Slashdot Mirror


Kernel Exploit Cause Of Debian Compromise

mbanck writes "The cause of the recent Debian Project server compromise has been published by the Debian security team: 'Forensics revealed a burneye encrypted exploit. Robert van der Meulen managed to decrypt the binary which revealed a kernel exploit. Study of the exploit by the RedHat and SuSE kernel and security teams quickly revealed that the exploit used an integer overflow in the brk system call. Using this bug it is possible for a userland program to trick the kernel into giving access to the full kernel address space'. This issue has been fixed in 2.4.23. Thus, the Linux kernel compromise was not Debian specific."

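The summary above describes the bug as an integer overflow in the bounds checking of the brk system call, which let a user-space program extend a mapping past the user/kernel boundary. The C snippet below is an added illustration, not code from this page and not the kernel's own code, of that class of defect: a range check that first computes `addr + len` in fixed-width arithmetic accepts a sum that has wrapped around, while the corrected check also rejects the wrap. `TASK_SIZE` is set to 0xC0000000 (the 32-bit i386 user/kernel split) purely as a constructed example value, and the function names are mine; the shape of the corrected test is my understanding of the check the 2.4.23 fix put into do_brk(), not a quotation of it.

```c
#include <stdio.h>
#include <stdint.h>

/* Constructed example: 32-bit addresses so the wraparound is visible on
 * any host. User-space regions must end at or below TASK_SIZE. */
typedef uint32_t addr_t;
#define TASK_SIZE ((addr_t)0xC0000000UL)

/* Naive check: "the end of the region must not exceed TASK_SIZE".
 * addr + len is computed first; if the sum wraps past 2^32 it becomes a
 * small value that passes the comparison. Returns 1 if accepted. */
int range_ok_naive(addr_t addr, addr_t len)
{
    addr_t end = addr + len;          /* may wrap */
    return end <= TASK_SIZE;
}

/* Hardened check: reject regions that reach into kernel space and
 * regions whose end wrapped around. This mirrors the form
 * (addr + len) > TASK_SIZE || (addr + len) < addr, which is how the
 * 2.4.23 do_brk() fix is usually described (assumption, see lead-in). */
int range_ok_fixed(addr_t addr, addr_t len)
{
    addr_t end = addr + len;
    if (end > TASK_SIZE)              /* would extend past user space */
        return 0;
    if (end < addr)                   /* arithmetic wrapped around */
        return 0;
    return 1;
}

/* Equivalent check that never computes the sum at all: len must fit in
 * the room that remains below TASK_SIZE. */
int range_ok_no_overflow(addr_t addr, addr_t len)
{
    if (addr > TASK_SIZE)
        return 0;
    return len <= TASK_SIZE - addr;
}

int main(void)
{
    /* Constructed inputs: a normal heap extension, an honest overrun,
     * and a length chosen so that addr + len wraps to a small value. */
    struct { addr_t addr, len; const char *what; } cases[] = {
        { 0x08100000, 0x00001000, "normal 4 KiB extension" },
        { 0xBFFFF000, 0x00002000, "plain overrun past TASK_SIZE" },
        { 0x08100000, 0xFFF00000, "length that wraps the sum" },
    };
    for (unsigned i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        printf("%-30s naive=%d fixed=%d no_overflow=%d\n", cases[i].what,
               range_ok_naive(cases[i].addr, cases[i].len),
               range_ok_fixed(cases[i].addr, cases[i].len),
               range_ok_no_overflow(cases[i].addr, cases[i].len));
    }
    return 0;
}
```

The third case is the one that matters: the naive check accepts it because the wrapped sum compares below TASK_SIZE, whereas both corrected forms reject it. Whenever a bounds check is written as `base + length <= limit`, the `length <= limit - base` form (after confirming `base <= limit`) avoids the overflow rather than detecting it after the fact.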
22 of 673 comments

  1. Re:Hurray for the Debian Security Team! by __past__ · Score: 3, Insightful
    Hats off to the Debian Security Team.
    And to the RedHat and SuSE security teams for helping them to track it down. In other words, hats off to the whole Free Software Community for collaborating when disaster strikes.
  2. Time for better security. by Sheetrock · Score: 5, Insightful
    It's obvious that with the gradual acceptance of Linux by the business community, it's time for a stricter security model to be adopted. While OpenBSD has not shared in the commercial success of Linux, it does have one area of technical superiority: its security review process has yet to permit a remote root compromise in a standard install.

    Linux is a compelling choice in the Free Software world because of its pace of development and wide availability of software. However, it is this strength that is becoming a weakness. Perhaps it is time to slow down and review with more vigor to mimic the accomplishment of OpenBSD.

    --

    Try not. Do or do not, there is no try.
    -- Dr. Spock, stardate 2822-3.

    1. Re:Time for better security. by wirelessbuzzers · Score: 4, Insightful

      While I agree with your point, OpenBSD's numbers are a bit skewed. For one thing, there has been one remote root compromise, not none.

      Second, that "standard install" has most of the features turned off... No Apache, etc... I don't even know if SSHD is on by default. I mean, they could have zero remote root compromises if their standard install didn't include network drivers.

      I know that OpenBSD can't possibly comb every line of apache and all the other contrib software ten times over, but this would be a problem for the Debian folks too.

      --
      I hereby place the above post in the public domain.
    2. Re:Time for better security. by eyeball · Score: 3, Insightful

      Never mind that the default install is basically useless.

      Define useless. It comes with a compiler, make & other build tools, and an ftp client. What more would a real unix user need?

      --

      _______
      2B1ASK1
    3. Re:Time for better security. by Homology · Score: 3, Insightful
      don't mean to burst your bubble, bash Theo or OpenBSD, but I read Bugtraq daily, and I can't count the number of exploitable bugs reported in the OpenBSD kernel over the past few weeks, but it would probably take both hands and at least one foot.

      You apparently don't pay much attention to what you read then, since for OpenBSD 3.4 there are two security fixes. One local and one remote denial of service. One of the security fixes is only relevant for i386.

      http://openbsd.org/errata.html

  3. Re:Userland exploits by Anonymous Coward · Score: 4, Insightful

    No really, a user account is as good as root on almost all systems. If you need security, don't have user accounts on the system.

  4. Re:How does this compare... by Evil+Adrian · Score: 3, Insightful

    It doesn't compare, because most Slashdot users won't be making a huge stink about it the way they would with a Microsoft hole.

    --
    evil adrian
  5. Comment removed by account_deleted · Score: 5, Insightful

    Comment removed based on user account deletion

  6. Agreed by DenOfEarth · Score: 4, Insightful

    I agree with you totally. It's one thing to say that Linux is rock-solid secure, but in the real world this just might not always be true. It is however, a good thing to be able to say that the parties concerned with this particular security breach have been forthcoming to the community. A large part of security is just that. Hats off to the debian people.

  7. red hat and SUSE to the rescue by 2057 · Score: 3, Insightful

    it seems everyone's favorite whipping boys did a lot of work in finding and fixing this bug. AND THEY SHARED THE INFO, who says corporate linux is evil now!

    --
    For The Best Jazz/Hip-hop fusion > COlD DUCK
  8. Re:How does this compare... by EverDense · Score: 3, Insightful

    This story is about how great the Open Source Community is for fixing an exploit. The Microsoft story was about how incompetent Microsoft is for having an exploit.

    Actually the Windows story was about how Microsoft had not patched an exploit they had known about for months.

    This Linux exploit had ALREADY been patched.

    --
    http://jesus.everdense.com/
  9. Re:How does this compare... by DickBreath · Score: 3, Insightful

    What this should be is a story about how a Linux exploit hasn't caused millions of dollars in damage affecting hundreds of thousands of servers in less than 24 hours, affecting ATM networks, gas pumps, etc.

    Or maybe it should be a story about how Linux users don't shoot the messenger. "They shouldn't have made the exploit known before the patch was available." -- the oft heard commercial software providers' complaint about how irresponsible it is to exploit a system before the patch is available.

    --

    I'll see your senator, and I'll raise you two judges.
  10. Um, no by Overly+Critical+Guy · Score: 3, Insightful

    You know, people hack things. Kiddies hack servers.

    Why does it always have to be a "determined effort" against Open Source? Honestly...how paranoid do you have to be to think that? You do realize a lot of idiot kiddie (and professional) hackers are aware of Linux.

    Let me put your underlying implication to rest--no, it wasn't Microsoft. No reason to believe such. It was just some idiot hacker, like it always is.

    --
    "Sufferin' succotash."
  11. Re:The kernel patch... by pclminion · Score: 4, Insightful
    It's only "gory detail" to those who are capable of reading the code: i.e., the crackers. The entry for that patch in the ChangeLog basically reads: "Bounds checking on do_brk()". Only a programmer will recognize that this is a security problem, and the ChangeLog entry is vague and doesn't explain the importance of the change.

    If fixes are made which affect security, the ChangeLog should clearly spell out that it was a SECURITY fix. I guess people don't want to admit that they have found a security problem...

  12. Re:what kind of person... by noda132 · Score: 4, Insightful

    What kind of person spends that much time trying to find exploits in operating system kernels?

    The kernel developers, i.e., Andrew Morton. Good for him, too.

    There *was* a patch before the Debian systems were compromised. Hopefully in the future these things will be given more attention before they blow up.

  13. Re:My my my, yet another Linux bug. by Anonymous Coward · Score: 3, Insightful

    Windows has tons of local root exploits, which nobody is bothering to fix because they're too busy patching the remote exploits.

    If Windows had a bug like this, it wouldn't be news. Microsoft hardly even tries to defend against such things. The only reason this is newsworthy is because Linux attempts to set a higher standard.

  14. Re:Well, well, well... by HeghmoH · Score: 5, Insightful

    The worst Linux exploit of the year: an obscure kernel vulnerability that allowed one person to gain control of one box, disrupting one small OS group for a few days.

    The worst Windows exploit of the year: a hole in the RPC services (which you can't turn off) that allowed a worm to gain control of millions of Windows boxes, disrupting the entire internet.

    How does this make Linux equally bad as Windows, then?

    --
    Mod down posts with a "Free Mac Mini/iPod" sig, they're spam!
  15. Re:Hurray for the Debian Security Team! by adrianbaugh · Score: 3, Insightful

    This had been rumoured for several days before the actual announcement was made.
    I'm guessing it was found and corrected, as a bug, but not thought to be exploitable, therefore no security announcement[0]. Later on, when debian.org got cracked, someone put two and two together and made the security announcement. I must admit, it seemed fairly weird to me for a long time, and I thought up a few lovely conspiracy theories, but in the end I think the simple oversight scenario is the most likely.

    [0] After all, plenty of bugs get fixed in the kernel without being specially announced. If it was subtle someone probably just overlooked the fact that this particular bug was more problematic than any of the others fixed in that patch.

    --
    "'I pass the test,' she said. 'I will diminish, and go into the West, and remain Galadriel.'"
    - JRR Tolkien.
  16. Re:Well, well, well... by _Sprocket_ · Score: 4, Insightful
    Perhaps you would like to add a point to copy-and-pasting the Linux Security advisory page? Maybe some context? Some sign of understanding what you're reading?

    A couple of points...

    1) Note that of the 15 listed advisories:

    5 are the same BIND DOS vulnerability

    2 (or 3 if you count Turbolinux's mega-update) are the same Ethereal vulnerability (DOS, possible arbitrary code)

    2 are the same stunnel hijacking vulnerability

    2) None of these vulnerabilities lead to a remote exploit (although it could be argued one might be able to create a favorable condition with the ethereal issue)

    Sure - Linux runs buggy code too. If that's your point, make it. But this hardly seems to be a suitable response to the parent's (semi-trollish) comment on MS' run of remote exploits.

  17. Re:A shift of focus by anthonyrcalgary · Score: 3, Insightful

    With Linux Desktops being most popular in corporate settings, it's going to start being targeted by professional black hats, if it's not already. Security is a concern, even local exploits.

    A desktop system is exposed to tons of potentially hostile data. Strings are like acid, and a complex language like HTML is just asking for trouble.

    Don't get me wrong, OpenBSD is waaay into diminishing returns territory as far as security goes, but there's a few things that could be done to get 90% of the benefits, e.g. ProPolice in the kernel and W^X.

    --
    When someone might yell at me, it has to be OpenBSD.
  18. Re:Well, well, well... by swissmonkey · Score: 3, Insightful

    1) It's not obscure anymore
    2) You don't know how many persons used this exploit to take over Linux servers
    3) You don't know how many Linux servers were taken over by this exploit
    4) Yes, when an exploit hits Windows, it hits many more machines, because there's many more Windows boxes than Linux
    5) You obviously have missed all the remote exploits affecting tons of server software on Linux this year (openssh, apache, etc...), any of these could lead to owning the whole machine when used with this local exploit

  19. Re:Well, well, well... by Sri+Ramkrishna · Score: 4, Insightful

    Um no.

    First the exploit compromised one of the largest Linux distributions and potentially they could have put trojan horses in all our packages and we would really be up shit river when that happens.

    Secondly, we are no longer getting package updates so they have successfully stopped Debian development while they patch all this.

    Although it's not in the scale of windows, if GNU/Linux had larger marketshare this would have been a big deal.

    sri