problem was exploited almost a week ago. The kernel problem was noticed, fixed, and no exploit exists. In fact, a previous poster on this board has posted his inability to trigger the *potential* exploit and asked for help.

    --

    I always get the shakes before a drop.