Linux Kernel Back-Door Hack Attempt Discovered
An anonymous reader writes "The BitKeeper to CVS gateway was apparently hacked in an attempt to add a root exploit back door to the Linux kernel, according to the linux-kernel archive. The change was in the file kernel/exit.c and changed the user ID of a process to root under the guise of checking the validity of some flags. The core Linux BitKeeper kernel repository was not at risk, and in fact it was the BitKeeper CVS export scripts that detected the unauthorized modifications to CVS. The changes were falsely attributed in CVS to long-time Linux developer davem (David Miller). Users of the BKCVS repository should resync their trees to remove the offending code if they had replicated it since yesterday."
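The disguise the summary describes (a credential change hidden inside what reads as a flag-validity check) is illustrated below in plain userspace C. This is an added example, not code from the kernel or from the actual 2003 change, which the page does not reproduce; the struct, the OPT_A/OPT_B flag bits, and the function names are constructed placeholders. The point is that `(t->uid = 0)` both stores 0 and evaluates to 0, so the branch guarding the "error" path is never taken and the only lasting effect of the "check" is that the caller is now uid 0.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-in for a process credential record (assumption; the
 * real kernel structure is not shown on the page). */
struct task {
    unsigned int uid;
};

/* Constructed flag bits; the actual flags involved are not shown on the page. */
#define OPT_A 0x1u
#define OPT_B 0x2u

/* Backdoored form. Reads as "reject this flag combination for root", but the
 * second operand is an assignment, not a comparison. Assigning 0 yields 0,
 * so the condition is always false: the return-false path is dead code and
 * the caller silently becomes uid 0 whenever it passes OPT_A|OPT_B. */
static bool check_options_backdoored(struct task *t, unsigned int options)
{
    if ((options == (OPT_A | OPT_B)) && (t->uid = 0))
        return false;              /* never reached */
    return true;                   /* reported "valid"; uid may now be 0 */
}

/* Honest form: a comparison with no side effect on credentials. */
static bool check_options_honest(const struct task *t, unsigned int options)
{
    if ((options == (OPT_A | OPT_B)) && (t->uid == 0))
        return false;              /* root may not use this combination */
    return true;
}

/* Helpers that expose the uid left behind after each check, so the
 * escalation (or its absence) is directly observable. */
unsigned int uid_after_backdoored(unsigned int start_uid, unsigned int options)
{
    struct task t = { .uid = start_uid };
    check_options_backdoored(&t, options);
    return t.uid;
}

unsigned int uid_after_honest(unsigned int start_uid, unsigned int options)
{
    struct task t = { .uid = start_uid };
    check_options_honest(&t, options);
    return t.uid;
}

/* Whether the backdoored check reports the options as valid; it always does,
 * which is what makes the change look harmless in a casual read. */
bool backdoored_reports_valid(unsigned int start_uid, unsigned int options)
{
    struct task t = { .uid = start_uid };
    return check_options_backdoored(&t, options);
}

int main(void)
{
    printf("backdoored, uid 1000, OPT_A|OPT_B -> uid %u\n",
           uid_after_backdoored(1000, OPT_A | OPT_B));
    printf("backdoored, uid 1000, OPT_A only  -> uid %u\n",
           uid_after_backdoored(1000, OPT_A));
    printf("honest,     uid 1000, OPT_A|OPT_B -> uid %u\n",
           uid_after_honest(1000, OPT_A | OPT_B));
    return 0;
}
```

Note that the extra parentheses around the assignment are not an accident of style: gcc's -Wparentheses only warns about an assignment used as a truth value when it is not parenthesized, so the backdoored form compiles cleanly under -Wall. A review that relies on compiler warnings, or a skim that reads `= 0` as `== 0`, misses it; only a diff against a trusted copy of the tree, which is what caught the real change, is guaranteed to.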
Good to see the system works. You would wonder what would happen if said hacker was working for a company on a similar closed source program. Would it have been detected?
You mean like Borland's InterBase? The compiled-in backdoor wasn't discovered until after the database was open-sourced.
My favorite quote from the advisory is:
"This vulnerability was not introduced by unauthorized modifications to the original vendor's source. It was introduced by maintainers of the code within Borland. The back door account password cannot be changed using normal operational commands, nor can the account be deleted from existing vulnerable servers [see References]."
How long was it in there? "These security holes affect all versions of InterBase shipped since 1994, on all platforms."
The advisory dates from 2001 -- you do the math.
Learning HOW to think is more important than learning WHAT to think.
I want to know whether the hack was a remote backdoor or "only" a local root compromise, in order to judge how bad the hacker who tried to do this was.
Thanks to the admins and developers who detected that!
Damia
In other words: 1) Work on the code for a long time, developing good features and build up virtual reputation points so that people trust you. 2) One day decide to insert your backdoor amidst some big checkin. 3) Disappear.
It doesn't seem hard for someone to pay some random third-world programmer to do this. For example, if Red Hat had a guy in Russia doing this, they could, after the latest kernel was widely distributed, use it to attack Novell/SUSE.
All I'm saying is that I certainly won't be surprised when closed source vendors start using this in their anti-OSS campaigns.
It was only detected because software found a discrepancy.
This would happen at any closed-source shop that had the same software.
No human eyes discovered the problem, and if someone hadn't installed the checks, it might not have been discovered for months or years or ever.
Kinda proves Steve Ballmer's comments about the lack of security in Open Source development, doesn't it?!
No. It just proves you're a posturing idiot. The crack was detected as soon as someone attempted to insert it, in the experimental development version of the code that hadn't even made it into any final distributions yet.
And here's another example of your idiocy:
If it happened in a software company, the hacker would be fired and probably charged with some kind of "espionage" charge and arrested.
This wasn't an "inside" job. If this happened at a company, to fill the analogy, it would have been an external person, NOT someone they could fire.
Don't label something "offtopic" unless you know the topic well enough to tell what's on topic.
Of course, at some point, we do have to trust someone.
Ken Thompson wrote an original speculative essay on this for CACM back in 1984 of all years.
It is really well worth the read. The short form is that there exists a way to subvert the compiler such that it is no longer trustable and it will build a back door into the OS forevermore. This paper is a must-read.