Slashdot Mirror
No ELF Vulnerability in 2.6 Kernel
gaijincory writes "Greg KH, the co-maintainer of the 2.6 kernel has posted a comment on lwn.net confirming that there is indeed no such ELF vulnerability as spelled out by Paul Starzetz on isec. The bug was originally thought to be particularly nasty, allowing a malicious user to gain elevated privileges using a carefully crafted binary which would exploit the kernel's Executable and Linking Format. The bug's author confirmed that no one has been able to repro the exploit."
What about the DWARF and GNOME vulnerabilities though? Eh where's your answer now Greg?
I saw this story on OSnews today, but they made it out to be about the Hyperthreading issue. But that didn't make any sense since that is not ans OS bug at all, but a hardware issue. (If it is evan an issue)
Try out fish, the friendly interactive shell.
They've tested it and been unable to reproduce the vulnerability. But vulnerabilities are tricky things. I'm glad they still bothered to patch the kernel.
I am trolling
Is it a bug, if it can't be reproduced? Not yet, anyway. Did he really create this vulnerability problem, at least once? - so many people get sloppy on scientific method, conditions, variables.. and recording the details. Especially me. And what they think happened, did not.
Mike Harrison -
5 minutes to be precise. May be world is coming to an end and Hemos want to post as many stories he can before it.
"I'm a bug author. Today I've written five bugs!" Sounds like a nice career choice ...
"The bug's author confirmed that no one has been able to repro the exploit"
That's really comforting.
First, the obligatory joke to set the questions:
According to Starzetz report, the flaw is in the function elf_core_dump(), (...)
That writes itself. Adding in references likening this to bears and woods is optional and subliminal.
Anyhow, if there is an ELF core dump bug and no one else steps in it, does it really matter? Did it really happen?
Do we dump the kernel, insist on a grooming of all ELF involved code, and rebuild and recompile?
What is the threshold anyhow for reproducing a bug? How many people must do it? If only one person reports activating the bug, do we ignore all their documentation of the event as if it was spurious because we couldn't do it? Do we wait till a malware write manages it?
What is the proper level of concern here?
If my grammar and spelling are off, I am [distracted/tired/careless] (take your pick)
Speaking for myself, and elves everywhere, this is great news. I can finally use my favorite OS without worrying about any attacks I'm opening myself to.
Or it can simply be a fact that modern computer systems (both hardware and software) change states so much every second that its next to impossible to recreate the exact state required without having a rig that recorded the origional state and set it up as a test system. It could be a very obscure bug that requires some very exacting conditions that only occur extremely rarely, thats why noones been able to replicate it. Im sure that in the course of development, all programmers have come across a random one time only bug that causes you to shrug your shoulders, watch out to see if it ever happens again, but get on with life.
They've discovered most of the linux kernel vunerabilities in the latest ~2 years or so, and they've always disclosed them friendly, so I don't think they deserve all this noise. It's better to think that there're vulnerabilities and fix them than the contrary.
We found that almost all the exploits we tried did not work as advertised. Yet the security advisory lists blindly post these as if they work. While the design/implementation issues may be present in a range of kernels, I'm beginning to think that these exploits are not vetted, and that the exploit writers look for a possible weakness and publish a piece of software that sort of pokes at it and claim success. It is very frustrating, since if the vulnerability can be exploited, a bogus exploit gives a false sense of security (since you can't compromise the system using it).
All I can say is, some jerk bit my 2.4.21 system with this bug. This past week has not been a happy week for me.
--Quentin
It could also be that the original analysis as wrong, and the priviledge escalation was due to the exprimental setup, not a problem in ELF.
What keeps me going is my inertia.
Has anyone confirmed the bug in 2.4?
If the conditions for an exploit are so specific that is is hard to create them even if you're trying then the exploit isn't all that dangerous...
Beware he who would deny you access to information, for in his heart he dreams himself your master. -Anonymous
I had a project manager once who had a saying: "If it didn't happen twice, then it didn't happen once."
Yes I know the whole world revolves around Linux, but it would still be nice if articles like this wouldn't just take for granted that everyone knows what they're referring to, when it isn't named anywhere.
And I call it job security, FYI.
If it really is a bug, then the people that claim its existence should devise a more reliable means of replicating the bug.
What I didn't say is that there's a certain level of responsibility to the person reporting a problem. If they want a claim to fame, then they should be able to prove its existence, rather than making everyone else work furiously track it down, because for all anyone else knows, it could be a complete fluke at best, or at worst, a total fraud.
Paul has found a metric shit-ton of extremely subtle and interesting flaws in Linux. If you google for ihaquer@isec.pl, you'll see that he's a world class security researcher. I don't know him personally, but as someone who does this kind of research for a living, it's obvious to me that he has the right mix of technical acumen and destructive creativity necessary for doing high-end vulnerability research.
All I'm saying is that if he's wrong, then no one should begrudge him a mistake in light of his other findings. That said, he's probably not wrong.
'I had a project manager once who had a saying: "If it didn't happen twice, then it didn't happen once."'
Was he a zen monk? If you follow that philosophy then all occurances are first occurances and therefore never happen, causing the next occurance to again be the first.
How very wrong..
/tmp/.root/ps exec file that woukld then proceed to copy state from the kernel and then be read back into the real PS. This file would only last 1/1000 of a second before rm got it.
/tmp did not have group sticky on and so it didnt control who overwrote others' files. Turns out if you do a timed attack (of calling ps, moving /tmp/.root/ps to your ~, and then edit it to be a shellscript that calls bash), root was easy to get.
A while back (in '92) there was the 'PS' bug.
Because ps lists full processor charts of whats running, how much cpu time, and how much mem used up, it requires root access (hence a suid root bit set).
When you run it, it would create a
Now, how would you hack a system like this to get root? On this specific SUN system,
Since this depended on a variable on state, you would run it in a script that called ps about 5000 times, and then BAMN! You have root.
I guess getting root isnt all that dangerous when you have to the attack some 5k times... Now is it?
But what about all of those a.out vunrebilities that are out there right now
Yes, but most people don't follow every clever little maxim to their potentially absurd logical conclusions.
I've come for the woman, and your head.
You just described an exploit where the situation was *easy* to create and the poster was talking about a situation where the situation was hard to create.
There was the same obfusication in both. Timing based attacks are 'not cool' unless used in conjunction with other security measures.
In the most likelyhood, some idjit will think this is 'security' and secure a telnetd on a port. Then when they're hacked, oh-nos! Thats when they realize from the logs the attack came from within the ISP. Big surprise.
Anyways, I'd prefer to use standard queries for networks and not have everyting hidden... Having sshd running with no key-sharing is plenty secure enough for me (well, with obvious nsa-patches.. heh heh heh).
I read ELF as "Extremely Low Frequency" and was thinking "how can a really slow clock lead to an exploit?" Then I read the bleeping header...
The clearance system sounds logical. It is not. It is completely arbitrary. -- John Bolton
Yea, in fact I have come across "random one time bugs" that caused me "to shrug my shoulders" and most of the time they turned up again in the last days before I had to deliver the project, which I wasn't always succesful at.
I'm still trying to figure out what people mean by 'social skills' here.
You just described an exploit where the situation was *easy* to create
If you know the reason it worked in the first place, yes. If there is a one in a 5000 timing chance it will work and you don't know it, recreation becomes a bit more frustration
" a malicious user "
:)
Do we know the identity of this malicious user? If so, can't we just "fix" him?
You missed the point grasshopper. It's a comment on perception, not reality.
Arguably, the world would be a very different and much improved place if they did.
Well, I suppose all Christians would be blind and handless, so it's a start.
I've come for the woman, and your head.