Slashdot Mirror


Kernel Exploit Cause Of Debian Compromise

mbanck writes "The cause of the recent Debian Project server compromise has been published by the Debian security team: 'Forensics revealed a burneye encrypted exploit. Robert van der Meulen managed to decrypt the binary which revealed a kernel exploit. Study of the exploit by the RedHat and SuSE kernel and security teams quickly revealed that the exploit used an integer overflow in the brk system call. Using this bug it is possible for a userland program to trick the kernel into giving access to the full kernel address space'. This issue has been fixed in 2.4.23. Thus, the Linux kernel compromise was not Debian specific."
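The bug the summary describes is a missing bounds check: sys_brk() validated the new break against RLIMIT_DATA but never against TASK_SIZE, and do_brk() trusted its caller, so a process could extend its heap across the user/kernel boundary or hand do_brk() an addr+len that wrapped around. The following is an added example written for this mirror, not code from the Slashdot story, the Debian security team or the kernel developers. It is a user-space C model of the 2.4-era sys_brk()/do_brk() control flow with the bounds check toggled on and off; the i386 TASK_SIZE value (0xC0000000) and the exact placement of the check after PAGE_ALIGN() are assumptions from my reading of the 2.4.23 fix, and the mm_model struct and demo_* helpers are simplifications invented for the example.

```c
/*
 * Added example, not kernel source: a user-space model of the do_brk()
 * bounds check described in the Debian security team's write-up.
 * Addresses are uint32_t so the arithmetic wraps like i386 regardless
 * of the host word size.  TASK_SIZE = 0xC0000000 (3G/1G split) is the
 * one kernel constant assumed; the mm_model struct is a stand-in for
 * mm_struct with only the fields this model needs.
 */
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT 12
#define PAGE_SIZE  ((uint32_t)1 << PAGE_SHIFT)
#define PAGE_MASK  ((uint32_t)~(PAGE_SIZE - 1))
#define PAGE_ALIGN(x) ((uint32_t)(((x) + PAGE_SIZE - 1) & PAGE_MASK))
#define TASK_SIZE  ((uint32_t)0xC0000000)   /* assumed i386 user/kernel split */
#define MODEL_EINVAL 22

struct mm_model {
    uint32_t start_brk;   /* bottom of the heap */
    uint32_t brk;         /* current top of the heap */
    uint32_t map_end;     /* end of the highest mapping this model created */
    uint32_t rlim_data;   /* RLIMIT_DATA; UINT32_MAX means unlimited */
};

/*
 * do_brk(addr, len): create an anonymous mapping [addr, addr+len).
 * bounds_check == 0 models the unpatched behaviour: any range is accepted,
 * including one above TASK_SIZE or one whose end wraps around.
 * bounds_check == 1 applies the TASK_SIZE / wrap check the 2.4.23
 * ChangeLog entry ("Bounds checking on do_brk()") refers to.
 * Returns addr on success or (uint32_t)-MODEL_EINVAL on rejection,
 * mirroring the kernel's error-pointer-in-return-value convention.
 */
static uint32_t do_brk_model(struct mm_model *mm, uint32_t addr, uint32_t len,
                             int bounds_check)
{
    len = PAGE_ALIGN(len);
    if (!len)
        return addr;                 /* zero-length request is a no-op */

    if (bounds_check) {
        uint32_t end = (uint32_t)(addr + len);
        if (end > TASK_SIZE || end < addr)   /* above kernel line, or wrapped */
            return (uint32_t)-MODEL_EINVAL;
    }

    mm->map_end = (uint32_t)(addr + len);
    return addr;
}

/*
 * sys_brk(brk): the 2.4-style caller.  It checks RLIMIT_DATA and then
 * delegates growth to do_brk(); it never compares brk with TASK_SIZE
 * itself, which is why the check inside do_brk() matters.
 * Returns the resulting mm->brk, as the real syscall does.
 */
static uint32_t sys_brk_model(struct mm_model *mm, uint32_t brk, int bounds_check)
{
    uint32_t newbrk = PAGE_ALIGN(brk);
    uint32_t oldbrk = PAGE_ALIGN(mm->brk);

    if (brk < mm->start_brk)
        return mm->brk;
    if (newbrk == oldbrk) {          /* same page: just record it */
        mm->brk = brk;
        return mm->brk;
    }
    if (brk <= mm->brk) {            /* shrinking is always allowed */
        mm->brk = brk;
        return mm->brk;
    }
    if (mm->rlim_data != UINT32_MAX && brk - mm->start_brk > mm->rlim_data)
        return mm->brk;              /* RLIMIT_DATA is the only limit here */
    if (do_brk_model(mm, oldbrk, newbrk - oldbrk, bounds_check) != oldbrk)
        return mm->brk;
    mm->brk = brk;
    return mm->brk;
}

/* Does a mapping created by this model now extend past the kernel line? */
static int heap_reaches_kernel(const struct mm_model *mm)
{
    return mm->map_end > TASK_SIZE;
}

/* Constructed scenario: unlimited RLIMIT_DATA, heap just under 3 GB,
 * brk(2) asks for 64 KB inside kernel space.  Returns 1 if it got there. */
static int demo_brk_into_kernel(int bounds_check)
{
    struct mm_model mm = { 0xBFF00000u, 0xBFF00000u, 0xBFF00000u, UINT32_MAX };
    sys_brk_model(&mm, 0xC0010000u, bounds_check);
    return heap_reaches_kernel(&mm);
}

/* Constructed scenario for a direct do_brk() caller (the ELF loader sets up
 * bss this way): addr + len wraps past 2^32.  Returns do_brk()'s result. */
static uint32_t demo_do_brk_wrap(int bounds_check)
{
    struct mm_model mm = { 0x08048000u, 0x08050000u, 0x08050000u, UINT32_MAX };
    return do_brk_model(&mm, 0xBFFFF000u, 0x50000000u, bounds_check);
}

int main(void)
{
    printf("brk into kernel space, unpatched: %s\n",
           demo_brk_into_kernel(0) ? "mapped" : "rejected");
    printf("brk into kernel space, patched:   %s\n",
           demo_brk_into_kernel(1) ? "mapped" : "rejected");
    printf("wrapped do_brk, unpatched: 0x%08x\n", demo_do_brk_wrap(0));
    printf("wrapped do_brk, patched:   0x%08x (-EINVAL)\n", demo_do_brk_wrap(1));
    return 0;
}
```

The model deliberately keeps both callers: the brk(2) path shows that the fix had to live in do_brk() rather than sys_brk() because other in-kernel callers reach do_brk() directly, and the wrap scenario shows why the check needs both halves, `end > TASK_SIZE` and `end < addr`, since a wrapped end can look perfectly valid to the first test alone.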

10 of 673 comments

  1. Time for better security. by Sheetrock · · Score: 5, Insightful
    It's obvious that with the gradual acceptance of Linux by the business community, it's time for a stricter security model to be adopted. While OpenBSD has not shared in the commercial success of Linux, it does have one area of technical superiority: its security review process has yet to permit a remote root compromise in a standard install.

    Linux is a compelling choice in the Free Software world because of its pace of development and wide availability of software. However, it is this strength that is becoming a weakness. Perhaps it is time to slow down and review with more vigor to mimic the accomplishment of OpenBSD.

    --

    Try not. Do or do not, there is no try.
    -- Dr. Spock, stardate 2822-3.

    1. Re:Time for better security. by wirelessbuzzers · · Score: 4, Insightful

      While I agree with your point, OpenBSD's numbers are a bit skewed. For one thing, there has been one remote root compromise, not none.

      Second, that "standard install" has most of the features turned off... No Apache, etc... I don't even know if SSHD is on by default. I mean, they could have zero remote root compromises if their standard install didn't include network drivers.

      I know that OpenBSD can't possibly comb every line of apache and all the other contrib software ten times over, but this would be a problem for the Debian folks too.

      --
      I hereby place the above post in the public domain.
  2. Re:Userland exploits by Anonymous Coward · · Score: 4, Insightful

    No, really, a user account is as good as root on almost all systems. If you need security, don't have user accounts on the system.

  3. Comment removed by account_deleted · · Score: 5, Insightful

    Comment removed based on user account deletion

  4. Agreed by DenOfEarth · · Score: 4, Insightful

    I agree with you totally. It's one thing to say that Linux is rock-solid secure, but in the real world this just might not always be true. It is, however, a good thing to be able to say that the parties concerned with this particular security breach have been forthcoming to the community. A large part of security is just that. Hats off to the Debian people.

  5. Re:The kernel patch... by pclminion · · Score: 4, Insightful
    It's only "gory detail" to those who are capable of reading the code: i.e., the crackers. The entry for that patch in the ChangeLog basically reads: "Bounds checking on do_brk()". Only a programmer will recognize that this is a security problem, and the ChangeLog entry is vague and doesn't explain the importance of the change.

    If fixes are made which affect security, the ChangeLog should clearly spell out that it was a SECURITY fix. I guess people don't want to admit that they have found a security problem...

  6. Re:what kind of person... by noda132 · · Score: 4, Insightful

    What kind of person spends that much time trying to find exploits in operating system kernels?

    The kernel developers, i.e., Andrew Morton. Good for him, too.

    There *was* a patch before the Debian systems were compromised. Hopefully in the future these things will be given more attention before they blow up.

  7. Re:Well, well, well... by HeghmoH · · Score: 5, Insightful

    The worst Linux exploit of the year: an obscure kernel vulnerability that allowed one person to gain control of one box, disrupting one small OS group for a few days.

    The worst Windows exploit of the year: a hole in the RPC services (which you can't turn off) that allowed a worm to gain control of millions of Windows boxes, disrupting the entire internet.

    How does this make Linux equally bad as Windows, then?

    --
    Mod down posts with a "Free Mac Mini/iPod" sig, they're spam!
  8. Re:Well, well, well... by _Sprocket_ · · Score: 4, Insightful
    Perhaps you would like to add a point to copy-and-pasting the Linux Security advisory page? Maybe some context? Some sign of understanding what you're reading?

    A couple of points...

    1) Note that of the 15 listed advisories:

    5 are the same BIND DOS vulnerability

    2 (or 3 if you count Turbolinux's mega-update) are the same Ethereal vulnerability (DOS, possible arbitrary code)

    2 are the same stunnel hijacking vulnerability

    2) None of these vulnerabilities lead to a remote exploit (although it could be argued one might be able to create a favorable condition with the ethereal issue)

    Sure - Linux runs buggy code too. If that's your point, make it. But this hardly seems to be a suitable response to the parent's (semi-trollish) comment on MS' run of remote exploits.

  9. Re:Well, well, well... by Sri+Ramkrishna · · Score: 4, Insightful

    Um no.

    First, the exploit compromised one of the largest Linux distributions, and potentially they could have put trojan horses in all our packages and we would really be up shit river when that happens.

    Secondly, we are no longer getting package updates so they have successfully stopped Debian development while they patch all this.

    Although it's not in the scale of windows, if GNU/Linux had larger marketshare this would have been a big deal.

    sri