Slashdot Mirror

← Back to Stories (view on slashdot.org)

Kernel Exploit Cause Of Debian Compromise

Posted by simoniker on from the slightly-disturbing dept.

mbanck writes "The cause of the recent Debian Project server compromise has been published by the Debian security team: 'Forensics revealed a burneye encrypted exploit. Robert van der Meulen managed to decrypt the binary which revealed a kernel exploit. Study of the exploit by the RedHat and SuSE kernel and security teams quickly revealed that the exploit used an integer overflow in the brk system call. Using this bug it is possible for a userland program to trick the kernel into giving access to the full kernel address space'. This issue has been fixed in 2.4.23. Thus, the Linux kernel compromise was not Debian specific."

45 of 673 comments (clear)

  1. How does this compare... by IamGarageGuy+2 · · Score: 2, Insightful

    to the winodows hole found the other day. Has anybody heard if that was fixed yet(not sure if it has been 48 hours yet). Technically this hole was fixed before it was found. It looks like another win for open source.

    --
    Stay tuned for new sig...
    1. Re:How does this compare... by Evil+Adrian · · Score: 3, Insightful

      It doesn't compare, because most Slashdot users won't be making a huge stink about it the way they would with a Microsoft hole.

      --
      evil adrian
    2. Re:How does this compare... by EverDense · · Score: 3, Insightful

      This story is about how great the Open Source Community is for fixing an exploit. The Microsoft story was about how incompetent Microsoft is for having an exploit.

      Actually the Windows story was about how Microsoft had not patched an exploit they had known about for months.

      This Linux exploit had ALREADY been patched.

      --
      http://jesus.everdense.com/
    3. Re:How does this compare... by DickBreath · · Score: 3, Insightful

      What this should be is a story about how a Linux exploit hasn't caused millions of dollars in damage affecting hundreds of thousands of servers in less than 24 hours, affecting ATM networks, gas pumps, etc.

      Or maybe it should be a story about how Linux users don't shoot the messenger. "They shouldn't have made the exploit known before the patch was available." -- the oft heard commercial software providers' complaint about how irresponsible it is to exploit a system before the patch is available.

      --

      I'll see your senator, and I'll raise you two judges.
  2. Re:Hurray for the Debian Security Team! by __past__ · · Score: 3, Insightful
    Hats off to the Debian Security Team.
    And to the RedHat and SuSE security teams for helping them to track it down. In other words, hats off to the whole Free Software Community for collaborating when desaster strikes.
    --
    Programming can be fun again. Film at 11.
  3. Time for better security. by Sheetrock · · Score: 5, Insightful
    It's obvious that with the gradual acceptance of Linux by the business community, it's time for a stricter security model to be adopted. While OpenBSD has not shared in the commercial success of Linux, it does have one area of technical superiority: its security review process has yet to permit a remote root compromise in a standard install.

    Linux is a compelling choice in the Free Software world because of its pace of development and wide availability of software. However, it is this strength that is becoming a weakness. Perhaps it is time to slow down and review with more vigor to mimic the accomplishment of OpenBSD.

    --

    Try not. Do or do not, there is no try.
    -- Dr. Spock, stardate 2822-3.




    1. Re:Time for better security. by Anonymous Coward · · Score: 1, Insightful
      ...it does have one area of technical superiority: its security review process has yet to permit a remote root compromise in a standard install.

      Perhaps, perhaps not. In this particular case it was not a remote root compromise. Someone had access to a developer account on the machine, and was then able to take advantage of a local exploit. The bug leading to this exploit was found in September, but had not worked its way to a released kernel until just recently. There was a window between the fix being published (and becoming publicly available knowledge) and it being distributed in 2.4.23 that was hit.

      Some would claim (and have claimed) that this is a significant problem with open source security. Not only is the source open for undiscovered exploits to be dug up, but the source for their fixes (patches, etc) is available, easing efforts to target them. A possible solution would be maintaining a patch set for exploitable bugs such as this. Those who must be up to date on critical patches can then get them easily in the period between kernel releases.

    2. Re:Time for better security. by wirelessbuzzers · · Score: 4, Insightful

      While I agree with your point, OpenBSD's numbers are a bit skewed. For one thing, there has been one remote root compromise, not none.

      Second, that "standard install" has most of the features turned off... No Apache, etc... I don't even know if SSHD is on by default. I mean, they could have zero remote root compromises if their standard install didn't include network drivers.

      I know that OpenBSD can't possible comb every line of apache and all the other contrib software ten times over, but this would be a problem for the Debian folks too.

      --
      I hereby place the above post in the public domain.
    3. Re:Time for better security. by Coryoth · · Score: 2, Insightful

      Hmmm, if someone made a Linux distribution that included no network or modem drivers in the _default_ install, they could probably go a while with no remote holes in the default install.

      Okay, OpenBSD is nowhere near that bad, but the default install doesn't actually do that mcuh - you have to turn on _some_ services if you want to do anything, and I presume that doesn't caount as "default install"?

      Jedidiah

      --
      Craft Beer Programming T-shirts
    4. Re:Time for better security. by eyeball · · Score: 3, Insightful

      Never mind that the default install is basically useless.

      Define useless. It comes with a compiler, make & other build tools, and an ftp client. What more would a real unix user need?

      --

      _______
      2B1ASK1
    5. Re:Time for better security. by spotter · · Score: 2, Insightful
      And Linux has also some barriers like SELinux that theorically renders uncommon situations not exploitable. Theorically, because there can still be bugs in SELinux or other parts of the kernel that would bypass it.

      And in this case, SELinux wouldn't have helped, because the bug let user space programs into the kernel's memory space, and once that happens all bets are off, much like what would happen if any program could write to /dev/kmem.

    6. Re:Time for better security. by drinkypoo · · Score: 2, Insightful

      Your very own argument has a big fat hole through it. You are counting bugs which have been found. OpenBSD is subject to ongoing proactive review. Linux, on the other hand, primarily approaches security through "whoops, I just got rooted, here's a patch" or "I noticed this thing while I was working on this other thing, accidentally." Given the two different styles of code review, the fact that the OpenBSD team found more potentially exploitable bugs does not mean that OpenBSD has more of them. It doesn't mean they have less, either, I'm not saying that.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    7. Re:Time for better security. by Homology · · Score: 3, Insightful
      don't mean to burst your bubble, bash Theo or OpenBSD, but I read Bugtraq daily, and I can't count the number of exploitable bugs reported in the OpenBSD kernel over the past few weeks, but it would probably take both hands and at least one foot.

      You appearantly don't pay much attention to what your read then, since for OpenBSD 3.4 there are two security fixes. One local and one remote denial of service. One of the security fixes are only relevant for i386.

      http://openbsd.org/errata.html

  4. Re:Userland exploits by Anonymous Coward · · Score: 4, Insightful

    No really, a user account is as good as root on almost all systems. If you need security, don't have user accounts on the system.

  5. Nice management by Anonymous Coward · · Score: 1, Insightful

    The management of the incedent seems very professional to me. Thanks to all the people who had a lot of work because of this. They keept the reputation of debian up! Which is a good thing since this is my favorite distribution.
    Disclaimer i'm no debian devel :)

  6. Comment removed by account_deleted · · Score: 5, Insightful

    Comment removed based on user account deletion

  7. Agreed by DenOfEarth · · Score: 4, Insightful

    I agree with you totally. It's one thing to say that Linux is rock-solid secure, but in the real world this just might not always be true. It is however, a good thing to be able to say that the parties concerned with this particular security breach have been forthcoming to the community. A large part of security is just that. Hats off to the debian people.

    1. Re:Agreed by RealProgrammer · · Score: 2, Insightful

      It's hubris to say that your code is "rock solid secure". You can say it, but you'd better not think it.

      Say (or think) instead:
      • we're as secure as effort allows
      • we know of no exploits
      • or even, in a pinch:
      • we're more solid than our competitors

      The brk(2) call is about as mundane a system call as there is. Maybe the C library calls feof(3) or abs(3) are more boring.

      Every program has its metaphorical brk(2) call. Who would look there for an exploit?

      Calling your code "rock solid secure" is a sure path to complacency. Besides, it'll look really bad when someone finds a hole in your brk(2).

      --
      sigs, as if you care.
  8. Re:How did they get in to run a userspace util? by Stradenko · · Score: 2, Insightful

    There would then need to be a vulnerability in apache/httpd to allow a user to execute arbitrary code.

  9. red hat and SUSE to the rescue by 2057 · · Score: 3, Insightful

    it seems everyones favorite whipping boys did alot of work in finding and fixing this bug. AND THEY SHARED THE INFO, who says corporate linux is evil now!@

    --
    For The Best Jazz/Hip-hop fusion > COlD DUCK
  10. Re:what kind of person... by vadim_t · · Score: 2, Insightful

    Oh, I am sure that there are very few people who really sit down and think "Hmm... how could I find an exploit in the kernel?". I think it's much more likely that it's some fairly normal programmer, working on something completely unrelated who one day makes a call the wrong way and finds that it crashes the kernel. And there comes the choice, to be a nice guy and send a mail to LKML, or to check that nobody seems to have noticed it yet and use it to break into some interesting place?

  11. Re:The kernel patch... by toirdnim · · Score: 2, Insightful

    One scary thing to consider about open-source software is that vulnerabilities are published in gory detail often before people bother to upgrade to the patched version.

  12. Re:Hurray for the Debian Security Team! by krbvroc1 · · Score: 2, Insightful

    This problem was found in September by Andrew Morton, but unfortunately that was too late for the 2.4.22 kernel release.

    If this was found after 2.4.22 but before 2.4.23 release then it should have been announced and patched. How is this any different than what Microsoft does? We complain (rightfully so) about security through obscurity and lack of transparency. In this case a KNOWN kernel exploit was left in the open for 1-2 months?

    Looking at the 2.4.23 CHANGES file I'm still not clear who/what fixed this. The closest think I see is: ": o Add TASK_SIZE check to do_brk()". Nothing from Andrew Morton's CHANGES entry implies a fix to this. Perhaps "make printk more robust with "null" pointers?" How do we know? Why wasn't it reported to the security groups immediately when it was found (or was it?).

  13. Re:It's Linux's fault not Debian(!?) by mbanck · · Score: 2, Insightful
    It's ok because it's the kernel that's been exploited; not Debian. wtf?

    Nobody says it's OK. This is a serious problem. I was just saying that this problem was not Debian-specific, i.e. it could have happened on any other Box running a (by that time) released Linux kernel, as long as the attacker had local access.

    what's Debian without the Linux kernel?

    Not much. But note that Debian also works on Debian (GNU/)*BSD and Debian GNU/Hurd, not only Debian GNU/Linux.

    Michael

  14. Um, no by Overly+Critical+Guy · · Score: 3, Insightful

    You know, people hack things. Kiddies hack servers.

    Why does it always have to be a "determined effort" against Open Source? Honestly...how paranoid do you have to be to think that? You do realize a lot of idiot kiddie (and professional) hackers are aware of Linux.

    Let me put your underlying implication to rest--no, it wasn't Microsoft. No reason to believe such. It was just some idiot hacker, like it always is.

    --
    "Sufferin' succotash."
  15. Re:The kernel patch... by pclminion · · Score: 4, Insightful
    It's only "gory detail" to those who are capable of reading the code: i.e., the crackers. The entry for that patch in the ChangeLog basically reads: "Bounds checking on do_brk()". Only a programmer will recognize that this is a security problem, and the ChangeLog entry is vague and doesn't explain the importance of the change.

    If fixes are made which affect security, the ChangeLog should clearly spell out that it was a SECURITY fix. I guess people don't want to admit that they have found a security problem...

  16. Re:Well, well, well... by jmv · · Score: 2, Insightful

    Part of what you say is right... However, the difference is that with Windows, what you hear about are *remote* holes, while in this case, it's a *local* hole. That makes a big difference. Local holes are frequent on any OS and regardless of what you do, a rogue local user can always do bad things. Remote holes are much worse, as anyone can attack your machine, not only local users. There have been very few remote holes with Linux (at least compared to Windows).

    --
    Opus: the Swiss army knife of audio codec
  17. Re:Well, well, well... by biendamon · · Score: 2, Insightful

    You're right, of course. This is an instance of a real security hole discovered in the kernel itself, and not of the garden-variety "could-theoretically-happen-under-XYZ-circumstance s" type you usually see with Linux. So that makes...hmmm...one. One real hole in the Linux kernel this year. Congratulations! You've proven that Linux isn't perfect. Which those of us who aren't trolls or delusional already know.

  18. Re:There goes my Saturday by jmv · · Score: 2, Insightful

    Remember that unless you have untrusted local users, the patch is not critical.

    --
    Opus: the Swiss army knife of audio codec
  19. Wrong by Compact+Dick · · Score: 2, Insightful
    I get flamed for being a so-called "Microsoft shill" constantly for pointing out the obvious--operating systems are as secure as their admins/makers.
    You get flamed because you're not Overly Critical when an exploit is revealed in closed source software. In fact, you're downright silent. When you get that sorted out, notice the flames dying down.

    Good luck!
    --
    Use ISO 8601 dates [YYYY-MM-DD]
  20. Re:so are other distros possible infected? by virtual_mps · · Score: 2, Insightful
    Gentoo's machines are being upgraded over the next hour. However, Gentoo forbids password logins for ssh (pk only), so they're less vulnerable to password stealing anyway.

    Right. So instead of stealing the password the intruder has to take the extraordinary step of stealing the key. And you've got an even worse problem in the general case when dealing with keys, because you have a hard time enforcing things like password expiration (just how long can someone use that stolen key to get into your system?)
  21. Re:what kind of person... by noda132 · · Score: 4, Insightful

    What kind of person spends that much time trying to find exploits in operating system kernels?

    The kernel developers, i.e., Andrew Morton. Good for him, too.

    There *was* a patch before the Debian systems were compromised. Hopefully in the future these things will be given more attention before they blow up.

  22. Re:My my my, yet another Linux bug. by Anonymous Coward · · Score: 3, Insightful

    Windows has tons of local root exploits, which nobody is bothering to fix because they're too busy patching the remote exploits.

    If Windows had a bug like this, it wouldn't be news. Microsoft hardly even tries to defend against such things. The only reason this is newsworthy is because Linux attempts to set a higher standard.

  23. Re:Well, well, well... by You're+All+Wrong · · Score: 2, Insightful

    "
    How many available kernel exploits have been identified over the last 5 years of Windows?
    "

    Sorry - Linux loses here. They don't call it a kernel exploit in windows. It's always an exploit in a separate subsystem instead.

    Shhhh! Don't go telling everyone that the subsystem has access to every byte of RAM, and every I/O port, as that would spoil the fun.

    YAW.

    --
    Your head of state is a corrupt weasel, I hope you're happy.
  24. Re:Well, well, well... by HeghmoH · · Score: 5, Insightful

    The worst Linux exploit of the year: an obscure kernel vulnerability that allowed one person to gain control of one box, disrupting one small OS group for a few days.

    The worst Windows exploit of the year: a hole in the RPC services (which you can't turn off) that allowed a worm to gain control of millions of Windows boxes, disrupting the entire internet.

    How does this make Linux equally bad as Windows, then?

    --
    Mod down posts with a "Free Mac Mini/iPod" sig, they're spam!
  25. Re:Hurray for the Debian Security Team! by adrianbaugh · · Score: 3, Insightful

    This had been rumoured for several days before the actual announcement was made.
    I'm guessing it was found and corrected, as a bug, but not thought to be exploitable, therefore no security announcement[0]. Later on, when debian.org got cracked, someone put two and two together and made the security announcement. I must admit, it seemed fairly weird to me for a long time, and I thought up a few lovely conspiracy theories, but in the end I think the simple oversight scenario is the most likely.

    [0] After all, plenty of bugs get fixed in the kernel without being specially announced. If it was subtle someone probably just overlooked the fact that this particular bug was more problematic than any of the others fixed in that patch.

    --
    "'I pass the test,' she said. 'I will diminish, and go into the West, and remain Galadriel.'"
    - JRR Tolkien.
  26. Re:Well, well, well... by _Sprocket_ · · Score: 4, Insightful
    Perhapse you would like to add a point to copy-and-pasting the Linux Security advisory page? Maybe some context? Some sign of understanding what you're reading?

    A couple of points...

    1) Note that of the 15 listed advisories:

    5 are the same BIND DOS vulnerability

    2 (or 3 if you count Turbolinux's mega-update) are the same Ethereal vulnerability (DOS, possible arbitrary code)

    2 are the same stunnel hijacking vulernability
    2) None of these vulnerabilities lead to a remote exploit (although it could be argued one might be able to create a favorable condition with the ethereal issue)

    Sure - Linux runs buggy code too. If that's your point, make it. But this hardly seems to be a suitable response to the parent's (semi-trollish) comment on MS' run of remote exploits.

  27. Re:A shift of focus by anthonyrcalgary · · Score: 3, Insightful

    With Linux Desktops being most popular in corporate settings, it's going to start being targetted by professional black hats, if it's not already. Security is a concern, even local exploits.

    A desktop system is exposed to tons of potentially hostile data. Strings are like acid, and a complex language like HTML is just asking for trouble.

    Don't get me wrong, OpenBSD is waaay into diminishing returns territory as far as security goes, but there's a few things that could be done to get 90% of the benefits, eg propolice in the kernel and W^X.

    --
    When someone might yell at me, it has to be OpenBSD.
  28. Re:A shift of focus by John+Whitley · · Score: 2, Insightful
    That mechanism is an excellent means to DRM. The loader only loads files signed by the OS provider and nothing more.


    I disagree with your assessment. It depends on how the separation of mechanism and policy are implemented in the system. The "fear zone" you describe could only apply to a proprietary, binary-distributed system. Consider an environment where the system installer (call 'em the Admin) can install a public key at system setup time. Then, assuming the correctness of the signing system, the Admin can be assured that only properly signed binaries are run on that system. You'd want the build system and signing system to be off-network and physically secured.

    That said I think signed binaries are a stopgap, not an OS-level security architectural feature. You'd have to refuse to sign any interpreters, or else modify all of them to run only signed code. Furthermore, this doesn't address questions of code injection into an already-running application.
  29. Re:Well, well, well... by swissmonkey · · Score: 3, Insightful

    1) It's not obscure anymore
    2) You don't know how many persons used this exploit to take over Linux servers
    3) You don't know how many Linux servers were taken over by this exploit
    4) Yes, When an exploit hits Windows, it hits many more machines, because there's many more Windows boxes than Linux
    5) You obviously have missed all the remote exploits affecting tons of server software on Linux this year(openssh, apache, etc...), any of these could lead to owning the whole machine when used with this local exploit

  30. Re:Well, well, well... by FreeLinux · · Score: 2, Insightful

    an obscure kernel vulnerability that allowed one person to gain control of one box

    This statement is missing a qualifier that is very important: 'That we know of so far'. How do you know that there is only one person who has the exploit? How do you know that said person only rooted the Debian boxes. How do you know that a larger group of people don't have this exploit and don't already own a flotilla of zombie systems? How do you know that your box isn't owned by such a group at this very moment?

    It is these "obscure kernel vulnerabilities", that we assume no one has an exploit for, that are the most dangerous of all. Vulnerabilities of this type allow very highly skilled crackers (with intentions unknown) to own countless systems and do what they will for extended periods of time without detection. Debian thinks that this is weeks old. Suppose that this is only the cracker's latest version of the exploit and that previous versions haven't owned those machines for months or years?

  31. Re:Well, well, well... by Sri+Ramkrishna · · Score: 4, Insightful

    Um no.

    First the exploit compromised one of the largest linux distribution and potentially they could have put trojan horses in all our packages and we would really be up shit river when that happens.

    Secondly, we are no longer getting package updates so they have successfully stopped Debian development while they patch all this.

    Although it's not in the scale of windows, if GNU/Linux had larger marketshare this would have been a big deal.

    sri

  32. Re:A shift of focus by GlassHeart · · Score: 2, Insightful
    That's a silly reason for plugging DRM.

    Sorry, I must have been vague, although some responses have grasped the main point of what I'm talking about.

    The binaries are signed by the local root user (preferably on a separate box), at install time. The public key is installed in the kernel. This is about the root user preventing the box from running anything he did not install, not for the program's copyright owner or whoever else to control if it can run. As you can see, this has little to do with DRM, where another party controls what runs and what doesn't on your machine.

    I'm also mainly talking about servers, on which ideally only a few trusted programs are installed. This lowers the signing overhead, and doesn't have a "power user" problem.

    Since it is hard to coax an existing signed application into making your evil system call, the most likely target would then be the various script interpreters. That's a valid concern, and you should restrict yourself to those interpreters with a sandbox concept, and are well implemented.

    The point is, by requiring two separate "points of failure", we are restricting the exploit to the intersection of time between the introduction and fixing of each bug. If no application bugs are known (to the cracker) at the time the kernel is vulnerable, you cannot exploit the bug. The reverse is also true.

    I hope this helps clarify the point.

  33. Learning from your mistakes by Walles · · Score: 2, Insightful
    The question that should be asked now is:

    Imagine there is a buffer overflow in the kernel's brk() implementation that nobody knows about. What kind of security measures (other than finding the bug and fixing it) could prevent that buffer overflow from being exploited by an attacker?

    When that question has been answered, go implement the answer, and this won't happen again.

    --
    Installed the Bubblemon yet?
  34. Re:What release did it APPEAR? by kasperd · · Score: 2, Insightful

    What about 2.2.x series kernels, is there a similar patch?

    I wrote some exploit code for the 2.4 kernel, it didn't work on 2.2, so maybe 2.2 never had this vulnurability.

    --

    Do you care about the security of your wireless mouse?