New Linux Kernel Vulnerability
Stop Or I'll Noop writes "Paul Starzetz writes, "A critical security vulnerability has been found in the Linux kernel memory management code inside the mremap(2) system call due to missing function return value check. This bug is completely unrelated to the mremap bug disclosed on 05-01-2003 except concerning the same internal kernel function code." Full scoop here."
Update: 03/07 20:53 GMT by T : This vulnerability (and fixes) were mentioned briefly in an update to this earlier posting.
looked at in great depth just recently, after a critical vulnerability was found. A few weeks go by and another hugely important hole is found...
Now I know the consequences of a problem bear little relation to its root cause, but I am a little surprised at how this managed to find its way through all these eyes looking at the offending code a week or so ago. Actually making it work as a security hole looks to be reasonably complex, (which may be why it wasn't found, I guess), but if one piece of code can have 2 major vulnerabilities in as many weeks, maybe it's time to start worrying about when Linux *does* take over the desktop...
I thought the automated 'Stanford Checker' (sp?) was ideal for this sort of problem? (Where the returned value from a function is ignored...) Perhaps it was flagged up but took some in-depth analysis for the kernel developers to realise it really was a problem...
So, is this a master-stroke of the development model, with various people around the world all individually checking code and Hey! Someone found something, or is it a "failure" where all those people missed it the first time around, and it's a pure fluke it was found now.... I'm still not sure, but I'll give the benefit of the doubt to the model - hey, it's been fixed!
Simon
Physicists get Hadrons!
second post
first post too late
but second post just on time
not quite first post
close enough for second post
I swear allegiance to the cult of foo bar.
Wasn't there a (third) problem with mremap back around summertime too? These all sound like barebones, common mistakes. Who is contributing this source? Was it all the same person? Maybe we should be checking his/her code a bit more closely!
Sig.
Which kernels are affected?
Piethein Strengholt
Get windows CD
Boot
Install
bah
Computers are like air conditioners.
- They stop working when you open Windows.
I really did not want to spend my Sunday patching kernels.
huu dupe? that thing was released over a week ago!
Apparently, only .sigh.
Roses are #FF0000, violets are #0000FF, all my base are belong to you
This is the same vulnerability that was disclosed a few weeks ago. The advisory was updated on March 1st to include exploit code.
After all, if they can expect people to license Linux from them, they should be providing support.
...I'm going to have to patch the kernels on the Debian servers and reboot again?
That'll be the third time in as many months.
My operat~1 system unders~1 long filena~1 , does yours?
In Linux it's a bug...
In Windows it's a feature.
Do I laugh or do I cry? ...
just when I had finished compiling 2.4.25 on my systems..
Did I read the security bulletin correctly, but would grsec and limited per-user virtual memory still not render this exploit harmless?
Just compare the time and effort putting together the 3 page write up on the bug to the cost of reviewing and fixing the code in question when it was originally written. I believe the study that found that once the bug leaves the development shop to go to consumers it costs $9000 per line to fix. It's as true in open source as it is for closed source.
So we can get back to bitching about Windows' security flaws :D
Oh really? I have been running 2.4.25 on all my systems for two weeks already - since the first advisory. Patch or be patched.
You can defy gravity... for a short time
Seems like none of the current releases are affected by this anyway. Ref. the article:
Only version: 2.2 up to and including 2.2.25, 2.4 up to and including 2.4.24, 2.6 up to and including 2.6.2
-jmoen-
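A check of a `uname -r` string against the affected ranges quoted in this post, as an added example that is not code from the advisory or from anyone in the thread. The verdict labels and the vendor-suffix handling are my own; a vendor kernel such as the thread's 2.4.21-192-athlon may carry a backported fix, so for those the vendor changelog decides, not this check.

```python
import re

# Affected ranges as quoted in the thread from the advisory:
# 2.2 up to and including 2.2.25, 2.4 up to 2.4.24, 2.6 up to 2.6.2.
# Maps (major, minor) series -> last affected upstream version.
AFFECTED_MAX = {
    (2, 2): (2, 2, 25),
    (2, 4): (2, 4, 24),
    (2, 6): (2, 6, 2),
}

# Leading X.Y.Z of a release string; anything after it is a vendor or
# -rc/-bk suffix (e.g. "2.4.21-192-athlon", "2.6.4-rc2-bk3").
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_release(release):
    """Return (major, minor, patch) from a `uname -r` string.

    Raises ValueError if the string does not start with X.Y.Z.
    """
    m = _VERSION_RE.match(release.strip())
    if not m:
        raise ValueError("unrecognised kernel release: %r" % release)
    return tuple(int(x) for x in m.groups())


def vendor_suffix(release):
    """Return the distribution-specific suffix, if any (e.g. '-192-athlon')."""
    m = _VERSION_RE.match(release.strip())
    return release.strip()[m.end():] if m else ""


def in_affected_range(release):
    """True if the upstream version number lies inside an affected range."""
    major, minor, patch = parse_release(release)
    ceiling = AFFECTED_MAX.get((major, minor))
    if ceiling is None:
        return False  # series not named by the advisory (2.0, 2.3, 2.5, ...)
    return (major, minor, patch) <= ceiling


def assess(release):
    """Classify a release string for an admin checklist (labels are mine).

    'affected-upstream'  version number is inside an affected range
    'fixed-upstream'     version number is past the fix in its series
    'not-listed'         series not named by the advisory

    A vendor kernel (non-empty vendor_suffix) reporting 'affected-upstream'
    means "check the vendor changelog for CAN-2004-0077", not "vulnerable":
    distributions backport fixes without bumping the upstream number.
    """
    major, minor, _patch = parse_release(release)
    if (major, minor) not in AFFECTED_MAX:
        return "not-listed"
    return "affected-upstream" if in_affected_range(release) else "fixed-upstream"


if __name__ == "__main__":
    import platform
    rel = platform.release()
    note = " (vendor kernel, consult changelog)" if vendor_suffix(rel) else ""
    print("%s: %s%s" % (rel, assess(rel), note))
```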
Slowly but surely as Linux is getting more mainstream it seems the same kind of holes that perpetually plague Windows exist in Linux as well.
It might be time to take a page from the MS book and take a few weeks for a full line by line audit.
Kernel 2.6.4-rc2-bk3: Never, I'll Never turn to the Dark side, I'm open source...like my father before me.
Bill: So be it, open source
Bill: if you will not be turned, you will be destroyed (shooting purple lightning bolts)
Bill: You will pay the price for your lack of vision
Kernel 2.6.4-rc2-bk3: Linus please (in agony).
.....to be continued
I await my -5 (Troll)
How does one go about patching his kernel, pray tell?
You can run but you can't hide, except, apparently, along the Afghan-Pakistani border.
Local, not remote.
In general: If an attacker has local access or can gain the equivalent by using a remote access tool, a local exploit can be a problem.
So, personally I'm not too worried though others with different types of users or configurations might have a high level of concern.
A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
remember the solaris local root exploit earlier this week? remember how the linux/bsd fanboys smirked incessantly?
*smirk* right back at you, baby.
This is why 2.6.3 was released, as discussed in this slashdot story from the 18th of Feb. The date on the linked article is March 1 - this is a second document on the same vulnerability that gives more details. It was not released at the time to give people a chance to patch.
Blaming GW Bush for the Iraq war is like blaming Ronald McDonald for the poor quality of food.
actually this vulnerability was announced on 18. feb. 2004 by isec (see http://lwn.net/Articles/71682/).
isec just waited some weeks until they released the exploit...
Is that supposed to be funny, or are you just fucking ignorant?
Last I checked, I don't think I've ever had a VBScript virus infect my Linux box.
Maybe you need to take that page and shove it back up whatever orifice you pulled it out of.
Could someone please say what this vulnerability is in English? That article made my head hurt.
Jay | http://oldos.org
And with a 25 year history of UNIX behind it, it is "surprising" to say the least.
And how do you avid windows-baiters react to it? How come you hypocrites just blow Windows bugs out of proportion while attempting to cover up Linux kernel holes?
With just a 6 year history behind it I think Windows has come a far way from Linux (what it was when a 6 year old).
Moral: People in glass houses should not throw stones: So you UNIX/Linux guys just suck up and keep quiet instead of baiting Windows hereafter.
So, which ones are exploitable?
Thanks.
The date in the original threw me - I'm not from the US, and the month/day/year order just makes them damned hard to grok. It looks very much like this *was* the same problem as a few weeks back...
Simon.
[Posted no-karma etc. yadda yadda...]
...and my computer is turned off right now. For once, my system is more secure than yours. Take that, Linux zealots! Ha ha!
Let's face it, Michael Moore is an idiot and we should take back his Oscar. Where does he get off calling our President fictitious...moreover, sending a quarter of a million troops into war for "fictitious reasons."
Moore along with the Dixie Chicks, should pack their bags and make a beeline for the nearest communist country. Their personal attacks on our beloved President are cowardly and utterly disrespectful.
Mr. President Bush, if you ever read this article, take peace in knowing that while the majority of Hollywood is not taking sides with you, the majority of America supports your cause as it is in the best interest of national security. God Bless your soul, God Bless the troops in Iraq, God Bless America!
I'm glad I voted for you. And just in case if any of you out there are wondering what party I am? I'm not a republican, but an independent.
Remember, most of what Moore says are lies. Including elements that are included in his movies. To find out the truth please visit MOORE WATCH.
When a Windows vulnerability is patched, it is proof that closed source software is evil.
When a Linux vulnerability is patched, it is proof that open source software is wonderful.
I hope when this guy is finished with mremap that he is continuing with other functions :).
From an administrative view it would have been much nicer if he would have released his findings after he finished the complete code review.
Otherwise, code review is not a very rewarding task, so there's no reason to accuse this guy.
This story is old.
Version: 2.2 up to and including 2.2.25, 2.4 up to and including 2.4.24, 2.6 up to and including 2.6.2
2.6.3 and 2.4.25 have been out a while. This is _not_ a new vuln. All this will accomplish is a bunch of idiots saying "see, linux is insecure".
what was that noise?
that was the sound of 1 million script kiddies around the world coming in their pants
SURELY NOT!!!!!
Another kernel vulnerability was recently found in all FreeBSD (4.X and 5.x) versions.
The TCP/IP stack can be stopped by sending unordered TCP fragments.
This is a serious remote vulnerability, and any FreeBSD with an open TCP port should be patched ASAP.
Here's a link to the official advisory:
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-04:04.tcp.asc
Regardless of the operating system you are running, always keep everything up to date.
"...And how do you avid windows-baiters react to it? How come you hypocrites just blow Windows bugs out of proportion while attempting to cover up Linux kernel holes?..."
Um, the source code for the *fix* is listed *in* the article (you didn't read it did you?)
i don't call posting fixed code and owning up to an exploitable coding error "covering up".
This is an old bug! Look at the versions! 2.2.26, 2.4.25 and 2.6.3 have been out for a couple of days. Who is admin on slashdot? Does he check the news? There are not three mremap bugs, but two. Kill this article.
No need to worry, and we all know why...
a patch will be out (if it isn't already out) within days, sometimes hours. I don't have to rely on MS.
He's flying to Redmond to join team Longhorn. Efforts in open source can get you a paying job!
Neither have I, but that wasn't the point of my post.
The goal a lot of people have is to make Linux mainstream, that means that less and less knowledgeable users will be using it. If Linux continues to suffer from kernel exploits from time to time just like Windows then those same users will be running executable mail viruses built for Linux just like they do for Windows now.
A lot of people I've seen using Linux have a false sense of security and therefore aren't as careful as they are on Windows (which is a scary thing because we all know how insecure Windows is).
This is the second mremap() vulnerability finally making it to slashdot. Note the date on the linked page, March 1.
You just thought it was the third because you already heard about two, and forgot that sometimes things take a week or so to make it to /.
This is pretty old news. It was fixed weeks ago in 2.2.26, 2.4.25, and 2.6.3.
The whole reason the above kernels were released was because of this vulnerability.
This security announcement is redundant.
That's what Eric Raymond said.
And he's never told a lie.
This guy investigating mremap is saving a new vulnerability for every week. He's working only to get his name printed everywhere. I cannot take this seriously. If he's a genuine security analyst, he'd fix _all_ mremap related bugs within 1 patch.
My biggest grief, is him not releasing source code patches for genuine kernel.org kernels. If he's so good to release sploits, he's good enough to submit source code patches.
Robert
OK time for me to tilt at a few windmills. Aside from the date being off by a year (the link quotes the date as 05-01-2004), is this supposed to be 1st of May or the 5th of January?
In an international forum and for clarity, ISO 8601 dates. Therefore: 2004-01-05.
Sorry for the rant, but I work for an international company, and have spent sizable parts of meetings trying to figure out which version of a document is "most recent", 2/3/04 or 3/2/04.
Expect a patch? I'd rather sue them! LOL
Bugs happen. Your post is just a sign of ignorance.
Why wasn't this modded +5 funny?
It might be time to take a page from the MS book and take a few weeks for a full line by line audit.
Look, security is a process, not a one-time event! And this is the result of that process. You don't look for problems because there aren't any. You look for problems because, in something as complex as an OS, there are bound to be problems and it is better that you find and fix them before a black hat finds and exploits them.
And you never stop looking!
This is partially redundant to a few of the other posts here saying that this vulnerability was already disclosed several weeks ago. However, I thought I'd add that if you already patched, check the vulnerability ID; in this case it's CAN-2004-0077. Your patch should have specifically mentioned this ID. If not, you need to patch again.
Thank $DEITY I don't need to patch/reboot again. I was starting to get a bit annoyed at having to patch the kernel twice in two months. Scheduling reboots of machines in use by many people is no fun.
That would be every admin of a linux server with user accounts... college student linux user accounts.
You fucking fail it
Second post is not for you
Death is the answer
Get a windows CD
Boot
Reboot
Install
Reboot
Install some more
Reboot
Continue installation
Reboot
Register windows installation
Change a setting
Reboot
bah
I'm fairly sure this was patched in 2.6.3. Running the test code included in the advisory on my 2.6.3 (vanilla) system shows:
[+] kernel 2.6.3 vulnerable: NO exploitable NO
There's also a patch to mremap listed in the 2.6.3 ChangeLog. So I don't know how "new" this bug is.
No patched kernel yet available for my RedHat, SuSE or Gentoo distributions and I'm sure as hell not going to compile a vanilla kernel that would only mess up the package management system.
The owls are not what they seem
In Linux, peer review found it, fixed it and made the information available, so you know that you have an exploit.
Linux seems much more Mainstream to me. Until people write perfect, bug free, secure software, give me a system that at least I can keep up to date and have a chance to protect myself.
vi +
As long as it isn't YOUR $9,000.... ;)
paintball
What winds up happening is I pay MS to produce a product that I have very little input on. I buy the off the shelf solution to then develop 50% of the solution anyway. And, then it crashes, the documents are incorrect (updates might be available on their web sites), and I have no way of figuring out what the issues are without paying more $s for something I paid for already. If I tried to pull the same trick, I would lose my client.
Linux side is someone spots the issue, makes us aware of it in most cases. People have something more important than a paycheck at stake get to work on a fix for the problem. A, or multiple, potential fix(es) is(are) put up. Sometimes a fix goes straight in with minimal review (it works, most liked it), sometimes the fix gets kicked around to hash out any potential problems (in the full light of day, normally my apps do not break when the fix is rolled out.)
I like the public knowledge aspect of OSS. Yep, hackers have access to it also, but closed source never seemed to stop them, it just stopped me from protecting myself.
Maybe we need to look at the next step for OSS? Maybe there is a better model for building OSS? Maybe companies might start providing more donations (like cheap lic fees) to a foundation that rewards freelance OSS programmers with cash for tackling certain problems (and does not pay until the code is peer reviewed and bug checked to a reasonable extent.) Maybe that would work better... Are certain organizations not starting to do that?
Given how much OSS has accomplished in the past decade with its relative lack of fees and "structure", imagine what might happen if more companies started using their proprietary source software budget to put bounties out on features they needed in OSS. True, not all features would they want to make public, but enough they would want to so as to dramatically cut everyone's costs (GNU lic is important because of this). Most companies actually have very close to the same needs. But, their money goes to legal and marketing fees more than it seems to go to actual development fees with off the shelf software. What an economic waste! Check out John Nash for a rather different, rather OSS view of the world.
In the end, you are left with a decision. The programmers at MS are very bright. The programmers in OSS are very bright. The real difference is the perceived safety of being able to blame MS (who you can not hold responsible yet - name one successful law suit against MS for the failure of their software to function as advertised) versus the cost effectiveness of not paying for huge legal and marketing fees (as well as other corporate overhead having very little to do with getting better or more code). I am not against programmers getting paid. I am against sloth and leeches in a corporate setting destroying the market in which programmers get paid.
InnerWeb
Freud might say that Intelligent Design is religion's ID.
I can't exploit this on my SUSE kernel. All I get (after many attempts) is:
[+] kernel 2.4.21-192-athlon vulnerable: YES exploitable YES
MMAP #65530 0x50bfa000 - 0x50bfb000 [-] Failed
Perhaps this hasn't gone completely unnoticed...
You may trust your authorized users, but do you trust their passwords, habits in storing passwords ("You don't expect me to remember that, do you? Where are my post-it notes..."), and wisdom to not extend trust to ANYONE?
Do you also trust users to not run a piece of malicious code that shows up purporting to be some groovy new Linux app that will do some groovy new thing? After all, it would only have to require a vanilla user account... and Linux never gets viruses, so why worry? ;)
I think you see where I'm going with this. Local exploits need to be patched too, and sysadmins all too frequently think they don't because they are "only local".
perl -e 'print $i=pack(c5, (41*2), sqrt(7056), (unpack(c,H)-2), oct(115), 10)'
Let me get this straight, it has nothing to do with the bug from a year ago, except that it affects the same code in the same system call? Call me unenlightened, but, that sounds pretty similar to me.
I hate sigs.
How hard is it to spin a process out of control via repeatedly doing a denial of service attack on memory or the paging subsystem?
All you need is:
1. (optional) ability to fork() another process
2. a large array of whatever
3. random accessing that array
Extras include scanning and thrashing the hard disks via random reads on random files.
Even a simple infinite loop will dos the system.
So where _is_ that patch to fix these mremap bugs?
I wouldn't call a whole new kernel installation and kernel upgrade a PATCH.
Robert
ISO dates are the way to go - for the sanity of everybody concerned. They sort lexically in a sensible way, they're in a reasonable order, and they're unambiguous (YYYY- not YY-).
This, of course, is why nobody uses them.
*sigh*
As the evil dictator-like sysadmin, at work all my in-house intranet tools report ISO dates. I had a few people confused at first, but now it's the accepted format at work for things like archive directories (hundreds of directories named NN-NN-NN, NN.NN.NN or NNNNNN can get rather confusing - YYYY-MM-DD is so much easier).
Now, if only the /rest/ of the world would change over.
While we're at it, can we have the ISO paper sizes adopted by the few holdouts, too? (I only wish...)
Umm.
"On a Windows box, there would have been no peer review."
I doubt that even Microsoft lets security fixes be released without having other Microsoft programmers review all the relevant code. A more accurate comment might be:
"On a Windows box, there would have been no public peer review."
Wouldn't grsecurity provide protection for this?
It's called OpenBSD.
this hole was found and patched by vendors a month ago. i personally submitted to slashdot at least 10 stories detailing this hole and how to patch it, and i was quite obviously ignored.
http://www.slackware.com/changelog/stable.php?cpu=i386
"
Wed Feb 18 03:44:42 PST 2004
patches/kernels/: Recompiled to fix another bounds-checking error in
the kernel mremap() code. (this is not the same issue that was fixed
on Jan 6) This bug could be used by a local attacker to gain root
privileges. Sites should upgrade to a new kernel. After installing
the new kernel, be sure to run 'lilo'.
For more details, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0077
Thanks to Paul Starzetz for finding and researching this issue.
(* Security fix *)
"
2.4.25 and 2.6.3 are NOT affected by this hole, and there is a patch for 2.4.24 which you can make yourself by diffing a vanilla 2.4.24 kernel with slackware 9.1's 2.4.24 kernel source package.
CmdrTaco, before you post another "announcement" like this, do your homework. last thing we need is more security disinformation surrounding linux.
No patched kernel yet available for my RedHat, SuSE or Gentoo distributions and I'm sure as hell not going to compile a vanilla kernel that would only mess up the package management system.
That's what source packages are for. For RPM systems, either add the patch to the spec file, or bump the version and get the new tar.bz2. Then rpmbuild -ba and be happy.
If that's too much pain (the .spec for kernel is a big hairball), build and install vanilla kernel from source and create an empty package for kernel-2.4.25 and install it to keep the version number in the database up to date.
Of course, many RedHat users just build the kernel and install from source, and don't worry about the kernel version in the rpm database. In most cases for the kernel, that's harmless.
I ran the test code in the advisory on a stock 2.4.25 build and it printed out NO and NO for both questions [vulnerable and exploitable].
Is this really a bug? [tinfoilhatmode] Is the advisory code correct? Or is this just so old that both 2.4 and 2.6 lines have it fixed already?
Tom
Someday, I'll have a real sig.
So where _is_ that patch to fix these mremap bugs?
The patch is here.
Tarsnap: Online backups for the truly paranoid
www.freebsd.org
www.linuxisforbitches.org
When the Germans rounded up all the jews into camps it was proof that the Nazis were evil.
When the Americans rounded up all the Japanese Americans into camps it was proof that America was wonderful.
ESB-2004.0176 -- FreeBSD-SA-04:04.tcp -- many out-of-sequence TCP packets denial-of-service
http://www.auscert.org.au/render.html?it=3910&cid
Topic: many out-of-sequence TCP packets denial-of-service
Category: core
Module: kernel
Announced: 2004-03-02
Credits: iDEFENSE
Affects: All FreeBSD releases
Corrected: 2004-03-02 17:19:18 UTC (RELENG_4)
2004-03-02 17:24:46 UTC (RELENG_5_2, 5.2.1-RELEASE-p1)
2004-03-02 17:26:33 UTC (RELENG_4_9, 4.9-RELEASE-p3)
2004-03-02 17:27:47 UTC (RELENG_4_8, 4.8-RELEASE-p16)
CVE Name: CAN-2004-0171
FreeBSD only: NO
Ok, so I read the write up.
Here's the immediately pertinent part:
Proper exploitation of this vulnerability leads to local privilege escalation giving an attacker full super-user privileges. The vulnerability may also lead to a denial-of-service attack on the available system memory.
Tested and known to be vulnerable kernel versions are all
So it looks like we've all got to update to the latest of respective trees. I guess the days of running a kernel for months on end are pretty much over.
~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
Just what the subject says.
this is just like the ati article, misinformed. generally wrong. and completely unchecked. do they just have a script running to randomly select article submissions and post them? or has slashdot been outsourced? =(
NetBSD on my laptop, but I could reinstall it anyways.
My other Sun box runs NetBSD too (the one I'm on now runs Solaris).
But that's it, I'm installing NetBSD today!!!
there is so much 'reboot' in your post LMAO!!! its like, lollll
DID THE PENTAGON MANUFACTURE AIDS AS A BIOLOGICAL WEAPON?
By David Guyatt
"
AIDS kills. It does so in extremely nasty ways. By attacking the human immune system, the disease opens the victim to any number of, otherwise, non fatal illnesses. The result is generally a heart-rending debilitating and lingering death.
According to some experts, AIDS - Acquired Immune Deficiency Syndrome - first arose in the middle to late 1970's in Africa, when a small, infected Green Monkey, sunk its teeth into a local native. From such humble beginnings it then exploded across the globe - as a result of sexual transmission - bringing massive death and misery in its wake.
There are currently 30 million people - throughout the world - who have contracted the killer disease. With a death toll already set at over 8.4 million, estimates indicate this could leap to 40 million by the year 2000. Over 1000 people are dying from AIDS per day. Figures provided by the United Nations show that the geographic spread is almost entirely focused on black Africa and Southeast Asia - which combined - account for almost 90% of all known cases. In effect, AIDS/HIV fundamentally attacks the impoverished Third World.
This geographic spread has led to spectacular charges that the rich industrialised countries secretly developed and deployed AIDS as a biological weapon aimed at decimating the "useless eaters" of the Third World. Researchers point to a number of government documents which they claim supports this charge. Chief amongst these is National Security Memorandum (NSSM 200) authored in the early seventies by then US National Security Adviser, Dr. Henry Kissinger. This document, hitherto marked as top secret, was quietly de-classified in 1990 and lodged in the US National Archives. It is a chilling, cynical document.
"De-population should be the highest priority of US foreign policy towards the Third World." This sentence formed the hard backbone of NSSM 200. The memo went on to state that "Reduction of the rate of population in these States [Third World nations] is a matter of vital US national security." Why? Simply because "The US economy will require large and increasing amounts of minerals from abroad, especially from less developed countries." In stating this the focus was exclusively, on the "...economic interests of the US."
The arrogant and cynical mindset that underscored Kissinger's document was nothing new. Third World citizens merely continued to be viewed as useless, lazy degenerates. Years earlier, in 1932, cancer experiments were undertaken by Cornelius Rhoades, then chief pathologist of the Rockefeller Institute. The experiments involved deliberately infecting a number of Puerto Ricans with cancer. Thirteen died as a consequence. Rhoades explained away the experiments with the comment: "The Porto(sic) Ricans are the dirtiest, laziest, most degenerate and thievesh race of men ever inhabiting this sphere... I have done my best to further the process of extermination by killing off eight and transplanting cancer into several more... all physicians take delight in the abuse and torture of the unfortunate subjects."
Amazingly, Rhoades not only escaped prosecution for this hideous admission, but was later placed in charge of a number of chemical warfare projects during WW II. He was also given a seat on the Atomic Energy Commission and awarded the Legion of Merit. One may also remark on the known close connections of Henry Kissinger to the Rockefeller family. It was due to this close family connection that Kissinger was appointed National Security Adviser in the Nixon administration in 1971. According to US News & World Report the appointment "was on the advice of Governor Rockefeller, who described Mr. Kissinger as 'the smartest guy available.'"
When viewed in conjunction with another US government document, the underlying foreign policy aims of NSSM 200, are caus
I'm not sure microsofties have peers.
I've had this sig for three days.
A typical user experience.
1) Buy computer with Windows XP Home Edition pre-installed.
2) They get a virus, perhaps even a trojan. Or maybe a worm, since the computer wasn't up to date. Or they were stupid and opened MyDoom. Regardless, it cripples the computer.
3) They buy or download antivirus software. Perhaps their computer works well enough to install it, and they reinstall Windows if it does not.
4) OK, finally a working computer again. But since they browse the internet as administrator (as it works by default) they get spyware. Lots of spyware. It builds up on each other and Internet Explorer has trouble starting. Pop-ups occur on every website, even Google, or when IE isn't open. Perhaps their credit card info is stolen.
5) If they're lucky, they will have heard of Ad-Aware or Spybot Search and Destroy and they somehow get it on their computer to install it (no IE, remember?). It deals with most of the pop-ups. But nothing really works right. Reinstall Windows.
6) Go to step 2.
I work at the campus helpdesk, so I see students with these sorts of problems all the time. I have a problem respecting an OS that will get a worm before the user has a chance to do Windows Update, an occurrence I've seen a few times.
When the Germans rounded up all the jews into camps it was proof that the Nazis were evil.
When the Americans rounded up all the Japanese Americans into camps it was proof that America was wonderful.
We don't want to forget that the Germans also gave the Jews access to showers - at least that's what the Jews thought a few seconds before gas started spewing out.
ISO 8601 is OK, and it's great for sorting and automated systems, but for readability AND unambiguity, I use DD-MMM-YYYY (e.g. 07-Mar-2004). I've been using this format since the day I started working for a company that did 99% of its business with non-US customers (nearly a decade ago). Some US folks may look at me funny when I do it that way, but nobody has EVER been confused about what date I meant ...
One simple rule for its versus it's
There is a patched kernel at least for RedHat:
https://rhn.redhat.com/errata/RHSA-2004-065.html
Note in the third paragraph:
"Paul Starzetz discovered a flaw in return value checking in mremap() in the Linux kernel versions 2.4.24 and previous that may allow a local attacker to gain root privileges. No exploit is currently available; however this issue is exploitable. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0077 to this issue."
This is the same CVE as the article. The patch was issued 2004-02-18.
This issue was patched in Fedora on 19 Feb with 2.4.22-1.2174. See the Fedora announce list here:
http://www.redhat.com/archives/fedora-announce-li
God is imaginary
It's a source-level patch. See `man patch`. I understand the sarcasm inherent in your statement and yet I don't see people's problem with doing a quick recompile and reboot. It's really that simple.
- Michael T. Babcock (Yes, I blog)
Get a windows CD
Boot
Reboot
Install
Reboot
Install some more
Reboot
Continue installation
Reboot
Register windows installation
Change a setting
Reboot
That is soo Windows 98.
Oh yes, I can see Microsoft doing it in a few weeks. The compressed tarball of the Linux kernel is 40 Megabytes. Uncompressed it's about 60 Megabytes. At an average of 40 bytes per line, you can look at all of it in 'merely a month' if you work at it 8 hours a day, 5 days a week and at a rate of 156.25 lines per minute! (2.6 lines per second). Oh yes, your proposed 'line-by-line audit' in a few weeks is exactly what Microsoft did. I wouldn't call it 'secure', but you can crow all you like. What's your url? Got any ports open?
This is so stupid. They are not the same kind of holes. People who write things like this don't understand the severity of exploits. This is LOCAL, not remote. In fact, I am hard pressed to think of any remotely exploitable problems in the Linux kernel in the last 3 years. A local root isn't a problem for 98% of Linux systems. As long as any daemons listening for network connections are up to date, you really don't have anything to worry about. One could run 2.4.0 with no patches without worry as long as all network daemons are up to date.
In fact, I know of a red hat 6.2 box just running apache and ipchains on a 100mhz box that has been running for at least 4 years without a single security problem. It probably has at least 20 local roots, but it doesn't matter because apache has had a good security history.
The point is, we almost NEVER see the equivalent of local roots on Windows boxen. Everything we see is remotely exploitable. It's rare that Linux sees anything remotely exploitable (in popular software... Joe's cgi script doesn't count). And when we do, the "fragmentation" of distributions that everyone bitches about helps immensely. Because most packages are compiled differently, the memory addresses to exploit are different. So it's difficult to exploit a box and usually you have to brute force it. As we see more things like non-executable stack patches and random memory patches these problems will be extremely difficult to exploit.
The proof is in the pudding... when's the last time we saw anything in linux so widely exploitable that 90% of affected machines are infected within 10 minutes of the release of a worm? We should have seen hundreds of apache worms by now since there are at least as many apache installations as IIS. MySQL? MySQL has gained huge popularity and is on almost as many boxen as SQL server. Why haven't we seen a single MySQL worm?
... BSD is only *dying*
Linux is dead *already*
(sigh, all those critical security flaws)
Any BSD is better than Linux. And if you need any help you won't have to ask some teenagers.
BSDs = adults and professional businesses that don't want to waste time.
Linux = unproductive teenagers and companies that will be rooted in the next week.
HA HA its about time fucking linux gets brought down. I hope this is the demise of that fucking piece of shit operating system. Linux SUCKS!!! Long live Windows 2000 Server!
Just to add my .02, I've tested this exploit code on a representative sample of my boxes here, some running stock Fedora kernels, some running 2.6 kernels, and NONE of the systems is exploitable, though the reports vary depending on kernel.
neo:
(tty/dev/pts/1): bash: 1016 > /home/jjs ./a.out
[+] kernel 2.6.3-ck1 vulnerable: NO exploitable NO
gibson:
(tty/dev/pts/1): bash: 126 > /home/jjs ./a.out
[+] kernel 2.4.22-1.2174.nptlsmp vulnerable: YES exploitable YES
MMAP #65525 0x50bf5000 - 0x50bf6000
[-] Failed
So, before the FUD machine starts churning out all these opinions on how insecure Linux is, let's check our facts, OK?
    if (old_len >= new_len) {
            do_munmap(current->mm, addr+new_len, old_len - new_len);   /* return value is not checked */
            if (!(flags & MREMAP_FIXED) || (new_addr == addr))
                    goto out;
    }
Who in Fuck's name uses goto? Burn them!
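The excerpt above drops do_munmap()'s return value on the floor. What makes that dangerous is that do_munmap() can legitimately fail: once a process holds vm.max_map_count VMAs, any unmap that would have to split a VMA into two is refused with ENOMEM rather than done half way, and the "MMAP #65530 0x50bfa000 - 0x50bfb000" lines in the proof-of-concept output posted in this thread are consistent with the exploit filling the VMA table to reach that state. The C program below is an added illustration, not code from the page, the advisory or the exploit. It assumes a Linux host with the ordinary vm.max_map_count limit, creates one-page anonymous mappings with alternating protections (so the kernel does not merge neighbours into a single VMA) until mmap() itself reports ENOMEM, and then shows that unmapping the middle page of a three-page region fails with ENOMEM at that point, which is the kind of error that 2.4.24's do_mremap() silently ignored.

```c
/* vma_limit_demo.c -- added illustration, not code from the page or the advisory.
 *
 * Reproduces the kernel condition the mremap exploit relied on: at the
 * vm.max_map_count limit, an unmap that must split a VMA is refused with
 * ENOMEM.  Assumptions (mine, not from the page): Linux; one page per
 * mapping; alternating PROT_NONE / PROT_READ so adjacent anonymous
 * mappings are kept as separate VMAs instead of being merged.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <unistd.h>

#define MAX_TRIES 300000   /* bound on how many VMAs we create (covers the default 65530) */

/*
 * Returns 1 if the ENOMEM-on-split condition was reproduced,
 *         0 if the VMA limit could not be reached (other OS, raised limit, RLIMIT_AS first),
 *        -1 on an unexpected error.
 */
int vma_split_fails_at_limit(void)
{
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0) return -1;

    /* A three-page region; we will try to unmap only its middle page later. */
    char *region = mmap(NULL, 3 * page, PROT_READ | PROT_WRITE,
                        MAP_PRIVATE | MAP_ANONYMOUS | MAP_NORESERVE, -1, 0);
    if (region == MAP_FAILED) return -1;

    void **fill = malloc(sizeof(void *) * MAX_TRIES);
    if (!fill) { munmap(region, 3 * page); return -1; }

    /* Fill the VMA table one page at a time.  Alternating protections
     * differ in vm_flags, so the kernel cannot merge neighbours. */
    size_t n = 0;
    int hit_limit = 0;
    while (n < MAX_TRIES) {
        int prot = (n & 1) ? PROT_READ : PROT_NONE;
        void *p = mmap(NULL, page, prot,
                       MAP_PRIVATE | MAP_ANONYMOUS | MAP_NORESERVE, -1, 0);
        if (p == MAP_FAILED) {
            hit_limit = (errno == ENOMEM);
            break;
        }
        fill[n++] = p;
    }

    int result = 0;
    if (hit_limit) {
        /* Unmapping the middle page needs one VMA to become two.  With
         * map_count already at the limit the kernel returns -ENOMEM and
         * leaves the region mapped, exactly the outcome a caller that
         * ignores do_munmap()'s return value never notices. */
        errno = 0;
        int rc = munmap(region + page, page);
        if (rc == -1 && errno == ENOMEM)
            result = 1;
        else if (rc == -1)
            result = -1;
        /* rc == 0: the limit is not enforced this way here, report 0. */
    }

    /* Cleanup: unmapping whole VMAs never needs a split, so this always works. */
    for (size_t i = 0; i < n; i++) munmap(fill[i], page);
    free(fill);
    munmap(region, 3 * page);
    return result;
}

int main(void)
{
    int r = vma_split_fails_at_limit();
    if (r == 1)
        puts("at the VMA limit, unmapping the middle of a mapping fails with ENOMEM");
    else if (r == 0)
        puts("could not reach the VMA limit here (non-Linux, raised limit, or address-space limit hit first)");
    else
        perror("unexpected error");
    return r < 0;
}
```

It needs no privileges and finishes in well under a second with the default limit; `cat /proc/sys/vm/max_map_count` tells you what the kernel will enforce. The point to take away for a reviewer is the shape of the bug, not the numbers: an in-kernel helper that reports failure through its return value was called in a statement position, so the caller went on as though the address range were already free.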
Oh yes, I know how to use /usr/bin/patch. But where is the patch itself, like linux-2.4.24-mremap.patch, for instance?
cat linux-2.4.24-mremap.patch | patch -p0
would do the job. However, _where_ is the linux-2.4.24-mremap.patch to be found?
Robert
Running 2.6.4-rc1 here... this is the vuln that motivated the move, besides wanting to get into 2.6 in general.
C|N>K
"Get a windows CD
Boot
Reboot
Install
Reboot
Install some more
Reboot
Continue installation
Reboot
Register windows installation
Change a setting
Reboot
bah"
You forgot the video drivers.
if continues to where Vader (bill) turns good and saves Luke (kernel).
sooo....
Bill = Linus?
Interesting! Bill and Linus might just be two sides of a schizophrenic megalomaniac, taking two approaches to conquer the world in an unprecedented pincer!
Well, I think this proves that the "security through obscurity" model is, at best, ineffective. If it has been so long there for anyone to see and the "good" guys didn't see it, what makes you believe that the "bad" guys would spot it?
I don't have hard data to prove this, but I believe that the following two points are true: (1) there are more good guys than bad guys, or otherwise society as we know it wouldn't exist; and (2) good guys are smarter than bad guys, because our current social organization tends to favor being honest. Good guys get good salaries, bad guys are sent to jail.
So, if it took many smart good guys five years to find this vulnerability, how many years would it take a few stupid bad guys to find it?
It is so unfortunate humanity never agrees on such simple issues! Why can't we all get along? He doesn't even release his exploits as GPL! Just what do they think they are, messing with our community with public domain code? This makes me almost suicidal :-(
It did not work on any of my SuSE (same kernel as yours), Redhat and Gentoo systems. The only vulnerable ones were Debian boxen (sic!)
Strange... First this FreeBSD bug, now something wrong with Debian
You can defy gravity... for a short time
Well then, you are an idiot, and there is nothing we can do about that.
If I had a SCO license, (hah) I'd be expecting them to fix 'their' system. Raggedy ass punks, anyhow.
I fear the day I have to buy an AV tool for Linux. My opinion is: if a user is too stupid and runs email executables, the least he deserves is to have all his personal files deleted. Users should always be sponsored.
However _where_ is the linux-2.4.24-mremap.patch to be found?
I extracted it from the 2.4.25 patch: mremap-patch.diff
God, root, what is difference ?
If they do create this wouldn't it make sense to use BitTorrent? The distro's server could push out a bit torrent link to the update app and you wouldn't even have to go to the command line to do it.
What if Digg added local news and a Slashdot inspired comment karma system? ---
http://houndwire.com
When are they ever going to get their act together and stop releasing such a buggy OS with these security violations!
Oh.... wait....
Yet another sickening blow has struck what's left of the *BSD community, as a soon-to-be-released report by the independent Commission for Technology Management (CTM) after a year-long study has concluded: *BSD is already dead. Here are some of the commission's findings:
Fact: the *BSDs have balkanized yet again. There are now no less than twelve separate, competing *BSD projects, each of which has introduced fundamental incompatibilities with the other *BSDs, and frequently with Unix standards. Average number of developers in each project: fewer than five. Average number of users per project: there are no definitive numbers, but reports show that all projects are on the decline.
Fact: DragonflyBSD, yet another offshoot of the beleaguered FreeBSD "project", is already collapsing under the weight of internal power struggles and in-fighting. "They haven't done a single decent release," notes Mark Baron, an industry watcher and columnist. "Their mailing lists read like an online version of a Jerry Springer episode, complete with food fights, swearing, name-calling, and chair-throwing." Netcraft reports that DragonflyBSD is run on exactly 0% of internet servers.
Fact: NetBSD, which claims to focus on portability (whatever that is supposed to mean), is slow, and cannot take advantage of multiple CPUs. "That about drove the last nail in the coffin for BSD use here," said Michael Curry, CTO of Amazon.com. "We took our NetBSD boxes out to the backyard and shot them in the head. We're much happier running Linux."
Fact: There are almost no FreeBSD developers left, and its use, according to Netcraft, is down to a sadly crippled
Fact: *BSD has no support from the media. Number of Linux magazines available at bookstores: 5 (Linux Journal, Linux World, Linux Developer, Linux Format, Linux User). Number of available *BSD magazines: 0. Current count of Linux-oriented technical books: 1071. Current count of *BSD books: 6.
Fact: XFree86 is dropping support for *BSD. The remaining core group believes that the *BSDs have strayed too far from Unix standards and have become too difficult to support along with Linux and Solaris x86. "It's too much trouble," said one anonymous developer. "If they want to make their own standards, let them doing the porting for us."
Fact: Many user-level applications will no longer work under *BSD, and no one is working to change this. The GIMP, a Photoshop-like application, has not worked at all under *BSD since version 1.1 (sorry, too much trouble for such a small base, developers have said). OpenOffice, a Microsoft Office clone, has never worked under *BSD and never will. ("Why would we bother?" said developer Steven Andrews, an OpenOffice team lead.)
Fact: servers running OpenBSD, which claims to focus on security, are frequently compromised. According to Jim Markham, editor of the online security forum SecurityWatch, the few OpenBSD servers that exist on the internet have become a joke among the hacker community. "They make a game out of it," he says. "(OpenBSD leader) Theo [de Raadt] will scramble to make a new patch to fix one problem, and they've already compromised a bunch of boxes with a different exploit."
With these incontrovertible facts staring (what's left of) the *BSD community in the face, they can only draw one conclusion: *BSD is already dead.
My gateway box:
[+] kernel 2.2.25 vulnerable: YES exploitable NO
cerberus:~$ uptime
11:32:26 up 353 days, 12:09, 1 user, load average: 0.02, 0.02, 0.00
cerberus:~$ uname -a
Linux cerberus 2.2.25 #3 Wed Mar 19 22:23:56 MST 2003 i586 unknown
Argh, now it'll be another 1.5 years before I can watch it roll over.
I'm sorry, but ISO dates still take more energy to parse.
In today's world of 3+ GHz processors, that is such a bullshit argument to not use ISO dates.
When Windows has a bug a comment saying "The bugs aren't in the software. THEY'RE IN THE CORPORATE CULTURE OF THIS PARTICULAR VENDOR" get modded to +5 Insightful.
Another +5 Insightful comment says "I still wouldn't say Microsoft is getting 'better' though. They'd be getting 'better' if the vulnerabilities didn't exist in the first place!"
I wonder what he has to say about this vulnerability existing in the first place.
This patch requires a reboot, right? Kinda funny that nobody complains about it, but in this article, someone says "Of course I like to reboot all the time. Otherwise I would be running Linux" in response to his newly-patched computer asking him if he'd like to reboot.
I tried the "Proof-of-Concept" code. The nice thing about it is that it tells you two things: 1) if your kernel is vulnerable, 2) if your vulnerability is exploitable.
I have one kernel that is vulnerable but not exploitable according to the Proof-of-Concept code. Saves me some time to not patch, recompile and reboot a new kernel.
I wish future vulnerability announcements would be like this one, e.g. contain Proof-of-Concept exploit code that can tell me whether or not the kernel/software I am running is vulnerable and/or exploitable.
http://www.debian.org/security/
Seriously, read the +5 posts and get ready to laugh. I feel like I am reading articles from 1993. Yes, my unlimited budget allows me to patch everything I own within five hours of the problem becoming known. :P
fucktards.
nothing changes around here. same loonies.
..that tears it, I'm switching to BSD!
I agree that date formats are confusing, but I don't think that ISO format solves anything. I still don't know whether the user is aware of the standard. I usually use the DD-MMM-YYYY format because it removes all ambiguity: 05-JAN-2004.
W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
The code that SCO wrote.
Because Earth's ~250(?) languages use different names for the 3rd month :)
So programs/databases have to know ~250 x 12 x 2 words for months. (Two because you don't always say 'february' but 'feb').
Also what happens if language A uses a name for month X that is the same as language B's name for month Y?
I'm a Mandrake user so here is my SOLUTION:
http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2004:015
;)
Other distro users may reply to this thread with their corresponding links.
I found mine with this:
http://google.com/search?q=CAN-2004-0077+mandrake
:D
Isn't that special?
Move on already!
The advisory was released Feb. 18, so this has all been public knowledge for over two weeks. This USENET post shows the vulnerability and upcoming exploit was known about, and slashdot is just plain late on this one.
You have had two weeks to patch your systems. I know slackware's advisory was sent right after the vulnerability became public knowledge.
Exactly... Otherwise you might have patches/updates that would break your system even worse, right?
Well, IIRC, that has happened in the past...
This is why anywhere unprivileged users can write (/home, /var, /tmp, etc.) should be on a partition mounted 'noexec'. If a cracker can get local access, but not execute their own code, they are limited as to what they can do. This is also another good use of chroot, although the BSD 'jail' is a more robust solution.
That's a very naive, idealistic argument. American business often maximizes shareholder value by being as dishonest as possible, short of clearly breaking commonly enforced laws. Under your argument, Darl McBride is a "good guy" because he's a) rich from the SCOX pump-n-dump and b) not in jail (yet).
Anyway, go read "The Art Of War" or watch "The Godfather". It is a serious error to assume your enemy is weak, and I would recommend against that philosophy when securing critical assets.
up 93 days, 9:29, 9 users, load average: 0.70, 1.91, 2.36 :/
Last reboot I patched because of the last kernel vulnerability; can't really say Linux == uptime anymore.
Is enough effort being put into finding these bugs?
Don't forget
So
Heh... OK, call it a kernel update or upgrade then. Since I used precompiled kernel packages that came with my Linux distribution, I honestly didn't do any traditional patching nor kernel recompiling. It was all apt-get update, apt-get upgrade, etc; pretty simple actually. The reboot was of course still disruptive though.
One technical point: you cannot just "disable" mremap() without breaking the dynamic link loader and many userspace applications. There was, however, an unofficial kernel module that you could load into a vulnerable kernel to replace sys_mremap with a non-exploitable version (which in theory is racy, but it basically works and postpones the reboot).
Version: 2.2 up to and including 2.2.25, 2.4 up to and including 2.4.24, 2.6 up to and including 2.6.2
And me having kept up to date running a 2.6.3 kernel.
The horrors!
-1 Overrated (Too many big words for me to comprehend)
This latest Linux root exploit bolsters my confidence even more in OBSD. I know they recently had a remote crash exploit, but the claim of no remote root exploit since '97? is a very good track record indeed.
OBSD takes the time to validate their code. While OBSD or any OS will never be perfect, the OBSD method of engineering is still tops in my book.
maintainers of said problem code need to be fired.
Why is more security disinformation surrounding Linux the last thing we need? Because it takes up valuable space that could instead be dedicated to more security disinformation about Windows?
Microsoft has a better security record than Linux does now....
alex_n@styx alex_n $ ./mremap_pte
[+] kernel 2.6.3 vulnerable: NO exploitable NO
How does this affect any systems using any of these frameworks which effectively allow you to neuter root? I would think that if you were using one of these systems with proper ACLs you would be unaffected.
Great, there goes my uptime record..
No, they come in and we fix the problem most of the time. Usually an anti-virus and a spyware/Ad-Aware scan fixes it. Sometimes it doesn't. And if it does, the machines aren't always working like they're supposed to, but they do work. We don't provide full support for students' computers; we refer them downtown if they need something drastic like an OS reinstall.
Then I come here and 'slag Microsoft' (slag: "the scum formed by oxidation at the surface of molten metals") out of frustration. And for some fun.
Please. So, to run it I have to chmod +x it; ooh, but /home is mounted noexec, so I log in as root, cp it to ... hmm ... /usr/local/bin ... nope, no /usr/local ... ok, /usr/bin it is ..., oops, it's mounted read-only, I'll have to mount -o rw,remount /usr, then I'll chmod +x it, aaah ... now I go back to my regular account and execute it.
How this compares to send me a fscking html-with-vbscript that will be executed while in the preview pane of Outlook Express and downloads another executable that has the power to install itself as a device driver and run in kernel mode?????
Even if I have to click on the attachment, it will execute right away!!!!
It's better to be the foot on the boot than the face on the pavement. ~~ tkx Kadin2048
It might just as well be that the mistake made by the originator of the bug or insecurity was hard to spot because it made sense, at least on the surface, to those trying to follow the program logic to analyze it for problems. It certainly wasn't likely to be a syntax error or the compiler would have caught it, so it seems [to me] like it must be a procedural mistake in the program logic or a storage/retrieval error.
I haven't taken time to look at the fix and the original code to see what is broken and how to write it one-notch-better-for-now. Do you have a pointer to the patch or is it still too early to find it?
07mar04 is better.
070304 is worse because it can be a number.
open4free
Your mouse has moved.
Windows has to be rebooted for this change to take effect.
[Reboot now] [Reboot later]
:-)
Database engine for analyzed or annotated text
OK, I went back to the article and found the ---->code listing-----!!
I STILL haven't looked at it long enough to decipher what the error is. It says something about elevating privilege level by writing over an unprotected virtual memory area in a certain way. I promise not to post again on this topic until after I have tried to reason through the fixed code.
And prob'ly not after that either! Doh!
Thank you.
Hmm, I'd say that mremap() bug is one big dirty giant hole, which has been lurking for ages. The fact that the kernel maintainers don't have a simple fix in the form of a small patch is striking.
In fact, the complete vmmem remap MM stuff has been rewritten going from 2.4.24 to 2.4.25. The only sane thing to do is to install 2.4.25 from scratch. That Polish kernel hacker certainly lifted some heavy rock, and now all the dirty stuff is flying in your face. The exploit he posted so far gives me a root shell on ALL my Linux machines.
Robert
Since security is something programmers always need to be concerned about, maybe it's time a few kernel hackers devoted a few months to thorough vulnerability audits of at least the 2.4 and 2.6 kernels? I get the feeling everyone's been so busy adding hardware support, features, and backporting stuff to earlier stable kernels that security may have fallen to the wayside. The particular way that the kernel is developed doesn't seem to lend itself to a freeze and audit, but maybe this is something a few of the kernel gods could undertake before 2.7 is branched.
If nothing else, it would demonstrate that the Linux folk are as serious about clean, secure code as the BSD teams, and heck, it's an intrinsically Good Thing to do from time to time.
Someday, you're going to die. Get over it.
It should be noted that this is simply a new way of exploiting the same mremap bug that had been reported before. It was fixed with the 2.4.25 kernel patch.
Number one, Apache is not the only web server for that job; BIND is not the only server that does DNS; and Sendmail has a clone as well.
Note replacing Sendmail and BIND can be good security options. Some of their replacements have better checks than both of them.
sshd: yes and no. sshd comes from openssl in most cases but can be obtained in the USA in a commercial form (different source base). But it has a price tag.
You can turn off mremap if you static link everything. Note I don't recommend this; i.e. a 2G Linux install turns into around 10G, I would guess.
LOLOLL!L!L!LLL1l1ll1l1ll!Ll1l1ll1llLLLOL00lLLL!00l )L)L)L)L)L)L
That's an acceptable (and reasonable) solution when writing on the 'net, or developing user interfaces, and one I tend to forget about because of the common prevalence these days of 'shorthand' dates as the standard.
It doesn't solve the lexical sorting issue, though - you still need ISO dates for that purpose.
The people who believe the fallacy that many eyes make bugs shallow are ignorant or stupid.
;).
Coz if it actually is true you might as well throw monkeys at the problem, and add some beetles and spiders too while you're at it.
It's skill in that particular issue/area that counts.
Many user eyes can spot common user GUI problems, coz they're users and the problems are user level problems.
But they are unlikely to identify an SQL injection issue etc. They may notice something different happening but not go much further.
Imagine getting thousands of Slashdotters to check your spelling and grammar for "free" instead of a single trained editor. Wonder why that hasn't turned up in an Ask Slashdot yet
Go fix your code.
http://saveie6.com/
...and besides, Netcraft confirms it.
...that you and he have at least one thing in common?
Why is this modded as funny? It'd be funny if it happened on the Enterprise, it's not funny when it happens to 99% of computer desktops. :) damn toothache! Wonder if I can do bullet time like Max Payne...
Umm, I'm posting as AC, so while I'm at it... There was this PC cartoon strip in which the 'hero' was called 'Byteman' and was a real idiot, almost never did the right thing, misogynist, etc. So in one of the strips he and his sidekick (he has to have one! Bitboy) are beamed up to the Enterprise, and they ask them for help because the Borg have installed some software on the Enterprise computer (and the Borg logo looks like another well known logo... hmmm). Move on to the next image where someone says the usual 'The warp core is about to explode', so Picard turns to Byteman, who shrugs and says "I just installed Windows Plus".
In my defense, I'm on pain killers
When a Windoze troll bitches and you are tired of correcting them /another/ open source zealot will step in and do it for you. That's because open source is so good that even though it's not but 1% popular or whatever - the closed source trolls still can't keep up.
Here's the output I get:
[+] kernel 2.6.1 vulnerable: YES exploitable YES
MMAP #65530 0x50bfa000 - 0x50bfb000
[+] Success
Usage: ping [-LRUbdfnqrvVaA] [-c count] [-i interval] [-w deadline] [-p pattern] [-s packetsize] [-t ttl] [-I interface or address] [-M mtu discovery hint] [-S sndbuf] [ -T timestamp option ] [ -Q tos ] [hop1 ...] destination
But no root shell... :(
How can this lead to an exploit? Must have been fixed before.
" How does one go about patching his kernel, pray tell?"
PAY MONEY TO A LINUX SERVICE PERSON/COMPANY.
Open source software is a great money making opportunity.
I believe that these exploits couldn't be in the kernel *if* it was written in Ada95.
r.
err, you're talking complete shit my friend.
clearly you've never worked for any major software distributor.
get out a bit more, stop thinking linux is the God of all OS's. use BSD / Solaris / OSX - and then perhaps you might realise what a true UNIX station feels like.
1: This is a problem with OE, not Windows: OE comes standard with Windows; most people use it because Outlook proper is much heavier;
2: and it has been fixed for a long time: No, it does not fix itself. The user has to fix it, or the sysadmin if inside some enterprise. You install any Win2k from the CD, and you have a buggy mail client by default;
3: Programs can only install device drivers when privileged. Do you run your mail client as root? Normal users can't install drivers: Yes, I and all other Win95/98/ME using people around the world run our email clients as root/Administrator. Or do you think every small firm/government agency out there has the resources to migrate from 9x to NT? [Disclaimer: hummassa works at a State Representative House in Brasil] Worse, as using a lot of commercial software requires dongles and stuff, many of us running NT/2k/XP run all stuff as Administrator or PowerUser, too;
4: Also, Outlook and other Internet Explorer based programs put downloaded files, like attachments, into the current user's profile under "Temporary Internet Files". You could always deny everyone execute access in that directory to get the same effect as noexec: Why isn't it by default?
5: You can also deny users from writing and creating files by the use of ACLs for an effect like mounting read-only. If anything, the security model of WinNT is more flexible than a standard Linux system: Please, don't ACL vs. rwxrwxrwx me. [Disclaimer: hummassa is a seasoned sysadmin] With a well-thought structure of groups, rwx does exactly the same thing as ACLs, but keeps stuff more organized.
It's better to be the foot on the boot than the face on the pavement. ~~ tkx Kadin2048
FTP, POP3, and many other protocols tend to use unencrypted passwords. If any of those work as a local user... it's not too hard to sniff one. After that, you're just an upgrade to root away from the gold (one of the reasons I'm plying SCP/SFTP and secure-POP3 here)
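To make concrete how little work the "sniff one" step in the comment above really is, here is an added C example (my code, not from any poster and not a real capture tool): it scans the client half of a reassembled TCP stream for the two-command plaintext login that FTP (RFC 959) and POP3 (RFC 1939) share, `USER` followed by `PASS`. The two session transcripts are constructed sample input, not recorded traffic; the function and struct names are my own.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp */

/* Constructed sample input: the client side of an FTP and a POP3 session,
 * as it would look after TCP stream reassembly.  Not real traffic. */
static const char FTP_SESSION[] =
    "USER alice\r\n"
    "PASS hunter2\r\n"
    "PWD\r\n"
    "QUIT\r\n";

static const char POP3_SESSION[] =
    "USER bob@example.test\r\n"
    "PASS correct horse battery\r\n"
    "STAT\r\n"
    "QUIT\r\n";

struct login { char user[64]; char pass[64]; };

#define MAX_FOUND 8
struct login found[MAX_FOUND];   /* results of the last scan_stream() call */

/* Copy the argument of a "VERB arg\r\n" line into out, trimming leading
 * whitespace and the trailing CR/LF, never overrunning out. */
static void copy_arg(const char *s, size_t len, char *out, size_t outsz)
{
    while (len && isspace((unsigned char)*s)) { s++; len--; }
    while (len && (s[len - 1] == '\r' || s[len - 1] == '\n' || s[len - 1] == ' '))
        len--;
    if (len >= outsz)
        len = outsz - 1;
    memcpy(out, s, len);
    out[len] = '\0';
}

/* Walk the stream line by line.  A USER line starts a candidate; the next
 * PASS line completes it.  Returns the number of complete logins stored in
 * found[].  Both protocols send these verbs in the clear, which is the whole
 * point: no decryption step exists between the wire and this loop. */
int scan_stream(const char *stream)
{
    int n = 0, have_user = 0;
    char user[64] = "";
    const char *p = stream;

    while (*p && n < MAX_FOUND) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p + 1) : strlen(p);

        if (len > 5 && strncasecmp(p, "USER ", 5) == 0) {
            copy_arg(p + 5, len - 5, user, sizeof user);
            have_user = 1;
        } else if (len > 5 && strncasecmp(p, "PASS ", 5) == 0 && have_user) {
            memcpy(found[n].user, user, sizeof user);
            copy_arg(p + 5, len - 5, found[n].pass, sizeof found[n].pass);
            n++;
            have_user = 0;
        }
        p += len;
    }
    return n;
}

int main(void)
{
    const char *samples[] = { FTP_SESSION, POP3_SESSION };
    for (size_t i = 0; i < 2; i++) {
        int n = scan_stream(samples[i]);
        for (int k = 0; k < n; k++)
            printf("stream %zu: user=%s pass=%s\n", i, found[k].user, found[k].pass);
    }
    return 0;
}
```

The parser is deliberately protocol-agnostic: anything that sends `USER`/`PASS` in the clear is caught by the same twenty lines, which is the argument for moving to SCP/SFTP and POP3 over TLS rather than for hardening any one daemon. Note that `scan_stream()` only looks at what the client sends; a sniffer on a shared segment or a compromised gateway sees exactly this text.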