Local Root Exploit in Linux 2.4 and 2.6
Anonymous Coattails writes "Summary from the advisory: 'Locally exploitable flaws have been found in the Linux binary format loaders' uselib() functions that allow local users to gain root privileges.'"
*awaits justifications and explanations of why this is nothing like Microsoft*
Read down to the Credits on the link and you see this line:
Credits:
========
Paul Starzetz has identified the vulnerability and
performed further research. COPYING, DISTRIBUTION, AND MODIFICATION OF
INFORMATION PRESENTED HERE IS ALLOWED ONLY WITH EXPRESS PERMISSION OF
ONE OF THE AUTHORS.
Did I violate you by hitting ctrl-c and ctrl-v? Yeah, copyrights stink even in the free and open source realm. Oh yeah, I guess Polly boy has something to put on his resume now, as if someone else was going to steal his glory and get away with it.
How do people find this stuff? Amazing. Open source is astounding.
When do I get my kernel update?
I compiled the included code at the end of the advisory; this was the output on RHEL 2.4.21-20
./test
%
[+] SLAB cleanup
child 1 VMAs 65525
child 2 VMAs 65392
[+] moved stack bfff8000, task_size=0xc0000000, map_base=0xbf800000
[+] vmalloc area 0xdf400000 - 0xfe5f2000
Wait... -
[-] FAILED: try again (Cannot allocate memory)
Killed
It's a good thing I've got the patch downloa
They've got a pretty good record. Unfortunately, kernel-level stuff is nasty -- how do you fix embedded devices?
Try not. Do or do not, there is no try.
-- Dr. Spock, stardate 2822-3.
since windows is more "single user" oriented, most local exploit flaws on windows do not get very much publicity.
For instance, shatter attacks are still a very large threat for multi-user windows systems
I need no exploit to gain root privileges, I just login...
The linux kernel does very little interpretation of remotely-provided data. There are occasionally remote exploits (e.g. the Ping of Death in '97 or so), but that code has now been pretty thoroughly checked at this point. Most of the code which cares at all about the validity of data is in interfaces only accessible locally.
Mod parent -1 denial.
su
Because Linux is a kernel, with no real knowledge or direct interaction with outside (remote) sources, while Windows is a kernel plus a GUI plus a ton of other services. Remote exploits aren't found in the Windows kernel, they're found in the application/service part of Windows, on the Linux side these buggy, infinitely exploitable services are given individual names like "sendmail" and "bind".
Because 'Linux' exploits are kernel exploits, because Linux is a kernel, as people are so fond of pointing out, which actually has very little to do with remote entities other than the well looked at TCP/IP stack. Windows on the other hand is an Operating System, which includes things other than the kernel, including system daemons/services, user interface code, web browsers, and a whole host of other things.
Long story short, while it may be shoddy, MS Windows is a LOT bigger than Linux, and thus there's more to exploit. If you look at something like Redhat, which is a distribution, you have more of a comparison, and you will find remote exploits.
... if I forget my root password.
GETPKG - Package Management for Slackware
Is there ever a time when you can consider your systems secure against an attacker with physical access?
It can be exploited by any user or process that can compile and load executables on the machine.
Alito: A vote for Alito is a punch in the eye to put that bitch back in her place!
you mean to tell me that people have found exploits in bind and sendmail?
no way - they're perfect open source programs. model programs, so to speak.
next, you'll tell me that x is a crufty, inefficient kludge.
... hi bingo
Obviously it is local if it is exploitable from the console. But can it be exploited remotely through ssh if one already has a user account?
The unofficial
How do you fix embedded devices? Um... you mean how do you update/patch the code on the embedded device so that a local user can't escalate to root?
First of all, for many embedded devices, this isn't an issue. I mean, if you're an attacker, what are you gonna do once you get root? If the owner can't patch the OS, you probably can't install a rootkit either. Sure, you can DOS it, but if you're physically at the device, you can DOS it just by hitting the power button.
However, manufacturers of all embedded devices (not just Linux-based!) should definitely put a mechanism in place for updating the program code.
Summary for the lazy ones: These are four of the probably uncounted bugs which are known for months (if not years), reported to the maintainers but are still unfixed. Yes, we're speaking about the Linux kernel.
I should mention that enabling ELF format is still highly recommended (after the patch for this is released of course) and unless you do special programming work in linux then enabling a.out format is not recommended.
"uselib" is a Linux-specific extension, and, as a result, has received much less real-world testing than traditional UNIX system calls. Keep in mind that the traditional UNIX system calls have received millions of man-years of real-world testing in large user communities likely to attempt both remote and local exploits. It is not surprising that Linux-specific extensions are at a much greater risk of containing serious security problems.
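As an added example (not the advisory's code and not from anyone in this thread), a small POSIX shell script that checks which of these binary format loaders a kernel build enables, so an admin can confirm the shape recommended above: ELF on, a.out off, and uselib() off where the kernel makes it configurable. It assumes a readable kernel .config such as /boot/config-$(uname -r), and treats a missing CONFIG_USELIB line as "enabled" because that option only exists from kernel 3.15 on; on older kernels uselib() is always built in with ELF.

```shell
#!/bin/sh
# Added example, not from the advisory or this thread: check which binary
# format loaders a kernel build enables. It reads a kernel .config and reports
# the ELF loader (CONFIG_BINFMT_ELF), the a.out loader (CONFIG_BINFMT_AOUT)
# and the uselib() syscall (CONFIG_USELIB). Caveat: CONFIG_USELIB only exists
# from kernel 3.15 on; on older kernels uselib() is always built in with ELF,
# so a missing CONFIG_USELIB line is treated as "enabled".

# config_value FILE OPTION: print y, m, n (an explicit "is not set" line) or
# absent when the option does not occur in the file at all.
config_value() {
    if grep -q "^$2=y\$" "$1"; then echo y
    elif grep -q "^$2=m\$" "$1"; then echo m
    elif grep -q "^# $2 is not set\$" "$1"; then echo n
    else echo absent
    fi
}

# loader_state FILE OPTION DEFAULT_IF_ABSENT: print enabled (built in or as a
# module) or disabled, using DEFAULT_IF_ABSENT when the option is missing.
loader_state() {
    v=$(config_value "$1" "$2")
    [ "$v" = absent ] && v=$3
    case "$v" in
        y|m) echo enabled ;;
        *)   echo disabled ;;
    esac
}

# assess_binfmt FILE: print one line per loader; succeed (exit 0) only for the
# recommended shape: ELF on, a.out off, uselib off.
assess_binfmt() {
    elf=$(loader_state "$1" CONFIG_BINFMT_ELF n)
    aout=$(loader_state "$1" CONFIG_BINFMT_AOUT n)
    uselib=$(loader_state "$1" CONFIG_USELIB y)   # absent => pre-3.15, built in
    printf 'ELF loader:   %s\na.out loader: %s\nuselib():     %s\n' \
        "$elf" "$aout" "$uselib"
    [ "$elf" = enabled ] && [ "$aout" = disabled ] && [ "$uselib" = disabled ]
}

# Usage: sh binfmt-check.sh /boot/config-$(uname -r)
# (or zcat /proc/config.gz to a file first). Exit status 0 means the
# recommended shape; nothing runs when no path is given.
if [ -n "${1:-}" ]; then
    assess_binfmt "$1"
    exit $?
fi
```

A non-zero exit from the script is the cue to rebuild without a.out (and, on 3.15+ kernels, without CONFIG_USELIB) rather than a sign of the bug itself, which only the vendor patch fixes.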
COPYING, DISTRIBUTION, AND MODIFICATION OF
INFORMATION PRESENTED HERE IS ALLOWED ONLY WITH EXPRESS PERMISSION OF
ONE OF THE AUTHORS.
Is it just me, or is this mind-bogglingly stupid? A security advisory which can't be redistributed freely? Imagine if the same approach was taken to important warnings in the real world -- "There's a tsunami heading towards you... but you're not allowed to redistribute this warning to all the people around you without my permission."
Security advisories should be in the public domain.
Tarsnap: Online backups for the truly paranoid
Right, let's compare the flaw in a single kernel versus the ENTIRE OPERATING SYSTEM of Windows, GUI, shell, and associated apps like Internet Explorer as well as user-ran executable attachments in Outlook, which have nothing to do with Microsoft.
What happened to all the "Linux is just the kernel" stuff? Oh, that's right, we were bashing Microsoft.
Besides, if you mean "past year" as 2005, then this means Linux is first out of the gate.
Incidentally, the finding of exploits found in bind and sendmail has really slowed to a crawl.
It seems that, even though they were written in different times and without security as the first concern, a sufficiently large number of bug fixes will eventually result in code that is almost as secure.
Don't you think it's more convenient for you to be able to hack multiple machines over LAN? Another reason to choose Windows over Linux.
It doesn't work on my Gentoo box running 2.6.9 so I'm safe. This machine will not be hacked.
It's a good thing I have telnet running on that box so that I could try it remotly though.
IP Therefore I am.
"Why is it nearly every Linux flaw is locally exploitable, whereas nearly every Windows flaw is remotely exploitable?"
That would be Microsoft's superior networking ability, along with its user (or abuser) friendly interfaces!
Isec.pl has done a lot for the open source world, they've found lots of vulnerabilities (which is good - vulnerabilities ARE like any other bug):
Take a look at the impressive curriculum of those guys:
d_path() truncating excessive long path name vulnerability
Linux kernel do_brk() lacks argument bound checking
Linux kernel do_mremap() local privilege escalation vulnerability
Linux kernel do_mremap VMA limit local privilege escalation vulnerability
Linux kernel setsockopt MCAST_MSFILTER integer overflow
Linux kernel file offset pointer races
Linux ELF loader vulnerabilities
Linux kernel IGMP vulnerabilities
Linux kernel scm_send local DoS
Linux kernel uselib() privilege elevation
Guess what, they're also the guys who discovered the mozilla hole disclosed today: Heap overflow in Mozilla Browser NNTP code
Those guys are impressive. In particular, Paul Starzetz is the author of most of those kernel holes, along with a guy called Wojciech. They always contact the kernel maintainers before disclosing the vulnerability, etc. Basically, they're having the same effect as a security audit. Except that they're doing it for free, so they deserve respect, I think. And yes, Linux is having too many kernel-level vulnerabilities. More than XP if I'm counting them right. Perhaps someone should offer a job to those guys so they can audit parts of the kernel better.
(And I can understand that copyright policy - there're people who probably look at those announcements, ctrl+c and ctrl+v and they release their own announcement twisting dates claiming that they're the guys who found it first)
why did they release exploit code before a fixed kernel was released and mirrored throughout kernel.org? and on a friday afternoon?
i'm not too impressed with the timing of this announcement, and i have to wonder what their motives were. it doesn't hurt their cause that slashdot is advertising for them.
please, people. there's no reason that a situation like this should ever happen.
2^5
And when some third-party developers write buggy code, they really write buggy code. Remember "Return to the Pool of Radiance: Ruins of Myth Drannor". Now that was a buggy game!
Zagreus sits inside your head, Zagreus lives among the dead, Zagreus sees you in your bed and eats you in your sleep.
These are exploits in the most basic portions, against which a sysadmin can do nothing other than keep on patching things. It's not like you could have tuned this system to make it very secure, no, no matter how carefully you (or your distributor) set it, bang, a local exploit seems to be found every month or two.
I'm seriously considering going back to BSD (maybe Debian GNU/NetBSD?), which seems to have a much much much better security track.
It's the sysadmins of University email and webservers across the country going apeshit as suddenly the entire student body potentially has root...
10 PRINT CHR$(205.5+RND(1)); : GOTO 10
It is important to know about, in my opinion. But that's just so we know we need to patch our kernels. Simply the fact that a root exploit has been found does not mean we should go about reposting the same types of stuff that has been posted endlessly before in similar articles on slashdot.
I prefer linux because it's free. It's also pretty stable and secure, which is nice. But I just like linux for what it is. I fear we are getting sidetracked in the "my OS has less exploits than yours, nanananaaaaa" childish type of fights.
I look forward to the updated kernel which will fix this issue for my distribution. Until then, I'm going to do some much needed maintenance on my box and barricade my room so no one but me can get in.... just kidding.
raw diffs for those brave souls who want them
Time flies like an arrow, fruit flies like a banana.
...though a bit big. www.openbsd.org
What news is this? There have been local exploits in the Linux kernel before, and there will be again. This is less news than the Debian break in a while back - that was worth mentioning because a major Linux installation was compromised with an unknown kernel vulnerability. But come on! The last few 2.4 kernels (IIRC) have included patches to fix local root exploits. Marcelo didn't even rush those out the door. This exploit certainly doesn't seem especially unusual nor was there an exploit in the wild.
Newsflash kids! Linux isn't perfect! Certainly not Linux specific API extensions like uselib. Move along, this isn't the kernel vulnerability you are looking for.
Why is using MS update any different than downloading this new linux fix?
First and foremost, the terms to which you must agree before you download and install. The MS downloads and patches often come with "interesting" end-user license agreements. Meanwhile, with the Linux kernel download, you can do whatever you like, including (*gasp*) fix it yourself, if you have the ability.
Secondly, when you use Microsoft update, you don't know what is getting installed. With many things, like XP service pack 2, you get a lot of cruft that is useless.
As far as popularity being the #1 indicator for available exploits: if that were true, Apache would be the most-exploited web server, since it has 65%+ of the market. Unfortunately, that's not true. IIS has many more published exploits, in spite of the fact that the code for Apache is available for inspection by the black-hats.
There *is* such a thing as "being more secure." Yes, we can't be perfect. (In fact, I don't believe there is such a thing as perfection.) But that doesn't mean that one OS can't be objectively better than another.
Microsoft is to software what Budweiser is to beer.
All that this needs is to be combined with a vulnerability that grants remote access to a machine and you have a serious problem (provided that the remote access allows them to exploit this).
All flaws need to be fixed. Even ones you don't think are very important because they could be exploited together.
It doesn't matter how many holes Windows has compared to Linux. The exploits are usually scripted and tied to a port scanner. If you're vulnerable, you will be cracked.
That's why multiple levels of security are a Good Thing (tm). Defense in depth is the only way to go.
Thank God I run Firefox!
Atmel, amongst others, produce encrypted RAM. If you don't have the key, you can't read the memory. That's pretty secure, if you ask me.
Any OS with B1 (or better) security has comprehensive mandatory access controls, so that if you DO find an exploit somewhere, it is still not possible to access other parts of the system. (B-class and A-class OS' do not "need" a system admin account, since you can define specialised pseudo users that can do exactly what is needed for a given task and no more.)
Then, there are systems like OpenBSD which have been audited to hell and back. OpenBSD has had one provably-usable exploit in living memory.
Then, you've various security software that's out there. eg: Using OTPs w/ S/Key or OPIE for passwords, enforcement of strong passwords, IPSec w/ strong host authentication on all network connections, etc.
In theory, there is nothing to prevent someone from combining all of these elements to produce a hardened OS that is impervious to both physical and logical attacks, both locally and remotely.
In practice, nobody would spend the time and/or money on that level of security for normal use. Ok, the NSA might, but that's not strictly "normal use". It's also unlikely they'd make such an OS readily available. (They've done wonders with SE-Linux, and the declassifying of Skipjack and SHA has made a world of difference in cryptography, but that's not quite the same as Open Sourcing a bullet-proof system.)
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
This means only that it must be used in conjunction with a process that is exploitable. Let's say, for example, apache was running and there was an exploit available to it. Well, most people would say "oh well.... can't trash the whole machine, the apache user doesn't have the rights." Well once apache is compromised, they can likely find a way to inject the local exploit code for the apache user to run. Once that's accomplished, apache user becomes root user. From there, the machine is 0wned to borrow a word.
Yes it's serious but I expect a fix shortly...
You are just giving support to all the linux zealots out there. So what you are saying is that it's worse to have a kernel exploit than to have an os which can be crashed and seriously exploited from userland programs? I don't think so, linux tends to be pretty good at preventing user space programs from accessing or exploiting the kernel and thus crashing the system, windows has serious problems with this... like why are the web browser and user interface directly tied into the kernel.
-kaplanfx
Visualize Whirled Peas
May I recommend that you do not run this code if you cannot understand what it is doing.
For all we know, this is a social engineering trick to spread some malicious code. Let's wait until some official folks eg. CERT, or your vendor/distribution responds. Do the people who released this code have some credibility that can be verified independently?
ato
Shatter attack
It's a problem with Win32 messaging if windows aren't secured properly. It's possible for a process to send windows messages (the ones inherited from Windows 1.0) to another process, regardless of what account the processes are running as. There are a few messages (WM_TIMER esp.) that, as a parameter, take an address for the owning thread to jump to. You can also fill the contents of a text box with a message.
Process A is a privileged service running as SYSTEM. Process B is a malicious program running as a restricted user.
A creates a window on the interactive desktop (a big no-no) with a textbox in it.
B fills the textbox with exploit code with a message and then sends a WM_TIMER or similar to A with the exploit's address. A is now executing the exploit code.
First, there are ways to divide the window handle space into separate parts, each securable with desktop and window station objects. Both of these are kernel object types with ACLs: you can't send a message to a window unless you have access to the containing desktop.
Also, the JOB_OBJECT_UILIMIT_HANDLES flag for Job objects will prevent messages from leaving the job.
MS guidelines specifically forbid the use of windows from a privileged process from appearing on the interactive desktop, since NT 3.51, for this reason. This doesn't stop many third-party app developers from creating insecure apps (virus scanners esp.) that do just that.
Winlogon's windows (press ctrl+alt+delete) are safe because they are on a separate desktop that normal users can't send messages to.
I'd really like to know what's being done about this pitiful trend of Linux security, where it's 10x as easy to find a vulnerability in the kernel than it is in any app on the system, where isec releases at least one critical vulnerability for each kernel version.
And given his description of how he found these problems, plus his frustration about getting Linus and akpm to reply, his tone is even somewhat understandable.
Windows is a distribution, an operating system IS a kernel.
Semantics aside however, you're right, comparing apples to apples gives a better comparison.
The minimal windows install versus a minimal redhat install is a better comparison and there aren't many linux distros in which you'll ever find remote exploits in the core minimal install.
It's still not perfect though, pretty well everything can be stripped from a linux box to harden it. A windows box cannot be hardened since most remote exploits are in core services and you can't remove or replace them in windows (the most famous example being IE).
What cracks me up is that 2K/XP are touted as being an excellent step toward security and yet it's NT based systems which suffer from the most severe viruses and exploits.
While I can't justify the difference, I'll tell you that there is one if we don't see any regularly recurring network-borne auto-root that's so bad it threatens the top level domain servers. It's not like someone cracked kernel.org and owned it for three months injecting whatever they pleased into the codebase. One good explanation of the difference is that Marketing dorks who do little more than buy others' code can't maintain it properly.
Friends don't help friends install M$ junk.
This would be false. It's not the gui front end most people recognize as IE that is the problem. It's the renderer and trust model behind it.
The same flawed engine is used to display your folders (turn on the location bar and type in a url, see what happens), your desktop, and your email in Outlook express and even most 3rd party apps. If you use AOL, it uses IE to render web pages. When you view a help file, guess what it's IE. It is impossible to avoid IE on a windows system.
By choosing a browser which uses its own renderer and an email application that does the same, you ARE at least reducing the opportunity for 3rd party sources to access the renderer and it helps a great deal. The problem you're left with then is that apps like firefox are still dependent on IE's trust model (the entire trust model of the OS is built around it) when running on windows. This is why almost every major "exploit in firefox" only affects firefox on windows.
There are plenty of other broken pieces in windows, but I've tried to stick to examples of why simply not using IE still leaves you vulnerable on windows.
On windows your best bet is to run as an unpriv'd user as much as the OS allows, use 3rd party email and browser apps (that use a different renderer). And don't forget to stick it behind a firewall that isn't running windows or better just keep it off the network. Also never put a disk in a windows box that came from outside your network unless it is from a known publisher and you've scanned it for viruses on a disconnected machine. Aside from that, you really just have to pray.
None of that is saying any particular other OS is secure, that's another matter entirely. I'm just saying that clearly windows is NOT and you CANNOT remove the components needed to lock it down.
I got it to compile and run on Debian Sarge with gcc version 3.3.5, kernel 2.4.25-1-386, and it says it succeeded, but I'm still my normal UID, just drops me into a bourne shell:
errm...
:D )
SElinux?
(don't even get started on the easyness of setting policies for selinux, you get offtopic: post the link of a MS equivalent else you lose the argument
---- MISSING MISCELLANEOUS DATA SEGMENT --- [sigdash] trolololol
Second, it'll probably be patched rather quickly.
There is a preliminary patch in testing for the 2.4 series.
Look here.
The file is patch-2.4.29-rc1.bz2
Note that it's in TESTING, because it probably needs testing yet. But if you're desperate to patch it up quickly at your own risk, then there you go.
Segfaulted in sys_mmap2 when I tried it on a couple machines. For what it's worth.
TANSTAAFI: There Ain't No Such Thing As A Free iPod.
In short, this one is too big (too exploitable, too public) to wait until Monday.
My life would be so much easier if profs didn't have such a hard on for Linux and let us admins install OpenBSD. Good thing I get paid overtime. Oh wait, I don't.
Serve Gonk.
Actually copyrighting the exploit is kinda cool. Say you are a admin, and some kid gets fresh and tries this out. "Hey kid, not only am I nailing you to the wall for this, but I am turning you over to the guy who "owns" it and you get to pay him a nice fine." No, I think that is it pretty hilarious that the code is copyrighted.
Sera
Slashdot, where armchair scientists get shouted down and armchair theologians get modded up.
That's why I've been sticking with 2.0.36 all these years. I haven't seen a security advisory for it in ages.
All those MCSE dorks down the hall are gonna give me sh*t for the next week.
Reminds me of a punchline to my favorite Scottish joke:
"Aye, lad...ya screw ONE goat..."
I might know what I'm talkin' about, but then again, this is Slashdot...
Console apps (not consoles themselves*) are not vulnerable because they are not part of the windowing system, they output to the window via stdout/stdin/stderr.
As for X, I don't know the structure of the windowing system, but the basic problem is not that apps are broken into, the problem is that any window sitting on your desktop is assumed by the OS to be owned by YOU. So, it shouldn't be illegal for a different app owned by you to send it a window message (like typing "rm -rf /").
* A console app is any app like cp or mv that you can invoke from a command prompt. These apps are unaware of windows and its messaging structure and therefore not vulnerable. Cmd.exe itself is probably aware of the messaging system though, since I'm sure it actually implements its own console.
That's why you should always put curly braces on their own lines, to increase your total lines of code. Helps achieve a more favorable sigma.
Shame on Google.