Slashdot Mirror


Linux 2.4.24 Release Fixes Root Vulnerability

diegocgteleline.es writes "Linux Kernel 2.4.24 has been released and is available on kernel.org. It seems there's a bug in the mremap(2) system call, where a local user can get root privileges.The new version has been released only with the most important bugs fixed - the rest of the changes have been postponed (those changes include the XFS filesystem)."

81 of 436 comments

  1. 2.4.x? by devphaeton · · Score: 5, Funny

    I thought that everyone jumped to the 2.6.0 by now?

    Oh wait, it's been 2 weeks already,
    TIME FOR A RECOMPILE!!

    --
    do() || do_not(); // try();

    1. Re:2.4.x? by Neon+Spiral+Injector · · Score: 4, Informative

      The bug has also been confirmed in 2.6.0-rc1. For those that have made the jump, a patch was just posted to the linux-kernel mailing list. I'm guessing -rc2 will follow soon.

    2. Re:2.4.x? by Neon+Spiral+Injector · · Score: 3, Informative

      Crud, that should have been 2.6.1-rc1 of course.

    3. Re:2.4.x? by Dimensio · · Score: 4, Informative

      Since you meant 2.6.1-rc1, I assume that it applies to 2.6.0?

    4. Re:2.4.x? by Da+Web+Guru · · Score: 2, Insightful

      Maybe, but to upgrade your kernel you don't have to purchase an entire operating system to go along with it...

      --
      --guru

  2. Article title misleading... by kevin_conaway · · Score: 4, Interesting

    Was this bug introduced in 2.4.23 or has it been in the 2.4 series all along ?

    1. Re:Article title misleading... by simoniker · · Score: 4, Informative

      Good point, article title now changed.

      s!

    2. Re:Article title misleading... by gazbo · · Score: 5, Funny

      Sir,

      You are dangerously close to making me believe that a slashdot editor both reads the site and actually takes action based on it. This is distorting my worldview, and must halt.

      plfxthx.

    3. Re:Article title misleading... by mbyte · · Score: 5, Informative

      It's been in the kernel since the 2.2 days... the 2.2 series kernels are also affected.

      Read the synopsis: here

    4. Re:Article title misleading... by Anonymous Coward · · Score: 5, Funny

      If it ain't broke...

      ...it is now.

    5. Re:Article title misleading... by Lost+Race · · Score: 2, Informative
      I can't see how this applies to 2.2. In the new 2.4.24 patch to mremap, a new size of zero is explicitly allowed if new_addr==addr. In 2.2 there was no new_addr argument to mremap, so effectively new_addr==addr always. Is there a bug in 2.2's munmap that was fixed sometime in 2.3 or 2.4 but the fix never backported? That seems unlikely. I've examined 2.2.20 and 2.2.25 and they both look OK.

      For those of us who can't upgrade to the latest 2.4 kernels here is the mremap patch by itself. This applies cleanly to 2.4.21 and 2.4.22 (and probably most other 2.4 kernels as well).

  3. Anyone written an exploit yet? by cyt0plas · · Score: 3, Interesting

    Was this one of the usual "inform, wait, release" cases, or is this one of those "oh crap! time for a fix!" cases.

    In other words, should I, Joe Schmoe SysAdmin be afraid of the script kiddies yet?

    --
    Contact Me (got tired of viruses emailing me).
    1. Re:Anyone written an exploit yet? by Anonymous Coward · · Score: 3, Informative

      "Proof-of-concept exploit code has been created and successfully tested giving UID 0 shell on vulnerable systems."

      Just because the proof of concept exploit was created DOESN'T MEAN IT WAS RELEASED! If Linus and one other guy are the only ones with the proof of concept exploit, there is no reason to fear the script kiddies yet.

      They did NOT say if the reason for the fix was because someone released an exploit, or if the reason for the exploit is simply to prove the vulnerability works, and was not publicly disseminated.

      Go STFU.

    2. Re:Anyone written an exploit yet? by Xzzy · · Score: 4, Interesting

      > should I, Joe Schmoe SysAdmin be afraid of the script kiddies yet?

      As soon as an exploit is publicised, yes you should.

      Since it's a local exploit it's not as bad as it could be, but I guarantee you if a rootkit didn't already exist, one is being worked on now.

      If you trust all your open services to not execute foreign code you can probably doze a bit, but that's walking on a razor's edge.

    3. Re:Anyone written an exploit yet? by irc.goatse.cx+troll · · Score: 2, Insightful

      "Just because the proof of concept exploit was created DOESN'T MEAN IT WAS RELEASED! If Linus and one other guy are the only ones with the proof of concept exploit, there is no reason to fear the script kiddies yet."

      No, but it means the exploit is valid and worth patching. It's not like a lack of code in the wild means the script kiddies don't have it, just that they're good at hiding it. If sysadmins of the world knew how long some ssh exploits were private... scary world.

      I'm assuming you're more of a windows admin, where you don't patch until you notice a new admin account named 'zer0c00l' has been created?

      --
      Pain lasts, kid. It's how you know you're alive. Sometimes I think this growing up thing is just pain management-TheMaxx
    4. Re:Anyone written an exploit yet? by ComputerSlicer23 · · Score: 2, Insightful
      There needs to be a reboot in there somewhere, otherwise you're just fooling yourself into believing it's secure because it's installed.

      I always end up rebooting manually, on glibc, ldd, and kernel security fixes. Generally pam changes too. Those are libraries that get sucked into early binaries and never get restarted. I suppose I could reboot into single user mode for everything but the kernel, but a reboot is a good idea anyways.

      Kirby

  4. Changelog by SuperDuG · · Score: 4, Informative
    List: linux-kernel
    Subject: linux-2.4.24 released
    From: Marcelo Tosatti
    Date: 2004-01-05 13:55:57

    - 2.4.24-rc1 was released as 2.4.24 with no changes.

    Summary of changes from v2.4.23 to v2.4.24-rc1

    <bjorn.helgaas:hp.com>:
    - Fix 2.4 EFI RTC oops

    <marcelo.tosatti:cyclades.com>:
    - Andrea Arcangeli: malicious users of mremap() syscall can gain privileges

    <marcelo:logos.cnet>:
    - Harald Welte: Fix ipchains MASQUERADE oops
    - Change EXTRAVERSION to 2.4.24-rc1

    <trini:mvista.com>:
    - /dev/rtc can leak parts of kernel memory to unprivileged users

    Jean Tourrilhes:
    - IrDA kernel log buster


    Sorry it just seemed a bit more informative than the "YES" reply ...
    --
    Ignore the "p2p is theft" trolls, they're just uninformed
  5. Mod parent back up please by Frothy+Walrus · · Score: 2, Insightful

    In this case, "-1, Flamebait" can be read as "The truth hurts, don't it?"

    My experience with Linux is the same as the parent poster's: patching, patching, patching if you're up-to-date with the latest 2.x version, or running a kernel from 3 years ago if you prefer stability to tinkering.

    1. Re:Mod parent back up please by ivan256 · · Score: 2, Informative

      It's also not being said enough that updates for local root exploits are practically pointless on single user systems. If you're the only one with access to your system, you don't need to apply this update, and in fact if somebody did manage to get access to such a single user system there are probably far easier ways for the attacker to gain privileges.... Like if you're in the sudoers file for example.

      The recent patches are only really important if you run a multi-user system and don't trust your users.

    2. Re:Mod parent back up please by Zapman · · Score: 3, Insightful

      Software is written by humans, and humans make errors, so software has bugs.

      All software.

      The sysadmin motto (abridged) is 'all software sucks, all hardware sucks'

      I just looked through the bugtraq archives, and found 3 local root exploits for OpenBSD in the year 2003. That's the same class of problem as was found in Linux.

      Security is a mindset, and a practice. It's not a platform.

      --
      Zapman
    3. Re:Mod parent back up please by xchino · · Score: 2, Insightful

      Yes, because we all know it's much better to sit around with known vulnerabilities for months at a time, because you are simply UNABLE to do anything about it. No one is forcing you to patch, and as this is a local exploit the need is certainly not as great for the majority of Linux users. Are you trying to imply that the better way to do it is to trust some company's code who has in the past put the very same vulnerabilities back into their OS that had been taken out in a previous update? If you hate patching so much and prefer windows binary updates, try just getting a prepatched binary kernel, install, reboot. Hell, you could go so far as to emulate windows update by randomly making calls to windowsupdate.microsoft.com and uploading sensitive information. All in all, your point is meritless and shows gross ignorance about system maintenance on your part.

      --
      Everyone is entitled to their own opinion. It's just that yours is stupid.
  6. Well... by Film11 · · Score: 2, Interesting

    This doesn't apply to me since I don't have Linux...yet. I plan to get a Knoppix cd, after all, it was on a PCFormat that came a while ago, if only I could find it. Although I know nothing about Linux, so some links to some beginner sites could be useful =\.
    Also, is Linux more secure than Windows, because I hear a fair amount of Linux security holes more than Windows, or maybe I'm just not perceptive enough.

    --
    ):
    1. Re:Well... by Anonymous Coward · · Score: 2, Insightful

      Microsoft has a lot more security issues than any typical linux distro.
      The only reason you don't hear about them so often anymore is the fact that they recently changed from a weekly patch release cycle to a monthly patch release cycle.

      That, and Automatic Updates. ;-)

    2. Re:Well... by RoLi · · Score: 4, Insightful

      Holes like elevation of privileges (like this one) cannot be used by worms since they work only when you already have access to the system. So while these bugs are bad enough, they are still not nearly as bad as the Win-RPC, or the bugs that allowed Nimda, CodeRed etc. to exist.

    3. Re:Well... by CommandNotFound · · Score: 4, Informative

      Also, is Linux more secure than Windows, because I hear a fair amount of Linux security holes more than Windows, or maybe I'm just not perceptive enough.

      All advanced operating systems can be insecure depending on configuration.

      However, regarding your specific question, you see more security exploits for Linux probably because Linux has both remote and local exploits; the vast majority are local exploits. A local exploit is usually only a concern in a multiuser mainframe-style environment where you have "trusted" users who can log in to the machine. These users can log in and use a local exploit to elevate their privileges on the machine. If the user doesn't have a login account, they do not have the opportunity to perform the exploit. Local exploits generally use buffer overflows or hijack split-second temp files to do their nastiness.

      Windows generally does not operate in a multiuser fashion, so these exploits are not as pertinent. Having written Windows software for years, I can tell that if local exploits ever become a concern for Windows (e.g. if Windows ever goes multiuser in a big way, where a local user may want to exploit the machine), almost every Windows application will have big problems with local exploits, since they have been built assuming that the local system is single-user and temp files and registry entries are assumed to be safe.

    4. Re:Well... by wasabii · · Score: 3, Interesting

      A remote exploit would be an exploit on a service such as Apache, or directly in the kernel's TCP stack. Something which would allow a user who does not have access to the machine to get it.

      A local exploit would be an exploit somebody sitting at a shell, or at the keyboard of the system itself, could use to elevate privileges he already has.

      Imagine this local exploit: A program, that runs as root, creates a temporary file in /tmp, it then reads that file, and processes the information in it. Imagine if you, a hacker, had access to that computer. /tmp is for temporary files, anybody can create files in it. You create the file in /tmp that this other program expects, and the other program reads from it, and has some sort of error (vulnerability) where you can cause it to do whatever you want. You, a normal user, just hijacked another user's (possibly root's) program. A local exploit. To exploit this, you must have access to /tmp. You must be able to run programs on the system.

      Windows does not deal with local exploits, ever. Imagine all the programs that create files in C:\WinNT\Temp. All the programs that read from registry entries. I would bet the vast majority of these could be exploited without a thought. There are probably thousands/millions of local exploits in windows. But you never see patches for them. Because nobody cares. Windows isn't designed to be "multiuser". They are trying to shove it into that role, and it won't fit. :0 Or if it fits, it will be disastrous.

      Linux on the other hand, commonly has many users. Think of shell accounts where you can telnet/ssh in, and run your programs. How many windows computers can you ssh into?

      As MS tries harder and harder to penetrate this market, the market that Unix has historically stood in, they're going to have to radically alter their development methodologies. They have no idea what sort of task they are up against. :0 It'll be fun to watch. When you develop Unix programs, just CLI or GUI programs, these kinds of conditions are always taken into consideration. I've never seen a Windows programmer even consider them.

  7. Nice by Anonymous Coward · · Score: 2, Insightful

    I don't expect I'll be switching to 2.6 until May. The 2.6.1 release is very important to me as it includes a lot of patches previously rejected by Linus. I expect by May we'll have 2.6.3 at least and this kernel will be on its way to rock solid stability. As for now, 2.4 is in maintenance mode and will only be updated for bug fixes. This is great because it will replace the 2.2 kernel in this arena. But in this limbo we are in now, 2.4 is good enough for me.

  8. Quick! by Anonymous Coward · · Score: 5, Funny

    Use Depenguinator on all the unpatched boxen! Let the revolution begin! >:)

  9. Re:HOW DO I KNOW WHAT VERSION I'M RUNNING? by Zo0ok · · Score: 2, Informative

    #uname -a ...but I guess you are a troll...

  10. patch is very small - about 2K compressed by Anonymous Coward · · Score: 2, Informative
    This is a quick and simple fix.

    patch -p1 < patch-2.4.24
    make clean dep
    make bzImage modules        # modules must be built before they can be installed
    make modules_install

    Depending on your situation, configure your boot loader - grub or lilo - to recognize the new image.
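    As an added example (not code from the thread or any poster), a small POSIX sh helper that classifies a kernel version string against the fix levels discussed in this thread, so a box can be checked before deciding whether the rebuild above is needed. It assumes the mremap() fix is in 2.4.24 and in 2.6.1 (the thread says a patch was posted against 2.6.1-rc1), flags 2.2 kernels for manual review because the thread disagrees about them, and sends vendor-versioned kernels (such as the RedHat errata builds mentioned elsewhere in the thread) to the vendor advisory instead of trusting the base number.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumptions (labelled): the
# mremap() fix is in 2.4.24 and in 2.6.1; 2.2 kernels are flagged for
# review because the thread disagrees about them; release candidates are
# conservatively treated as preceding the fixed release, so 2.4.24-rc1 is
# flagged even though the changelog says it is identical to 2.4.24.

# Print VULNERABLE, FIXED, REVIEW, VENDOR or UNKNOWN for a version string
# such as "2.4.23", "2.6.1-rc1" or "2.4.20-28.7" (constructed samples).
mremap_status() {
    kver="$1"
    # Pull the leading major.minor.patch triple; anything else is UNKNOWN.
    triple=$(echo "$kver" | sed -n 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2 \3/p')
    if [ -z "$triple" ]; then
        echo UNKNOWN
        return 0
    fi
    set -- $triple
    major=$1; minor=$2; patch=$3
    # Whatever follows the third number: empty for an upstream release.
    suffix=$(echo "$kver" | sed 's/^[0-9]*\.[0-9]*\.[0-9]*//')
    case "$suffix" in
        "")                kind=release ;;
        -rc*|-pre*|-test*) kind=prerelease ;;
        *)
            # Vendor suffix (e.g. RedHat's -28.7): the vendor may have
            # backported the fix, so the base number proves nothing.
            echo VENDOR
            return 0 ;;
    esac
    case "$major.$minor" in
        2.4) fixed_patch=24 ;;
        2.6) fixed_patch=1 ;;
        2.2) echo REVIEW; return 0 ;;
        *)   echo UNKNOWN; return 0 ;;
    esac
    if [ "$patch" -gt "$fixed_patch" ]; then
        echo FIXED
    elif [ "$patch" -eq "$fixed_patch" ] && [ "$kind" = release ]; then
        echo FIXED
    else
        echo VULNERABLE
    fi
}

# Report on the kernel this shell is running under (the release field that
# uname -a also shows).
check_running_kernel() {
    running=$(uname -r)
    echo "$running: $(mremap_status "$running")"
}
```

A VENDOR or REVIEW result is a prompt to read the distribution's errata, not a clean bill of health.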

  11. Re:Not another one by ContextSwitch · · Score: 3, Funny

    Yup, another 5 minutes down the drain.

  12. XFS Filesystem by Dibblah · · Score: 5, Funny

    AAAAAARGH!

    It's XFS. NOT XFS Filesystem. I'm gonna do something illegal to the next person that says ATM machine, too.

    1. Re:XFS Filesystem by Kenja · · Score: 4, Funny

      Just don't hurt their RAM memory or HD drive or they'll have to get new ones with money from the ATM machine.

      --
      "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
    2. Re:XFS Filesystem by leoboiko · · Score: 2, Insightful

      Maybe this widespread usage is an effort to avoid confusion (e.g. with XFS fonts or ATM networks)?

      --
      Prescriptive grammar:linguistics :: alchemy:chemistry. Stop being a nazi and learn some science.
    3. Re:XFS Filesystem by AKnightCowboy · · Score: 5, Funny
      I'm gonna do something illegal to the next person that says ATM machine, too.

      Isn't that the thing where you type in your PIN number?

    4. Re:XFS Filesystem by SirCrashALot · · Score: 3, Insightful

      XFS is also the X font server.....

    5. Re:XFS Filesystem by isj · · Score: 3, Funny

      I always thought that XFS was some sort of an integrated IC circuit.

    6. Re:XFS Filesystem by mark-t · · Score: 3, Funny
      I'm gonna do something illegal to the next person that says ATM machine, too.
      My curiosity got the better of me...

      "ATM Machine".

      Okay... what are you gonna do to me?

    7. Re:XFS Filesystem by Hard_Code · · Score: 3, Funny

      download your mp3s?

      --
      It's 10 PM. Do you know if you're un-American?
    8. Re:XFS Filesystem by Anonymous Coward · · Score: 2, Informative

      I think it's "special weapons and tactics"

    9. Re:XFS Filesystem by dietz · · Score: 2, Insightful

      XFS is not incorrect. XFS is not an acronym, even if you want it to be. XFS is the name of the file system. You can not expand it out and talk about the "X File System", even if you wanted to, because that's not what it's called.

      It's the filesystem named "XFS". Or, to put it another way, the XFS file system.

    10. Re:XFS Filesystem by Elwood+P+Dowd · · Score: 3, Informative

      "Special weapons and training" yields 42 google hits, while "special weapons and tactics" yields 17,000.

      I'd say you've got the accepted definition.

      --
      There are no trails. There are no trees out here.
    11. Re:XFS Filesystem by DavyByrne · · Score: 3, Funny

      Isn't that the thing where you type in your PIN number?

      PIN number is quite a mouthful. I usually abbreviate it `PINN'.

    12. Re:XFS Filesystem by TheScienceKid · · Score: 3, Interesting

      It's sgi's eXtended File System.

    13. Re:XFS Filesystem by squidfood · · Score: 2, Funny
      PIN number is quite a mouthful. I usually abbreviate it `PINN'.

      That's not very descriptive to me though. To help, why not make it PINN Number?

    14. Re:XFS Filesystem by pclminion · · Score: 2, Informative
      I don't know what you thought SWAT stood for, but none of the words are "team".

      No, that's the sanitized version of the acronym. SWAT originally meant Special Weapons Attack Team, but the acronym was quickly changed, probably for reasons of political correctness, to "Special Weapons and Tactics."

      Similarly to how they renamed the NMR machine to MRI, because people didn't feel comfortable stepping into a nuclear magnetic resonance device.

      Anyway, "SWAT team" is redundant.

    15. Re:XFS Filesystem by Cat_Byte · · Score: 4, Funny

      I smell another slashdot poll.
      Most annoying acronyms:
      a) NIC card
      b) Compact Disk disk
      c) VIN number
      d) ATM machine
      e) Cowboy Neal Neal

      --
      Two roads diverged in a wood, and I - I took the one the bus load of girls just went down.
    16. Re:XFS Filesystem by Eristone · · Score: 3, Funny

      Actually HD Drive is correct. HD stands for HardDisk. Now if you said HDD drive then heads would be rolling. I'm not going to even mention the rest of your comment ;)

      Shouldn't that be heads would be crashing? (duck. run.) :)

  13. This is why I love free (as in beer) software... by bc90021 · · Score: 2, Funny

    ...not only is there a fix already, but I didn't have to badger anyone to get it - it was announced! Off to emerge my new kernel... ;)

  14. Can't Wait! by gillbates · · Score: 3, Insightful

    For the Microsoft trolls to pick this one up.

    Is this just more proof that Linux was built by amateurs? Or wait - I know - that Linux can't be trusted because the source code is open.

    Now, for those who think I'm serious, think about it for a moment. Slashdot hypes up every single MS vulnerability as "proof" that MS systems are inherently insecure. And I wouldn't disagree that MS systems are insecure. But discovering a single (or a few) vulnerability doesn't make an OS insecure.

    What it comes down to is vigilance and design. The numerous security holes in MS products are a result of bad design, not merely a mistake or two. And this is the big difference between this vulnerability - a mere isolated mistake - and Microsoft's complete lack of engineering which ensures that their software _will_ have security holes.

    Okay, flame away Microsofties!

    --
    The society for a thought-free internet welcomes you.
    1. Re:Can't Wait! by TWX · · Score: 3, Insightful

      Not only that, but Open Source/Linux tends to state specifically what the problem is, where to see it, and what the exact fix as code is, versus just relying on some international megacorporation to release a binary-only patch that one has to trust doesn't contain any more report-ware or additional bugs.

      Even with Linux's problems, I'll take it any day over MS OSes. At least Linux developers are honest about their mistakes.

      --
      Do not look into laser with remaining eye.
    2. Re:Can't Wait! by Meat+Blaster · · Score: 2, Interesting
      I'm not backing Microsoft, because how much is it worth being comparatively secure to another product (they've got three remote-roots and we've only got two!).

      I'm still convinced that a closed-source competently-designed operating system will be, on the whole, less vulnerable than an open-source competently-designed operating system. The theoretical million eyes on the source isn't worth as much as it (used to be) hyped, because you're not talking about a million security professionals and you're really talking about maybe a thousand eyes on different parts of the code.

      I'm still more comfortable with Linux than Windows, and not just because of security concerns, but I'd be much more convinced of the security benefit if there were more eyes looking proactively for things like this.

    3. Re:Can't Wait! by pballsim · · Score: 3, Insightful

      Personally I believe this shows that people are making the software and people make mistakes. Some mistakes are more stupid than others.

      I remember an exploit in the apache code where, when they received an image that was bigger than their buffer, they doubled the size of the buffer (ONCE!). (This was in November, not sure if they fixed it).

      I think this should just make the Linux and Microsoft and whatever communities be more humble and stop some of these flame wars.

      Linux/Unix/Microsoft all have their advantages and disadvantages. Both have great programming and weak programming. They all strive for the same goal, to make it easier for users to use computers. Linux/Unix was originally designed for programmers, Microsoft was originally designed for business people. They both are working on going to the other side.

    4. Re:Can't Wait! by NanoGator · · Score: 3, Insightful

      "Is this just more proof that Linux was built by amateurs? Or wait - I know - that Linux can't be trusted because the source code is open... Now, for those who think I'm serious, think about it for a moment. Slashdot hypes up every single MS vulnerability as "proof" that MS systems are inherently insecure. And I wouldn't disagree that MS systems are insecure. But discovering a single (or a few) vulnerability doesn't make an OS insecure."

      So doesn't it stand to reason then that the 'Microsoft Trolls' are simply giving you a taste of your own medicine? If Slashdot weren't out to sensationalize Microsoft at every turn, you wouldn't have to deal with 'Microsofties' forcing you to eat a bit of humble pie when these things come along.

      In short: People in glass houses...

      --
      "Derp de derp."
  15. (no subject) by lcde · · Score: 4, Funny

    unsubscribe linux-kernel

    --
    :%s/teh/the/g
  16. Argh, just finished 2.4.23 went back from 2.6 by Anonymous Coward · · Score: 2, Interesting

    2.6 seemed pretty good to me, except one thing: I play games like enemy territory and map times just kept getting longer and longer as I played. Only shutting down et and restarting solved it. On 2.4 the maps load at about 20-30 secs, in 2.6 it would start at that and keep getting longer, last map was over 2 minutes until I was disconnected from server.

    I tried 2.6.1rc1 and with the -mm patch. Same thing. So now I'm back with 2.4.3. But in last few versions of the 2.4 series I get extreme slowdowns when using my psx pad on my lpt port. This worked fine in 2.6 and in much older kernels in the 2.4 series.

    I was just looking at the gamecon.c file for 2.6 and comparing to 2.4 and noticed a PSX_DELAY value was different. I modified it to 2.6 value but same thing.

    Anyone knowledgeable on this stuff tell me is it safe to use the gamecon.c from 2.6 for 2.4? Or why I would get these load times issues with 2.6?

    1. Re:Argh, just finished 2.4.23 went back from 2.6 by YellowSubRoutine · · Score: 2, Insightful

      Sounds like you're running your X window system with a nice value. Handy trick for better responsiveness in 2.4, but lethal in 2.6.

      Nice values *really* make a difference in 2.6

    2. Re:Argh, just finished 2.4.23 went back from 2.6 by Anonymous Coward · · Score: 2, Interesting

      Run top and make sure it doesn't say -10 or anything other than 0 for X's nice value. If it does say -10 or something, you'll need to find what script or config file is setting it and change it to 0 for 2.6.

    3. Re:Argh, just finished 2.4.23 went back from 2.6 by adrianbaugh · · Score: 2, Insightful

      Slashdot is probably not the best forum to get a timely response from the maintainers of the relevant parts of the kernel or X. Perhaps you should file a bug report in a more appropriate place?

      --
      "'I pass the test,' she said. 'I will diminish, and go into the West, and remain Galadriel.'"
      - JRR Tolkien.
    4. Re:Argh, just finished 2.4.23 went back from 2.6 by Per+Wigren · · Score: 3, Insightful

      $ man nice

      On kernel 2.4 and earlier, you usually gave the X-server a negative nice-value to give it higher priority, which led to somewhat better responsiveness. But the 2.6-kernel has a new rewritten scheduler (?) that detects if the process is interactive or not and handles them differently to make interactive apps more responsive while giving non-interactive apps more throughput. By renicing the X-server you fool the kernel into not making use of this and thus get a much less responsive X desktop.
      If you just compiled and installed the 2.6 kernel on a 2.4 distro that is not 2.6-ready you'll have to muck with the X startup-scripts to remove the nice/renice-stuff to make use of the great 2.6 desktop-features.

      --
      My other account has a 3-digit UID.
  17. *raises eyebrow* by Faust7 · · Score: 2, Insightful
    Joe Schmoe SysAdmin

    Isn't that an oxymoron?

    ...

    Well, it should be.

  18. RedHat fixed orphaned versions by Kalak · · Score: 5, Informative

    Possibly due to the fact that the last kernel fix was a week ago, or just that the patch is minor, or because RH is being kind to those of us who still have reasons to run RH 7.3 just yet, but look to RH for a kernel update if you need one for 7.x and 8 which are unsupported in 2004. Thanks RedHat. Saved me a panicked kernel decision. I desperately didn't want to return from a vacation to a timetable jump of a few weeks.

    --
    I am, and always will be, an idiot. Karma: Coma (mostly affected by .hack)
  19. Re:In Linux... by Nasarius · · Score: 3, Insightful

    Uh, right. "make bzImage" actually takes a couple minutes on any decently fast computer. You don't need to rebuild all the modules, and even that will take much less than an hour unless you're running ancient hardware.

    --
    LOAD "SIG",8,1
  20. Re:Redhat 7.3 updates? by Spoke · · Score: 2, Interesting

    Fedora Legacy isn't quite up and running yet, but RedHat released errata RPMs for RedHat 7.x, 8.0 and 9. If you read the archives of the Fedora Legacy list, you will get a good idea of the state of the project.

  21. Re:Not another one by Vlad_the_Inhaler · · Score: 4, Funny

    what 'work'?
    how long does it take you to prepare a kernel-upgrade?

    --
    Mielipiteet omiani - Opinions personal, facts suspect.
  22. Even the multi-user functions of today... by Kjella · · Score: 4, Insightful

    Having written Windows software for years, I can tell that if local exploits ever become a concern for Windows (e.g. if Windows ever goes multiuser in a big way, where a local user may want to exploit the machine), almost every Windows application will have big problems with local exploits

    ...are pretty much only for convenience, that is to keep user settings and such separate among a group of mutually trusted users (like say, a family). There's not much in terms of real security.

    That users created at install time default to admins with no passwords only goes to prove that even more. Which is fine, as long as a) no one unauthorized can get to the machine and b) all the users trust each other.

    On the other hand, local exploits are a grave concern in many settings, say for example a university where each student has a local account. So they should by no means be taken lightly, even if they don't produce worms.

    Kjella

    --
    Live today, because you never know what tomorrow brings
  23. RHN has new kernels for RH 7.1 to RH 8.0 by Erik_ · · Score: 3, Informative

    RedHat Network has patches for RH 7.3. From the RHN Errata page : "We have provided kernel updates for Red Hat Linux 7.1-8.0 with this advisory as these were prepared by us prior to December 31 2003. Please note that Red Hat Linux 7.1, 7.2, 7.3, and 8.0 have reached their end of life for errata support and no further errata will be issued for those distributions."

  24. But that's not the real problem. by Ungrounded+Lightning · · Score: 3, Interesting

    In Linux... (Score:-1, Troll) you have to spend 4 hours recompiling your kernel for stuff like this.

    In Windows, you just install a small binary patch that takes less than a minute.

    A few months later when/if they get around to releasing the small binary patch. B-)

    But there IS a real problem - at least as of the last version of RedHat I installed. (And I'm presuming the same is true with other "commercial-grade" distros, so somebody PLEASE let me know if there's one where this is NOT true.)

    In Linux the commercial distributions make it easy to do an initial install - once. But the included documentation doesn't tell a newbie how to compile and install a new kernel. Or how to download a kernel patch (unless, MAYBE, if he figures out it might be needed and digs deep and hard for it).

    With Red Hat:

    - The install tools are all directed at getting him from bare (or windows-loaded) machine to login prompt.

    - The phone support included with the distro (before the recent policy changes at least) stops when you get installed to where you have a login prompt.

    - The admin tools are essentially all directed at tuning that initial install. (Exception is rpm - with some of the most convoluted manual pages I've seen in a long time. But even that leaves him in the same position as a Windows user - waiting for an RPM patch.)

    Source included but NO documentation on how to build from source. The nicey-nice admin tools make it worse, by hiding what's going on from the user so he has NO clue what's going on behind the pretty GUIs.

    I'll believe Linux is ready for prime-time when the distro documentation includes:

    - A keystroke-by-keystroke walkthrough of applying a patch.

    - A keystroke-by-keystroke walkthrough of building and installing a distribution-equivalent kernel from source (so the user has a trusted baseline from which to make ONLY the changes he intended).

    - Explanations of the configuration-file twiddling done by the admin tools - broken down by GUI page.

    Anything less leaves him in a position much like a windows user - dependent on the vendor or a consultant. Unable to make his own changes (beyond config-tool knob-twiddling) without a long learning process (much like becoming an MCSE) because any change he makes might shatter his configuration beyond his own ability to recover (short of a reinstall from scratch).

    Yes, with Linux you can learn this stuff without having to go buy a monopoly's school supplies. But at least Microsoft understands that a user has other things to do than become a guru. Linux distro providers and hackers, on the other hand, seem to have forgotten the learning curve they climbed.

    Linux is still in the model-T / hot-rodder stage. Versus, say, Microsoft, which has advanced to black-box engine control / recall and dealer-fix stage. (Except that the recalls are too few and too often not-free. Unlike the "big three" plus foreign competition, a dissatisfied customer can't dump the latest in a series of lemons and switch to a competitor's functionally-equivalent peach.)

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  25. "Bugs"? by spitzak · · Score: 2, Insightful

    The title of the article says "Root Vulnerability"!

    Anybody with any rudimentary knowledge knows that this is about the worst possible thing they could say. They did not even say "Local Root Vulnerability" which they could have.

  26. Can anybody explain... by Avian+visitor · · Score: 2, Interesting

    If the only changes from 2.4.23 to 2.4.24 were some "minor" bug fixes, why do I see such a big difference in the size of the kernel binary?


    -rw-r--r-- 1 root root 667113 Dec 1 22:44 vmlinuz-2.4.23
    -rw-r--r-- 1 root root 713946 Jan 5 18:53 vmlinuz-2.4.24

  27. Re:How do you patch? by pr00f · · Score: 2, Informative

    cd /usr/src/linux-2.4.23 ; patch -p1 /path/to/patch.diff

    Recompile and off you go.

  28. Re:How do you patch? by demi · · Score: 5, Informative

    Okay:

    1. Download patch to /usr/src
    2. cd /usr/src (since that's where you say your linux-2.4.23 is)
    3. bzip2 -dc patch-2.4.24.bz2 | patch -p0
    4. mv linux-2.4.23 linux-2.4.24
    5. cd linux-2.4.24
    6. Now build and install your kernel as you like it, just as you would from the virgin tarball (make depend; make however you make your kernel and modules).

    Hope that helps!

    --
    demi
  29. Re:How do you patch? by pr00f · · Score: 2, Informative

    Damn. < got removed. Sorry.

    patch -p1 < /path/to/patch.diff
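
The -pN number in the recipes above is the part that trips people up: it is how many leading path components patch strips from the file names in the diff headers, which is why demi's recipe run from /usr/src uses -p0 while pr00f's, run from inside the source tree, uses -p1. As an added illustration (not code from this thread or from patch(1) itself), here is a minimal Python applier for a single-file unified diff that shows both the strip rule and the context check that makes patch refuse a tree that has already been patched; the Makefile snippet and the diff are constructed samples.

```python
# Constructed sample: the version lines at the top of a 2.4.23 Makefile.
MAKEFILE = """\
VERSION = 2
PATCHLEVEL = 4
SUBLEVEL = 23
KERNELRELEASE=$(VERSION).$(PATCHLEVEL).$(SUBLEVEL)$(EXTRAVERSION)
"""

# Constructed sample diff in kernel.org style (old-tree and new-tree names).
PATCH = """\
--- linux-2.4.23/Makefile
+++ linux-2.4.24/Makefile
@@ -1,3 +1,3 @@
 VERSION = 2
 PATCHLEVEL = 4
-SUBLEVEL = 23
+SUBLEVEL = 24
"""

def parse_patch(text):
    """Single-file unified diff -> (old file name, [(old start line, hunk lines)])."""
    old, hunks = None, []
    for line in text.splitlines():
        if line.startswith("--- ") and old is None:
            old = line[4:].split("\t")[0]
        elif line.startswith("@@ -"):
            hunks.append((int(line[4:].split(",")[0].split()[0]), []))
        elif hunks and line[:1] in (" ", "-", "+"):
            hunks[-1][1].append(line)
    if old is None or not hunks:
        raise ValueError("not a unified diff")
    return old, hunks

def apply_patch(source, patch_text, p):
    """Apply like patch(1): -pN strips N leading path components from the header
    name; every context or removed line must match the tree. Returns (name, text)."""
    old, hunks = parse_patch(patch_text)
    src, out, pos = source.splitlines(), [], 0
    for old_start, lines in hunks:
        out.extend(src[pos:old_start - 1])   # untouched lines before the hunk
        pos = old_start - 1
        for ln in lines:
            tag, body = ln[0], ln[1:]
            if tag in " -" and (pos >= len(src) or src[pos] != body):
                raise ValueError("hunk does not apply at line %d" % (pos + 1))
            pos += tag in " -"               # consumed one line of the old tree
            if tag in " +":
                out.append(body)
    out.extend(src[pos:])
    return "/".join(old.split("/")[p:]), "\n".join(out) + "\n"
```

Running apply_patch(MAKEFILE, PATCH, 1) yields the name "Makefile" and a tree at SUBLEVEL 24; running it again on the result raises, which is the same refusal real patch gives when a hunk's context no longer matches.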

  30. Kernel patches as modules? by Ktistec+Machine · · Score: 5, Interesting
    Hi folks,

    I remember, back when the last ptrace bug was found, some kind soul created a kernel module that (a) renamed the current ptrace function to something else and (b) implemented a new wrapper function that first checked to see if you were root, before deciding whether to call the old ptrace. Slick!

    I'm surprised this sort of workaround hasn't been done for other kernel bugs. It seems it wouldn't even have to be a workaround. A module could actually provide a new, repaired version of the buggy routine. Couldn't it?

    I can imagine insmoding a list of "kernel-fix" modules at boot time. Then, every once in a while, I'd upgrade my machines to a new kernel, but without the urgency of getting a new kernel installed RIGHT NOW! to fix a small (code-wise) security problem.

    1. Re:Kernel patches as modules? by Anonymous Coward · · Score: 4, Informative
      I remember, back when the last ptrace bug was found, some kind soul created a kernel module that (a) renamed the current ptrace function to something else and (b) implemented a new wrapper function that first checked to see if you were root, before deciding whether to call the old ptrace. Slick!

      Modules (or really any third-party code regardless of method be it /dev/kmem or modules or whatever) having access to the syscall table of a running kernel is (1) evil, (2) nonportable - it won't work on many of our architectures, and (3) likely to become even harder as the kernel gurus try to defeat people doing stupid things like this.

      BTW, this also affects things like (why would you need this?) realtime virus scanners that hook syscalls. Please, don't do this. If the argument is that you need the machine to stay up because it's too important to reboot for a patch, then you definitely should not be inserting modules that *intentionally overwrite important chunks of kernel memory* because if there's the slightest thing wrong, your machine will either crash or begin to do bizarre things. You could end up with data corruption and/or loss for an extended period before you even realize it. Do not do this. It is not what you want. Believe me.

  31. Trademarks are adjectives by tepples · · Score: 2, Informative

    Even so, "New Technology" is a name for that technology.

    No. "Windows NT" is a trademark. The law recommends using trademarks and service marks as adjectives. Even if the mark consists of initials, one of which would expand to a generic term for the product (such as "FS" in "XFS" or "T" in "NT"), the law still recommends following the mark with a spelled-out generic term.

  32. Re:Proof-of-concept exploit code for x86 by devine10 · · Score: 2, Informative

    It means your kernel is vulnerable. Writing an exploit that yields root privileges is much harder though.

  33. Apparently Inquirer worse than brain dead monkey by moncyb · · Score: 2, Interesting

    Arrgh! Not more people who just count the number of vulnerabilities! I just skimmed that article, but it looks like crap to me. Standard Microsoft trolling, nothing else.

    Don't listen to anyone who claims something is more secure based on the number of vulnerabilities. I bet if you look at all the "vulnerabilities" counted for Debian, most of them were for crap you'll never use (they seem to have every single little open source project ever made) or something stupid like "users can manipulate the high score file of some lame obscure video game." You have to look at what the vulnerabilities are.

    You should also take into consideration whether or not the organization in charge will disclose all vulnerabilities they know about. Debian is very open, they probably couldn't keep such things a secret if they wanted to. Also, I think Debian has far more packages than any other Linux distro (certainly far more software than MS ever put out), so obviously they are going to discover more problems.

    When I hear someone say a MS product is more secure than anything, my bullshit meter flies off the dial. Maybe something written by a ten year old script-kiddie. ...or something deliberately botched. I buy the statement something made by IBM or HP would be more secure (especially considering those projects are probably more mature), though obviously anything written by that reporter can't be trusted, and merely listing the number of disclosed vulnerabilities doesn't mean anything.

    This is total crap (emphasis mine):

    The other significant feature [talking about the three most "secure"] of these operating systems is the language in which they are written. The two from IBM are both written in assembler...

    C and similar languages that use pass-by-value techniques are exceptionally prone to buffer overflow... Avoiding the use of these languages at the most vulnerable points, namely user I/O and network I/O, would appear to be wise. Linux, Unix and Windows are almost entirely written in C, and most of their middleware and application software is also in these vulnerable languages, so it should come as no surprise that they are less secure than OpenVMS, OS/400 and zOS.

    Does this guy know what assembly language is???? It doesn't have any sort of bounds or type checking at all---well unless it is built into the processor design (I am not familiar with mainframe CPUs), and if it is, a C compiler written for that processor will most certainly use those features too.

    Also, looking at the table, they included OS 9. Does that version even have a filesystem permission system or a concept of users? Why don't they just include Win98 too. That's like saying "the building uses empty frames instead of doors. We didn't find any problems with the locks, therefore the building must be secure."

  34. Re:we got r00t, d00d!!! by Anonymous Coward · · Score: 2, Insightful

    Seems to me, those eyes just found something...

  35. Re:we got r00t, d00d!!! by MrNybbles · · Score: 2, Insightful
    if they can physically gain access to the computer. This is what this linux bug entails.

    Sigh. Once again, let me explain something to all you pseudo-expert security n00bs here: If somebody can get physical access to your computer, you have already lost. If I can gain physical access to a linux server, I could just unplug it and remove the hard drives. Wow, a security breach that only took me five minutes! Not only that, but my 'exploit' is platform independent, too. Since I have posted it here, I'll throw you a bone and make it an 'Open Source' exploit.

    I think you are missing the point. These people are not worried about someone walking in and taking hardware, they are worried about someone sneaking into the system and using it as a zombie or stealing information without anyone knowing about it.

    You also missed the obvious: this bug can, in theory, be exploited remotely given the right kind of access.

    I wonder how long the exploit that r00ted Caldera was in the wild for?

    It doesn't really matter how long the bug/exploit existed. What matters is how big of a problem the exploit is and how fast it is fixed. Microsoft tends to take forever to fix its bugs and it doesn't always do that right. Some patches would undo other patches and one of my friends ran Windows Update and it broke his ability to connect to the Internet.
    To take advantage of the mremap() syscall bug a person would either need to be able to run an executable on the Linux Box or be able to get some poorly written program to do it. And what business do most programs have calling mremap() anyway? This is not an easy bug to exploit. I would say that this exploit is not that big of a problem for most people and was fixed quickly. For people running a system where the admin was stupid enough to give untrustworthy people a login account or somehow the ability to run executables, well, they should have been expecting something bad to happen.

    But since you guys tout how supposedly secure Linux is over Windows, . . .
    Why the hell are you comparing a Kernel to a collection of Operating Systems and Operating Environments (Windows 3.X 9X are not actually operating systems) ?!? Most of the exploits of a Linux Distro are from the third party packages. I don't ever remember seeing anyone faulting Microsoft for a security hole in Windows caused by some third-party software. That Caldera exploit was most likely in a distro package, not Linux. Please get your terminology down before you pretend to know something.

    Almost makes one want to take their head out of the sand and look at the REAL world!

    Yah, and guess where your head is stuck? I'll give you a hint, it's not the sand. :p

    "Windows is better because. . .. Linux is better because. . . Mac is better because. . . Whoever sets the terms of the argument always wins (unless that person has no idea how to argue correctly)" -- MrNybbles

    --
    Losing faith in humanity one person at a time.
  36. Re:we got r00t, d00d!!! by MrNybbles · · Score: 2, Insightful
    Nice FUD, security n00b. Like all good FUD, it's heavy on anecdotes and light on facts.

    I took the time to tell you what was wrong with your arguments and even quoted your post for easy reference and the best you can do is call me a noob and say I am light on the facts. Do you blow everyone off that way or just the people you can't reply to with a solid argument?


    First of all, what I wrote is not FUD. At most it would be misinformation and what I wrote is not even that. How could what I have said put Fear, Uncertainty, or Doubt into anyone that is unjustified. Did I say anything that you can prove is a lie? Back up what you have said.


    Second, I am not a security newbie, and am not a noob. If you disagree then define what a newbie or noob is and say why I fit that description. Back up what you have said.


    Third, FUD is usually not anecdotes but lies and half truths. Also, what I posted in my last reply is not an anecdote but an example. An anecdote is the telling of an interesting or humorous incident. My friend losing the ability to connect to the Internet was not funny.


    Fourth, Microsoft left many security holes unpatched causing lists such as http://www.pivx.com/larholm/unpatched/ to be made. Unfortunately it looks like Microsoft talked them into taking down the list.


    Microsoft Refuses To Fix NT 4.0 Exploit

    http://slashdot.org/article.pl?sid=03/03/27/1930256&mode=thread&tid=201&tid=128&tid=172

    Okay, so when was the last time you saw the Linux Kernel people or the GNU people refuse to patch a known exploit?


    I also pointed out that the Linux Kernel exploit could be done remotely, something that you had totally missed.


    Does anyone else see the irony of Ms t0ny accusing me of being light on facts and yet backing up nothing that she has said?


    Windows is not perfect. Linux and Gnu software is not perfect. Apple products are not perfect. If someone made a lean, efficient OS that did everything, was secure and never screwed up I would buy it. I am still looking.


    Okay, now that I have thrown a few facts your way, do you have the balls to refute or apologize?

    --
    Losing faith in humanity one person at a time.