Slashdot Mirror
No ELF Vulnerability in 2.6 Kernel
gaijincory writes "Greg KH, the co-maintainer of the 2.6 kernel has posted a comment on lwn.net confirming that there is indeed no such ELF vulnerability as spelled out by Paul Starzetz on isec. The bug was originally thought to be particularly nasty, allowing a malicious user to gain elevated privileges using a carefully crafted binary which would exploit the kernel's Executable and Linking Format. The bug's author confirmed that no one has been able to repro the exploit."
Give us some time to read the earlier stories first. Why is H posting another story in less than 15 minutes ?
What about the DWARF and GNOME vulnerabilities though? Eh where's your answer now Greg?
I saw this story on OSnews today, but they made it out to be about the Hyperthreading issue. But that didn't make any sense since that is not ans OS bug at all, but a hardware issue. (If it is evan an issue)
Try out fish, the friendly interactive shell.
Is it that hard to spell out reproduce? Even though that's something many on Slashdot will never do.
They've tested it and been unable to reproduce the vulnerability. But vulnerabilities are tricky things. I'm glad they still bothered to patch the kernel.
I am trolling
yay! FP!
Is it a bug, if it can't be reproduced? Not yet, anyway. Did he really create this vulnerability problem, at least once? - so many people get sloppy on scientific method, conditions, variables.. and recording the details. Especially me. And what they think happened, did not.
Mike Harrison -
Well, if the cable modem (router/gateway I assume) has a firewall, it will obviously block all invalid packets, and sometimes DoS attacks.
Otherwise, all (I think) cable modems / routers will give away their IP, BUT they should all protect the users behind them, through natting or dhcp.
But even then, the machine behind can be targeted using various techniques (one is to exploit the router itself).
If you're not talking about a router, then yes, the IP of the Windows machine (like linux) is exposed which means anyone can run checks and such on services which are vulnerable.
But then it really depends on how up-to-date your windows machine is. It's still highly unlikely that it'll be exploited, unless someone (clueless person) clicks on a link to activate a virus or such through an email, or activates a service for back-door entry.
BTW, note that the jpeg flaw was fixed very quickly, and most machines weren't vulnerable anyway (such as mine).
Windows XP is actually very stable, supporting multiple networked users (multi-user and multi-tasking), but lacks in that all accounts by default have admin privilege(!). And that is mostly the reason behind all the viruses, spyware and auto-spam-servers.
Besides all that, since most Windows vulnerabilities aren't based on a kernel attack (unlike linux), but instead the services you have activated, you can simply disable the ones you don't need, and just be sensible about which applications you open through emails (hopefully none!).
But even after all that, a user can come along and browse the web using IE and activate some activex component, or installs some other IE component or JScript which allows entry to the machine.
If the user isn't using IE and isn't running a server (such as httpd), then it's quite unlikely that anything bad will happen. Unless someone specifically targets the machine and scans for all activated services, etc, and launches an attack against an un-patched vulnerability.
I would be brave enough to state that a Win2k / WinXP / Win2003 is just as secure as UNIX / FreeBSD / OSX, if: -
* The user using the machine doesn't have admin rights,
* Windows and related networking software is kept up-to-date,
* Doesn't use IE / related mail product.
"I'm a bug author. Today I've written five bugs!" Sounds like a nice career choice ...
"The bug's author confirmed that no one has been able to repro the exploit"
That's really comforting.
[ominous music]
June the 4th, 1973, was much like any other summer's day in Peterborough,
and Ralph Mellish, a file clerk at an insurance company, was on his way
to work as usual when --- [da dum!] Nothing happened! [dum dum da dum]
Scarcely able to believe his eyes, Ralph Mellish looked down. But one
glance confirmed his suspicions. Behind a bush, on the side of the road,
there was *no* severed arm. No dismembered trunk of a man in his late
fifties. No head in a bag. Nothing. Not a sausage. For Ralph Mellish,
this was *not* to be the start of any trail of events which would not, in
no time at all, involve him in neither a tangled knot of suspicion, nor
any web of lies, which would, had he been not involved, surely have led
him to no other place, than the central criminal court of the Old Bailey.
[muttering voices, Judge's gavel banging.]
But it was not to be [ominous music returns]. Ralph Mellish reached his
office in Dulls-ells Street in Peterborough, at 9:05 a.m., exactly the
same time as he usually got in!
[door opens]
"Morning, Mr. Mellish"
"Morning, Enid"
Enid, a sharp-eyed, clever young girl, who had been with the firm for only 4
weeks, couldn't help noticing the complete absence of tiny but tell-tale blood
stains on Mr. Mellish's clothing. Nor did she notice anything strange in Mr.
Mellish's behavior that whole morning. Nor the next morning. Nor at any time
before or since the entire period she worked for that firm.
"Have the new paper clips arrived, Enid?"
"Yes, they're over there, Mr. Mellish."
[faintly] "Oh..."
But for the lack of any untold circumstances for this secretary to
notice, and the total non-involvement of Mr. Mellish in anything illegal,
the forweight of the law would insure that Ralph Aulds Mellish would
have ended up like all who challenge the fundamental laws of our society.
In an iron coffin with spikes on the inside.
-- MPFC
First, the obligatory joke to set the questions:
According to Starzetz report, the flaw is in the function elf_core_dump(), (...)
That writes itself. Adding in references likening this to bears and woods is optional and subliminal.
Anyhow, if there is an ELF core dump bug and no one else steps in it, does it really matter? Did it really happen?
Do we dump the kernel, insist on a grooming of all ELF involved code, and rebuild and recompile?
What is the threshold anyhow for reproducing a bug? How many people must do it? If only one person reports activating the bug, do we ignore all their documentation of the event as if it was spurious because we couldn't do it? Do we wait till a malware write manages it?
What is the proper level of concern here?
If my grammar and spelling are off, I am [distracted/tired/careless] (take your pick)
It is imperative that I give you the following information, which linux wants concealed from the public. First off, the real question here is not, "To what degree is linux going to tell everyone else what to do?". The real question is rather, "Why doesn't it point a critical finger at itself for a change?" As you ponder the answer to that question, consider that it hates it when you say that it feels obligated to erect a screen of flatulent verbiage to hide the real world from its victims. It really hates it when you say that. Try saying that to it sometime, if you have a thick skin and don't mind having it shriek insults at you. I have never been in favor of being gratuitously ultra-loquacious. I have also never been in favor of sticking my head in the sand or of refusing to create a world in which expansionism, autism, and antidisestablishmentarianism are all but forgotten. As amazing as it seems, there is still hope for our society, real hope -- not the false sense of hope that comes from the mouths of what I call politically incorrect caustic-types, but the hope that makes you eager to lend support to the thesis that its op-ed pieces prove that it did little to no research before concluding that it can walk on water. In all fairness, linux will stop at nothing to leach integrity and honor from our souls. This may sound outrageous, but if it were fiction I would have thought of something more credible. As it stands, I challenge linux to point out any text in this letter that proposes that its expedients provide a liberating insight into life, the universe, and everything. It isn't there. There's neither a hint nor a suggestion of such a thing. I can guarantee the readers of this letter that if Fate desired that linux make a correct application of what it had read about parasitism, it would have to indicate title and page number, since the Pecksniffian, violent organization would otherwise never in all its existence find the correct place. But since Fate does not do this, linux is a faithful student of Sun Tzu, the ancient Chinese strategist who advocated demoralizing one's enemy as the highest art of warfare. Whatever weight we accord to that fact, we may be confident that I would be grateful if linux would take a little time from its rigorous schedule to improve the lot of humankind. Of course, pigs will grow wings and fly before that ever happens. While I agree with others' assessment that linux would rather talk about making changes than actually make them, still, I correctly predicted that linux would extinguish the voices of opposition. Alas, I didn't think it'd do that so effectively -- or so soon.
Linux's callow newsgroup postings can be quite educational. By studying them, students can observe firsthand the consequences of having an organization consumed with paranoia, fear, hatred, and ignorance. Prudence is no vice. Cowardice -- especially linux's lethargic form of it -- is. Essentially, I want to make this clear, so that those who do not understand deeper messages embedded within sarcastic irony -- and you know who I'm referring to -- can process my point.
Linux is so intolerantly devoted to its own prejudices that its perception of reality is thoroughly warped for a variety of reasons. For instance, it's linux's belief that my letters demonstrate a desire to concentrate all the wealth of the world into its own hands. I can't understand how anyone could go from anything I ever wrote to such an illaudable-to-the-core idea. In fact, my letters generally make the diametrically opposite claim, that I'm willing to accept that as linux feels less and less need to conceal its zingers, it makes increasingly open moves towards loathsome gnosticism. I'm even willing to accept that its representatives are the carrion birds of humanity. But it is not uncommon for it to victimize the innocent, penalize the victim for making any effort to defend himself, and then paint the whole repugnant affair as some great benefit to humanity. I am not in any way placing the blame on linux for boisterous wackos who pre
Speaking for myself, and elves everywhere, this is great news. I can finally use my favorite OS without worrying about any attacks I'm opening myself to.
Or it can simply be a fact that modern computer systems (both hardware and software) change states so much every second that its next to impossible to recreate the exact state required without having a rig that recorded the origional state and set it up as a test system. It could be a very obscure bug that requires some very exacting conditions that only occur extremely rarely, thats why noones been able to replicate it. Im sure that in the course of development, all programmers have come across a random one time only bug that causes you to shrug your shoulders, watch out to see if it ever happens again, but get on with life.
They've discovered most of the linux kernel vunerabilities in the latest ~2 years or so, and they've always disclosed them friendly, so I don't think they deserve all this noise. It's better to think that there're vulnerabilities and fix them than the contrary.
We found that almost all the exploits we tried did not work as advertised. Yet the security advisory lists blindly post these as if they work. While the design/implementation issues may be present in a range of kernels, I'm beginning to think that these exploits are not vetted, and that the exploit writers look for a possible weakness and publish a piece of software that sort of pokes at it and claim success. It is very frustrating, since if the vulnerability can be exploited, a bogus exploit gives a false sense of security (since you can't compromise the system using it).
All I can say is, some jerk bit my 2.4.21 system with this bug. This past week has not been a happy week for me.
--Quentin
It could also be that the original analysis as wrong, and the priviledge escalation was due to the exprimental setup, not a problem in ELF.
What keeps me going is my inertia.
Has anyone confirmed the bug in 2.4?
If the conditions for an exploit are so specific that is is hard to create them even if you're trying then the exploit isn't all that dangerous...
Beware he who would deny you access to information, for in his heart he dreams himself your master. -Anonymous
Shouldn't that be:
"no one has been able to repro the 'sploit"
Just to get all your leet abbrev's in one sentence.
I had a project manager once who had a saying: "If it didn't happen twice, then it didn't happen once."
Yes I know the whole world revolves around Linux, but it would still be nice if articles like this wouldn't just take for granted that everyone knows what they're referring to, when it isn't named anywhere.
And I call it job security, FYI.
If it really is a bug, then the people that claim its existence should devise a more reliable means of replicating the bug.
What I didn't say is that there's a certain level of responsibility to the person reporting a problem. If they want a claim to fame, then they should be able to prove its existence, rather than making everyone else work furiously track it down, because for all anyone else knows, it could be a complete fluke at best, or at worst, a total fraud.
Paul has found a metric shit-ton of extremely subtle and interesting flaws in Linux. If you google for ihaquer@isec.pl, you'll see that he's a world class security researcher. I don't know him personally, but as someone who does this kind of research for a living, it's obvious to me that he has the right mix of technical acumen and destructive creativity necessary for doing high-end vulnerability research.
All I'm saying is that if he's wrong, then no one should begrudge him a mistake in light of his other findings. That said, he's probably not wrong.
'I had a project manager once who had a saying: "If it didn't happen twice, then it didn't happen once."'
Was he a zen monk? If you follow that philosophy then all occurances are first occurances and therefore never happen, causing the next occurance to again be the first.
How very wrong..
/tmp/.root/ps exec file that woukld then proceed to copy state from the kernel and then be read back into the real PS. This file would only last 1/1000 of a second before rm got it.
/tmp did not have group sticky on and so it didnt control who overwrote others' files. Turns out if you do a timed attack (of calling ps, moving /tmp/.root/ps to your ~, and then edit it to be a shellscript that calls bash), root was easy to get.
A while back (in '92) there was the 'PS' bug.
Because ps lists full processor charts of whats running, how much cpu time, and how much mem used up, it requires root access (hence a suid root bit set).
When you run it, it would create a
Now, how would you hack a system like this to get root? On this specific SUN system,
Since this depended on a variable on state, you would run it in a script that called ps about 5000 times, and then BAMN! You have root.
I guess getting root isnt all that dangerous when you have to the attack some 5k times... Now is it?
But what about all of those a.out vunrebilities that are out there right now
Yes, but most people don't follow every clever little maxim to their potentially absurd logical conclusions.
I've come for the woman, and your head.
You just described an exploit where the situation was *easy* to create and the poster was talking about a situation where the situation was hard to create.
There was the same obfusication in both. Timing based attacks are 'not cool' unless used in conjunction with other security measures.
In the most likelyhood, some idjit will think this is 'security' and secure a telnetd on a port. Then when they're hacked, oh-nos! Thats when they realize from the logs the attack came from within the ISP. Big surprise.
Anyways, I'd prefer to use standard queries for networks and not have everyting hidden... Having sshd running with no key-sharing is plenty secure enough for me (well, with obvious nsa-patches.. heh heh heh).
I read ELF as "Extremely Low Frequency" and was thinking "how can a really slow clock lead to an exploit?" Then I read the bleeping header...
The clearance system sounds logical. It is not. It is completely arbitrary. -- John Bolton
Yea, in fact I have come across "random one time bugs" that caused me "to shrug my shoulders" and most of the time they turned up again in the last days before I had to deliver the project, which I wasn't always succesful at.
I'm still trying to figure out what people mean by 'social skills' here.
You just described an exploit where the situation was *easy* to create
If you know the reason it worked in the first place, yes. If there is a one in a 5000 timing chance it will work and you don't know it, recreation becomes a bit more frustration
" a malicious user "
:)
Do we know the identity of this malicious user? If so, can't we just "fix" him?
You missed the point grasshopper. It's a comment on perception, not reality.
Arguably, the world would be a very different and much improved place if they did.
Well, I suppose all Christians would be blind and handless, so it's a start.
I've come for the woman, and your head.