Local Root Exploit in Linux 2.4 and 2.6
Anonymous Coattails writes "Summary from the advisory: 'Locally exploitable flaws have been found in the Linux binary format loaders' uselib() functions that allow local users to gain root privileges.'"
*awaits justifications and explanations of why this is nothing like Microsoft*
Does this exploit run Linux?
Read down to the Credits on the link and you see this line:
Credits:
========
Paul Starzetz has identified the vulnerability and
performed further research. COPYING, DISTRIBUTION, AND MODIFICATION OF
INFORMATION PRESENTED HERE IS ALLOWED ONLY WITH EXPRESS PERMISSION OF
ONE OF THE AUTHORS.
Did I violate you by hitting ctrl-c and ctrl-v? Yeah, copyrights stink even in the free and open source realm. Oh yeah, I guess Polly boy has something to put on his resume now, as if someone else was going to steal his glory and get away with it.
I always thought that NAT and bastille would be enough. I never considered the risk of this sort. Worse yet, it seems that the reported exploit isn't the only locally exploitable flaw
What's an admin to do?
from the without-users-this-wouldn't-be-a-problem dept.
*Shudders*
Then, methinks: "I'll just apply a patch..."
It turns out that patches do NOT always fix the problem.
What's an admin to do?
How do people find this stuff? Amazing. Open source is astounding.
When do I get my kernel update?
I compiled the code included at the end of the advisory; this was the output on RHEL 2.4.21-20:
./test
%
[+] SLAB cleanup
child 1 VMAs 65525
child 2 VMAs 65392
[+] moved stack bfff8000, task_size=0xc0000000, map_base=0xbf800000
[+] vmalloc area 0xdf400000 - 0xfe5f2000
Wait... -
[-] FAILED: try again (Cannot allocate memory)
Killed
It's a good thing I've got the patch downloa
They've got a pretty good record. Unfortunately, kernel-level stuff is nasty -- how do you fix embedded devices?
Try not. Do or do not, there is no try.
-- Dr. Spock, stardate 2822-3.
since windows is more "single user" oriented, most local exploit flaws on windows do not get very much publicity.
For instance, shatter attacks are still a very large threat for multi-user windows systems
I'll shoot anybody who come 100 meters close to my machine*.
Now, that's security!
* May not be true
This has got me thinking. The bug can only be triggered by local users; does this include non-jailed programs like apache and postgresql? These all have non-root user accounts on most systems. Could the apache user use this exploit?
I need no exploit to gain root privileges, I just login...
The linux kernel does very little interpretation of remotely-provided data. There are occasionally remote exploits (e.g. the Ping of Death in '97 or so), but that code has now been pretty thoroughly checked at this point. Most of the code which cares at all about the validity of data is interfaces only accessible locally.
Mod parent -1 denial.
It's a straight fight so far in the Privilege Escalation match in the past year, so let's look in on our contenders:
Windows (all versions) 100
Linux 1
It looks pretty bad for Linux until you consider that this game is scored like golf, and then it's all tears and jeers in Redmond.
Back to you, Cowboyneal.
(NB. I know there have probably been other Linux kernel exploits, but this is the first in recent memory.)
su
Because Linux is a kernel, with no real knowledge or direct interaction with outside (remote) sources, while Windows is a kernel plus a GUI plus a ton of other services. Remote exploits aren't found in the Windows kernel, they're found in the application/service part of Windows, on the Linux side these buggy, infinitely exploitable services are given individual names like "sendmail" and "bind".
I don't see why not. Local roots are used for privilege escalation. If someone had access to the apache account on the machine, they could then gain root access.
"Upon attaching the waterblock to my penis, I began to notice that I know nothing about computers." -- JRockway
Because 'Linux' exploits are kernel exploits, because Linux is a kernel, as people are so fond of pointing out, which actually has very little to do with remote entities other than the well looked at TCP/IP stack. Windows on the other hand is an Operating System, which includes things other than the kernel, including system daemons/services, user interface code, web browsers, and a whole host of other things.
Long story short, while it may be shoddy, MS Windows is a LOT bigger than Linux, and thus there's more to exploit. If you look at something like Redhat, which is a distribution, you have more of a comparison, and you will find remote exploits.
Linux is just a kernel. A more accurate comparison is Linux distributions vs. Windows. Bugs are discovered all the time in application software that is bundled with many distributions. The difference, however, is that if there's a bug in a Linux app, you can uninstall/disable it until it is fixed, while many of the apps shipped with Windows can't be easily removed.
... if I forget my root password.
GETPKG - Package Management for Slackware
dude i'm not going to read all that crap. give me a freaking summary.
It's difficult to compare Windows vs. Linux, in a scientific fashion at least:
Do you include the bundled software on your average linux distro...
Kernel to kernel would be interesting.
Is there ever a time when you can consider your systems secure against an attacker with physical access?
It can be exploited by any user or process that can compile and load executables on the machine.
Alito: A vote for Alito is a punch in the eye to put that bitch back in her place!
except you know, when you have users...
It should be simple enough - if you have remote access to the machine already (i.e. you want to r00t a machine at school or whatever.) Log in, run the exploit from the shell, bingo bango bongo - you're root.
It's not like the code magically runs on your machine at home...
The only surefire protection against Microsoft infections is abstinence. - The Onion
s/fanboys/Vice Presidents/
vodka, straight up, thank you!
you mean to tell me that people have found exploits in bind and sendmail?
no way - they're perfect open source programs. model programs, so to speak.
next, you'll tell me that x is a crufty, inefficient kludge.
... hi bingo
Obviously it is local if it is exploitable from the console. But can it be exploited remotely through ssh if one already has a user account?
The unofficial
I would wager that if the world switched to Linux tomorrow then next week we would see a fairly large number of new exploits. Would it be as many as Windows... or would they be as damaging? I don't know. But I do believe that being open source would allow the said exploits to be fixed within a couple of weeks of discovery, and certainly the next kernel release would be much safer. Just my guess tho.
what?
I mean, just look at it... Windows gets exploited across their network facilities. Linux never does.
;-)
Who's smiling now, eh?!?
To Terminate, or not to Terminate, that's the question - SCSIROB
How do you fix embedded devices? Um... you mean how do you update/patch the code on the embedded device so that a local user can't escalate to root?
First of all, for many embedded devices, this isn't an issue. I mean, if you're an attacker, what are you gonna do once you get root? If the owner can't patch the OS, you probably can't install a rootkit either. Sure, you can DOS it, but if you're physically at the device, you can DOS it just by hitting the power button.
However, manufacturers of all embedded devices (not just Linux-based!) should definitely put a mechanism in place for updating the program code.
Troll or not, not posting will just end up with more vulnerable boxes.
:)
Short-term vulnerability in return for media coverage and quick patching, or long-term vulnerability while those "in the know" freely exploit.
Former, please.
I should mention that enabling ELF format is still highly recommended (after the patch for this is released of course) and unless you do special programming work in linux then enabling a.out format is not recommended.
"uselib" is a Linux-specific extension, and, as a result, has received much less real-world testing than traditional UNIX system calls. Keep in mind that the traditional UNIX system calls have received millions of man-years of real-world testing in large user communities likely to attempt both remote and local exploits. It is not surprising that Linux-specific extensions are at a much greater risk of containing serious security problems.
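As an added check that is not part of the advisory or of this thread: the point above that uselib(2) is Linux-specific also means it is optional. Current kernels build it only with CONFIG_USELIB, and the x86-64 syscall table carries the number but no implementation, so before worrying about a uselib bug on a given box it is worth asking whether the call is reachable at all. The program below (my example; the probe path and the result names are my own choices) invokes uselib on a path that cannot exist and classifies the errno: ENOSYS means there is no implementation behind the number, a path error such as ENOENT means a real implementation ran far enough to look at the argument, and EPERM is what a seccomp filter that denies the call typically returns, which the code reports on its own rather than treating as evidence either way.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Outcome classes for probe_uselib(). Names are this example's, not the kernel's. */
enum uselib_state {
    USELIB_NO_NUMBER = 0,   /* libc headers define no SYS_uselib for this architecture */
    USELIB_NOT_IMPLEMENTED, /* kernel answered ENOSYS: number exists, entry point is a stub */
    USELIB_BLOCKED,         /* kernel answered EPERM: most likely a seccomp/LSM denial */
    USELIB_REACHABLE        /* kernel got far enough to evaluate the path argument */
};

/* Deliberately impossible path (constructed for this probe): a real uselib()
 * implementation fails with ENOENT on it before doing anything else, while a
 * stub entry point returns ENOSYS without ever looking at the argument. */
static const char *const kProbePath = "/nonexistent-uselib-probe/libprobe.so";

/* Issue the raw syscall and classify the result. saved_errno may be NULL. */
enum uselib_state probe_uselib(int *saved_errno)
{
#ifdef SYS_uselib
    errno = 0;
    long rc = syscall(SYS_uselib, kProbePath);
    if (saved_errno)
        *saved_errno = errno;
    if (rc == 0)                 /* cannot happen for a nonexistent path, but be explicit */
        return USELIB_REACHABLE;
    if (errno == ENOSYS)
        return USELIB_NOT_IMPLEMENTED;
    if (errno == EPERM)
        return USELIB_BLOCKED;
    return USELIB_REACHABLE;     /* ENOENT or another path error: the call is live */
#else
    if (saved_errno)
        *saved_errno = 0;
    return USELIB_NO_NUMBER;
#endif
}

/* Human-readable label for a probe result. */
const char *uselib_state_name(enum uselib_state s)
{
    switch (s) {
    case USELIB_NO_NUMBER:       return "no syscall number on this architecture";
    case USELIB_NOT_IMPLEMENTED: return "number present but not implemented (ENOSYS)";
    case USELIB_BLOCKED:         return "denied by a filter (EPERM), cannot tell";
    case USELIB_REACHABLE:       return "reachable: kernel evaluated the path";
    }
    return "unknown";
}

int main(void)
{
    int err = 0;
    enum uselib_state s = probe_uselib(&err);
    printf("uselib(2): %s (errno=%d)\n", uselib_state_name(s), err);
    return 0;
}
```

Run it as an unprivileged user; the probe needs no special rights. A result of "reachable" on a 32-bit x86 kernel is the case the advisory is about; "not implemented" is what an unpatched x86-64 kernel reports regardless of the bug, because the 64-bit table never wired uselib up.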
COPYING, DISTRIBUTION, AND MODIFICATION OF
INFORMATION PRESENTED HERE IS ALLOWED ONLY WITH EXPRESS PERMISSION OF
ONE OF THE AUTHORS.
Is it just me, or is this mind-bogglingly stupid? A security advisory which can't be redistributed freely? Imagine if the same approach was taken to important warnings in the real world -- "There's a tsunami heading towards you... but you're not allowed to redistribute this warning to all the people around you without my permission."
Security advisories should be in the public domain.
Tarsnap: Online backups for the truly paranoid
Right, let's compare the flaw in a single kernel versus the ENTIRE OPERATING SYSTEM of Windows, GUI, shell, and associated apps like Internet Explorer as well as user-ran executable attachments in Outlook, which have nothing to do with Microsoft.
What happened to all the "Linux is just the kernel" stuff? Oh, that's right, we were bashing Microsoft.
Besides, if you mean "past year" as 2005, then this means Linux is first out of the gate.
Incidentally, the finding of exploits in bind and sendmail has really slowed to a crawl.
It seems that, even though they were written in different times and without security as the first concern, a sufficiently large number of bug fixes will eventually result in code that is almost as secure.
If we look at a standard office, the servers are normally under lock and key. If we look at a machine in your house, you probably lock your doors when you're not at home.
All in all, this is not even close to the problem MS has with their exploits.
I'm not a doctor, but I play one in bed.
I thought that the reason the bind and sendmail bugs have dropped is because any sane sysadmin had stopped using them.
... hi bingo
The parent was modded as funny, but I have always wondered about a trojan that exploited sudo, possibly through a too-permissive NOPASSWD rule, or something that exploits the window where sudo doesn't prompt for a password.
(S(SKK)(SKK))(S(SKK)(SKK))
Strong passwords won't help against the disgruntled-employee-h4x0r who knows one of the strong passwords, nor against the insecure getpwpit() function.
Don't you think it's more convenient for you to be able to hack multiple machines over LAN? Another reason to choose Windows over Linux.
It doesn't work on my Gentoo box running 2.6.9 so I'm safe. This machine will not be hacked.
It's a good thing I have telnet running on that box so that I could try it remotely though.
IP Therefore I am.
./test
child 1 VMAs 0
[+] moved stack bfffe000, task_size=0xc0000000, map_base=0xbf800000
[+] vmalloc area 0xdf800000 - 0xfee67000
Segmentation fault
Same compile errors, tried with gcc-2.95 gcc-3.3.5 gcc-3.4.
For purposes of this comparison, do you include IE as part of the Windows kernel?
This isn't just a slam at Microsoft's statements in the antitrust trial - there are architectural reasons to consider it part of the kernel. (Of course, those architectural changes seem to have been made solely in order to be able to make those statements at the trial, they seem insane from any reasonable perspective...)
How did this get modded flamebait....I just wanted to see the numbers.
CS: It is all sink or swim...oh and did I mention there are sharks in that water?
The idea that 'Once Linux gains enough momentum and is deployed on a meaningful percentage of business users desktops, hackers will deem it worthwhile to devote time to exploit it', while having some merit, is far too simplistic. Sure more "hackers" might attack Linux if it had more market share, but that doesn't mean that more exploits would be found, especially if the system is inherently more secure.
In addition, just because Windows is the most wide spread OS and likely to receive the most attention, does not excuse MS from its poor programming and implementation.
I am not sure, it would be interesting to see a full comparison between the two. Just lay out the numbers without people getting all up in arms about it.
CS: It is all sink or swim...oh and did I mention there are sharks in that water?
"Why is it nearly every Linux flaw is locally exploitable, whereas nearly every Windows flaw is remotely exploitable?"
That would be Microsoft's superior networking ability, along with it's user (or abuser) friendly interfaces!
This really does work!
1) Login with your userid
2) type 'su' at the command prompt
3) fill in root's password
4) ???
5) proceed to screw up your flaky linux install
You are pretty much right... if no one uses something, it's probably pretty secure :)
I don't know of anyone who uses either anymore.
Was Linux ever even meant to be secure locally? You can stick it in single user mode, or just nick the hard drive. Meanwhile IE is counting its 80th root exploit...
This comment does not represent the views or opinions of the user.
Local means "has an account on the machine". It does not mean "physically at the computer". This can be exploited remotely by anyone with a login account on the machine who can login via ssh or telnet. If you're running, say, a university's Linux server, this is a major problem, as now all your students and professors have root.
10 PRINT CHR$(205.5+RND(1)); : GOTO 10
Why is it nearly every Linux flaw is locally exploitable, whereas nearly every Windows flaw is remotely exploitable?
This is because there are so many holes in Windows command line it would be impossible to find them all. This is not a joke, if you can get any kind of executable access on Windows you can get admin.
Isec.pl has done a lot for the open source world, they've found lots of vulnerabilities (which is good - vulnerabilities ARE like any other bug):
Take a look at the impressive curriculum of those guys:
d_path() truncating excessive long path name vulnerability
Linux kernel do_brk() lacks argument bound checking
Linux kernel do_mremap() local privilege escalation vulnerability
Linux kernel do_mremap VMA limit local privilege escalation vulnerability
Linux kernel setsockopt MCAST_MSFILTER integer overflow
Linux kernel file offset pointer races
Linux ELF loader vulnerabilities
Linux kernel IGMP vulnerabilities
Linux kernel scm_send local DoS
Linux kernel uselib() privilege elevation
Guess what, they're also the guys who discovered the Mozilla hole disclosed today: Heap overflow in Mozilla Browser NNTP code
Those guys are impressive. In particular, Paul Starzetz is the author of most of those kernel holes, along with a guy called Wojciech. They always contact the kernel maintainers before disclosing the vulnerability, etc. Basically, they're having the same effect as a security audit. Except that they're doing it for free, so they deserve respect, I think. And yes, Linux is having too many kernel-level vulnerabilities. More than XP if I'm counting them right. Perhaps someone should offer a job to those guys so they can audit parts of the kernel better.
(And I can understand that copyright policy - there're people who probably look at those announcements, ctrl+c and ctrl+v and they release their own announcement twisting dates claiming that they're the guys who found it first)
I remember recently reading that commercial software generally has several bugs (usually minor, not necessarily security holes) per 100 lines of code (a line being terminated with ;). I also recall reading a long time ago in PC World that Win 2K was about 16 million lines of code. XP being more or less a facelift to 2K, we can assume there are maybe 18-21 million lines of code. Based on 18 mil. and a very generous 2 bugs per 100 lines, in theory, Windows has approximately 360 000 bugs and holes of varying severity. Good job M$!!!
It's funny how all the 0.x versions of open source software I am running never seem to crash and burn like Windows (and commercial Windows software... 3rd party developers make buggy software too).
STFU! You should be posting these kinda things AC, like me!
This is exploitable by anyone with a local account on the machine, which includes those who can login over ssh. This affects literally thousands of servers. Now everyone with access to your Beowulf cluster has root on your Beowulf cluster. Every student that can login and use pine to read their email on your university's Linux email server now has root on the email server. Etc.
10 PRINT CHR$(205.5+RND(1)); : GOTO 10
why did they release exploit code before a fixed kernel was released and mirrored throughout kernel.org? and on a friday afternoon?
i'm not too impressed with the timing of this announcement, and i have to wonder what their motives were. it doesn't hurt their cause that slashdot is advertising for them.
please, people. there's no reason that a situation like this should ever happen.
2^5
It's not a bug... it's a feature.
Still, if you want to be fair, the most flawed application in Windows is by far Internet Explorer. Which I cannot UNinstall, and which is a full part of Windows. I can choose not to use it, but it remains in my system.
If any major Linux application had so many exploits, well I'd just remove it and use another one, end of story.
Guess this will take some time to fix.
And when some third-party developers write buggy code, they really write buggy code. Remember "Return to the Pool of Radiance: Ruins of Myth Drannor"? Now that was a buggy game!
Zagreus sits inside your head, Zagreus lives among the dead, Zagreus sees you in your bed and eats you in your sleep.
Probably now because unix software collectively has been around a lot longer than Windows and most of the exploits which were there originally have been fixed. Linux is a relatively new unix variant but it still benefits from the experience gained in older variants.
When windows NT is 20 years old it will be much less buggy
http://michaelsmith.id.au
These are exploits in the most basic portions, against which a sysadmin can do nothing other than keep on patching things. It's not like you could have tuned this system to make it very secure; no, no matter how carefully you (or your distributor) set it up, bang, a local exploit seems to be found every month or two.
I'm seriously considering going back to BSD (maybe Debian GNU/NetBSD?), which seems to have a much much much better security track.
It's the sysadmins of University email and webservers across the country going apeshit as suddenly the entire student body potentially has root...
10 PRINT CHR$(205.5+RND(1)); : GOTO 10
and anyone who disagrees will get modbombed by trolls.
That's not true. I still pretend that Linux and Mozilla are perfect and that windows is the only operating system with security flaws, and my post that states something to that effect is currently moderated troll...
It is important to know about, in my opinion. But that's just so we know we need to patch our kernels. Simply the fact that a root exploit has been found does not mean we should go about reposting the same types of stuff that has been posted endlessly before in similar articles on slashdot.
I prefer Linux because it's free. It's also pretty stable and secure, which is nice. But I just like Linux for what it is. I fear we are getting sidetracked in the "my OS has fewer exploits than yours, nanananaaaaa" childish type of fights.
I look forward to the updated kernel which will fix this issue for my distribution. Until then, I'm going to do some much needed maintenance on my box and barricade my room so no one but me can get in.... just kidding.
Sadly, no. You might be right that admins knowing what they're doing are not using them, but admins who don't know what they're doing are.
Most people in North America use RedHat products, and for whatever reason they default to bind+sendmail. Few of these people change off these defaults, so a lot of people are installing and running bind and sendmail.
Seems crazy to me, but RH must have a reason. And I hope it isn't just politics...
raw diffs for those brave souls who want them
Time flies like an arrow, fruit flies like a banana.
ahhh, flamed by an anonymous coward. I was referring to the fact that it is incredibly easy for others to point fingers at the poor programming and implementation that you mention occurring over in Redmond. Last time I checked they recruit some of the brightest minds in the world (heck, I didn't make it past lunch in my interview ;) and spend more on research and development than any other company in the world. I believe that their intentions are coming from the right place, however in practice they have issues (much like communism) since their ultimate goal is to appease shareholders by making money. Sacrifices (it seems) are made to get product out the door.
The sheer infrastructure and process needed to build, deploy, and distribute, not to mention maintain software (specifically operating systems) would bring the Linux world to its knees in about a month should every MS product in the world disappear. Bet on it.
I am by no means a large MS fan, however I find the holier-than-thou attitude adopted by a large number of the Linux crowd hysterical.
This of course, is just my humble opinion.
-R
...though a bit big. www.openbsd.org
What news is this? There have been local exploits in the Linux kernel before, and there will be again. This is less news than the Debian break-in a while back; that was worth mentioning because a major Linux installation was compromised with an unknown kernel vulnerability. But come on! The last few 2.4 kernels (IIRC) have included patches to fix local root exploits. Marcelo didn't even rush those out the door. This exploit certainly doesn't seem especially unusual, nor was there an exploit in the wild.
Newsflash kids! Linux isn't perfect! Certainly not Linux specific API extensions like uselib. Move along, this isn't the kernel vulnerability you are looking for.
See, I run FreeBSD because it feels like a more cohesive system than any other linux distribution i've used (Debian, Redhat, Fedora Core, Slackware, SuSE, Gentoo...which comes the closest..., Ubuntu, Mandrake), and it's a more responsive desktop than any linux distribution i've used as well. The whole...mature code with very few exploits...that's just an added bonus. It also feels the least kludgy on my opteron box. But, you know, don't tell anyone that. FreeBSD isn't supposed to run on modern hardware. So, we'll just keep that our little secret.
Why is using MS update any different than downloading this new linux fix?
First and foremost, the terms to which you must agree before you download and install. The MS downloads and patches often come with "interesting" end-user license agreements. Meanwhile, with the Linux kernel download, you can do whatever you like, including (*gasp*) fix it yourself, if you have the ability.
Secondly, when you use Microsoft update, you don't know what is getting installed. With many things, like XP service pack 2, you get a lot of cruft that is useless.
As far as popularity being the #1 indicator for available exploits: if that were true, Apache would be the most-exploited web server, since it has 65%+ of the market. Unfortunately, that's not true. IIS has many more published exploits, in spite of the fact that the code for Apache is available for inspection by the black-hats.
There *is* such a thing as "being more secure." Yes, we can't be perfect. (In fact, I don't believe there is such a thing as perfection.) But that doesn't mean that one OS can't be objectively better than another.
Microsoft is to software what Budweiser is to beer.
"A toy operating system, for the price of a real one!" (Shatner did some commercials for the Commodore VIC-20 where his line was "A real computer, for the price of a toy." Of course, the VIC-20 was pretty close to a toy, with its 22-column display and 5k RAM.)
This seems to be a common theme in the last few months, and the meta-mod system is failing in this regard. I have seen a LOT of posts that fail the rabid Linux fanboy test instantly get modded flamebait. Its sad to see since there are a lot of thoughtful ideas that never see the light of day once they get the curse of flamebait. Its harder to get rid of than gum on your shoe since lots of moderators seem to think that once they see the first flamebait label hit a post they need pay no further attention to it.
All that this needs is to be combined with a vulnerability that grants remote access to a machine and you have a serious problem (provided that the remote access allows them to exploit this).
All flaws need to be fixed. Even ones you don't think are very important because they could be exploited together.
It doesn't matter how many holes Windows has compared to Linux. The exploits are usually scripted and tied to a port scanner. If you're vulnerable, you will be cracked.
That's why multiple levels of security are a Good Thing (tm). Defense in depth is the only way to go.
So you live in Ballmer's fantasy land when posting? If so, then you'll have to admit that the GPL is viral and encourages Communism and software piracy. YEAH!
I am running 2.6.10 and I just get a segfault when running this. Anyone else get it to work?
This is simply a bad design decision. Running everything (including GUI and other things where this is totally unnecessary) as root/Admin is not a good design. Running as few things as possible with maximum rights (and everything with minimum rights necessary) is the best design from the security point of view.
Linux is not Windows
$ # CHAOS-class TXT query for version.bind against each root server; tail -1 keeps the answer line
$ for l in a b c d e f g h i j k l m; do
> printf "${l}: "; host -c chaos -t txt version.bind ${l}.root-servers.net | tail -1
> done
a: VERSION.BIND text "VGRS2"
b: VERSION.BIND text "8.4.1-REL"
c: VERSION.BIND text "8.4.2"
d: VERSION.BIND text "8.4.4"
e: version.bind text "9.2.3"
f: version.bind text "9.3.0"
g: Host version.bind not found: 2(SERVFAIL)
h: version.bind text "NSD 1.2.3"
i: version.bind text "contact info@netnod.se"
j: VERSION.BIND text "VGRS2"
k: version.bind text "NSD 1.2.4"
l: VERSION.BIND text "named-8.4.1"
m: VERSION.BIND text "8.4.5-REL"
Looks like about half of them are running BIND.
P.S. I run BIND and sendmail on a server at the office, and BIND and postfix on a server at home.
Only if the apache account had gcc rwx access, which it should not have.
Welcome to humor. It might take a day or two for you to become sufficiently acclimated.
Yep, a security flaw allowing unauthorized root access is undeniably embarrassing. It also seems that us Linux zealots suddenly have a life this weekend and aren't able to submit too many biased excuses for this /. news item. Oh wait, maybe our Firefox browser got hacked and we're just downloading/installing patches. A lot of bad Open Source news for an otherwise good weekend. Oh well, no OS is perfect.
So how does a university or comparable large organization with hundreds or thousands of users with shell access deal with a situation like this?
There is no patch for this yet right?
Thank God I run Firefox!
I'm running Gentoo.. Where can I get the ebuilds for this?
=)
I don't know what sigma level Microsoft is at, but with 2 defects per 100 is 360000 per 1,000,000 lines of code. That puts them at a sigma level between 3 and 4. The majority of software makers are below that. Yet if MS were six-sigma (they sell software that tracks it) they would have only 61 defects for those 18 million lines of code. NASA isn't six-sigma, as there are only a few companies in the world that can achieve that kind of quality. It's like purifying gold: it gets exponentially tougher and tougher the purer you try to achieve.
Windows has approximately 360 000 bugs
Well, based off of what you say, software is never improved nor fixed. Generally I'd say mature and tested software will have significantly FEWER bugs than what you say. Note that a lot of crap qualifies as being a part of Windows 2000: notepad, telnet, and a slew of other stuff no one knows what to do with. Some of this stuff has been dragged along since NT4 or earlier, so I would say that the core Windows OS has much fewer than 360,000 bugs, even if you do count the garbage with it. I'm also wondering if those bugs cover logic errors where all code is correct, but there are still problems between layers and modules. God knows Windows' complexity breeds enough of that...
if a virus writer wrote a virus, obviously, that used this exploit to raise its permissions to root
How can we continue to believe in a just universe and freedom to eat crackers if we have no ale?
Atmel, amongst others, produce encrypted RAM. If you don't have the key, you can't read the memory. That's pretty secure, if you ask me.
Any OS with B1 (or better) security has comprehensive mandatory access controls, so that if you DO find an exploit somewhere, it is still not possible to access other parts of the system. (B-class and A-class OS' do not "need" a system admin account, since you can define specialised pseudo users that can do exactly what is needed for a given task and no more.)
Then, there are systems like OpenBSD which have been audited to hell and back. OpenBSD has had one provably-usable exploit in living memory.
Then, you've various security software that's out there. eg: Using OTPs w/ S/Key or OPIE for passwords, enforcement of strong passwords, IPSec w/ strong host authentication on all network connections, etc.
In theory, there is nothing to prevent someone from combining all of these elements to produce a hardened OS that is impervious to both physical and logical attacks, both locally and remotely.
In practice, nobody would spend the time and/or money on that level of security for normal use. Ok, the NSA might, but that's not strictly "normal use". It's also unlikely they'd make such an OS readily available. (They've done wonders with SE-Linux, and the declassifying of Skipjack and SHA has made a world of difference in cryptography, but that's not quite the same as Open Sourcing a bullet-proof system.)
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
This means only that it must be used in conjunction with a process that is exploitable. Let's say, for example, apache was running and there was an exploit available to it. Well, most people would say "oh well.... can't trash the whole machine, the apache user doesn't have the rights." Well once apache is compromised, they can likely find a way to inject the local exploit code for the apache user to run. Once that's accomplished, apache user becomes root user. From there, the machine is 0wned to borrow a word.
Yes it's serious but I expect a fix shortly...
Wow, I'm quite amazed at the amount of people who post here that don't know what is meant by a "local" exploit.
But I guess the good news is for every post that doesn't get it there are 4-5 people correcting them.
If you look at something like Redhat, which is a distribution, you have more of a comparison, and you will find remote exploits.
This comparison is not very fair. Linux distributions are much more modular and a lot of alternatives for critical software like MTAs are available.
If you use Windows you are stuck with a lot of stuff you can't dispose of. Good, solid, exploit-proof stuff like mshtml engine and various RPC-based services.
Who's the moron who modded this up as Informative? Guys, the OP was kidding.
You are just giving support to all the linux zealots out there. So what you are saying is that its worse to have a kernel exploit, than to have an os which can be crashed and seriously exploited from userland programs? I don't think so, linux tends to be pretty good at prevent user space programs from accessing or exploiting the kernel and thus crashing the system, windows has serious problems with this... like why are the web browser and user interface directly tied into the kernel.
-kaplanfx
Visualize Whirled Peas
Is there a similar test for this vulnerability for 2.6 and gcc v3.4.* out there yet?
child 1 VMAs 0
[+] moved stack bfffc000, task_size=0xc0000000, map_base=0xbf800000
[+] vmalloc area 0xdf800000 - 0xfedc9000
Segmentation fault
May I recommend that you do not run this code if you cannot understand what it is doing.
For all we know, this is a social engineering trick to spread some malicious code. Let's wait until some official folks eg. CERT, or your vendor/distribution responds. Do the people who released this code have some credibility that can be verified independently?
ato
Grsecurity and PaX report vulnerabilities
2.4.29rc1 (http://www.kernel.org/pub/linux/kernel/v2.4/testing/patch-2.4.29-rc1.bz2) and 2.6.10-ac6 (http://www.kernel.org/pub/linux/kernel/people/alan/linux-2.6/2.6.10/patch-2.6.10-ac6.bz2) fixed this exploit.
Never learn by your mistakes, if you do you may never dare to try again
I just wrote them down in this comment on the thread above... http://linux.slashdot.org/comments.pl?sid=135324&threshold=0&commentsort=0&tid=172&tid=106&mode=thread&pid=11291472#11291873
XP has had much less holes in the kernel. Most of the Windows holes are in the system services or in the apps - not in the kernel.
Shatter attack
It's a problem with Win32 messaging if windows aren't secured properly. It's possible for a process to send windows messages (the ones inherited from Windows 1.0) to another process, regardless of what account the processes are running as. There are a few messages (WM_TIMER esp.) that, as a parameter, take an address for the owning thread to jump to. You can also fill the contents of a text box with a message.
Process A is a privileged service running as SYSTEM. Process B is a malicious program running as a restricted user.
A creates a window on the interactive desktop (a big no-no) with a textbox in it.
B fills the textbox with exploit code with a message and then sends a WM_TIMER or similar to A with the exploit's address. A is now executing the exploit code.
First, there are ways to divide the window handle space into separate parts, each securable with desktop and window station objects. Both of these are kernel object types with ACLs: you can't send a message to a window unless you have access to the containing desktop.
Also, the JOB_OBJECT_UILIMIT_HANDLES flag for Job objects will prevent messages from leaving the job.
MS guidelines have specifically forbidden windows from a privileged process from appearing on the interactive desktop, since NT 3.51, for this reason. This doesn't stop many third-party app developers from creating insecure apps (virus scanners esp.) that do just that.
Winlogon's windows (press ctrl+alt+delete) are safe because they are on a separate desktop that normal users can't send messages to.
What is this? A troll fight I'm presuming. Have either of you ever examined MS source code?
Caesar si viveret, ad remum dareris.
I'd really like to know what's being done about this pitiful trend of Linux security, where it's 10x as easy to find a vulnerability in the kernel as it is in any app on the system, where isec releases at least one critical vulnerability for each kernel version.
And given his description of how he found these problems, plus his frustration about getting Linus and akpm to reply, his tone is even somewhat understandable.
There isn't even an architectural reason to consider the Win32 subsystem as part of the NT kernel. The layered model of Windows NT means that almost nothing that is directly manipulable is in the kernel.
Get. A. Clue.
"What's the frequency Kenneth?"
I am unpatched ( at the moment ), but ultimately protected.
Why? My system has many different partitions, most of which have the no-exec flag set on mount. So, unless you are able to log in as someone other than yourself, AND that other account has some area to run executables, my system is safe. Not that I'm not going to patch it anyway.
Mod me down with all of your hatred and your journey towards the dark side will be complete!
Windows is a distribution, an operating system IS a kernel.
Semantics aside however, you're right, comparing apples to apples gives a better comparison.
The minimal windows install versus a minimal redhat install is a better comparison and there aren't many linux distros in which you'll ever find remote exploits in the core minimal install.
It's still not perfect though, pretty well everything can be stripped from a linux box to harden it. A windows box cannot be hardened since most remote exploits are in core services and you can't remove or replace them in windows (the most famous example being IE).
What cracks me up is that 2K/XP are touted as being an excellent step toward security and yet it's NT based systems which suffer from the most severe viruses and exploits.
If you are paranoid, go with OpenBSD. Those guys rarely have exploits. If you're not paranoid, go with FreeBSD, linux, or whatever. Humans' coding can result in bugs/exploits. Since humans code all operating systems, there are going to be bugs/exploits. If you are paranoid, but don't want to go out of your way to be it, use FreeBSD or Linux, and remember to recompile your kernel (30 minutes maybe?) whenever there's a bug you're worried about.
BA
Shatner attacks are scary indeed.
One line blog. I hear that they're called Twitters now.
And my post is trolling how?
Yes I've looked over MS code and no I didn't find anything good or bad about it - mainly because I don't care.
Right - "part of the OS" is not the same as "part of the kernel".
My bad...
Shatter attack
It's a problem with Win32 messaging if windows aren't secured properly. It's possible for a process to send windows messages (the ones inherited from Windows 1.0) to another process, regardless of what account the processes are running as. There are a few messages (WM_TIMER esp.) that, as a parameter, take an address for the owning thread to jump to.
I thought MS issued a hotfix for this a couple of years ago, around about the time XP SP1 was released, I thought.
You can also fill the contents of a text box with a message.
Process A is a privileged service running as SYSTEM. Process B is a malicious program running as a restricted user.
A creates a window on the interactive desktop (a big no-no) with a textbox in it.
You're right that that _is_ a big no-no. MS's documentation has always told people not to do that. When installing services you have to specifically instruct the system to allow them to interact with the desktop; by default they do not have permission to do so. The API documentation states "Services running in an elevated security context, such as the LocalSystem account, should not create a window on the interactive desktop, because any other application that is running on the interactive desktop can interact with this window," and (IIRC) did so clearly even before this exploit was made public.
So why, when security flaws are caused by applications doing something that the Windows API documentation specifically instructs them not to do, is this considered a flaw in Windows?
While I can't justify the difference, I'll tell you that there is one if we don't see any regularly recurring network-borne auto-root that's so bad it threatens the top level domain servers. It's not like someone cracked kernel.org and owned it for three months injecting whatever they pleased into the codebase. One good explanation of the difference is that Marketing dorks who do little more than buy others' code can't maintain it properly.
Friends don't help friends install M$ junk.
This would be false. It's not the gui front end most people recognize as IE that is the problem. It's the renderer and trust model behind it.
The same flawed engine is used to display your folders (turn on the location bar and type in a url, see what happens), your desktop, and your email in Outlook express and even most 3rd party apps. If you use AOL, it uses IE to render web pages. When you view a help file, guess what it's IE. It is impossible to avoid IE on a windows system.
By choosing a browser which uses its own renderer and an email application that does the same, you ARE at least reducing the opportunity for 3rd party sources to access the renderer and it helps a great deal. The problem you're left with then is that apps like firefox are still dependent on IE's trust model (the entire trust model of the OS is built around it) when running on windows. This is why almost every major "exploit in firefox" only affects firefox on windows.
There are plenty of other broken pieces in windows, but I've tried to stick to examples of why simply not using IE still leaves you vulnerable on windows.
On windows your best bet is to run as an unpriv'd user as much as the OS allows, use 3rd party email and browser apps (that use a different renderer). And don't forget to stick it behind a firewall that isn't running windows or better just keep it off the network. Also never put a disk in a windows box that came from outside your network unless it is from a known publisher and you've scanned it for viruses on a disconnected machine. Aside from that, you really just have to pray.
None of that is saying any particular other OS is secure, that's another matter entirely. I'm just saying that clearly windows is NOT and you CANNOT remove the components needed to lock it down.
It's not like BSD is immune from kernel exploits.
I use both linux and BSD. They both have problems from time to time....kernel-level problems. Admittedly, user-space programs are easier to fix, but there's problems everywhere. I also kind of laugh when I go to netcraft and see a FreeBSD box with a gazillion-day uptime. It would probably be pretty damn easy to root one of those boxes.
no time to RTFA, still at work. Can someone give me a technical summary of how this works. Just interested. Plus, you guys usually offer more useful/terse/comedic info than the bulletins.
rootexploit.c: In function `check_vma_flags':
rootexploit.c:530: warning: deprecated use of label at end of compound statement
What does this mean?
there is nothing in
www.TECHNETIUM.net.au
And my post is trolling how?
The lack of any actual facts, merely lots of conjecture, by both/all of you.
I can't find an analogous note in the 2.6 changelogs.
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
You need clever people to find an exploit on FreeBSD.
You just need a kid to crash your Linux box several times in several different ways.
A lot of the companies involved in space hardware do really cool stuff. (No pun intended.)
Change the location of _elf_lib to /tmp instead. That'll work.
I'm glad I upgraded to Fedora Core 3, and left SELinux running, despite the problems with MySQL. Even if you can get a root account, if you don't have the right roles, you are still locked in a tiny little box without a key.
The radical sect of Islam would either see you dead or "reverted" to Islam.
"NASA isn't six-sigma as there are only a few companies in the world that can achieve that kind of quality."
So which companies are six-sigma and what do they produce? IMHO any software "quality" standard that certifies companies rather than products is inherently flawed.
Of course the exploit sample code specifically says only tested on 2.4...
[joshuaa@nemo joshuaa]$ uname -a
Linux nemo 2.6.9 #1 SMP Tue Nov 30 15:21:17 PST 2004 i686 Intel(R) Xeon(TM) CPU 2.66GHz GenuineIntel GNU/Linux
[joshuaa@nemo joshuaa]$ gcc -v
Reading specs from /usr/lib/gcc-lib/i686-pc-linux-gnu/3.3.4/specs
Configured with: [abbreviated]
Thread model: posix
gcc version 3.3.4 20040623 (Gentoo Linux 3.3.4-r1, ssp-3.3.2-2, pie-8.7.6)
[joshuaa@nemo joshuaa]$ make test
gcc test.c -o test
test.c: In function `check_vma_flags':
test.c:545: warning: deprecated use of label at end of compound statement
[joshuaa@nemo joshuaa]$ ./test
child 1 VMAs 0
[+] moved stack bfffd000, task_size=0xc0000000, map_base=0xbf800000
[+] vmalloc area 0xb5c00000 - 0xffffd000
[-] FAILED: open lib (/dev/shm/_elf_lib not writable?) (Permission denied)
Killed
Only 3.5 million? Don't they have tens of billions in the bank? They should donate maybe half a billion.
"It is not how things are in the world that is mystical, but that it exists." -Ludwig Wittgenstein
I got it to compile and run on Debian Sarge with gcc version 3.3.5, kernel 2.4.25-1-386, and it says it succeeded, but I'm still my normal UID, just drops me into a bourne shell:
This is not a hole! This is wheel... if user is in wheel, of course he can access root... ppl don't put ppl on wheel for no reason... that is stupid... Paul Starzetz wants a lot of attention... wtf... a hole? That is stupid.
errm...
:D )
SElinux?
(don't even get started on the easiness of setting policies for selinux, you get offtopic: post the link of a MS equivalent else you lose the argument)
---- MISSING MISCELLANEOUS DATA SEGMENT --- [sigdash] trolololol
Second, it'll probably be patched rather quickly.
There is a preliminary patch in testing for the 2.4 series.
Look here.
The file is patch-2.4.29-rc1.bz2
Note that it's in TESTING, because it probably needs testing yet. But if you're desperate to patch it up quickly at your own risk, then there you go.
Something similar to the parent's reply, I didn't become root, but after about the 20th time of running it it crashed the machine, there goes 60 days of uptime.....
I've got a hardened gcc compiler on my main server, so I compiled on an unpatched machine (stock RedHat 9) and moved it over. Although the RedHat 9 exploit worked fine, my production machine was completely unaffected.
The solution? Grsecurity. Besides the fact that compiler access is restricted (can't compile exploits), and normal users cannot write anywhere executables are allowed to run (can't copy exploits from other machines), the address-based overflow protection and other protections work like a charm. I'll still apply the appropriate patches to my source tree, but it's nice not to need to do it _now_.
I'm also kinda curious ... if I have a root terminal open on my desktop, can a malicious program running as me do something similar?
If not, then it's a security deficiency in the Windows API for allowing it. If this can be done on X too, then it's a security deficiency in both.
You don't get security points by leaving a door unlocked and a note on it saying, "Please use other door."
A local user could convert this into a remote exploit if they have the ability to make cgi's on the system's webserver.
File under 'M' for 'Manic ranting'
Segfaulted in sys_mmap2 when I tried it on a couple machines. For what it's worth.
TANSTAAFI: There Ain't No Such Thing As A Free iPod.
And since when is conjecture trolling? Unless using terms such as "Generally I'd say" and "I'm wondering" allude to "These are absolute facts". These statements are simply my opinion that the parent is probably not accurate based on my perceptions. Maybe windows has 360000 bugs, maybe 10 billion more - I highly doubt it and I doubt there are any facts to prove or disprove it either.
Reasonable- as long as they choose a very strong password and you have MAC filtering in your SSH to prevent other computers from logging in.
ssh postgres@target
Access denied for MAC 12:34:56:78:90:ab
>ip link set eth0 address ba:09:87:65:43:21
>ssh postgres@target
Access allowed for MAC ba:09:87:65:43:21
Password> *********
Ta Da!
I support the Center for Consumer Freedom
You failed to notice reference to two separate articles I had read in the past. I used the example of Microsoft Windows simply to demonstrate the amount of bugs that are possible in large scale projects.
I too doubt that Windows has 360 000+ bugs (I have no information to prove or disprove this). But even if Windows had 1/4 of the 2 bugs per 100 lines of code it would still be a significant amount. The point being that any large scale programming project will have more bugs than could possibly be patched (or even discovered) before the software is retired.
That explains all the dupe stories on slashdot...
Coder's Stone: The programming language quick ref for iPad
Actually copyrighting the exploit is kinda cool. Say you are an admin, and some kid gets fresh and tries this out. "Hey kid, not only am I nailing you to the wall for this, but I am turning you over to the guy who "owns" it and you get to pay him a nice fine." No, I think it is pretty hilarious that the code is copyrighted.
Sera
Slashdot, where armchair scientists get shouted down and armchair theologians get modded up.
Fair enough, point taken. =)
I'm still not sure if I buy the 2 lines per 100 though. Because after you reach a certain point of complexity, it's hard to say if application 'x' has a function that calls 3-4 routines deep if they all do "what they're supposed to" and there was faulty logic in the model of the program itself. So I'd say it's hard to base bugs off of a raw code count. But then again I don't know because really understanding a million lines of code is pretty far over my head.
rebel-base:~$ ./elflbl
child 1 VMAs 0
[+] moved stack bfffe000, task_size=0xc0000000, map_base=0xbf800000
[+] vmalloc area 0xff400000 - 0xffffd000
[-] FAILED: try again (Cannot allocate memory)
In the end I did a quick script and kept it running for 10 minutes. Always FAILED.
TWW
"Encyclopedia" is to "Wikipedia" what "Library" is to "Some people at a bus stop"
Of course, the VIC-20 was pretty close to a toy, with its 22-column display and 5k RAM.
Not at that time. Granted I started (well, got more serious) with a C=64, but I did play around with a VIC-20. All I had before that was an Atari 2600 (and played with a Sinclair and a luggable Compaq in there somewhere, I forget the exact time line). The VIC was superior to anything that was remotely available (read == affordable) at that time.
I'm not a prophet or a stone-age man,
I'm just a mortal with potential of a super man.
That's the IE way, not nice
That's why I've been sticking with 2.0.36 all these years. I haven't seen a security advisory for it in ages.
Of course they don't. But they should do it anyway.
I've never bought into this Marketing argument. MS's marketing has about as much dazzle as Bill Gates' personality.
On the other hand, look at Apple. Jobs is charismatic and a master media manipulator.
If marketing was the key factor, Apple would be the one with the 90% market share instead of MS.
Every desktop Linux distribution contains a bind caching nameserver and a sendmail engine.
Conformity is the jailer of freedom and enemy of growth. -JFK
i'm getting the same segmentation fault as well.
2.6.9-gentoo-r13
All those MCSE dorks down the hall are gonna give me sh*t for the next week.
Reminds me of a punchline to my favorite Scottish joke:
"Aye, lad...ya screw ONE goat..."
I might know what I'm talkin' about, but then again, this is Slashdot...
Console apps (not consoles themselves*) are not vulnerable because they are not part of the windowing system, they output to the window via stdout/stdin/stderr.
As for X, I don't know the structure of the windowing system, but the basic problem is not that apps are broken into, the problem is that any window sitting on your desktop is assumed by the OS to be owned by YOU. So, it shouldn't be illegal for a different app owned by you to send it a window message (like typing "rm -rf /").
* A console app is any app like cp or mv that you can invoke from a command prompt. These apps are unaware of windows and its messaging structure and therefore not vulnerable. Cmd.exe itself is probably aware of the messaging system though, since I'm sure it actually implements its own console.
That's why you should always put curly braces on their own lines, to increase your total lines of code. Helps achieve a more favorable sigma.
Shame on Google.
MS's marketing has about as much dazzle as Bill Gates' personality.
You are conflating "advertising" with the much broader term "marketing", which includes many more aspects of making a sale. For example, exclusive OEM bundle agreements are one aspect of aggressive marketing.
For high-budget corporate customers, an impression of "dazzlement" can be a negative, as it signals a product meant for artists and radicals.
Yes, Debian stable is no fun to run on your desktop. But for your servers and public area machines it's the best choice.
This post written under Gentoo-linux with an SCO IP license.
I expect they are just covering their asses against being sued for helping some kid take down google. If they prohibit modification/distribution then legally they are not providing something you can use in an exploit. If you are going to take down google with this, what the hell do you care about the copyright.
-- http://thegirlorthecar.com funny dating game for guys
Hey, it still beat my US$1000 Model I with 4K RAM. The Vic had color, too.
Put identity in the browser.
Am I the only one who sees this as a reason to keep my roommate away from my comp and not worry about Gates invading my privacy?
Ok, maybe I left the description a bit too vague.
I'm running an xterm. Definitely an X-based app. I happen to have a privileged shell running in it. Another malicious application is running on my DISPLAY (whether that is started by me, or over the network via X protocols). Can it send messages to the xterm to cause it to think that I typed "rm -rf /" in that window? Nevermind that finding it would be difficult - finding such a window on Windows would not necessarily be easy, either, IIRC.
The reason is because they are standardized programs. Just about every root server uses bind and most major mail gateways use sendmail. They've been tested and proven and can handle crazy loads, others are nice for personal mail servers and small to medium business, but any larger and you need to bring out the big boy toys. Btw, bind and sendmail aren't as bad as people make them out to be, especially not in this day and age.
Regards,
Steve
Pls RTFM bfr cmmnt kthxby.
I had to add the flag -Dmodify_ldt_ldt_s=user_desc to the gcc command line to get this to compile on a Linux 2.6 system with vanilla kernel headers and a vanilla generic glibc 2.3 installation.
Except that this situation isn't analogous to leaving the door unlocked with a note pinned to it. It's more analogous to giving the building's tenants each a key to the door and saying "Don't leave that door unlocked because then uninvited people can get in."
Yup, that's pretty much it.
The other response to my post is correct. The apache user itself is a special case, a "normal" user that happens to be running a vulnerable app like you suggest would be a possible way to remotely root a machine.
"Upon attaching the waterblock to my penis, I began to notice that I know nothing about computers." -- JRockway
It's funny how all the 0.x versions of open source software I am running never seem to crash and burn like Windows (and commercial Windows software...3rd party developers make buggy software too)
I think it is a cultural thing. MS has lowered everybody's expectations far, far too much. Now many developers and users on Windows think that buggy and crashy code is acceptable.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Shouldn't that be TANSTAAFi?
Best Slashdot comment ever
The older servers still run Solaris on Sun hardware, but Sun hardware is just so much slower and more expensive than commodity x86 hardware that they've been migrating to Linux on x86.
10 PRINT CHR$(205.5+RND(1)); : GOTO 10
The entire point of the Unix account system is that you can give people accounts on your system with restricted privileges. As opposed to Windows, where (until recently) any user could touch anything, on Unix systems users can only touch certain things. Thus, you can safely give people accounts on, say, a compile-farm to run their code. Or a Beowulf cluster to run overnight simulations. All without them all having access to everyone else's accounts, or being able to mess up the server.
X on UNIX is like GDI on Windows. The issue is in Win32.USER, the window manager. Although X isn't vulnerable, certain window managers could be; it depends on how messages are sent between windows.
X performs similar functions to both GDI32 and USER32. Specifically, it does perform the USER32 function of passing events to windows, and does include a mechanism that one client can use to generate events that will be sent to another client. This works regardless of the window manager in use.
However, when the destination client receives the event, it can easily distinguish between an event generated by the X server itself and one generated by another client. Many X programs, including xterm, ignore events generated by other clients, thus preventing similar holes from being exploitable.
I also believe that it isn't common practice to pass around pointers to code to be executed in event data structures in X, although my actual X programming experience is limited to a low level "hello world" program using Xlib and a solitaire implementation in QT, so I could easily be wrong.
All in all, I'd say any given X application is highly unlikely to be vulnerable to such a problem, but you may find one or two that are.
should I explain this to you? it goes like this: if you have ANY service exposed to the internet, it can potentially be exploited to get the user of that server, then escalated to the root using this exploit. So, potentially, you're not safe either.
I'll do the stupid thing first and then you shy people follow...
I'm running an xterm. Definitely an X-based app. I happen to have a privileged shell running in it. Another malicious application is running on my DISPLAY (whether that is started by me, or over the network via X protocols). Can it send messages to the xterm to cause it to think that I typed "rm -rf /" in that window? Nevermind that finding it would be difficult - finding such a window on Windows would not necessarily be easy, either, IIRC.
No. X does provide a mechanism that allows you to send the events, but it also provides a mechanism that allows the receiving app to tell if the event was a real one or a synthetic one. xterm ignores all synthetic events. I've tried doing this myself, it just does nothing.
Finding the window is trivial, btw, on both Windows and X; you just need to know what its title is.
Console apps (not consoles themselves*) are not vulnerable
Note that console windows are _strange_. They don't seem to have been implemented using the standard Win32 APIs; if you try playing around with them they behave differently to other windows.
I can't remember the exact details, but I specifically think they do not react to SendMessage calls. They caused me a fair amount of hassle when I was writing a virtual desktop management program a while back.
The user interface component is not tied into the kernel either, unless you are referring to the display drivers which (since NT 4, I believe) are run in ring 0. The same is true of most operating systems - at least some of the display driver is run in kernel mode for performance reasons (see QNX for an exception).
Windows is considerably better at preventing user-space programs from accessing or exploiting the kernel than UNIX derivatives, since it has no concept of a root user. Administrator users in Windows are still restricted - there are some processes they can't kill, and some resources they can't access. Windows also has a finer grained access control model than UNIX.
The reason security holes in Windows are often more serious is that there is no need for a local root hole in Windows. Most software, including the web browser, shell, etc. runs with administrator privileges and hence can do anything an administrator can do. If there is a remote hole in Mozilla on *NIX, then the worst that can happen is that the affected user is compromised, and loses their data. This is not something that should be downplayed, since most important data is owned by system users. If IE has a remote hole then the entire system can be compromised by a user running as an administrator.
In my opinion, the biggest mistake in designing UNIX security was to force processes to run as root if they wished to bind to a port number below 1024. This means that any major server (DNS, HTTP, FTP, etc.) must at least start as root. This means that there is a significant chance of a complete system compromise if a single server is compromised. Windows does not have this problem.
The biggest security mistake in designing Windows was the lack of a su or sudo equivalent (yes, I know about the RunAs service, but it lacks a good UI). This makes it very difficult for users to switch to administrator privileges, encouraging them to run as an Administrator at all times, making security holes a lot more serious.
I am TheRaven on Soylent News
Do you hear that sound? It is the sound of a thousand OpenBSD admins laughing in their sleep...
Linux and Mozilla are not perfect, but they are a hell of a lot better than Windows and IE.
For your typical Windows exploit all you need to do is feed in too much data and overrun some buffer. An endless string of absolutely trivial and STUPID vulnerabilities.
I'm a programmer. This Linux bug is impressively deep and sophisticated. The sort of bug that is going to exist in Windows as well, but which will simply remain there ignored because there is so much damn low-hanging-fruit of trivial and more dangerous bugs.
It is also "merely" a local privilege escalation exploit. Certainly a problem, but it is hardly in the same class as the DEVASTATING remote-root exploits we see almost weekly in Windows and IE. The ones where you can just spew packets across the internet and infect machines by the millions. The ones that allow worms, or that can infect your machine simply by visiting a website.
When Windows has this sort of vulnerability it doesn't make the front page of Slashdot. Hell, you get "ho-hum" stories off the front page citing like SEVEN new Windows bugs that are similar or more dangerous. One relatively non-dangerous Linux bug is front page news, but a half-dozen similar Windows bugs PLUS a critical remote root bug isn't front page news anymore, it's a ho-hum same-crap-different-day report.
And the really ugly part isn't simply that Microsoft's code is worse, but that it is often more vulnerable as a direct result of Microsoft's own malicious intent. For example most of the IE problems are a direct result of Microsoft deliberately ram-rodding IE to be a part of the "operating system". An absolutely horrendous "design decision" from a programming point of view. It is something they did as part of deliberately abusing and extending their monopoly, and as a deliberate part of circumventing court prosecution and remedy of their illegal activities. The webbrowser should not be exposing the deep and complex operating system directly to attack by websites.
-
- - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
I hope you have updated to the latest version of Mozilla / FireFox...
I'm running windo
I suspect that the shareholders would disagree !
Of course, by default the kernel isn't installed from a package so it won't update as part of the normal update/upgrade unless the user has installed a specific kernel image from apt before.
cmd.exe is just a Win32 console application. The console you see is provided by the kernel as part of the console subsystem.
You can observe this by running cmd.exe under Wine in Linux; like all Win32 console applications running under Wine, it simply inherits the console of the shell and doesn't create a new window for itself. You can also see it if you directly run a console application from a Win32 GUI app. cmd.exe isn't started, but the standard console window still applies. cmd.exe is also run from the Windows telnet service, with its stdin and stdout attached to the socket, to provide its command line interface.
(Running GUI applications from the telnet prompt can be interesting, since they aren't run in the same window station as the active desktop. They run, but you can't interact with them in any way and you just have to kill the process to get rid of them.)
Sarge, aka Debian 3.1, is the codename of the next release... and like the other child poster said, they're named after characters in Toy Story.
For example, the development branch is called Sid, because Sid was the kid next door who broke the toys.
If you look at the Debian Archive you'll see old distributions included bo, buzz, hamm, rex and slink.
Ciao,
TSK (611371).
The average home user, however, is safe.
I am trolling
There are many major differences between that and the M$ crack. The most important being:
Please don't try to compare the Microsoft monoculture disaster to free software. You can't.
Friends don't help friends install M$ junk.
"For example, exclusive OEM bundle agreements are one aspect of aggressive marketing."
I'm not an expert so I can't judge if OEM bundle agreements should be classified as marketing. It sounds more like negotiation on the terms of a sale to me.
"For high-budget corporate customers, an impression of "dazzlement" can be a negative, as it signals a product meant for artists and radicals"
As far as advertising is concerned, IBM's services Ads on TV are far more interesting than anything MS has done and high-budget corporate customers are their bread-and-butter.
Sure more "hackers" might attack Linux if it had more market share, but that doesn't mean that more exploits would be found, especially if the system is inherently more secure.
Unfortunately, Linux is not inherently more secure. Don't get me wrong. I prefer Linux to M$, but according to MaximumPC, (sorry I can't cite the exact issue and article,) Windows 2000 was the only operating system to meet all of the DoD security requirements. Linux did far worse.
I have my own theories as to Linux's imagined security superiority:
(1) Minority - Linux machines are a minority. Yes, the number is growing every day but still a minority. Hackers exploit flaws either to steal information for monetary gain or to gain notoriety. The results are not quite worth the effort.
(2) Community - Linux has a strong community. A large percentage of Linux users would report a flaw to the community rather than exploit it.
I stand corrected. I thought more was offloaded to the window manager.
I'm sure they would. That's part of why I hate capitalism. No I'm not a communist. I am a libertarian socialist.
"It is not how things are in the world that is mystical, but that it exists." -Ludwig Wittgenstein
What's particularly funny here is that you're asserting Microsoft has the "industry standard rate of bugs" and then (from your sarcasm) implying they're worse than average...
They aren't.
Complete and utter bollocks.
Most software, including the web browser, shell, etc. runs with administrator privileges and hence can do anything an administrator can do.
Note that this only happens if the end user is silly enough to run everything as Administrator, so in reality it's no different to a unix user running everything as root. In both cases the solution is easy - don't run things as a privileged user unless you have to.
If there is a remote hole in Mozilla on *NIX, then the worst that can happen is that the affected user is compromised, and loses their data. This is not something that should be downplayed, since most important data is owned by system users.
False. In a typical system the most important data is generally that which is constantly being modified by end users.
On a scale of rating data from "irrelevant" to "critical", a bunch of OS binaries, libraries and configuration files that can be (relatively) painlessly reinstalled and/or recreated generally sit right at the bottom. Indeed, I can't think of anything on my systems I'd be less worried about if I detected an intruder on them than the "OS files".
If IE has a remote hole then the entire system can be compromised by a user running as an administrator.
Only if the user is running IE as Administrator, in which case the scenario is identical to the user running Mozilla/Firefox/whatever on unix as root.
In my opinion, the biggest mistake in designing UNIX security was to force processes to run as root if they wished to bind to a port number below 1024. This means that any major server (DNS, HTTP, FTP, etc.) must at least start as root. This means that there is a significant chance of a complete system compromise if a single server is compromised. Windows does not have this problem.
This is not a problem, this is merely a *symptom* of the problem (and one easily circumvented by dropping privileges after binding to the port or running things in a chroot or jail environment). The _problem_ is that root on (traditional) unix is all-powerful and impossible to restrict.
The biggest security mistake in designing Windows was the lack of a su or sudo equivalent (yes, I know about the RunAs service, but it lacks a good UI).
Right. Because right-clicking a shortcut is _so_ hard and 'sudo firefox' is much more intuitive than 'runas /user:Administrator firefox'.
RunAs _is_ the sudo equivalent. More importantly, neither 'sudo' nor 'runas' are design issues at all, they're simply methods of leveraging the multiuser aspect of the OS (it's the multiuser part that is the *design* issue).
This is a perfect example of /. failing. This thread is next to useless for finding information related to fixing this problem, especially regarding the 2.6 kernel. So let me share (don't ask me why).
/ linux-2.6/2.6.10/
5 01071130.patch
What Alan Cox and Linus have to say on the subject:
http://kerneltrap.org/comment/reply/4503
Alan Cox already fixed it in 2.6.10-ac, I assume this to be as of ac6, but you should grab -ac10 (or whatever is the latest):
ftp://ftp.kernel.org/pub/linux/kernel/people/alan
This method is unlikely to make it into the mainline kernel.
grsecurity also fixes it, using do_brk_locked():
http://www.grsecurity.net/linux-2.6.10-secfix-200
This method is also unlikely to make it into the mainline kernel, but it should work fine.
Both of these "fixes" present their own set of problems; I am not familiar with the -ac patchset and it would be foolish to apply it to a production environment. The grsecurity "secfix" patch is specified for use _after_ applying the main grsecurity patch, so for those that don't use/desire it, that may pose a problem.
This is rather shameful, that an official patch does not exist days after the advisory was published. This is Microsoft bad, or worse! It makes Linux look like a toy, not a serious contender in the enterprise. SIGH
Must-not-watch TV!
Being setuid this cannot be subverted by using LD_PRELOAD or similar mechanisms to fool sudo into thinking it's running on an interactive terminal (or to inject characters into the input).
I think that covers everything.
HAND.
...if I wanted to use this on an account, I sure as hell wouldn't use my account. How easy is it to get someone else's (standard unprivileged account) at any school or university? Hint: Really easy.
Live today, because you never know what tomorrow brings
I don't think virus-writers need any more good luck... But a local root vulnerability means they can only compromise a few tens of thousands of people at a time
Agreed with your point, however he states "virus writers", which refers to one or one group of associated writers who can compromise tens of thousands of people, in the context of "versus" rather than the whole internet, which seems to imply 10,000+ machines, not "user accounts", given the implicit design of "virii" (or more accurately worms) in their spread... if 10,000 users of one box are compromised, i.e. one rooted machine, then a worm/virus obviously is not the method in which this "spreads". It's simply the context in which he stated what he did. My statement suited my view of what he stated. Though I am fully in agreement that if one box with X number of users is compromised, X number of people have been compromised since root can see all and use all of those accounts... robf();
OpenBSD (and NetBSD and FreeBSD) have a better security track record than Linux or Windows.
When OpenBSD people find a bug, they audit the code and look for other instances of the same flaw. The perfectionist attitude is quite refreshing.
The OpenBSD team is like a bunch of border collies, compulsively working to keep the rest of us safe.
I wish more people prioritized security over rich features and convenience (there isn't any real reason to do so). Thank goodness that the OpenBSD people do what they do! What a thankless job.
http://www.thebricktestament.com/the_law/when_to_
Shatter attacks.
A couple years ago I identified that a worm was getting past a lot of virus software simply because it had CF/LF's at the end of each line instead of just CFs; they looked identical, but they were not, and virus software was missing the new "strain".
I emailed a well-known head of a well-known security mailing list, who just so happens to work for a private security firm. He congratulated me, thanked me for finding it. The next day I found an article where he was interviewed and said "I found..." and then pretty much word for word what I wrote in my email.
I was fucking pissed. The guy stole credit for my discovery, and I began to see why he was such an "expert" in the field.
I understand EXACTLY where this guy is coming from.
Please help metamoderate.
I know it's a joke and all, but the grandparent to your post defined lines as ending with a semicolon. So, where you put your braces wouldn't make a difference.
I can't imagine ever wanting to know enough about Windows to understand this except at a very high level. I hope my next contract (and all the others after that), like my last, are at UNIX sites.
What a long, strange trip it's been.
So how do you actually count lines? One statement = one line?
True confidence comes not from realising you are as good as your peers, but that your peers are as bad as you are.
Ah, but in that case, just replace all instances of ';' with ";;;;;;;;;;".
True confidence comes not from realising you are as good as your peers, but that your peers are as bad as you are.
Alan Cox has a patch up for the 2.6.10 kernel, available here.
The file is patch-2.6.10-ac8.bz2 (or later)
This is also still considered "testing" until merged.
It's the sound of someone wasting valuable worktime reading /.
Cite please?
Do you really mean what you are saying? I've looked through all the Native APIs listed at http://www.sysinternals.com/ntw2k/info/ntdll.shtml and I can't seem to find any mention of Internet Explorer.