Local Root Hole in Linux Kernels

xepsilon writes "A local Linux security hole using ptrace has been discovered that allows a potential attacker to gain root privileges. Linux 2.2.25 has been released to correct this security hole, along with a patch for 2.4.20-pre kernels. 2.4.21 ought to contain this fix, once it is released. 2.5 is not believed to be vulnerable to this security hole. See this email from Alan Cox for details, and a patch."

How is Microsoft responsible?

[jmulvey]

With all the brainpower on /. I'm sure we can discover a way.

Re:How is Microsoft responsible?

[lavalyn]

Microsoft would have a monopoly on privilege escalation exploits if not for Linux.

Re:How is Microsoft responsible?

[kfg]

I think the late George Mallory put it rather succinctly:

"Because they're there."

On the other hand, in the words of Voltaire:

"If Microsoft didn't exist it would be necessary to invent them."

However, regarding the current kernel situation I think my deeply missed old granny put it best:

"Oh fuck."

KFG

Re:How is Microsoft responsible?

[Sloppy]

If Microsoft had not stolen all that free publicity, then Linux wouldn't have had to steal it back.

Re:How is Microsoft responsible?

[kasperd]

Microsoft would have a monopoly on privilege escalation exploits

No, Microsoft has a bulletproof way to prevent privilege escalations. They simply make sure the attacker gets all privileges at once, then there is nothing to escalate.

Re:How is Microsoft responsible?

[CoffeeCrusader]

Voltaire wasn't an actor. He's one of the more important French philosophers of the 18th century. He basically developed a philosophy of logic, that bans poverty. But he would certainly be most annoyed about flaws in anything, but especially the Linux Kernel, since he was a promoter of free and open work, and flawlessness.

Re:How is Microsoft responsible?

[aggieben]

uhh.....I don't think so. SunOS has had it's share....
but that's besides the point. The OS has little to do with privelage escalation, anyway; it has everything to do with the programmers who write programs that will be suid.

Re:How is Microsoft responsible?

[palfreman]

"If Microsoft didn't exist it would be necessary to invent them."
So you are equating Microsoft to God. Interesting...

Although Voltair may have said "If God didn't exist it would be necessary to invent him" it is another matter as to whether Microsoft resembles Him. I would have said that Microsoft was just anouther popular-for-now company with nothing to fall back on. Nothing special in the long run.

However,if you want to be really picky, they have the advantage of existing and actually being pointable-to, unlike God.

Re:How is Microsoft responsible?

[kfg]

No, I was not equating Microsoft to God.

I was equating Microsoft to an imaginary friend. :)

KFG

Re:How is Microsoft responsible?

[rark]

well, if you define $GOD as 'an entity on which all things can be blamed, when one needs such a thing' then it does rather fit....

Re:How is Microsoft responsible?

[gd23ka]

Doesn't a privilege escalation feature in the Linux kernel somehow violate Microsoft intellectual property rights?

Got Root?

[FAngel]

Got Root?

Re:Got Root?

[Anonymous+Cow+herd]

I do now >:)

Re:Got Root?

[cyb97]

Just give me a minute ;-)

Re:Got Root?

[42forty-two42]

Root has all the priviliges and suid-bits you need for a healthy rootkit.

Re:Got Root?

[Gortbusters.org]

Got User Account?

Re:Got Root?

[pebs]

# whoami
root

Re:Got Root?

[wirelessbuzzers]

I do now >:)

I believe you mean "#:)"

Eek!

[Jouster]

And please, allow me to be the first to say:

Holy shit, this could be a problem.

Excuse me while I go patch my servers, which all of my developers have user-level access to, albeit very limited access.

New marketing ploy for TMF: get your security news before the 13-year-old 5<R1p7 <1|)|)135, since they don't have credit cards with which to subscribe.

Jouster

Re:Eek!

[dreamchaser]

New marketing ploy for TMF: get your security news before the 13-year-old 5

Not so fast! What if they steal some CC numbers first?

Re:Eek!

[gnixdep]

...since they don't have credit cards with which to subscribe.

Sure they do

it's just your credit card.

It's Tuesday

Journal Entries:

(looks at watch) its monday again... time to go patch my IIS

(looks at watch) its tuesday again... time to go patch linux.

Re:It's Tuesday

[charon_on_acheron]

Four day week, huh? Must be nice. :^P

Re:It's Tuesday

[Edgewize]

I don't know about you but I certainly don't check my watch to find out the day of the week.

Re:It's Tuesday

[Moloch666]

What kind of geek are you?

Re:It's Tuesday

[Col.+Panic]

Oh, you use a PDA, huh?

Re:It's Tuesday

[carboncopy79]

Oh I do. But my watch died recently. Being depending on my mobile phone since. Damn, need to get a "REAL" job. Anyway, I don't get stability problem with 2.5.* kernels. Which is really great.

Re:It's Tuesday

[statichead]

I wish with my watch included the year.

Could someone post the email up?

[00_NOP]

It's been /.ed and I'd really like/need to read it asap. Hence I am posting at +2. Karma burning away...

Re:Could someone post the email up?

[cyb97]

linux-kernel-list

Different mirror

I guess these are the same.. haven't read the origial ./ed site, but this is from lklm and guess they're the same...

Re:Could someone post the email up?

[uncleFester]

The article-linked message also had a patch attached but the lameness filter is pissed about including it so you'll have to snag it somewhere else.. the patch did not specify what kernel version it applied to, though.

Vulnerability: CAN-2003-0127

The Linux 2.2 and Linux 2.4 kernels have a flaw in ptrace. This hole allows
local users to obtain full privileges. Remote exploitation of this hole is
not possible. Linux 2.5 is not believed to be vulnerable.

Linux 2.2.25 has been released to correct Linux 2.2. It contains no other
changes. The bug fixes that would have been in 2.2.5pre1 will now appear in
2.2.26pre1. The patch will apply directly to most older 2.2 releases.

A patch for Linux 2.4.20/Linux 2.4.21pre is attached. The patch also
subtly changes the PR_SET_DUMPABLE prctl. We believe this is neccessary and
that it will not affect any software. The functionality change is specific
to unusual debugging situations.

We would like to thank Andrzej Szombierski who found the problem, and
wrote an initial patch. Seth Arnold cleaned up the 2.2 change. Arjan van
de Ven and Ben LaHaise identified additional problems with the original
fix.

Alan

Re:Could someone post the email up?

[Malcolm+Scott]

"the patch did not specify what kernel version it applied to"
...
"A patch for Linux 2.4.20/Linux 2.4.21pre is attached."

patched it already

[Lxy]

Got an e-mail this morning from Redhat Network that a new kernel was available to solve this vulnerability. up2date got my machine patched hours before the /. post.

If you're running Redhat, RHN is a valuable tool that no admin should be without.

Re:patched it already

[(startx)]

It's also been fixed in slackware-current, which became 9.0 just a few hours ago :-)

Re:patched it already

[sporty]

The only reason not to update, is if you haven't QA'd (burn in test) your new kernel. Put int through 100% load tests for 24-48 hours to make sure nothing goes haywire. Last thing you'd want is a strange memory leak causing processes to go bezerk.

Not to say that you haven't done that, but buyer beware. It makes no diff if it were linux, mac os x , windows, commodore 64. Don't randomly update things. Heck, sometimes us programmers create bugs in programs that are fixed by other bugs existing. Closing one may expose a new one.

Re:patched it already

[slashtom.org]

So far with the 2.4 kernels there have been 2 that were quickly superceeded after some nasty bugs were found as a result of the patch being applied.

I now wait at least a few days before applying a kernel patch. I'm not going to let something like my filesystem get trashed when all it takes is to wait a couple of days.

Re:patched it already

[ignipotentis]

And the difference between this and setting Windows Update to download automaticlly then inform you before proceeding with an install is? Basically all that has been proved is a good admin will stay on top of updates. And eveyone here gets confused when something isn't Microsofts fault.

Re:patched it already

[dAzED1]

absofreakenlutely.

did a kernel update a couple months ago that then bombed mysql. Could not for the life of me figure out what was wrong with mysql. Just wouldn't work. I then tried rebooting to the older kernel that had been in use the previous day...what the hell do ya know, mysql worked again. A whole freakin day wasted.

Recompiling mysql fixed the problem, oddly enough. Never quite got what was going on, either - was too busy to try to figure it out.

Re:patched it already

[SilverSun]

1. you can have the same and more with apt
(works wonderfull with RH)

2. No sysadmin in his right mind will allow
RHN to reboot his mashines

Re:patched it already

[sporty]

Point is, even if 100million people test, the kernel can affect your system in a particular way, resolving a bug which could really be a strut holding your entire infrastructure in place. Pulling it out would cause everything to crash.

Remeber, burn in those new kernels with your new system. Screw waiting. Heck, you might be the one person a particular kernel works well for.

Re:patched it already

[Lxy]

There is one difference: who do you trust?

I trust Redhat not to slip spyware and weird license agreements into the kernel I'm downloading. I trust that it's an honest to God GPL'd kernel. Why? Because I'm a trusting person, and I haven't had any freakish incidents with Redhat.

I don't trust Microsoft. I don't want code with God knows what hacked in with a license agreement that takes away my first born while installing.

While I'm on the subject, I received an e-mail from Microsoft before I recieved the e-mail from RHN. I then had the option of doing a Windows Update or installing it manually. I chose manual, because MS doesn't know about my machine and I want to keep it that way.

Re:patched it already

[lkturner]

Copied directly from Redhat's website... "Red Hat Network Basic service level: $60/year per system subscription" If MS tried to do charge for Windowsupdate, Bill would be crucified.

Re:patched it already

[Lxy]

1. you can have the same and more with apt
(works wonderfull with RH)

yes, but if there's an e-mail list for exploits with apt, I'm unaware of it. RHN seems to work better in Redhat than apt, no comparison on Debian based distros that apt hauls ass.

No sysadmin in his right mind will allow
RHN to reboot his mashines

It doesn't reboot your machine unless you tell it to.

Re:patched it already

[kasperd]

The only reason not to update, is if you haven't QA'd (burn in test) your new kernel.

There is no reason not to update. But of course some QA first would make sense for a production system. Review the patch, and test it on a nonproduction system. But don't wait many days before upgrading. The ptrace feature is not very important to production systems, so you wouldn't expect much to break. The flaw OTOH can potentially be a major problem. My uptime when I read this on /. was more than 22 hours - with an updated kernel.

Re:patched it already

[DrXym]

It would be even more invaluable if Red Hat et al made RPM and their updates incremental. It is rather silly to expect people on 56k modems (of which there are still many) to download 30-50mb of patches to fix what probably amounts to 1mb at most of code changes. Kernel changes are particularly horrible - a one line patch means 35Mb download! How many users will bother with that? Now perhaps that's their own fault when they're rooted, but it's bad for everyone else too - a rooted box is a springboard for further attacks, not to mention dragging the reputation of Linux through the mud.

Why isn't it possible to produce incremental binary patches containing just the diffs? Not only would it vastly increase the chances of people downloading them (which is good for everyone), it is good for Red Hat too since their bandwidth for up2date is slashed.

Now obviously there are times when incremental diffs are not useful, but with the proper safeguards (e.g. checksums and backing up originals etc.) I don't see what the problem is. If anyone from Red Hat or RPM land is listening, please consider implementing this feature. Pretty please with a cherry on top.

Re:patched it already

[rwsorden]

It's about time someone mentioned this. Also, RHN knows a whole heck of a lot about the machines you've registered.

Re:patched it already

[Narcissus]

The reason he'd be crucified is because we'd still have to wait how long until the patch came through?

Pay the $60 to Red Hat, check the time between flaw discovery and fix, and then compare to what MS have to offer.

Re:patched it already

[weave]

Very wise advice. I've had some bad luck with rh 7.3 kernels of late. A few Redhat kernel updates ago, after an update, our main servers kept hanging, no panic, just hang. A later kernel update said it fixed a hanging condition in tg3 (gigabit ethernet driver). We installed it, hangs stopped. Then next kernel update, we installed it, hangs started again. Downgraded kernel, hangs stopped. Then yet another kernel update again listed tg3 hang fix. We installed that and ran it, no hangs.

Now there is this latest kernel update. We immediately updated the box with user accounts that have shell access due to the risks, but the other systems we're not updating for now.

Re:patched it already

[caluml]

I would disagree.

I much prefer it the way it is. Take Apache/ IIS as examples.
If you're running 1.3.26, you're safe, and you know it.
With IIS, if you're running IIS5, but with patch X, and patch y, and patch z applied before patch q, unless you have the MSSql patch r installed in which case you need patch f for IIS, and patch k for MSSql...

They should do it the other way. Make it simple.
If you're running IIS 5.0.185 then you're OK. Anything else, and you've got problems.

Patches and stuff were OK during floppy disk days, and 28.8k modems. I'd much rather not have to worry about incrememental patches.

Re:patched it already

[DrXym]

I didn't mean that way. I mean if up2date says there is a new version e.g. 1.2.1 and you have 1.2.0, and there is an incremental diff available (i.e. 1.2.0-1.2.1) then it should fetch and apply that rather than fetching the whole 1.2.1 package which could be massive. After patching you now have 1.2.1 as if you had done rpm -Uvh on it.

There is no 'hotfixing' or piece patching here. The result of the incremental diff is the same as installing the whole new version, just considerably easier to download. As I mentioned, a kernel update is 35mb of patches. I would be surprised if an equivalent incremental patch were more than a megabyte.

Re:patched it already

[drfreak]

RHN is free for one machine. If you have more than one, you have to round-robin "entitle" each box to update them. Windows Update is really just appealing to the user's perception that they are buying new versions of windows for new features, not for bug fixes. They would probably get lynched if they charged for bug fixes because everybody knows how flawed Windows is.

What is good about OSS is most of the software is already written so distribution companies can focus on adding value to Linux. Microsoft not only has to burn money on R&D, they also have to burn money on their OS.

Re:patched it already

[betis70]

>>Heck, sometimes us programmers create bugs in programs that are fixed by other bugs existing. Closing one may expose a new one.

Preach on Brother Sporty!

Just fixed a bug today that didn't exist in Sunday's build, but was found by QA. My former fix to Thrusday's bug (Friday's build) caused this one.

Dammit, I hate it when I do that.

Re:patched it already

[WNight]

It's a local root hole. Do you give out accounts (at any privellege) to anyone else? If not, you should be safe waiting a day or two to see how other, more daring people fare. But, you are that person... Post back in a day or two and let us know how it works.

It could be the purpose of your life is to serve as a warning to others.

Re:patched it already

[agurkan]

himm, but this is a kernel patch, not only do you need to install it, you also need to reboot for the changes to take effect. RHN might be valuable but in this case it is not that useful.

Re:patched it already

[ianezz]

Why isn't it possible to produce incremental binary patches containing just the diffs?

Better said: why not provide also rsync access to packages?

After all, it is possibile that foo-x.y.z-N+1.arch.rpm is mostly the same as foo-x.y.z-N.arch.rpm (same for .deb packages).

Or it could be as well that this is far from being true.

Assuming (for the sake of the argument) it is true, unfortunately, rsync is NOT the right tool, since diffs are done on the fly and this would put huge workloads on the server side.

But a tool specially crafted for this that makes a local copy of the package to update, retrieves via http all the needed patchsets (precomputed static files on the server-side), applies them in the proper order and does a bit of MD5summing to check if the result is right would be something nice to have.

Probably there is something out there that already implements most of the needed functionalities (unfortunately I don't know where), since the idea is so simple.

Re:patched it already

[sporty]

There is no reason not to update.

Of course there is. If the patch breaks your system somehow. All you need is that one stupid piece of software that works in some strange, yet correct way, that brings in a lot of revenue, to break, because some admin didn't burn in a new system.

Re:patched it already

[rifter]

1) Slackware 9.0 has not been released yet. Slackware 9.0rc1 was released and does not have the patch for this.

2) I found no reference to this patch in the changelog
for slackware-current.

Re:patched it already

[(startx)]

you sir, are looking at the wrong Changelog.

Slackware 9.0rc2, rc3, and final have all been released since the last time sourceforge updated. Get with the times.

Re:patched it already

[rifter]

Well, heck, it was the rc3 changelog I was looking at, and the slackware one was unaccessable ... still, all I can say is Hooray! I have been waiting for the final release to come out before upgrading...

Re:patched it already

[Syberghost]

If you're running Redhat, RHN is a valuable tool that no admin should be without.

And which will shortly be a pay-only tool. It already requires filling out privacy-challenged surveys every 60 days to continue to use for free.

Even Microsoft takes security seriously enough to make security fixes available conveniently and free, so that people will actually apply them. How many RedHat systems are going to go unpatched, thereby screwing things up for the rest of us, because of this lame-ass decision?

Come on, RedHat, set up an apt-rpm server for security fixes!

Here's the text of Alans post (minus the .diff)

[Mish]

Ptrace hole / Linux 2.2.25

To: linux-kernel@vger.kernel.org
Subject: Ptrace hole / Linux 2.2.25
From: Alan Cox
Date: Mon, 17 Mar 2003 11:04:35 -0500 (EST)
Sender: linux-kernel-owner@vger.kernel.org

-----------------------

Vulnerability: CAN-2003-0127

The Linux 2.2 and Linux 2.4 kernels have a flaw in ptrace. This hole allows
local users to obtain full privileges. Remote exploitation of this hole is
not possible. Linux 2.5 is not believed to be vulnerable.

Linux 2.2.25 has been released to correct Linux 2.2. It contains no other
changes. The bug fixes that would have been in 2.2.5pre1 will now appear in
2.2.26pre1. The patch will apply directly to most older 2.2 releases.

A patch for Linux 2.4.20/Linux 2.4.21pre is attached. The patch also
subtly changes the PR_SET_DUMPABLE prctl. We believe this is neccessary and
that it will not affect any software. The functionality change is specific
to unusual debugging situations.

We would like to thank Andrzej Szombierski who found the problem, and
wrote an initial patch. Seth Arnold cleaned up the 2.2 change. Arjan van
de Ven and Ben LaHaise identified additional problems with the original
fix.

Alan

dead already?

[zozzi]

Slashdotted already? Try here: here

Re:dead already?

[jhunsake]

I'm not the anonymous coward above, but what you are pointing out is irrelevent. It would be easy to have a page with a redirect, or better yet, have the http server send a redirect header.

Re:dead already?

[gid]

I tried the patch in this email and got a LOT of failed hunks, I copied and pasted into a file, and also tried save as in mozilla. I just looked at the source on that page and it looks like they added their own br's and other crap to the patch, which basically makes it unuseable. *sigh*

In other news...

[AnriL]

And for the hax0rs without a local shell, there's a recent samba instant-remote-r00t vulnerability. Get your patches while they're hot!

Re:In other news...

[jedidiah]

If you don't replicate the bugs in something like Samba you run the risk of your clone being incompatible with the original.

Sad but true.

Re:In other news...

[molarmass192]

You beat me to it. There was an interview with Jeremy Allison in Linux Format sometime back where he said exactly that. The same problem exists with WINE whereby they're forced to replicate MS bugs in order to be compatible.

Re:In other news...

[kasperd]

If you don't replicate the bugs in something like Samba you run the risk of your clone being incompatible with the original.

Of course that is true as long as the bugs are in the protocol. But it does not apply to exploits. Just because there are exploits in the original, you don't need to replicate those for compatibility.

Re:In other news...

[Hentai]

You do when the Windows OS uses those exploits to perform its routine file-sharing tasks.

Re:In other news...

[walt-sjc]

Considering that MS has not released FULL documentation for SMB (they had a partial release of info that lacked certain details) the only way to implement it is to reverse engineer behavior you see in various Windows products - which means bugs and all.

Love the headline

[L.+VeGas]

Lo-Cal Root Hole in Linux Kernels

I think I saw this in an advertisement for granola.

mmmm... breakfasty

Re:Love the headline

[TheDarkener]

This just made me realise, if some cereal company were to make "Linux Kernels" cereal, the publicity would be tremendous!! Just think of the commercials!

"Look Ma, there's no holes in my kernels!"
"I know dear, that's why they are so good!"
"Ma, I love Linux Kernels!"
"And I love you, Billy!"

"Linux Kernels. Get yours!"

There could even be Tux on the front of the box!! People would dig it!!

FYI, Red Hat Network Advisory

[Znonymous+Coward]

Red Hat Security Advisory

Synopsis: Updated 2.4 kernel fixes vulnerability
Advisory ID: RHSA-2003:098-00
Issue date: 2003-03-17
Updated on: 2003-03-17
Product: Red Hat Linux
Keywords: ptrace
Cross references:
Obsoletes: RHSA-2003:025-20 RHBA-2003:069-12
CVE Names: CAN-2003-0127

1. Topic:

Updated kernel packages for Red Hat Linux 7.1, 7.2, 7.3, and 8.0 are now
available. These packages fix a ptrace-related vulnerability that can
lead to elevated (root) privileges.

2. Relevant releases/architectures:

Red Hat Linux 7.1 - athlon, i386, i586, i686
Red Hat Linux 7.2 - athlon, i386, i586, i686
Red Hat Linux 7.3 - athlon, i386, i586, i686
Red Hat Linux 8.0 - athlon, i386, i586, i686

3. Problem description:

The Linux kernel handles the basic functions of the operating system.
A vulnerability has been found in version 2.4.18 of the kernel. This
vulnerability makes it possible for local users to gain elevated (root)
privileges without authorization. This advisory deals with updates to
Red Hat Linux 7.1, 7.2, 7.3, and 8.0.

All users of Red Hat Linux 7.1, 7.2, 7.3, and 8.0 should upgrade to
these errata packages, which contain patches to fix the vulnerability.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied, especially the additional
packages from RHSA-2002:205 and RHSA-2002:206.

The procedure for upgrading the kernel manually is documented at:

http://www.redhat.com/support/docs/howto/kernel- up grade/

Please read the directions for your architecture carefully before
proceeding with the kernel upgrade.

Please note that this update is also available via Red Hat Network. Many
people find this to be an easier way to apply updates. To use Red Hat
Network, launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system. Note that you need to select the kernel
explicitly on default configurations of up2date.

Hole Found in Linux Server

[ch-chuck]

(Server Room, DP) A hole was found in 'cypress', one of the principle Linux file, email and web servers of Brapco Corp early today. "We were dusting out around the back", said Mike Koyro, IT manager of Brapco, "and there it was, right by the power supply." The hole was quickly verified by other members of the IT dept as "really there". Speculation that it may be a screw hole was quickly dispelled when Frank, chief scripting officer, pointed out it didn't have any threads, and no screws were found loose anywhere nearby. "If someone got in here and drilled it during the night, they sure did a clean job - there's no shavings on the floor and the hole has no burrs" observed Mike. "It was either a professional job, with a sharp bit and machining oil, or a manufacturing defect". Calls to Linux Security were unanswered as of press time.

IT'S IN ENGLISH!!!

[strredwolf]

Haleulia and pass the green beer. It's not in Welsh.

BTW: If you haven't read, or tried to read, Alan's blog you won't get the joke.

Re:IT'S IN ENGLISH!!!

[cyb97]

Speaking of green...
It was saint paddy's day yesterday, so I wonder how in the hell Mr. Cox could nail a bug today...
I know I couldn't do something like that the day after...

Re:IT'S IN ENGLISH!!!

[Varitek]

I'm a fluent Welsh speaking geek who reads Alan's diary. That probably just makes the two of us, and Alan isn't even that fluent yet.

Re:IT'S IN ENGLISH!!!

[chrisseaton]

"saint paddy's day" is for the Irish you moron. Cox is Welsh.

Re:IT'S IN ENGLISH!!!

[cyb97]

Like the welsh doesn't use any excuse to get drunk?
Come one grow up! Anybody that knows about st. paddy uses it as an excuse to get smashed on a monday!

Re:IT'S IN ENGLISH!!!

[Jouster]

And I'll sell you Welsh if you need to brush up.

Latin, Welsh, Swahili--all languages that are very hard to find in computer-based language-learning products--and, of course, they don't have the Rosetta Stone method, which kicks some serious ass.

Jouster

Re:IT'S IN ENGLISH!!!

[Kourino]

It's only in English because BitKeeper isn't involved -_^

Re:IT'S IN ENGLISH!!!

[TheRaven64]

Welsh has the most glaring deficit of vowels and proper spelling.

Actually, Welsh has more vowels than English, and is spelt almost entirely phonetically. It's hard for English speakers to read since it uses the same characters to represent different sounds (Yes, I have had to listen to Alan rave about how wonderful Welsh is...). The most confusing thing I find about welsh is the way words 'mutate', that is to say their pronunciation changes depending on the syllable preceding or following them to make the sentence flow more easily.

It is sometimes useful to know a language that no-one else in the room speaks, and I think that this is one of Alan's reasons for learning, but I prefer Latin for this purpose. The structure is more logical.

Re:IT'S IN ENGLISH!!!

[juan2074]

Less than one-quarter of the population in Wales can even speak Welsh. Apparently, at least one person can even read and write it.

Re:IT'S IN ENGLISH!!!

[TKinias]

scripsit TheRaven64:

It is sometimes useful to know a language that no-one else in the room speaks, and I think that this is one of Alan's reasons for learning, but I prefer Latin for this purpose. The structure is more logical.

Beware on two fronts. First, it is dangerous to assume that people don't speak the language you're using. I have had friends burned this way with several languages, not expecting (for example) that people in Arizona speak Hebrew, or that people in Germany speak Greek. Or that cute blonde English girls speak both modern colloquial and classical Arabic.

Also, with Latin in particular, most European languages have enough Latin vocabulary that people may pick up what you're saying... If you shoot me a look and say to your buddy ``asinus est ille Americanus,'' I don't need a whole lot of Latin to know you just insulted me.

Time to patch my IIS^H^H^HKernel

[Richard_at_work]

Soooo, i wonder how many posts will appear here along the lines of those in the WebDav exploit story earlier. Not many im willing to bet.

Those people willing to shout and hollor at every serious issue, screaming bloody murder because someone got it wrong, really pisses me off. Yes people get it wrong, they write insecure code from time to time. This issue and a number of those before it show that Linux has as many opportunities for exploitation as any other OS.

Re:Time to patch my IIS^H^H^HKernel

[suicidal]

lol
Too bad this was only exploitable locally. Any secure server would not have local access available to users. I have to agree, but not as a zealot. Bugs will happen but Linux development seems to have them patched instantly, whereas Microsoft's ploy is play dumb until the patch is released, and then act like they did it overnight.

Re:Time to patch my IIS^H^H^HKernel

[skrowl]

The default configuration of URLScan prevents the WebDAV vulnerability from being exploited. URLScan is a part of the IIS Lockdown tool. For more information about URLScan, visit the following Microsoft Web site: http://www.microsoft.com/technet/security/URLScan. asp

Re:Time to patch my IIS^H^H^HKernel

[Albanach]

Surely there's a world of difference between a hole that's remotely exploitable and one that can only be exploited by a local user. Web servers, mail servers (properly configured as 'black boxes'), firewalls, routers etc are all unlikely to be affected if the only user account is actually root).

Then we have timescale - the BBC are reporting here that the US Army were caught out by the Microsoft hole as much as 2 weeks ago, yet a patch didn't turn up until now. Here we have a patch before any known exploits are running in the wild. That's the big difference.

Every operating system has its vulnerabilities. Nonetheless, if the vendor refuses to acknowledge them and your OS is closed source there's nothing you can do. If it's open source at least you know that when a problem comes along you'll be able to get it fixed.

Re:Time to patch my IIS^H^H^HKernel

[FroMan]

remote local

Two different things. Not that this isn't an issue, but they are two different problems.

But, but then trolls will be trolls.

Patch'm up folks.

Re:Time to patch my IIS^H^H^HKernel

[dAzED1]

"This issue and a number of those before it show that Linux has as many opportunities for exploitation as any other OS."

That's some pretty interesting logic you have goin there. Might I suggest though that for there to be "as many opportunities for exploitation as any other OS" that there would have to be, in fact, the same #? I believe windows was at more than just a few major issues at last count, and even quite a few that are still unresolved. The fact that once something is discovered its fixed within hours also plays really heavy on the "opportunities" side, versus the fact that fixes take eons from some vendors after they are known...

And I won't even go in to your "any other OS" part...*any*? yeahhh....

Keep in mind that samba is NOT "linux," its just a tool that people run on it. I'm willing to include in the umbrella tools that are needed to make the OS usable (a shell, for instance), but really...the OS team can't be expected to secure every freaking tool that anyone puts out, even if its as useful as the samba suite.

Re:Time to patch my IIS^H^H^HKernel

[Jouster]

Any secure server would not have local access available to users.

The advantage of *NIX is that this is not the case. My secure servers are where the source code for my company's projects are housed, and where nightly builds live. Not everyone with access to builds should have the capability to grab all the source, or exploit trust relationships between that box and backup boxen, etc....

Jouster

Re:Time to patch my IIS^H^H^HKernel

[1010011010]

Let it piss you off. There's a difference, though -- MSFT software is usually broken by design, problems are common, and they don't fix it or even admit to it until forced to; whereas Linux problems are bugs, more rare, fixed more quickly, and admitted up front.

Re:Time to patch my IIS^H^H^HKernel

[Grax]

Why in the world is URLScan not installed by default?

Why in the world is WebDAV installed by default?

Re:Time to patch my IIS^H^H^HKernel

[juan2074]

Linux has as many opportunities for exploitation as any other OS.

That is not necessarily true. I would say that the way OS developers do their work can help prevent many security holes in the first place.

Open source allows everyone to look at the code. Anyone can find problems, and anyone can fix problems.

OpenBSD developers take it to the extreme with code audits and work extra hard to prevent buffer overflows.

This ptrace flaw was discovered and patched by Andrzej Szombierski.

In theory, every person putting together an OS should do code audits and be on the lookout for buffer overflows, but that does not always happen in reality.

Re:Time to patch my IIS^H^H^HKernel

[jdrugo]

You have IIS?

Holy shit, your fucked!

Re:Time to patch my IIS^H^H^HKernel

[timeOday]

What irritates me is people who insist that Arizona and Washington state have different climates. The fact is, they both have sunny days and rainy days.

Re:Time to patch my IIS^H^H^HKernel

[SurfsUp]

This issue and a number of those before it show that Linux has as many opportunities for exploitation as any other OS.

You're talking out of your ass. This is a local root exploit, the black hat has to get a shell first.

Hrm

[B3ryllium]

I guess they were just trying to out-do the IIS hole.

Ah well ... there's always "linux single" ... :)

Re:Kernel Patches

[NetJunkie]

When does it take a week? The WebDav exploit? That's because blackhats found it... They usually don't disclose.

Known exploits?

[rf0]

Are there any know exploits for this yet? Has anyone scene this in practice?

Rus

Re:Known exploits?

[Soko]

The Linux 2.2 and Linux 2.4 kernels have a flaw in ptrace. This hole allows
local users to obtain full privileges. Remote exploitation of this hole is
not possible. Linux 2.5 is not believed to be vulnerable.

It isn't a remote exploit. Anyone who is foolish enough to attempt to h4X0r your b0X0rz with this vulnerability is within the normal attack range of a LART.

Please, do patch any affected machines you have as soon as possible, but don't *ahem* panic.

Soko

Re:Known exploits?

[datastew]

Actually, if I am understanding these informative slashdot posts correctly, the attacking person does not have to be within range of a cluebat to exploit this flaw.

The remote/local designation refers to whether the attacker already has a valid username/password on your vulnerable system. It does not refer to the physical location of the attacker.

ptrace() again?

[misof]

This is already at least the second problem somehow connected with ptrace() in the kernel. Kernels prior to 2.2.19 were vulnerable to a race-condition attack, that enabled local users to gain root privilegies. This was one of the most "famous" problems in last years and it's known as the execve/ptrace exploit.

More details:

This vulnerability exploits a race condition in the 2.2.x Linux kernel within the execve() system call. By predicting the child-process sleep() within execve(), an attacker can use ptrace() or similar mechanisms to subvert control of the child process. If the child process is setuid, the attacker can cause the child process to execute arbitrary code at an elevated privilege. There are also other known lesser security issues with Linux kernels prior to 2.2.19 which have been noted as fixed.

Re:ptrace() again?

[Ben+Hutchings]

It seems to me that it ought to be possible to disable ptrace(2) on a system-wide basis, as it is likely to be a source of vulnerabilities and will rarely be used on a production box (AFAICS).

Re:This has to be erroneus.

Perhaps a better question to ask would be "Would this bug have been discovered had the source not been open to the public?"

Re:Linux disclosure procedures?

[N3WBI3]

1) umm, I got a mail from redhat about this same as I get something from MS.
2) I think you worry about crackers knowing not hackers, hackers fix problems like this. Also as anyone in a production environment knows just because MS does not publish it does not mean that people dont know before they have a fix. Also the time to deploy a MS patch in production is much longer due to shutdowns and testing.
3) As opposed to almost *ALL* MS updates which requres a restart of every server in your company Woo Hoo!
4) ??? 5) Profit

Re:Linux disclosure procedures?

[ichimunki]

I don't know. Let's ask the U.S. Army what they think of Microsoft after the latest server hacking.

Re:Linux disclosure procedures?

However, quoting some guy further down the page:

A Windows vulnerability is discovered and it takes a week or more to get it taken care of.

The Linux kernel has a vulnerability and the patch is available immediately.

Don't forget us 2.0.x users.

It may be old, but it's still useful.

Re:Don't forget us 2.0.x users.

[Lxy]

I don't doubt that you have reasons for using a 2.0.x kernel. I know old software has its value. I just want to know, why? What makes 2.0.x better for you than a 2.2 or 2.4 kernel?

Re:Don't forget us 2.0.x users.

[schon]

What makes 2.0.x better for you than a 2.2 or 2.4 kernel?

Depends on the box. A better question is "what makes 2.2 or 2.4 better for me than 2.0?"

I have a few 2.0.x boxes kicking around that "just work".. they've never been down, there are no known exploits for them, and users would be pissed if I took them down to upgrade them.. so it just makes sense to leave them as is.

If I upgrade them, it's more work, not to mention the inevitable downtime.

If I leave them be, it's less work, with no gain (there's nothing that 2.2 or 2.4 will do that I need for these boxes.)

Pretty simple decision.

If/when they break, I'll replace them with something newer.. but until then, I'll just leave them be.

Re:Don't forget us 2.0.x users.

[eeek]

I know of a VOIP gateway product that uses a 2.0 kernel. There is no good reason to change to a newer kernel and doing so would require updating several device drivers.

Re:Huh

[ageOfWWIV]

We're not patching, we're in denial.

Noone ever said Linux/BSD is perfect

[nurb432]

But at least they admit it when there are problems. As does the BSD crowd too.

And *nix is still a hell of a lot closer to perfect..

Re:This has to be erroneus.(aehm erroneous)

English is my second language, but I`m pretty sure
it should be erroneous.
Or was that on purpose? That`d be funny.

To all the windows bashers...

[EZmagz]

Nobody's safe.

I hate to say it, but this is kind of refreshing. This ins't a troll, so don't get me wrong...I'm a linux user myself. But after seeing the masses rip into MS yesterday when the thread about the IIS 5.0 hole was posted, I got a tad frustrated. Granted, I hate Microsoft as much as the next guy, but this just goes to show you that it's NOT just Microsoft that falls prey to holes and exploits. If it runs an OS, there's a chance it'll be cracked. Simple as that.

Hell, the linux kernel is without a doubt one of the most audited open source projects out there, and this bug STILL didn't surface until 2.4.20. Of course, I applaud the speed and availibility of patches and workarounds to the bug. Just remember, it happens to everyone.

Re:To all the windows bashers...

[negacao]

Yes, it happens to everyone.

But this is a local-root exploit. WebDav thing/nimda/code red/etc were all windows exploits that allowed remote-root..

Big difference there; I'm not even going to patch my machines, because I'm the only user.

:)

Re:To all the windows bashers...

[nathanh]

... but this just goes to show you that it's NOT just Microsoft that falls prey to holes and exploits. If it runs an OS, there's a chance it'll be cracked. Simple as that.

Well, duh. You make it sound like you only realised this last week. Welcome to the 1960s, kid.

Re:To all the windows bashers...

[Grax]

Sure these are valid points. Feeling smug will get you nowhere.

But the IIS 5.0 hole falls squarely into the realm of "we could have lessened the impact of this bug had we not made the default options that insecure"

Why isn't URLScan installed by default? Why is WebDAV enabled by default?

Re:To all the windows bashers...

[Dalcius]

Anyone who is admining a server and can't understand anything more complex than "start->windowsUpdate->download->reboot" shouldn't be admining a server.

The rebooting issue pulls up another point: very few Linux holes reported involve the kernel. Rebooting mission critical servers to fix a hole in a sub-program is inane. It's just bad programming to restart the entire system when one minor level needs a change.

Re:To all the windows bashers...

[Dalcius]

I should add, I am not implying that Linux is often much more difficult to fix than using Windows Update. I've never had problems with up2date, and speaking as how other package management systems are much better IMO (portage, apt-get, etc.), that's saying quite a bit about Linux.

Re:To all the windows bashers...

[jelle]

Sure, both are security bugs, but of a totally different order of magnitude.

The IIS hole was a remote exploit including privilege escalation open to abuse by anybody on the Internet, and the kernel one was a local privilege escalation open to abuse by system users with shell access or other capability to run&abuse ptrace(). If you have untrusted local users, you should run them in a UML or vservers/ctx anyway so thay if they escalate privileges, they still can't harm the system.

Plus, the IIS bug was found after US ARMY web sites were getting hacked, and the kernel bug was found by a developer that was auditing/working on part of the code and patch available before any bad guy got to it.

Re:To all the windows bashers...

[SN74S181]

the kernel bug was found by a developer that was auditing/working on part of the code and patch available before any bad guy got to it.

The kernel bug was publicized by the first white-hat developer who found it. 'Bad guys' who found it will now be pissed.

Re:To all the windows bashers...

[jelle]

You're just speculating. Where was it used then?

Re:To all the windows bashers...

[horza]

I hate to say it, but this is kind of refreshing. This ins't a troll, so don't get me wrong...I'm a linux user myself. But after seeing the masses rip into MS yesterday when the thread about the IIS 5.0 hole was posted, I got a tad frustrated. Granted, I hate Microsoft as much as the next guy, but this just goes to show you that it's NOT just Microsoft that falls prey to holes and exploits. If it runs an OS, there's a chance it'll be cracked. Simple as that.

The feeling you felt of frustration arose from a mixture of anger and helplessness. This is the same feeling a Sys Admin gets when there is a bug in IIS and MS refuses to acknowledge it or they are slow in getting a patch out. With Open Source you don't get that same helplessness, which manifests itself on forums like Slashdot in the form of less bashing.

Just remember, it happens to everyone.

That's not good enough. What happens *after* is also crucial.

Phillip.

Re:To all the windows bashers...

[SN74S181]

The grandparent comment was speculating in much the same way. I was just pointing out the contradiction.

Stupid question...

[Eneff]

"Remote exploitation of this hole is
not possible."

Does that mean you have to be at the keyboard, or does that mean you have to have access to the box itself? (a shutdown/restart exploit?)

Re:Stupid question...

[Xerithane]

Does that mean you have to be at the keyboard, or does that mean you have to have access to the box itself? (a shutdown/restart exploit?)

This means that you have to already have an existing user account on the system, running in user space. You cannot exploit the box without having (control of) a user account.

If you are at the keyboard, you can usually get root instantly on Linux. "lilo: linux single"

Re:Stupid question...

[ygbsm]

means they have to have an account on the machine . . . usually (always??)local exploits can still be executed via some sort of remote shell (ssh, telnet, rsh, etc)

Re:Stupid question...

[DarkMan]

A remote exploitation means that if your are connected to the internet, (And, in the case of a server deamon, running the affected daemon), then a remote attacker (== only using net acesses) can obtain root privs.

A local exploit menas that the attacker must be first logged in as a local user (i.e. have a valid account, or have exploited a server daemon to obtain local, unprivildiged access).

Attacks that require you to have physical acess to the box are generally not classified, as these will always exist (through boot disks, etc), and as thus not audited for.

It is a common practice to use an insecure deamon to first get local acess, then to use a local root hole, such as this one.

Hope that helps - the jargon is dense, but useful.

Re:Stupid question...

[CableModemSniper]

To expand on this question, is being a "local" user logged in thru ssh "local" enough to exploit this?

Re:Stupid question...

[dissy]

It just means you need to be able to run code on the machine somehow.

Remote exploits allow you to run code on a machine with no access.
Local exploits dont, so you have to already have that ability.

If you are a regular old user on a machine, you can get root this way.

If you can exploit a jailed app (IE bind or apache in a chroot jail) this bug will raise you from user nobody to root.

Re:Stupid question...

[James_Duncan8181]

In this case please take out your adimin and shoot him as he is too stupid to live.

Our machines here (high-sec enviroment) boot from network and my extremely locked down server checksums the bootblock (checksum and boot block are on non writable, non-removable media). Yes, we're paranoid.

Re:Stupid question...

[Xerithane]

In this case please take out your adimin and shoot him as he is too stupid to live.

I'm just saying, in general. For my home machines, I don't bother with this. If someone breaks into my home, I doubt they care about any software based security, as they can just take the hardware. Depending upon the security necessary in your environment, it changes what you do.

Our machines here (high-sec enviroment) boot from network and my extremely locked down server checksums the bootblock (checksum and boot block are on non writable, non-removable media). Yes, we're paranoid.

What about someone bringing in a laptop and connecting it to the network? I've seen fairly high security environments that never took that into account.

Re:Stupid question...

[James_Duncan8181]

Your laptop would have to have the correct bootblock. If you did install this bootblock it would turn over nearly all control of your machine over to our server at which time you would not have access to any hardware on your machines save network card, video card keyboard and mouse. You would then reach a prompt demanding a username and password within 30sec. If you failed to insert a valid combo then security would be paged. If you did insert a correct combo then your machine would become a dumb client on the server.

This is all slightly moot as the fact that your network card did not have a recognised MAC address for that network cable would have alerted security about .2 seconds after your machine passed POST.

I could go on but I might have to shoot you. ;)

Re:Stupid question...

[Xerithane]

This is all slightly moot as the fact that your network card did not have a recognised MAC address for that network cable would have alerted security about .2 seconds after your machine passed POST.

This is actually what I was looking for as an answer :-)

I could go on but I might have to shoot you. ;)
Oh damn, not again...

Re:Stupid question...

[James_Duncan8181]

We did once have someone who spoofed a MAC addy for us as a proof-of-concept (IBM sec team) which is why I mentioned the other sec stuff.

Got any cool and unusual stuff on your site?

Re:Stupid question...

[Xerithane]

Got any cool and unusual stuff on your site?

Where I am working now, security from an internal point of view is non-existent. The only place that I've worked that has good security, I'm not really allowed to talk about because of all those pesky NDA type things. *shrug*

Re:Kernel Patches

[kfg]

Who's a sysadmin to trust?

Ummmmm, Ghostbusters?

KFG

I'm not going to patch.

[gosand]

Soooo, i wonder how many posts will appear here along the lines of those in the WebDav exploit story earlier. Not many im willing to bet. Those people willing to shout and hollor at every serious issue, screaming bloody murder because someone got it wrong, really pisses me off. Yes people get it wrong, they write insecure code from time to time. This issue and a number of those before it show that Linux has as many opportunities for exploitation as any other OS.

I hate when I choose to reply instead of mod, but this needs to be said - they aren't the same!

I am not going to patch my Linux systems. Why? Because it isn't possible to exploit this vulnerability remotely. The only local user on my machine knows the root password (me). So it isn't quite the same severity as a bug in a widely distributed webserver. Yes, they are both serious, but compare apples to apples. (not that your comments aren't correct, just that you need to make them at the right time.)

Re:I'm not going to patch.

[siteTHREE]

Have you considered the possibility of someone exploiting a non-root remote hole on your box and now having the ability to escalate themselves to root?

Re:I'm not going to patch.

[duplicate-nickname]

It's Linux. That's unpossible.

Re:I'm not going to patch.

[bytor4232]

Only if your unfiltered ports to the dirty network are not patched. General rule: Anything that touches a dirty network gets updated immediatly. Everything else can wait. IP Tables works wonders for putting together a secure box. And no, not all accounts on a system should have a shell. Any E-Mail account should definatly not have a shell.

Re:I'm not going to patch.

[gosand]

Have you considered the possibility of someone exploiting a non-root remote hole on your box and now having the ability to escalate themselves to root?

Well, I, ahhh....

Shut up!

Would someone please mod my previous post down as "fingers faster than brain"?
Thank you.

Re:I'm not going to patch.

[Havokmon]

Have you considered the possibility of someone exploiting a non-root remote hole on your box and now having the ability to escalate themselves to root?

EVERYBODY plays the odds:

FIRST: a user has to exploit *A* remote exploit. Which one? Could be anything. Most exploits are either popular services, or shots in the dark. Patch the popular services, and you've defeated 90% of the scans. Remember, there's safety in numbers, and the vast amount of hosts on the internet just makes it less likely you'll even been scanned in the first place - and even less likely that your exploitable remote hole is discovered... (But, yes, definately patch outside services)

SECOND: As a cracker, once you've got that local exploit, what root exploit do you try and take over? Granted, you may have an unlimited amount of time to scour the system for vulnerabilities, but unless that system is actually WORTH something to you, you'll just move onto something easier.

Ease of use, it's the American way. Sure, you may say it's security by obscurity, but deadbolts are EXACTLY the same thing. Any idiot can break down the door or pick the lock.. it's just easier to get into a home with a door that's already open.

Re:I'm not going to patch.

[smcavoy]

Well officer I locked the front door, didn't occur to me that I should lock the windows AND the back door. :)

Re:I'm not going to patch.

[saskwach]

If someone knows how to get remote access to my box through some exploit, then escalate themselves to root, this patch won't affect that. That's why they call it a local exploit.

Re:I'm not going to patch.

[humphrm]

How about "Security-By-Not-Having-Anything-Of-Any-Real-Inter est-To-Crack" on my system?

Re:I'm not going to patch.

[einhverfr]

How about "Security-By-Not-Having-Anything-Of-Any-Real-Inter est-To-Crack" on my system?

Doesn't cut it....

Someone could *put* something of interest on your system-- kiddie porn, warez, etc. So free hard disk space is something of interest to a cracker. I have seen cases where this sort of thing has happened.

Also your interenet could be of interest as well-- one can use it to leapfrog to other systems and implicate you.... Or they could install a DDOS client... Or many other things....

Security-- it is not just for businesses.

Re:I'm not going to patch.

[Craig+Davison]

If someone knows how to get remote access to my box through some exploit, then escalate themselves to root, this patch won't affect that.
You misunderstand. This vulnerability is what would escalate them to root.

That's why they call it a local exploit.
'Local exploit' means the attacker needs at least the ability to execute code as an unpriviliged user. As others here have said, 'local exploits' are step 2 after you've exploited apache, or ftpd, or sshd or whatever.

Re:I'm not going to patch.

[BlackHawk-666]

Yeh, that'll work - just hoping that because there's so many machines out there no-one will want to attack yours. Unfortunately, as the number of machines increases, so too does the number of crackers. Here's an extract from my portsentry logs for the last week:

1047482497 - 03/12/2003 15:21:37 Host: 211.22.92.214/211.22.92.214 Port: 1433 TCP Blocked
1047525721 - 03/13/2003 03:22:01 Host: CPE00045a92c3ba-CM014280100907.cpe.net.cable.roger s.com/24.42.75.140 Port: 1433 TCP Blocked
1047532272 - 03/13/2003 05:11:12 Host: 206.muka.htfd.washdctt.dsl.att.net/12.101.58.206 Port: 1433 TCP Blocked
1047632475 - 03/14/2003 09:01:15 Host: pD9512AC9.dip.t-dialin.net/217.81.42.201 Port: 1433 TCP Blocked
1047637241 - 03/14/2003 10:20:41 Host: p5083F99D.dip.t-dialin.net/80.131.249.157 Port: 1433 TCP Blocked
1047761332 - 03/15/2003 20:48:52 Host: 217.166.59.67/217.166.59.67 Port: 1433 TCP Blocked
1047779059 - 03/16/2003 01:44:19 Host: 61-221-147-250.HINET-IP.hinet.net/61.221.147.250 Port: 6667 TCP Blocked
1047779552 - 03/16/2003 01:52:32 Host: a213-22-7-237.netcabo.pt/213.22.7.237 Port: 1433 TCP Blocked
1047782754 - 03/16/2003 02:45:54 Host: 1Cust39.tnt1.ladue.mo.da.uu.net/65.239.144.39 Port: 1080 TCP Blocked
1047893734 - 03/17/2003 09:35:34 Host: 195.243.243.19/195.243.243.19 Port: 1433 TCP Blocked
1047995484 - 03/18/2003 13:51:24 Host: 63.211.23.16/63.211.23.16 Port: 1080 TCP Blocked
1048017581 - 03/18/2003 19:59:41 Host: 211.217.75.89/211.217.75.89 Port: 1433 TCP Blocked
1048052387 - 03/19/2003 05:39:47 Host: 196.3.64.50/196.3.64.50 Port: 1433 TCP Blocked
1048061209 - 03/19/2003 08:06:49 Host: 208.186.1.175/208.186.1.175 Port: 3389 TCP Blocked

I used to get about 50 scans/day six months ago but apparently firewalling the little creeps out on first port scan is working a treat.

Re:I'm not going to patch.

[Havokmon]

Also your interenet could be of interest as well-- one can use it to leapfrog to other systems and implicate you.... Or they could install a DDOS client... Or many other things....

Do you have a bomb shelter built yet? It doesn't matter WHERE you live, you could always be in the path of a missle. Are you telling me you spend more time on the 'virtual' possibilites, than on saving the lives of you and your family?

Why? You must have weighed the odds and figured it was unlikely it would happen.

Sounds like my computer security 'thought processes' are the same as your life security :P

Re:I'm not going to patch.

[Havokmon]

I used to get about 50 scans/day six months ago but apparently firewalling the little creeps out on first port scan is working a treat.

Apparently? I doubt it. You really think they're coming from the same IP's over and over? If you're getting scanned by the same IP, it's just an infected system with an automated script on it (looking for existing vulns). Half of what you've posted is dynamic.

All you're doing (if you don't go clear your blocks) is slowly blocking the whole of the internet one IP at a time.

A cracker using the same IP? That would be breaking pre-internet Rule #1: Thou Shalt not phreak from thine own phone lines.

Re:I'm not going to patch.

[einhverfr]

Do you have a bomb shelter built yet?

This is an interesting question-- but I do make sure I have good stores of dry foods, etc. in the event of an earthquake, etc.

I am not going to be patching this partivular vulnerability until it has been out for a little while to make sure that it works with all the software (noticing that it changes a few other things as well) and that other bugs are not introduced which might cause other problems, Since I am the only interactive user, I am not worried as much about this so much as I am worried about my services themselves. This is where i focus 90% of my energy because it is the most important security boundary that is there.

Re:I'm not going to patch.

[BlackHawk-666]

I clear them down every few weeks so I don't "slowly block the whole internet" as you say. I think you give the cracker kids too much credence. Most of these hits are just dumbfucks with a scanning tool or script kiddies. They're firewalled within a second of starting their scan (all the interesting ports on my machine except for the very few that have legitimate services are firewalled and port sentried). A serious cracker would compromise another host first and then use that to get mine - regardless, the effect is the same. The box that is attacking/probing mine is locked out and can't come back again until next time I reset my firewall. Since I don't give a crap about serving up content to any but a few friends (and friends don't let friends portscan other friends machines) it's no loss to me to be restricting access to compromised machines.

I do see attacks coming from familiar netblocks in the logs - many from the segment I am on as they portscan the whole x.x.x.x/16 range. These rogue nodes get shutdown until they get assigned another address from their DHCP server - which might be several days or longer. Mine only changes every few weeks.

I could conduct an experiment to see if allowing them to continue their work uninterupted would result in more hits against portsentry, but I like knowing that they're locked out before they get too much intel.

Re:I'm not going to patch.

[Negatyfus]

You only need to be able to run abritrary code as that user. Then you can spawn your own shell. Also, last time I checked IPTables didn't close all buffer overrun flaws in servers run on ports that NEED to be open to the "dirty network."

Re:I'm not going to patch.

[bytor4232]

But if you keep the open ports updated, you dont have to worry about buffer overruns or arbitrary code. For example, on one of my servers I only have OpenSSH and Apache. Both are up to date, with no known security problems.

Re:I'm not going to patch.

[Negatyfus]

Which doesn't mean there aren't any. Sure, the chance that anyone will be able to exploit an as-of-yet undiscovered hole before the good guys discover it is perhaps pretty small, but nonetheless existant. And then, of course, you have the threat of poorly written PHP or CGI applications, if you do that sort of thing with your Apache.

Root Kit

[Jason1729]

Once the patch is installed, is there any way I can be sure my system hasn't been rootkitted without doing a clean install?

Jason
ProfQuotes

Re:Root Kit

[Tom7]

No, but a good bet is to reinstall MD5-verified binaries of netstat and ps, and then look for suspicious processes or network servers. All of the rootkits I've seen work by running a hidden background process, or by modifying the kernel -- and you're replacing the kernel, so that should be ok.

Re:Root Kit

[zCyl]

is there any way I can be sure my system hasn't been rootkitted without doing a clean install?

No. Absolutely not.

You could check for specific rootkits which leave traces behind, but there is no way to find arbitrary rootkits.

Re:Root Kit

[42forty-two42]

If there is one, it'd have to be installed by one of your users. You can't be sure, but you can't do a clean install each time a patch is released :)

Re:Root Kit

[GT_Alias]

ChkRootKit will check for the known ones and some of the obvious signs for one.

Doesn't help much though if the user has developed something of their own that flies below the radar. Chkrootkit doesn't hurt for a bit of peace of mind.

Help a newbie

[eyeye]

As a linux newbie is there an easy way to find if my kernel is vulnerable to exploits?

I run debian woody and can do apt-get update,upgrade but that wont update the kernel will it?

Thanks for any help.

Re:Help a newbie

[CausticWindow]

If you want to check what kernel version you are running, type

uname -r

in a console.

Unless you let people you don't trust login to your box, you needn't worry though.

Re:Help a newbie

[swv3752]

I would append to that a big "yet". There are no known exploits for this and if you are properly patched, you are probably ok. If you are just running a desktop box, then you are probably ok as well, particularly if you have a firewall active.

Re:Help a newbie

[KjetilK]

Newbie here too. Anyway, there has been a post on the debian-security list that indicates that the Debian maintainers have made a package with the patch, and there was a response to that post asking WTH are this packages, and that has not been answered yet. Frankly, I have no clue, but I have the package kernel-source-2.4.18 installed, and my hope is that this apt-get upgrade will download a new one when it is available... :-)

That's all I have for the moment...

Not *believed* to be vulnerable??

[psoriac]

2.5 is not believed to be vulnerable to this security hole.

Is this along the same lines as "we don't think this will kill you"?

Re:Not *believed* to be vulnerable??

[David+McBride]

Hey, if you're running a development 2.5 kernel then you should be prepared for (nay, expect) bad things to happen.

Re:Not *believed* to be vulnerable??

[Osiris+Ani]

Well, I don't think any C programmer can look you in the eye and say "No, really, this software has no bugs. No buffer overflow exploits, no memory leaks, no overrunning pointers. Well, maybe just one. Or two."

"And 1.1.81 is officially BugFree(tm), so if you receive any bug-reports on it, you know they are just evil lies." - Linus Torvalds

Heh.

Dangit, Slashdot, mirror things like this

[Kiwi]

Dangit, Slashdot, mirror things this important; don't just link to some poor low-traffic Linux kernel archive which can not handle Slashdot-level traffic. I normally don't mind sites being Slashdotted, but a critical security fix being slashdotted is not a good thing.

Anyway, another copy of the patch.

- Sam

Re:Dangit, Slashdot, mirror things like this

[42forty-two42]

If you don't want to be locked out, subscribe to the list :)

GRSecurity

[Ex+Machina]

Are GRSecurity patched kernels vulernable?

Simple workaround

[volkerdi]

If you can't patch this right away, you can easily work around the hole. In order to be vulnerable, you need to have kmod enabled in the kernel, and /proc/sys/kernel/modprobe must contain the name of ANY VALID EXECUTABLE. It doesn't have to be /sbin/modprobe. Even /bin/false is vulnerable on this one.

To prevent the exploit, give the kernel a bogus filename to use as modprobe, like this:

cat /this/file/aint/there > /proc/sys/kernel/modprobe

If you only use kmod to load modules at boot time, you might consider having this run after all your other init scripts, say in rc.local.

Pat

Re:Simple workaround

[volkerdi]

cat /this/file/aint/there > /proc/sys/kernel/modprobe

Oops... While the above also happens to work, what I meant was more like this:

echo "/this/file/aint/there" > /proc/sys/kernel/modprobe

Pat

Re:Simple workaround

[volkerdi]

Er, example number one (with 'cat') does not work after all (thought it would, but it doesn't). The second example does work. Just check your /proc/sys/kernel/modprobe afterwards and make sure it's been changed.

Re:Simple workaround

[schon]

If you can't patch this right away, you can easily work around the hole.

Thanks for the info Pat.. turns out that all my Slackware boxes are safe on this one, as I turn off kmod when I compile a kernel.

Thanks for a great distro!

Re:Simple workaround

[tunah]

cat /this/file/aint/there > /proc/sys/kernel/modprobe

If the file ain't there, good luck catting it ;-) You meant echo right?

Re:Simple workaround

[Ex+Machina]

There's *NO* way to exploit this on a non modular kernel? Really? Ptrace doesn't seem to be really connected to modules....

Re:Simple workaround

[wrong]

Let me get this straight. Would this workaround mean that kmod wouldn't be able to insert modules? Remove them?

Re:Simple workaround

[volkerdi]

That's right. It disables kmod.

Re:Simple workaround

[tunah]

Are you root?

Re:Linux disclosure procedures?

[truenoir]

Hmm...seems to me that either way, time would be needed to fix it. *Someone* knows about it earlier than the patch (unless somehow Linux is magic and codes up a patch as soon as some lonely hacker recognizes an exploit). Perhaps it's a matter of "hey, there's a bug here" vs. "hey, there WAS a bug here, but I fixed it" type news. Either way, there are unpatched systems worldwide that may never get patched, and whole lot of patching to be done for those that will be.

Those wanting to exploit such a problem are obviously going to stay quiet about it.

Re:Linux disclosure procedures?

[mmol_6453]

The difference in this case is it's a kernel exploit. Unless the problem lies in a module, you'll still have to reboot. :/

Question for those who may know...

[dacarr]

Will Ximian's red-carpet patch this?

Another copy of the patch online

[Kiwi]

here

This one seems to make a cleaner text patch than the last one I linked to.

- Sam (compiling the kernel as we speak)

Re:Linux disclosure procedures?

[molarmass192]

Linux kernel patches are very rarely that bad, not to say that I like them either. So long as your kernel minor version number doesn't change and you're using loadable modules, there's no need to recompile any existing drivers. However, you DO still have to recompile the kernel, drop it into /boot, AND reboot which DOES mean you will lose any uptime bragging rights you were saving for your performance review.

Re:Linux disclosure procedures?

[N3WBI3]

And of all updates for a Linux server what % of them are Kernel and require a reboot? as compared to Windows which almost all updates require a reboot.

In the meantime...

[TheSHAD0W]

Until the patch has been tested and distributed, you can prevent the bug from being exploited by locking the door to your office.

Re:In the meantime...

[greenrd]

Don't forget to also unplug your network cable!

Re:In the meantime...

[TheSHAD0W]

Naw, it's a LOCAL exploit.

I don't think so

[niom]

If you are at the keyboard, you can usually get root instantly on Linux. "lilo: linux single"

At least in Debian, even with "linux single" you have to type the root password to get root. And any installation with the least pretense of security has always disabled user parameters for LILO, of course. Just like it had to disable e.g. booting from a disk.

Re:I don't think so

[Xerithane]

At least in Debian, even with "linux single" you have to type the root password to get root. And any installation with the least pretense of security has always disabled user parameters for LILO, of course. Just like it had to disable e.g. booting from a disk.

I know the Red Hat series it still works... I haven't tried it for years. The distribution installation can't change the BIOS boot order though. If a CD/Floppy drive is accessible, it's up to the user to change the BIOS boot order, not the distribution.

Yay for knoppix CDs!

Re:I don't think so

[mmontour]

At least in Debian, even with "linux single" you have to type the root password to get root.

How about with "linux init=/bin/sh"?

Re:I don't think so

[niom]

Or "linux root=/dev/fd0". That's the reason of the "least pretense of security" part of my comment :-).

Re:I don't think so

[niom]

Well, by installation I meant the setup done by the admin when installing the distribution. The point was that to get a secure setup you can't just install a distribution and leave it at that, you still have to configure things like the boot loader, the BIOS, probably the network services, etc.

Re:I don't think so

[quelrods]

hey i forget how to guard against that, what's the fix?

What about ptrace?

[42forty-two42]

What, exactly, is this bug? I remember one a while back where you could ptrace an app that had a saved uid of 0 and keep the trace once it ran seteuid(), is this the same?

Common misconception

[burgburgburg]

With so very many vulnerabilities (and ever expanding), it's easy to see why you'd assume that Windows was the only buggy vulnerable bloated operating system. This isn't true. It just seems that way. It feels that way. And, considering how wide rangingly destructive Windows vulnerabilities tend to be, for all intensive purposes, it is that way. But, deep down, we all acknowledge that it isn't technically true.

Exploitable?

[Rain]

Geez, only took /. 27-odd hours. Anyway.

I tried writing an exploit for this flaw, but I couldn't get far enough to inject any code. I managed to ptrace(PTRACE_ATTACH, ...) a uid 0 modprobe (easy enough way to call kernel_thread()), but for some reason, the traced process isn't properly reparented, so all subsequent ptrace() calls fail. (Whenever you PTRACE_ATTACH to a process, it's supposed to become the child process of the tracer, and ptrace_check_attach (linux/kernel/ptrace.c) will return -ESRCH if this condition isn't met.)

I'm not positive this is actually exploitable, but I'm not positive I took the correct approach, either. In any case, the most I've been able to do is spawn a slew of suspended root-owned processes. Not good, but not the end of the world, either. If someone has actually managed to exploit this flaw, I'd love to see some code so that I could see what I did wrong. Conversely, I'm willing to share the code I have upon request. I've only written code up to the current impasse, but once past this problem, the rest should be pretty trivial.

Re:Exploitable?

[GammaTau]

An anonymous writer at kerneltrap.org provided this link for a working exploit:
http://isec.pl/cliph/isec-ptrace-kmod-exploit.c

Re:Exploitable?

[moz25]

I tried this on two systems of mine... on one system it worked, on the other I got "[-] Unable to attach: Operation not permitted" -- I have modules disabled on that system.

Is it a valid workaround to have modules disabled in the kernel??

Re:Exploitable?

[GammaTau]

I tried this on two systems of mine... on one system it worked, on the other I got "[-] Unable to attach: Operation not permitted" -- I have modules disabled on that system.

I did the same and got the same results. On a system running 2.4.18 with module support it worked (i.e. I got root) while on a system running 2.4.18 without module support it didn't work. But I'm not a kernel hacker so I don't know if that's the essential difference.

Re:Exploitable?

[moz25]

Well, I certainly hope it's a good workaround, because the non-modules box is a co-located one... and I'm not a big fan of doing remote reboots ;-) After previous security problems on that machine (being rootkitted), I decided to turn off modules altogether.. this seems to have been a good choice.

Re:Exploitable?

[Ex+Machina]

xm@jolt:~$ gcc -o hack -O2 isec-ptrace-kmod-exploit.c
xm@jolt:~$ ./hack
[-] Fatal error: Unknown error 125
Killed
xm@jolt:~$ ./hack
[+] Attached to 25459
[+] Waiting for signal
[+] Signal caught
[+] Shellcode placed at 0x47a55a22
[+] Now wait for suid shell...
xm@jolt:~$ whoami
xm
xm@jolt:~$ uname -a
Linux jolt 2.4.18-grsec-1.9.4 #2 Sat Apr 20 03:20:23 EDT 2002 i586 unknown

(non modular)

Re:Exploitable?

[Make]

works great on all my Debian woody systems:

max@squirrel:~$ uname -a
Linux squirrel 2.4.20-ac2 #1 SMP Thu Jan 23 23:15:33 CET 2003 i686 unknown
max@squirrel:~$ id
uid=500(max) gid=100(users) groups=100(users),4(adm),24(cdrom),25(floppy),29(a udio),40(src),104(lpadmin),205(sfc),106(uox),108(t s)
max@squirrel:~$ ./isec-ptrace-kmod-exploit
[+] Attached to 25393
[+] Signal caught
[+] Shellcode placed at 0x4000da2d
[+] Now wait for suid shell...
sh-2.05a# id
uid=0(root) gid=0(root) groups=0(root)
sh-2.05a#

Huh?

[FireballFreddy]

St. Patrick's Day, a perfectly valid and socially acceptable excuse to get rip-roaring pissed, and you say it's *only* for the Irish? I'm sorry, please hand in your geek membership card. You aren't allowed to post here anymore.

workaround without reboot by disabling ptrace()

[Brian+Ristuccia]

After the last ptrace() fiasco, there was a temporary workarounds in the form of loadable modules which stub out or wrap the ptrace function. For servers where downtime and reboots must always be scheduled in advance, such a fix was well received.

You can create such your own module containing a do-nothing fake_ptrace function. In init_module(), set sys_call_table[__NR_ptrace]=fake_ptrace so the fake ptrace gets run instead of the real one. Search google for "no ptrace module" to find a few readymade ptrace wrapper/stub modules.

Clean patch against 2.4.20 found within

[gid]

You can see the message here or download the patch linked from this email here

Personally I think I'm going to wait for a proper version of the kernel to come out, (and hope it does).

Re:Clean patch against 2.4.20 found within

[Cro+Magnon]

I figure 2.4.21 will be ready this May. Or maybe June! Well, surely by July!!

How do we find the next one?

[daves]

I wonder how well smatch/stanford checker could check for similar conditions.

Re:Huh?

[vsprintf]

Linux has security problems? I've been reading this site for so long, I thought that was only in Microsoft's domain.

We do want to make Windows users feel at home as they migrate to a Linux desktop. We don't expect 'em to go cold turkey right away.

Patch won't apply to linux-2.4.20

[sanermind]

It fails on include/linux/sched.h with default patch options. Which kind of sucks. You can get it to 'work' by giving patch a fuzz-factor of 3, but then the build fails. Not a very usefull patch.
cd /usr/src
mv linux-2.4.20 linux-2.4.20_OLD
bzcat /otherhome/stor/src/linux/linux-2.4.20.tar.bz2 | tar xv
cd linux-2.4.20
patch -p1

fails at include/linux/sched.h

If you do 'patch -p1 -F 3' instead, it won't fail, but the fuzz factor obviously leads to a patch error, as the compilation breaks [as soon as include/linux/sched.h is included, BTW]

I mean, I appreciate knowing that my system is horribly vulnerable, but a WORKING FIX would sure be nice.

Re:Patch won't apply to linux-2.4.20

[crimsun]

Apply the offending line in include/linux/sched.h manually then.

$EDITOR include/linux/sched.h

insert the offending line above #define __wait_event(wq, condition) \

(which is line 809 with my $TERM setting)

You should end up with something that looks like:

...
extern void FASTCALL(add_wait_queue_exclusive(wait_queue_head_ t *q, wait_queue_t * wait));
extern void FASTCALL(remove_wait_queue(wait_queue_head_t *q, wait_queue_t * wait));
extern long kernel_thread(int (*fn)(void *), void * arg, unsigned long flags);

#define __wait_event(wq, condition) \
...

(beware of line-break butchery due to /.)

You'll also have a harmless non-existing arch/um/kernel/process_kern.c, which is because Alan generated the diff against his tree (-ac), which includes UML, whereas vanilla doesn't.

Re:Linux disclosure procedures?

[0x1337]

Yeah - no shit.

No security through obscurity.

The bgs are found FAST and are PATCHED FAST. If your lazy 200-lbs fritto-lay-eating "sys admin" thinks its above his ego to patch his systems up, that his problem.

Re:Uptimes

[shiflett]

If you have 955 days of uptime, your kernel does not have this vulnerability. Of course, it might have others. :-)

Re:Well, you have to choose ...

[jedidiah]

That's true in general. It's always much easier to hack a box the closer you are to it. So you should generally seek to prevent vandals from "getting close".

You should always assume that there's a root exploit available when attempting to securing Unixen.

Where's Debian??

[drwho]

Where the hell are the debian people with a patched kernel? The patch alan cox provided doesn't apply cleanly to the debina modified kernel, so I am trying to hack it up now. But shouldn't someone in charge of security patches at debian have done this and had an update out?

COME ON WAKE UP!

Re:Where's Debian??

[some1somewhere]

just checked apt-get update again... it still isn't there yet........ Strange... Debian is *USUALLY* pretty fast about issuing security fixes... is there something else going on?

Re:Where's Debian??

[crimsun]

It _really_ helps if you _read the debian-security list_.

*thwap*

http://lists.debian.org/debian-security/2003/deb ia n-security-200303/msg00300.html

Re:Where's Debian??

[KjetilK]

I saw it there too, but a response to the follow-up post to that message is still to be seen...

So, where are the packages? Me, I grabbed the most recent kernel-source-2.4.18 I could find, but that doesn't seem patched.

But then, there shouldn't be many remote normal-user exploits on my box either, so I'm not really that worried.

Re:This has to be erroneus.

[zebs]

After all, Linux is perfect, right? Linux has NO vulnerabilities. It's that OS from Bill that is buggy, right?

Its bugs from code Billy-boy wrote under a pseudonym

Re:In Soviet Russia...

[physman]

Ah, but theoretically, if you were still to use the 2.3 kernel series, you would not face this hole, so what's retarded in that!?

Troll: Arrest Alan Cox!

Obviously the kernel provides access control to a copyrighted work (the Linux kernel, and all apps on the system). Therefore by providing this info, he is disseminating a mechanism to bypass said access control. Therefore he is in violation of the DMCA!

Go ahead an call me a troll, but he did say that's why he wasn't ever setting foot in the US again!

Tux is Welsh!!!

[schon]

I know "Cymru" means "Welsh" but that's about it.

Tux, the beloved Linux mascot is Welsh!

It's true! Tux is a penguin..

Penguin is derived from two Welsh words: Pen (head) and Gwynn (white)...

So (besides Alan) there is another link between Wales and Linux.

(That, and I've tripled your knowledge of the Welsh language :o)

Re:Tux is Welsh!!!

[Large+Green+Mallard]

So Alan's significant other Telsa Gwynne is half penguin?

Kinky :)

Re:Tux is Welsh!!!

[einhverfr]

Penguin is derived from two Welsh words: Pen (head) and Gwynn (white)...

Just looked it up in the Oxford English Dictionary. This had been an accepted etymology for a long time but is disputed because there are a number of problems. The first birds to be called "penguins" were great awks from Newfoundland (Extinct since 1844, but there is a print on the cover of the O'Reilly book ;-))

The problem is that the Great Swk had a black head, and this is a problem for the pen-gwynn etymology, so officially, the origin is listed as obscure.

What about 2.0.x?

[FattMattP]

What about 2.0.x? Are they okay?

Re:What about 2.0.x?

[FattMattP]

Hey, if it ain't broke, no need to break it.

Linux auditing

[Kourino]

I think our friend Al Viro would have something to say about the auditing level of the Linux kernel. And if we're talking about drivers/ in particular, it would probably involve the words "obfuscated", "brain dead", "steaming pile of shit", "warped beyond all belief" ... :)

Linux code gets a fair amount of review. But once it's there, there really isn't any auditing at all.

Re:Linux auditing

[frehe]

Maybe the Linux developers could learn something from the OpenBSD project and its continuous source, documentation and license auditing. The process not only catches security holes, but also results in cleaner code, better documentation and a more stable system in general.

Re:Linux auditing

[jelle]

OpenSSH and OpenSSL are developed as part of the OpenBSD project, and didn't we have a couple of security problem discoveries of fielded versions in the last year? So it still doesn't catch all problems before fielding.

If it's found and patched before exploited, that's already an order of magnitude better than after exploitation is rampant (IIS). Sure, a strict auditing process may help security, but still has no guarantees and may slow development speed.

Re:Linux auditing

To: BugTraq
Subject: Locally exploitable races in OpenBSD VFS
Date: Jun 2 2001 7:00PM
Author: Alexander Viro
Message-ID:

Frankly. my respect to Theo went way down. This code had never been read
through, let alone audited. And that's the core kernel. Moreover, the
same bugs had been fixed in FreeBSD half a year ago. In other words, just
keeping an eye on other *BSD trees would be enough to catch them. Same
for lurking on freebsd-hackers. Same for watching the Linux tree, where
an audit of relevant areas had been done nearly two years ago. Done and
discussed on linux-kernel. Sad...

http://www.securityfocus.com/archive/1/188474

Re:Linux auditing

[quelrods]

i would certainly agree. I was a linux user but have switched purely to bsd because of complaints in the way they handle firewalling, nat, etc. That said openbsd is the only os i know of that has code audits. (officially) Linux seems more concerned with new features, new devel, etc. Either way vmware still isn't support by openbsd sadly :-)

Re:Linux auditing

[frehe]

OpenSSL is not part of the OpenBSD project in the same sense that OpenSSH is.

I have never said that OpenBSD's auditing will catch all bugs before code goes into production (the auditing is after all done by humans with limited amounts of time at their hands) but it certainly helps a lot.

I find that an auditing process may in fact speed up development in bigger projects, since it catches a lot of non-security related bugs and also improves both code and documentation in general.

Re:In Soviet Russia...

[Repugnant_Shit]

I'm new to Linux, so I might be wrong, but: If the minor version 2.x is odd, its a development/beta/alpha/whatever kernel. So 2.3 became 2.4, and no one should be using 2.3 on a production box. 2.5 is the current development branch, and when it is final it will be renumbered to 2.6. At that point no one should be running 2.5 on any box that matters.

Re:Linux disclosure procedures?

[mentin]

the time to deploy a MS patch in production is much longer due to shutdowns and testing.

You will deploy Linux patches on production machines without testing?

monolythic?

[digitalsushi]

does this affect monolythic kernels? as in a kernel you cannot load modules into.

Re:monolythic?

[kobaz]

Monolythic is the type of kernel that linux is. Monolithic means all commincation is done by funtion calls. You can load modules because its designed for it. Removing module support does not make linux non-monolithic.

Re:monolythic?

[phaze3000]

The vulnerability uses kmod, so it shouldn't work on a system without module support (which made me breath a sigh of release, out of the fifty or so servers I admin there is only one with a modular kernel).

Note that with or without module support, the Linux kernel is still technically monolithic, as I believe someone else has already pointed out.

This isn't the same thing.

[pathological+liar]

This isn't a race condition with ptrace and execve, this is the kernel not handling threads properly with ptrace.

That being said, there are mitigating factors ... packetstormsecurity.nl has a kernel module that disables ptrace for all users other than root (aptly named "ptracekm") ... and users of grsecurity with randomized pids turned on should be safe as well, since the exploit assumes child = mypid+1

Re:In other news... - except:

[Havokmon]

And for the hax0rs without a local shell, there's a recent samba instant-remote-r00t vulnerability [samba.org]. Get your patches while they're hot!

True, except here it basically says if you expose samba/CIFS in general, you're fuxored.

"The SMB/CIFS protocol implemented by Samba is vulnerable to many attacks, even without specific security holes. The TCP ports 139 and the new port 445 (used by Win2k and the Samba 3.0 alpha code in particular) should never be exposed to untrusted networks."

So all they've done is release a patch for what can be fixed WITHOUT breaking Windows integration.

this could be a big problem

[Trepidity]

Everyone's taking comfort in the fact that no remote exploitation is possible, but remember all those universities that you've convinced over the past few years to switch from proprietary UNIX to Linux for their cs department and mail servers? The ones with thousands of local accounts given out to all the students and faculty? Yeah, they might not be happy about this.

Re:this could be a big problem

[sparkz]

Looks like sf.net are safe!

shell accounts suck anyway

[timmarhy]

only myself and the IT manager are able to log into our system ( everyone else has /bin/false ) so as long as no one kicks in my office door or guesses our root or admin password i feel safe. and no, i will NEVER be giving shell logins to our users ( shiver )

The Smaller Folks

[DarwinDan]

I second that opinion. However, many sysadmins have a responsibility for public servers (lots of ports open even with a firewall). As such these same sysadmins are smart and have a redundant box to do things like patch a system.

In addition, some small businesses don't have the luxury of a secondary box or even an IT specialist that can put a machine through a high-load test for more than a few hours at a time -- let alone having to patch it at all!

Ideally we would all have a RAID 10 array connected to four boxes each running a different OS. While some companies (!) may have the time and money for this, the small folks like mom-and-pop stores can't afford the expense of time or money.

Re:The Smaller Folks

[sporty]

The mom and pop shops also don't have much room for error. They don't always have many sources of revenue, or savings or smart people to say, "hrm.. this doesn't look right" until it is too late.

UNIX to Linux switch

[aksansai]

Never forget that proprietary, commercial UNIX solutions are also vulnerable to kernel-level bugs and exploits. I used to work for a university that deployed Linux and Solaris solutions - the patch sets for Solaris (kernel and userland utilities) were just as necessary as the Linux server installations.

The beauty of the Linux and open-source worlds is that the code is available right before your very eyes and is subject to scrutiny, day-in and day-out. Commercial offerings are not available to the general public, potentially leaving behind bugs that wouldn't be caught by the few who _could_ see the code. Code that is viewed by literally thousands of all programming backgrounds, versus code that is viewed by a select few which only specialize in that code, is more likely to be exploit-free.

This particular Linux kernel exploit was encountered by developers that recognized the flaw. And, luckily for us, the developers were talented enough (or knew someone in the core development group) that could quickly produce a patch so that administrators could secure their servers from being taken advantage from.

If the exploit was encountered in the commercial arena, the person who found the flaw would have to contact the company who supports the operating system. An assessment team would have to see the cause/effect/consequences of the exploit. Then, the development group would have to produce a patch. The company would then contact their support group to contact their enterprise customers first (more than likely) to deploy the patch. Finally, with the company's core customer interests intact, the company would publish their findings and solution for the remainder of the world. Many Microsoft patches are first released to their core enterprise companies - and then released via Windows Update (or through their web site).

For universities that have made the switch, there should be more peace of mind knowing that the quantity of security breaches on the kernel level are much less than the overwhelming number of Windows flaws (which generally require a reboot) and at a much cheaper price than a commercial UNIX offering.

Re:This has to be erroneus.

[rusty+spoon]

Yeah, that William H. Torvalds III has done a lot of damage with his weasly little kernel hacks, dammit.

erm

[c0ol]

redhat is free for download, windows isnt. they have to make money somwhere along the line.

Re:Linux disclosure procedures?

[N3WBI3]

Of course I will test, but the testing almost always takes less time because it does not break other services. When we had to patch windows to avoid all the SQL server crap a while back it broke the damn server, so in testing there is going to be more tweaking involved than one might have with a typical Linux patch..

ptrace - setuid?

[caluml]

If you don't have the ptrace prog on your systems, or you make it not setuid (if it is anyway) does that make a temporary fix?

Re:ptrace - setuid?

[PinkX]

ptrace is a function, not a program.

*yawn* ptrace exploits *yawn*

[Lethyos]

These come up so often, I thought this story was a /. dupe at first glance.

get over it--your local system isn't secure anyway

[g4dget]

Realistically, most regular Linux systems are not secure against local exploits: making a system secure that way is possible, but it's quite a bit of work. You certainly won't get such a system by just doing a [insert your favorite distribution] install. This isn't exactly news either--it's been like that for a long time.

Of course, it is good that these kinds of bugs get fixed. Some people do run multiuser systems, and it provides an additional barrier against intrusions. But don't lose any sleep over it.

Incidentally, these kinds of exploits are probably rampant on Windows systems; there, people don't even bother looking for them because there are very few multiuser machines and most people have local Administrator privileges anyway. Also note that Microsoft didn't even try to get Windows certified secure for multiuser use.

Parent isn't troll. Patch really won't apply

[sanermind]

to linux-2.4.20

Re:Parent isn't troll. Patch really won't apply

patch for 2.4.20

patch for 2.4.21-pre5

Got these from a LKML archive that handles attachments nicely.

Re:Linux disclosure procedures?

[mmol_6453]

I agree with you, though I don't think those statistics are readily available.

Heck...under Windows, even video game installations tend to demand a reboot. (Though you can usually get away with saying No and running the game anyway.)

This is because most software applications include DLLs that get added to system directories, and, technically, you're supposed to reboot in order for those DLLs to be recognized and harbored by the OS.

Under UNIX (NOT just Linux), You only have to type ld as root, and you should be just fine. Special integration with things like Mozilla or Emacs may require you to restart the program, though.

I suspect UNIX's resiliency is partially the result of IEEE's efforts in developing POSIX, etc.

This and IIS exploit

[OoSync]

While its not really kosher to bash an OS because of a single flaw, there is a fundamental difference in the case of this flaw and the previously announced IIS exploit: this one's not yet exploited. One thing that hurts FS/OSS on bug lists is that all *potential* exploits in open code will be listed as bugs, while many proprietary producst only disclose known, possibly exploited, bugs. Case in point, the IIS problem was exploited almost a week ago. The kernel problem was noticed, fixed, and no exploit exists. In fact, a previous poster on this board has posted his inability to trigger the *potential* exploit and asked for help.

How to check?

[Malcolm+Scott]

Anyone know how to check whether my server has this problem? Or alternatively, does anyone know whether the Grsecurity patches for 2.4.20 (as included in Gentoo's kernel) fix this hole?

And the obligatory..

[mivok]

OpenBSD isnt vulnerable :P

Re:Huh

[bahamat]

I just assume if someone gets a user account on my machine my entire network is fucked anyways.

Come on, it's not that hard to set a root password.

Rule of Thumb

When setting up security, I always assume any local user can get root priviledges and make sure I don't care that much. It makes life much easier and less worrisome.

Clean patch against 2.4.20

[bahamat]

This is probably way too late in the discussion to get seen, but Alan's patch won't apply cleanly to 2.4.20.

A clean patch can be found here:

http://www.hardrock.org/kernel/2.4.20/linux-2.4.20 -ptrace.patch

Sorry if you get /.ed.

I am not going to patch my home systems yet either

[einhverfr]

Have you considered the possibility of someone exploiting a non-root remote hole on your box and now having the ability to escalate themselves to root?

Yes I have. The thing is that this assumes several things that may or may not be true. There are risks involved in this approach, but I am running my email server, etc. and can't afford the downtime if something goes wrong. Also my kernel is highly customized, so moving to a new version of the kernel is difficult, time consuming, and I don't have a testing system, so if something goes wrong, I may not see it until it is too late.

Instead I am focusing on the security perimeter-- making sure the web server, ssh, and email server are secure, etc.

Basically I see this as a contributing issue not a primary one. And at this time, I thing it is too soon to patch for me.

Re:Mod Parent Down

[crimsun]

Um, no, I'm afraid the guy (Rain) _does_ know what he's talking about (since I know him), and I've done a fair amount of kernel hacking in my day.

If you'd actually like to read something on-topic, see Ben Pfaff's response to Alan's post. The short of it, "we're [i.e. you're free to do it!] working on a correct fix for all cases, this is just the quick sledgehammer."

http://www.uwsg.iu.edu/hypermail/linux/kernel/03 03 .2/0271.html

Re:Who said anything about needing shell access?

[einhverfr]

A webserver that allows users to run their own cgi-scripts could very well be in trouble, and so could a mail-server letting users at their .forward and .procmailrc files.

OK-- in these cases, the users probably have some sort of shell access. Or maybe they run FTP.... In which case how secure is that? Can one get it to execute a shell if there is any exploit there?

And regarding the .rc files, this is a problem, but not one without workarounds.... Usually people don't see it worth it and just give shell access....

Impact analysis in which we get a tech clue

[fw3]

1. Local root exploit. The experts(sic) posting here have been saying this means "has access to a user account".

Wrong. "local" in this sense means able to run a shell under any UID. Yes this means any user with an account may be able to escalate to root. It also means that any non-root hole can probably then be escalated to root.

2. That doesn't only encompass flawed daemons (apache, bind ... all run as non-root), it includes poorly written CGI/php and other server parsed scripts. If a script allows remotely controlled data to be passed to a shell, that's now a potential root compromise.

2. Plus this flaw probably isn't countered by any of the various approaches to kernel hardening (gr-sec and the like).

So it's potentially serious if you weren't serious about security of your Linux servers.

Now let's look at the current understanding of the "WebDAV"/IIS exploit

I think it's already well known that the this was discovered *after* an army server was compromised. If you don't already believe that Opensource works better then my $0.02 probably isn't going to convince you, however *very* few *nix problems are found *&* applied by the vandals before a patch is available / developed.

1. Because by *default* IIS is installed on w2k servers, and installed with Administrator (root) access, many IIS boxes are rooted.

2. Yes the Lockdown tool is supposed to fix this, however it's being reported that it doesn't in all cases. Thus the patch is strongly advised, whatever workarounds you're using.

3. The actual flaw is in ntdll.dll This library is loaded by nearly every process running on w2k.

a. This is about as central to NT/w2k as you might care to get.
b. MS *thinks* that iis/webdav is the only vector into this flaw "They're researching it"

If they're wrong it's going to be a nightmare. Even if they're right, it's pretty darned bad.

Sure, security is a process, not a product, but part of that process is choosing systems that you actually have some ability to evaluate and predict and manage problems.

Re:Impact analysis in which we get a tech clue

[Zero_Satisfaction]

Just a correction, IIS runs as LocalSystem (root) not Administrator.

Re:Impact analysis in which we get a tech clue

[maddskillz]

Just pointing out your incorrect use of sic. Sic is meant to be used with quotes, but you did not use a quote

Sic - Thus; so. Used to indicate that a quoted passage, especially one containing an error or unconventional spelling, has been retained in its original form or written intentionally.

If some one had said, in a previous quote, "The Expert's" then (sic) would apply, since Experts should not have an apostrohpe in it.

I beleive what you mean to post was an emoticon of someone rolling their eyes in disbelief, doubting that these people are actually experts

Re:New root exploit found in Linux....

[TeddyR]

bet you havnt been on the #linux channel in the early days of efnet IRC?

stuff like that used to happen all the time...

[as well as ascii bomb xlpoits and telling some poor slob that the way to defrag his HD was to use rm -rf / & > /dev/null]

[disclaimer: I did not do any of those things; but have seen the rm -rf message; and by the time that other responded "DONT DO THAT" it was too late]...

aahh... the good old days.... when time was abundant and free.....

Re:A bug!?!?11

[t0ny]

NOW linux is ready for the desktop

Patch for 2.4.20 from LKML

[KPU]

Further in the thread, there is a patch against 2.4.20.

Kernels with grsecurity patches?

[Zof]

I am using the grsecurity patches and have always had the "restricted ptrace" option turned on (only root can ptrace). Does this provide some (any?) protection against this vulnerability?

Yet another possible exploit.

[princeofweasels]

Boy would this open source developers give it a rest. Let atleast one or two exploits get exploited. This makes for slow news when we all we hear about is it being discovered. I say Alan should sit on it for six months or so, really see if something news worhty comes of it.

meaning of the term 'remote'

[Trepidity]

It is possible to exploit this remotely, in the sense of "over the internet, thousands of miles from the vulnerable box." It's not possible to exploit it remotely, in the sense of "just a user on the internet who knows your IP." The "local" here refers to the fact that the exploiter needs to have a local account on the system already; this exploit will allow the unprivileged local account to illicitly elevate itself to root privileges.

So don't panic if you're just running a desktop machine, but if you're running something like a university cs department server, where thousands of people have local accounts (and thus now potentially root access), some panic (or quick patching) would be in order.

of course I got root

[gotr00t]

Yeah, what's my name?

Sample code?

[kylegordon]

I found http://oxcart.xcalibre.co.uk/~kyle/ptrace24.c lying on a webserver I maintain about 7 hours before I heard of this exploit. Does anyone reckon the two are related?

Re:Kernel Patches

[Sj0]

The people that you're after are the people you depend on. We cook your meals. We haul away your trash. We connect your calls. We drive your ambulances. We guard you while you sleep. Do not fuck with us.

(sorry, it just fits, in my psychotic mind. :P)

Re:A bug!?!?

[eryk]

Since when having a security problem became a required feature for desktop OS?

Oh... never mind!

Re:Linux disclosure procedures?

[N3WBI3]

Yes I know its the whole *nix world, I mentioned Linux because most commercial Unix platforms have the type of system in place MS has and the parent of my origional post was talking about how it makes MS better than Linux.

Thanks for the reply

Re:OTBOS Re:Linux disclosure procedures?

[N3WBI3]

What do you know a frenchy posting as an Anonymous **COWARD** it just feels right..

Grsecurity immune?

[hjhornbeck]

The exploit doesn't seem to work on every kernel. I've tried two, Gentoo's 2.4.19 and a lightly patched 2.4.20, and only the latter was exploitable.

My best guess is that Grsecurity prevented it from working, or at least changed enough things to stop the standard exploit. It might be worth looking into, to prevent future bugs like this.

HJ Hornbeck

Clean Patch

[NicoNet]

Alan's Patch does not apply cleanly to 2.4.20. This one should.

--
http://www.niconet2k.com

Moderation results...

[jelle]

I guess opinions are divided on this comment!:
Insightful, Funny, Redundant, Overrated and back to Insightful...

Perhaps /. needs a 'heavily moderated'-metric so that is becomes visible to the readers when moderators disagree. news.yahoo.com has it.

Re:To all the windows bashers..., posted to Local Root Hole in Linux Kernels, has been moderated Insightful (+1).

It is currently scored (2).

It may try to talk like a duck, posted to A Slightly-Softer Microsoft Shared Source License, has been moderated Funny (+1).

It is currently scored (2).

It may try to talk like a duck, posted to A Slightly-Softer Microsoft Shared Source License, has been moderated Redundant (-1).

It is currently scored (1).

Re:Absolutely one step closer!, posted to A Slightly-Softer Microsoft Shared Source License, has been moderated Overrated (-1).

It is currently scored (0).

Re:To all the windows bashers..., posted to Local Root Hole in Linux Kernels, has been moderated Insightful (+1).

It is currently scored (3)

Patch for 2.4.20

[Nickopopo]

You can find a patch for kernel 2.4.20 here :
http://www.hardrock.org/kernel/2.4.20/linux-2.4 .20 -ptrace.patch

I don't really know if it's as stable as it has to be but it does the job it has to do.

Re:How is Microsoft (or God) responsible?

[palfreman]

well, if you define $GOD as 'an entity on which all things can be blamed, when one needs such a thing' then it does rather fit.....

Definitions definitions. What I think you are doing there is defining God into existance by weakening the normal monotheistic defintion - that God is the one monotheistic god (a tautology), with real power to do stuff as shown in the Bible and is still doing stuff today, as claimed by monotheists.

It seems to me that with God being just something that people blame for events not caused by obviouse things, there doesn't necessiarily have to be any existance in your definition, just the act of blaming. ;-0