Slashdot Mirror


Kernel Exploit Cause Of Debian Compromise

mbanck writes "The cause of the recent Debian Project server compromise has been published by the Debian security team: 'Forensics revealed a burneye encrypted exploit. Robert van der Meulen managed to decrypt the binary which revealed a kernel exploit. Study of the exploit by the RedHat and SuSE kernel and security teams quickly revealed that the exploit used an integer overflow in the brk system call. Using this bug it is possible for a userland program to trick the kernel into giving access to the full kernel address space'. This issue has been fixed in 2.4.23. Thus, the Linux kernel compromise was not Debian specific."
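The bound the summary describes, as an added example in C (not the Debian team's decrypted binary, the exploit, or the kernel's own source): a 32-bit model of the brk() length check, once without any overflow test and once with the two-part test (end past TASK_SIZE, or end wrapped below start) of the shape the 2.4.23 fix introduced. TASK_SIZE = 0xC0000000 and PAGE_SIZE = 4096 are assumptions for an i386-style 3G/1G split; the function names are the example's own.

```c
/*
 * Added example; not kernel code. Models the brk() end-of-heap computation on a
 * 32-bit kernel so the missing check can be seen against the hardened one.
 * Assumed layout: user space is [0, TASK_SIZE), kernel is mapped above it.
 */
#include <stdint.h>
#include <stdio.h>

#define PAGE_SIZE 4096u
#define PAGE_MASK (~(PAGE_SIZE - 1))
#define TASK_SIZE 0xC0000000u   /* assumption: i386 3G/1G split */
#define EINVAL    22

/* Page rounding in 32-bit unsigned arithmetic; for len near 2^32 it wraps to 0,
 * which both variants below treat as "nothing to extend". */
static uint32_t page_align(uint32_t len)
{
    return (len + PAGE_SIZE - 1) & PAGE_MASK;
}

/*
 * Unchecked variant (the bug): the new heap end is addr + len, with no test that
 * the sum stays below TASK_SIZE or even that it did not wrap around zero.
 * A user-controlled len therefore yields a mapping that reaches into, or past,
 * the kernel half of the address space.
 */
uint32_t brk_extend_unchecked(uint32_t addr, uint32_t len)
{
    len = page_align(len);
    if (!len)
        return addr;
    return addr + len;          /* may land above TASK_SIZE or wrap below addr */
}

/*
 * Hardened variant: refuse a range that ends in kernel space or whose end wraps
 * below its start. Both halves are needed: a wrapped sum is a small number, so it
 * passes the TASK_SIZE comparison on its own while the range actually covers
 * everything above addr. Returns 0 and sets *new_end, or -EINVAL.
 */
int brk_extend_checked(uint32_t addr, uint32_t len, uint32_t *new_end)
{
    uint32_t end;

    len = page_align(len);
    if (!len) {
        *new_end = addr;
        return 0;
    }
    end = addr + len;
    if (end > TASK_SIZE || end < addr)
        return -EINVAL;
    *new_end = end;
    return 0;
}

int main(void)
{
    /* Constructed inputs: a typical heap start, a wrapping length, and a length
     * that crosses TASK_SIZE without wrapping. */
    uint32_t heap = 0x08048000u, end;

    printf("wrap:   unchecked end 0x%08x, checked rc %d\n",
           brk_extend_unchecked(heap, 0xFFFFF000u),
           brk_extend_checked(heap, 0xFFFFF000u, &end));
    printf("cross:  unchecked end 0x%08x, checked rc %d\n",
           brk_extend_unchecked(0xBFFF0000u, 0x00020000u),
           brk_extend_checked(0xBFFF0000u, 0x00020000u, &end));
    if (brk_extend_checked(heap, 0x1000u, &end) == 0)
        printf("normal: new end 0x%08x\n", end);
    return 0;
}
```

The "wrap" case is the instructive one: the unchecked end comes out as 0x08047000, a harmless-looking user-space address below TASK_SIZE, yet the range it describes runs from the heap start through the whole kernel mapping. A check that only compares the end against TASK_SIZE would accept it; the `end < addr` half is what catches it.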

4 of 673 comments

  1. Re:How does this compare... by slittle · Score: 0, Troll

    When Microsoft release updates, you get them straight away. When Linus, etc. release updates, Debian might get around to putting it into the stable branch in 3-4 years.

    Way to go guys.

    --
    Opportunity knocks. Karma hunts you down.
  2. Re:Well, well, well... by Anonymous Coward · Score: 0, Troll

    Recent Advisories

    11/29/2003 3:45 - SUSE: BIND Negative cache vulnerability and many others
    The BIND8 code is vulnerable to a remote denial-of-service attack by poisoning the cache with authoritative negative responses that should not be accepted otherwise. To execute this attack a name-server needs to be under malicious control and the victim's bind8 has to query this name-server.

    11/29/2003 3:41 - Mandrake: GnuPG Serious key vulnerability
    Phong Nguyen identified a severe bug in the way GnuPG creates and uses ElGamal keys for signing. This is a significant security failure which can lead to a compromise of almost all ElGamal keys used for signing. Note that this is a real world vulnerability which will reveal your private key within a few seconds.

    11/29/2003 3:37 - FreeBSD: Bind Negative-cache DOS vulnerability
    An attacker may arrange for malicious DNS messages to be delivered to a target name server, and cause that name server to cache a negative response for some target domain name. The name server would thereafter respond negatively to legitimate queries for that domain name, resulting in a denial-of-service for applications that require DNS.

    11/28/2003 12:30 - Trustix: bind Cache poisoning vulnerability
    A vulnerability has been found in BIND that ".. allows an attacker to conduct cache poisoning attacks on vulnerable name servers by convincing the servers to retain invalid negative responses."

    11/28/2003 9:49 - Turbolinux: Multiple package updates
    fileutils, fetchmail, postgresql, cups, and ethereal have been updated to address security vulnerabilities.

    11/27/2003 9:47 - Immunix: bind Cache poisoning vulnerability
    A vulnerability has been found in BIND that ".. allows an attacker to conduct cache poisoning attacks on vulnerable name servers by convincing the servers to retain invalid negative responses."

    11/26/2003 18:22 - EnGarde: BIND cache poisoning vulnerability
    A cache poisoning vulnerability exists in the version of BIND shipped with all versions of EnGarde Secure Linux. Successful exploitation of this vulnerability may result in a temporary denial of service until the bad record expires from the cache.

    11/26/2003 9:55 - Mandrake: Stunnel file descriptor leak
    A vulnerability was discovered in stunnel versions 3.24 and earlier, as well as 4.00, by Steve Grubb. It was found that stunnel leaks a critical file descriptor that can be used to hijack stunnel's services.

    11/25/2003 20:56 - Fedora: Ethereal buffer overflow vulnerability
    These updated ethereal packages fix a security problem found in versions prior to 0.9.16. It also fixes several other minor bugs and problems.

    11/25/2003 9:46 - Redhat: XFree86 Multiple vulnerabilities
    Multiple integer overflows in the transfer and enumeration of font libraries in XFree86 allow local or remote attackers to cause a denial of service or execute arbitrary code via heap-based and stack-based buffer overflow attacks.

    11/24/2003 20:09 - Gentoo: phpSysInfo directory traversal
    phpSysInfo contains two vulnerabilities which could allow local files to be read or arbitrary PHP code to be executed, under the privileges of the web server process.

    11/24/2003 19:40 - Gentoo: Libnids remote code execution
    There is a bug in the part of libnids code responsible for TCP reassembly. The flaw probably allows remote code execution.

    11/24/2003 19:34 - Gentoo: Glibc buffer overrun vulnerability
    A bug in the getgrouplist function can cause a buffer overflow if the size of the group list is too small to hold all the user's groups. This overflow can cause segmentation faults in user applications. This vulnerability exists only when an administrator has placed a user in a number of groups larger than that expected by an application.

    11/24/2003 19:32 - Gentoo: Ethereal multiple vulnerabilities
    It may be possible to make Ethereal crash or run arbitrary code by injecting a purposefully malformed packet onto the wire, or by convincing someone to read

  3. WHAT DID I TELL YOU TWO WEEKS AGO!?!?!? by ScottKin · Score: 0, Troll

    The Church-bell peals slowly.

    Linux is kernel-level exploitable.

    Windows is not.

    QED.

    If you think this is a flame, then you need to have your head examined; this is nothing more than the truth.

    ScottKin

    --
    I don't give a rat's behind about "karma" here or anywhere else. Don't like what I have to say here? Deal with it!
  4. Re:What Crow? by ScottKin · Score: 0, Troll

    It amazes me when Linux-o-philes and their fellow penguin-fetishists start believing their own spin and FUD.

    Apparently, the person who found this exploit was too busy to alert the rest of the commune-hive about the exploit to get the "fix" into the next build, let alone to contact anyone. This person should be forbidden from adding anything to the Linux CVS tree, let alone taken out and shot.

    In regards to Windows: I can easily keep track of what patches are applied to my systems: it's called "ADD/REMOVE PROGRAMS" and actually looking in the %SystemRoot% directory for directories starting with "$NtUninstall" and finding the KnowledgeBase ("KB81027") or the Q-article ("Q828026") related to the patch.

    More proof that Linux should only be considered as a hobbyist OS, let alone a bored-boys toy.

    ScottKin.

    --
    I don't give a rat's behind about "karma" here or anywhere else. Don't like what I have to say here? Deal with it!