Local Privilege Escalation On All Linux Kernels
QuesarVII writes "Tavis Ormandy and Julien Tinnes have discovered a severe security flaw in all 2.4 and 2.6 kernels since 2001 on all architectures. 'Since it leads to the kernel executing code at NULL, the vulnerability is as trivial as it can get to exploit: an attacker can just put code in the first page that will get executed with kernel privileges.'"
If this was Windows we'd never hear the end of it.
Now STFU.
So that's what the NULL pointers were for.
Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
I use Windows!
Does this mean that Linux was never more secure than Windows--only more obscure?
Why the bloody hell isn't page 0 hard-wired to panic the kernel / SIGSEGV the userland when accessed?
Here's the real one, linked from the (mostly) useless article.
http://archives.neohapsis.com/archives/fulldisclosure/2009-08/0174.html
Or I would be able to, if there were any
Long live the BSD license
Within a few days, patches will be released to all the OSS vendors. Admins will be inconvenienced by a reboot.
In my case:
# yum -y update && shutdown -r now;
*Yawn*
I have no problem with your religion until you decide it's reason to deprive others of the truth.
That's not good at all.
In the Linux kernel, each socket has an associated struct of operations
called proto_ops which contain pointers to functions implementing various
features, such as accept, bind, shutdown, and so on.
If an operation on a particular socket is unimplemented, they are expected
to point the associated function pointer to predefined stubs, for example if
the "accept" operation is undefined it would point to sock_no_accept(). However,
we have found that this is not always the case and some of these pointers are
left uninitialized.
This is not always a security issue, as the kernel validates the pointers at
the call site, such as this example from sock_splice_read:
[snip]
But we have found an example where this is not the case; the sock_sendpage()
routine does not validate the function pointer is valid before dereferencing
it, and therefore relies on the correct initialization of the proto_ops
structure.
We have identified several examples where the initialization is incomplete:
[snip]
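The advisory excerpt above describes two separate defences: every unimplemented socket operation should point at a predefined stub such as sock_no_accept(), and a call site like sock_sendpage() should validate the function pointer before jumping through it. The following is an added example, not kernel code, that models both in a miniature operations table; the names (mini_sock, mini_ops, mini_no_sendpage, the ENOSYS_MINI/EINVAL_MINI codes) are all hypothetical stand-ins for the kernel's proto_ops, sock_no_* stubs and errno values.

```c
#include <stddef.h>
#include <stdio.h>

/* Added example, not kernel code: a miniature socket operations table in
 * the style of the kernel's proto_ops. Every name here is hypothetical. */

#define ENOSYS_MINI 38   /* constructed stand-in for -ENOSYS */
#define EINVAL_MINI 22   /* constructed stand-in for -EINVAL */

struct mini_sock;

struct mini_ops {
    int (*bind)(struct mini_sock *s, int port);
    int (*accept)(struct mini_sock *s);
    int (*sendpage)(struct mini_sock *s, const char *buf, size_t len);
};

struct mini_sock {
    const struct mini_ops *ops;
    int bound_port;
};

/* Defence 1: stubs that every unimplemented operation must point to,
 * so that calling an unsupported operation returns an error instead of
 * jumping through an uninitialised (NULL) pointer. */
static int mini_no_bind(struct mini_sock *s, int port)
{ (void)s; (void)port; return -ENOSYS_MINI; }
static int mini_no_accept(struct mini_sock *s)
{ (void)s; return -ENOSYS_MINI; }
static int mini_no_sendpage(struct mini_sock *s, const char *buf, size_t len)
{ (void)s; (void)buf; (void)len; return -ENOSYS_MINI; }

/* One real implementation, so the table is not all stubs. */
static int dgram_bind(struct mini_sock *s, int port)
{ s->bound_port = port; return 0; }

/* Complete initialiser: no member left NULL. */
static const struct mini_ops dgram_ops_complete = {
    .bind     = dgram_bind,
    .accept   = mini_no_accept,
    .sendpage = mini_no_sendpage,
};

/* The incomplete pattern the advisory warns about: .sendpage is never set,
 * so it is zero-initialised to NULL. Kept only so the checks below have
 * something to catch. */
static const struct mini_ops dgram_ops_incomplete = {
    .bind   = dgram_bind,
    .accept = mini_no_accept,
};

/* Defence 2: validate at the call site rather than trusting the table. */
int mini_sendpage(struct mini_sock *s, const char *buf, size_t len)
{
    if (s == NULL || s->ops == NULL || s->ops->sendpage == NULL)
        return -EINVAL_MINI;        /* refuse instead of calling NULL */
    return s->ops->sendpage(s, buf, len);
}

int mini_bind(struct mini_sock *s, int port)
{
    if (s == NULL || s->ops == NULL || s->ops->bind == NULL)
        return -EINVAL_MINI;
    return s->ops->bind(s, port);
}

/* Audit helper: count NULL slots in a table. A sweep like this over every
 * ops table is the kind of check that flags incomplete initialisation
 * before it reaches a call site that does not validate. */
int mini_ops_null_slots(const struct mini_ops *ops)
{
    int n = 0;
    if (ops->bind == NULL)     n++;
    if (ops->accept == NULL)   n++;
    if (ops->sendpage == NULL) n++;
    return n;
}

/* Convenience wrappers that build a socket over a given table. */
int demo_sendpage(const struct mini_ops *ops)
{
    struct mini_sock s = { ops, 0 };
    return mini_sendpage(&s, "x", 1);
}

int demo_bind(const struct mini_ops *ops, int port)
{
    struct mini_sock s = { ops, 0 };
    int rc = mini_bind(&s, port);
    return rc == 0 ? s.bound_port : rc;
}

int main(void)
{
    printf("complete table:   sendpage -> %d, null slots %d\n",
           demo_sendpage(&dgram_ops_complete),
           mini_ops_null_slots(&dgram_ops_complete));
    printf("incomplete table: sendpage -> %d, null slots %d\n",
           demo_sendpage(&dgram_ops_incomplete),
           mini_ops_null_slots(&dgram_ops_incomplete));
    return 0;
}
```

With the complete table, sendpage reaches the stub and gets the stand-in ENOSYS; with the incomplete table, the call-site check refuses with the stand-in EINVAL instead of dereferencing NULL. Either defence on its own closes the gap the advisory describes; the kernel fix applied both.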
sudo
Please, this is a _local_ privilege escalation. It's not like code red infecting your box remotely. A sledgehammer is also a local privilege escalation.
Is this something that SELinux would protect against?
Oh how I wish 'ksplice' was more widely adopted in my deployed distro at work...
You could bother to read the article.
A patch already was made.
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=e694958388c50148389b0e9b9e9e8945cf0f1b98
I use Ubuntu with Ksplice. Fixing this will be a matter of downloading a new kernel and reloading it. Suck on that Mac/PC users.
This is the first time it's been publicized... not discovered.
Linus committed a patch correcting this issue on 13th August 2009. http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=e694958388c50148389b0e9b9e9e8945cf0f1b98
where's the source?! I want to try it. On my box.
I wonder how many people are logging into guest accounts right now trying out this "bug."
I am! And I'm a DeadBSD user!
Then why did Linus check in a patch today to fix it?
http://archives.neohapsis.com/archives/fulldisclosure/2009-08/0174.html
"I'd rather be a lightning rod than a seismometer." -Ken Kesey
You could measure it with a stop watch. Pretty rare to find such a serious flaw in Linux.
In other news, I noticed my Windows box automatically restarted last night. Your computer has recently been updated. No kidding.
That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
Sure there are. And they are both laughing.
everyone go hax the internets! rootkit everything!!!
As was stated before: if someone has a local account on your Windows machine, they already own you. You DO know the difference between local and remote exploits, right? I mean, NOBODY on Slashdot would go spouting off on topics they know nothing about just to score some points for their favorite OS.
Yeah, this is a serious bug. But honestly, how many people are running real multi-user systems with multiple honest to God local users? Okay, I am, but I figure I'm probably in the minority nowadays.
- None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
If only there was some way to formally verify the correctness of an OS kernel! :)
Are you sure they aren't laughing because they found some more "edible" gunk between their toes?
Hey! =/
I like the fact that the two people who found this are from Google Security... kudos.
Theo and Theo's girlfriend?
... I don't get it... Stallman uses Linux...
From http://archives.neohapsis.com/archives/fulldisclosure/2009-08/0174.html:
-------------------
Mitigation
-----------------------
Recent kernels with mmap_min_addr support may prevent exploitation if
the sysctl vm.mmap_min_addr is set above zero. However, administrators
should be aware that LSM based mandatory access control systems, such
as SELinux, may alter this functionality.
It should also be noted that all kernels up to 2.6.30.2 are vulnerable to
published attacks against mmap_min_addr.
I have checked my default Ubuntu and CentOS/RHEL boxes, and both of them are set well above 0:
root@Ubuntu:/proc/sys/vm# cat mmap_min_addr
65536
[root@CentOS /proc/sys/vm] cat mmap_min_addr
65536
[root@RHEL /proc/sys/vm] cat mmap_min_addr
65536
Check out my sysadmin blog!
April or not, I want to know why it's taken eight years to find this flaw.
You are welcome on my lawn.
beatches while I go compiler a kurnul. I'm so glad I am a linuxtardo.
For crying out loud... learn how to write English, please!
don't run services you don't need. Why didn't I think of that? Well, none of my systems run any of the services mentioned.
Security starts at the front door and never stops.
Theo and Theo's "girlfriend"?
Fixed the for you
Ya, because Linux is such a pathetic piece of shit.
I would love to know if this has ever been used as an attack before this announcement and by who to whom.
An Education is the Font of All Liberty
I didn't know his hand could laugh.
There's a theme of comments that occur every time another Windows vulnerability happens. It goes something like this:
Windows Fanboi: It doesn't matter. Marketshare marketshare marketshare blah blah business drivel Linux has no marketshare!
It's ironic to now see the Linux 31337 in this meme; trying to redirect from security vulnerability to lack of marketshare by a competing OS.
But I guess maybe it goes along with the whole tired 'BSD is dying' theme.
Notes From Under *nix: blas.phemo.us
Because we fix it instead of hushing it up until it becomes fairly well known and then waiting a month to fix it.
That said, it's nice to see the occasional vuln in Linux. Helps shut up the fanbois and keep everybody sharp. Because while under many eyes, all bugs are shallow, that only works if the eyes are actually looking.
93rd rule of Slashdot: No matter how obvious my sarcasm is, my comment will be taken seriously by someone.
'nearly no-one uses Linux for multi-user systems now that everyone can afford their OWN FREAKING COMPUTER.' Good lord, kids these days, gotta teach them everything.
You mentioned kids. It turns out that they can't necessarily "afford their OWN FREAKING COMPUTER." For the entire history of mass-market personal computers in the United States, home of Slashdot, laws prohibiting child labor have been in force.
It looks like RHEL's mmap_min_addr (cat /proc/sys/vm/mmap_min_addr) is set to 65536 by default. According to the vulnerability posting:
Recent kernels with mmap_min_addr support may prevent exploitation if
the sysctl vm.mmap_min_addr is set above zero. However, administrators
should be aware that LSM based mandatory access control systems, such
as SELinux, may alter this functionality.
So, if you're running stock RHEL 5.3 without SELinux, you should be safe?
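The manual checks in the posts above (cat /proc/sys/vm/mmap_min_addr on Ubuntu, CentOS and RHEL) and the advisory's mitigation text boil down to one rule: the sysctl must exist and be above zero, and even then an LSM such as SELinux may alter the outcome. The following is an added example, not from the advisory or any distribution, that reads the sysctl and applies that rule, treating a missing or unparsable file as "unsupported" (a kernel without mmap_min_addr) rather than as safe. The path is the real one quoted in the thread; the function and enum names are hypothetical.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example: evaluate vm.mmap_min_addr the way the thread does by hand.
 * Names below are hypothetical; only the /proc path comes from the thread. */

#define MMAP_MIN_ADDR_PATH "/proc/sys/vm/mmap_min_addr"

enum mmap_verdict {
    MMAP_UNSUPPORTED = 0, /* sysctl missing/unreadable: no mitigation available */
    MMAP_ZERO        = 1, /* set to 0: page zero is mappable, mitigation off */
    MMAP_ABOVE_ZERO  = 2  /* > 0: page zero cannot be mmap'd (absent LSM changes) */
};

/* Parse the text of the sysctl file. Accepts a non-negative decimal with
 * trailing whitespace; anything else yields -1 so it cannot be mistaken
 * for a valid setting. */
long parse_mmap_min_addr(const char *text)
{
    char *end;
    long v;
    if (text == NULL)
        return -1;
    errno = 0;
    v = strtol(text, &end, 10);
    if (end == text || errno != 0 || v < 0)
        return -1;
    while (*end == ' ' || *end == '\t' || *end == '\n')
        end++;
    return *end == '\0' ? v : -1;
}

enum mmap_verdict classify_mmap_min_addr(long value)
{
    if (value < 0)
        return MMAP_UNSUPPORTED;
    if (value == 0)
        return MMAP_ZERO;
    return MMAP_ABOVE_ZERO;
}

/* Read the sysctl; -1 when the file is absent (kernels predating the
 * feature) or unreadable, so the caller fails closed. */
long read_mmap_min_addr(const char *path)
{
    char buf[64];
    FILE *f = fopen(path, "r");
    if (f == NULL)
        return -1;
    if (fgets(buf, sizeof buf, f) == NULL) {
        fclose(f);
        return -1;
    }
    fclose(f);
    return parse_mmap_min_addr(buf);
}

enum mmap_verdict audit_mmap_min_addr(const char *path)
{
    return classify_mmap_min_addr(read_mmap_min_addr(path));
}

const char *mmap_verdict_text(enum mmap_verdict v)
{
    switch (v) {
    case MMAP_ZERO:       return "mmap_min_addr is 0: page zero mappable";
    case MMAP_ABOVE_ZERO: return "mmap_min_addr above 0: page zero not mappable";
    default:              return "mmap_min_addr unsupported or unreadable";
    }
}

int main(void)
{
    /* Note: per the advisory, an LSM such as SELinux may change the
     * effective behaviour, so ABOVE_ZERO is necessary but not sufficient. */
    enum mmap_verdict v = audit_mmap_min_addr(MMAP_MIN_ADDR_PATH);
    printf("%s: %s\n", MMAP_MIN_ADDR_PATH, mmap_verdict_text(v));
    return v == MMAP_ABOVE_ZERO ? 0 : 1;
}
```

Run stand-alone it prints the verdict for the running kernel and exits non-zero unless the value is above zero; the parser is deliberately strict so that an unexpected file format (or an empty read) is reported as unsupported rather than silently passing.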
Seriously, how hard is it for the OS to just blow up whatever program is running if it tries to access the memory location NULL, period?
That depends on whether you're running this OS on a PC or a C64. Programs on a C64 are expected to access memory-mapped I/O registers at $0000 and $0001.
And from all across the globe came the sound of geeks crying, for they would soon see their beloved "uptime" reset to zero.
Oh...
So it was disclosed the 11th of August and Linus has a patch today, HUH?
There are YEAR OLD bugs with this exact level of danger that microsoft simply has not patched and still refuses to patch.
Fuck you, I love my OS BECAUSE I know beforehand that it will be fixed in no time....
Windows people are just plain stupid, really.
NO SIG
Yeah, that was my fault. Sorry about that. I knew it was there, I just kept putting off fixing it or telling anyone.
Just echo something greater than 0 to /proc/sys/vm/mmap_min_addr
Which y'all should've set during config, anyway.
Which part of "local" are you not understanding?
"Local" doesn't necessarily imply physical access. It simply means that you have gained permission to run arbitrary code as a user on the given system. For example, if you have logged into an SSH account that is local to a given machine, you are local. So first you use a remote exploit to gain local privilege, then you use a local exploit to elevate from there.
There's no need.
The folks who write that shit won't write any malware for Linux. It would be like a Muslim terrorist group attacking Mecca.
Linux is safe because of ideology. This discovery of the security flaw was just an intellectual exercise.
Bank accounts that are mostly managed by Linux servers now.
> As far as I know, only one OS claims no exploits, and that is OpenBSD.
Actually, they claim only one remote exploit in the default install for the past however many years. Because they actually did find a remote exploit once, not to mention that there have been plenty of local exploits (though relatively few by comparison).
If you're gonna woosh, or meta-woosh, at least make it funnier than that!
I think that's his point. You have, in fact, been able to escalate without privilege for a long time. It wasn't known you could, but that doesn't mean the bug wasn't there. It was "obscure". The reason Linux was secure from this kind of arbitrary escalation was because people didn't know the trick to doing it, not because the security was such it couldn't be done.
I'm not saying I agree with the GP 100% or anything, but he raises an interesting point. One of the oft lauded advantages of open source is the "many eyes" thing. It is claimed that there aren't major holes since so many people can look at the code. Well, this demonstrates that isn't always the case. This is a LONG standing bug. However, despite the people looking at the code, it wasn't noticed. Only now has someone discovered it.
Hi Dan Lyons! Looks like you got the facts wrong again. No compiling is necessary, a live kernel patch is done using the same system update tools as for any other application.
In normal configs, Linux is vulnerable to this kind of problem by design because it runs unsafe programs and then for efficiency the kernel also has direct access to its memory plus the memory for a process doing a syscall. And it's not just a NULL pointer, and preventing maps for page zero doesn't solve the problem... it just means you need to find a bug where you can corrupt a function pointer to point to mappable space.
What this demonstrates is that the cost of isolating programs from each other by using separate memory spaces has a much higher cost than commonly understood. It either has a ~10%-20% overhead and is insecure by design (kernel map includes calling process memory space) -or- it is far slower than even that, but safe (kernel memory is completely separate from process). Computers are already faster than many users need... maybe it's finally time for an OS with a single memory space, like JavaOS or jxos, or even Singularity.
mmap_min_addr already set to 4096 there... Plus I don't really see what all the fuss is about: how does this make an affected desktop OS any more vulnerable?
The next time someone quotes me an absurd uptime number I am going to compare it against this date.
I will not mourn that which I never had to lose. - Unknown
Maybe the world simply forgot to check for Y2K++ bugs.
"I'm not much interested in interoperability. I want substitutability. I want to be able to throw your software out."
Posting anonymously for a reason... I knew about it 3-4 years ago. I discovered it disassembling some hack/crack code and verified it against the kernel sources. I used it myself quite a bit before changing careers. I know slashdot doesn't want to hear it, but having access to the source code helps find and verify root exploits.
This is not exploitable if the zero page is not mappable. Which means, most of the time. If you have a mappable zero page then you will get owned sooner or later, because it makes the whole concept of NULL as used in C invalid.
Those who would give up liberty to obtain working drivers, deserve neither liberty nor working drivers.
Fixed bug in two days. That's all I have to say.
Windows has, TODAY, KNOWN, available in the WILD, remote root exploits unpatched for 8 years now.
NO SIG
True, but Ubuntu 8.04 x64 Hardy Server LTS has that set to 0! This is on thoroughly-updated systems too (and a lot of servers will be running the LTS release, not 9.04).
"with their freedom lost all virtue lose" - Milton
Is my pr0n safe? Dude, no way do I want it compromised.
Ok this one is nasty, provides total access. Can we get the results of the search for the code to exploit this?
Is there a department that searches down people who exploited a vulnerability once we figure out how they did it? It seems sensible to develop such a feedback system, probably won't get the serious hackers but for the hackers who mess up there's probably a trail.
Worst method of detecting viruses: Feel your computer timing is different? Could be a virus. Of course they're taking this from us with SSD but meh... whatever floats the boat.
// leeches.c:Aug 11 2009
August, not april. Where the fuck did you get april from?
secunia.org
There is your linky...
Hell, at least you get PAID for being a MS fanboi.
NO SIG
See, calling me a MS fanboi has no basis. Just like your arguments. This is why you are a fanboy (notice how close fanboy is to fanatic? And how fanatic sounds like zealot? Have you ever looked up the meaning of those words?). As for the April thing - read the thread. It's right there. It might be WRONG, but it's there. No really - READ SOMETHING. Try it. Might hurt your head a little, but being a fanboy isn't really good for your health anyway. As for your link - nice try. If you actually WENT to the link, and USED the database, you'd see that your assertion isn't correct. Want to try again, little fanboy?
Oh hey, watch this! I'm sure this'll blow your mind - I'm sure it's never happened for you before. I'm going to admit something - I was wrong! It wasn't April - I misread the comment. It WAS reported August 11th, 2009. Sorry, that part I was wrong about.
If you'd care to continue "discussing" the rest, feel free to respond. I'm sure the fact that it was "reported" only two days ago means you can completely ignore that it's been there since 2001. And you can ignore the fact that your assertion about Windows having bugs around that long that are reported and unpatched is completely unfounded.
No need to say anything else, "foe" (I think you're the only person that uses the friend-foe system at /.).
No company, person or group can be accused of fixing what they don't know about. If there hasn't been any kind of in-the-wild exploit for this, and for now it hasn't (there will SURE be some very soon, but that's only because of this particular disclosure and can be thwarted by updating), then it's safe to say that all that COULD be done, was done for fixing this bug and in no particular way does it make the Linux kernel less secure than any of its competitors.
On the other hand, the timely fashion in which it was patched leads me to conclude that the FOSS model is much more secure as it gets patches faster out the door once an exploit has been discovered.
Now... do YOU care to discuss intelligently?
NO SIG
Of course I want to discuss this intelligently. I don't expect that from you, of course - which is why I've made sure to mod your comments to oblivion (that system works - it removes a lot of the FUD). I don't think the Linux kernel is less secure than its competitors. I'd even suggest it is likely MORE secure. However, your original comments were idiotic, and very fanboy. This isn't what you said at first. You called Windows users idiots, and praised Linux because it is just so awesome - ignoring the fact that this was a pretty shitty bug - and that it's been there for a long time. As for it not being exploited - well - that we know of. Hard to say anything solid about that, is there? I AM impressed it was patched so fast, and I will be patching my myriads of Linux servers at first opportunity. I am a little impressed that you've managed to mostly shutter the fanboy crap you've been spouting in this post, but my impression hasn't yet changed. Did you want to back up any of the other assertions you've made that I challenged you on? Or are you ready to let those go? I'd honestly love to have my impression of you be wrong - that this was just a shitty day for you or something. So please - do prove me wrong again.
Wait....there's another one?
Ah...
How the hell can you mod if you're posting? Do you keep an extra account with modpoints somewhere or get help from friends? Wow, pretty sophisticated.
Or do we have a bitch ass whiner account now @ /. to report "offensive" posts? It would be a crappy day for me if this was the case.
And no. You like to tag me as a fanboi because of what I said. Here:
Oh...
So it was disclosed the 11th of August and Linus has a patch today, HUH? GOOD THING: QUICK PATCH
There are YEAR OLD bugs with this exact level of danger that microsoft simply has not patched and still refuses to patch. ABSOLUTE TRUTH TO ANYONE IN THE SECURITY INDUSTRY
Fuck you, I love my OS BECAUSE I know beforehand that it will be fixed in no time.... For this case, even you say I'm right
Windows people are just plain stupid, really. I don't think YOU are a Windows user, I pity you if you are forced to be one.
NO SIG
Well since I am a Windows (and Linux) user, your GP post called me stupid. I'd like to respond in kind, but I don't believe it is nice to call folks with mental aberrations names. So you get a pass there. However, REMOTE EXPLOIT vulnerabilities in Windows unpatched 8 years? Link to something other than some random nut's blog or it doesn't exist. Where's the CVN number or the Secunia bulletin or the like? Oh, right - this doesn't actually exist and you were smoking crack again...
Oh, and you do know that a real remote exploit is not an enticement attack, right?
"Sure there are. And they are both laughing."
Such a brave front. Their OS is dying, yet they show no fear.
"This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
I would guess it's been used by pr0n and social networking sites, exploiting moz/opera/whatever, against whoever visits, feeding gathered personal information to centralized databases that are distributed to government and employers. Your ability to climb the social ladder is then less related to your performance and more related to whether or not you browse the same material as your corporate superiors. You know those days when it seems that some of the people in the hallways know when you've been looking at pr0n? Guess what. They do.
It would not be that difficult. Most browsers tell the remote server what browser they are. How difficult would it be to load the server with pages which contain exploit code which can be swapped in accordingly? There's a project on the web that's devoted to creating building block copy and paste exploits to insert trojans... I forget what its name is.
Linux is ready for the desktop!
You're both right. I got physical access and local account mixed up in my brain. My excuse is long day. Oops.
Oh well. Time for a reinstall anyway. Can't complain 'bout 4+ years uptime.
Hahahahahahahaha ...
Hey!
It would be quite an accomplishment to introduce a remote exploit directly in the kernel.
Here you go: that's not that hard to achieve (well, it is, but it's not impossible): http://dvlabs.tippingpoint.com/advisory/TPTI-06-02 (a driver BO will run in kernel mode, obviously), so remote BOs on the kernel side are not unheard of.
Read and Comment at my BLOG
!!!
OpenBSD has less users, because only people that care about security use it.
A normal user sees that his 3D games run slower and goes back to Lindows. People that care about security, however, learn that it is slow because it does more to protect you.
Linux and Windows devs just set CC -O3 and release. Maybe the compiler optimized out their memory protection, or encryption, or replaced the RNG by a PRNG that always returns 1337.
I would love to know if this has ever been used as an attack before this announcement and by who to whom.
Although I haven't yet looked at the patch for this hole or the discussion about it...
Historically - certainly throughout the entire 1990s - it was necessary to read Bugtraq regularly to learn about new holes and commonly patch them yourself. At first a patch for the hole would be debated in security circles rather than mailing lists associated with the application.
More importantly, however, is the consistent pattern that holes were discovered by hackers and kept private. Obviously it would get shared slowly - each new person having the ability to go public and claim they discovered it.
Independent discovery was very common, of course. I'm sure you had independent discovery of certain holes by government agencies, multiple hacker groups (or at least informal sets of friends that shared things within that clique), and security businesses. (although the security businesses learned about a lot of holes by employing hackers. Consider that a lot of the major security businesses today probably were started in an age when there would be a motivation to also keep a repository of unknown security holes, to be released on a schedule deemed most beneficial for PR reasons. Considering the huge motive, it makes one grateful that we can trust that it never happened due to the integrity of those involved.)
Being awarded financial benefit (credibility as a discoverer of security holes was beneficial to companies selling security products and individuals wanting to be hired by those companies) changed the landscape, and shortened the time between discovery and public knowledge.
Except for the government, of course, who does not have the same kind of profit motive.
And yet the government does on occasion make a security hole public..
I am still waiting for Bill Gates to patch my windows 3.11 vulnerability. What do you think? Will he patch it himself?
>which is why I've made sure to mod your comments to oblivion
Brilliant. You've made me read every one of his posts since I had to see what you were replying to.
The reason this bug was not detected sooner is that there was a check for a null pointer, which GCC optimized out! No one is checking for these kinds of bugs - ones where analysis of the source code does not match what was compiled.
Time to re-read Reflections on Trusting Trust http://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf
And here's the quote that it wouldn't have happened if not for gcc:
http://lwn.net/Articles/342420/
Yet another link in the chain of failure is the removal of the null-pointer check by the compiler. This check would have stopped the attack, but GCC optimized it out on the theory that the pointer could not (by virtue of already having been dereferenced) be NULL. GCC (naturally) has a flag which disables that particular optimization; so, from now on, kernels will, by default, be compiled with the -fno-delete-null-pointer-checks flag. Given that NULL might truly be a valid pointer value in the kernel, it probably makes sense to disable this particular optimization indefinitely.
Why is it that all the nerds dream about Power6 architecture processors and the return of the Alpha 21364 Valkyries to usher their /var into the Great Halls of Justice?
And you want to settle for a snotty-nosed twat that has downtime every month for a week at a time and can't even return the answer to simple arithmetic?
Get off my /. astroturf!
Is fixing this problem as simple as recompiling the kernel with a tweaked makefile or something, to tell GCC not to optimize that type of code out?
Because while under many eyes, all bugs are shallow, that only works if the eyes are actually looking.
For eight long years no one was looking. Tell me again how the geek spins this story in a way that inspires confidence in Linux and FOSS?
That's a good point.
To really be 'safe', you'd probably want to boot from a known good CD/DVD, install the fixed kernel from the CD/DVD, then reboot from the new kernel on the hard drive, yes? I mean, if your kernel is owned, the rootkit might protect itself somehow from you trying to install a fixed kernel.
It was as if a million mirror sites cried out, and were suddenly silenced under the upgrade onslaught.
Why the bloody hell isn't page 0 hard-wired to panic the kernel / SIGSEGV the userland when accessed?
Well, for one, DOSBOX wouldn't work so well anymore. When you set up for vm86 mode, you allocate things into your own memory space at the addresses you wish them to be at in vm86 mode. It would also affect any attempt to use VESA video drivers since the pointer to the handler of interrupt 0x10 is in page zero.
The sensible thing would be to redefine NULL to be a completely useless pointer (like, -1, for example) rather than choosing what has to be the single most useful number in all of computing. The first address is rather useful since anything might be there, whereas the last address isn't quite so useful since nothing more than a single byte could possibly be there anyway. ...but, if you think we have problems now, just imagine the confusion caused by a NULL that isn't zero.
Wait! I have a better idea. Let's just give up C. I think we can all agree that practically every bug ever has been caused by the fact that it forces programmers to constantly re-invent the wheel, creating their own string and memory management to make up for the fact that what is supplied in the language is barely functional at all. Programs written in languages with proper string and memory management don't have to worry about null pointers and buffer overflows.
Perl scripts aren't bothered by buffer overflows, whereas the average C program apparently can't so much as accept a password without a buffer overflow. If they could at least do that much they'd limit damage to people with access privileges, but every year or so some important piece of software like SSH has some vulnerability which doesn't even require a proper login. Apparently it's impossible to keep the bugs out of even that small portion of the code that deals with rejecting people without proper credentials, never mind the rest of the code that does everything else.
Obviously what the world needs is an easier programming language because C is just too fucking difficult.
have you ever thought what life would be like if you had no asshole? Things would get quite miserable, very quickly.
There are animals without an asshole, like anemones, and they don't seem to be particularly miserable. They have just one opening into their body cavity, which handles the functions of both mouth and asshole.
Hmm. Given what comes out of some politicians' mouths, maybe they don't have assholes either...
This actually is a flaw in x86. Under the x86 segmentation model, it is impossible to transfer control from ring0 code to lower-privileged code. This is precisely to prevent this type of attack, where you can trick the kernel into calling a function inside user-controlled memory. (You can, of course, transfer control from ring0 to a less privileged ring, but it's far more deliberate process).
However, Linux doesn't really use the segmentation system all that much. Instead it relies on the paging model to enforce the user/supervisor distinction. Problem is, the x86 does NOT prevent code running from a supervisor page from transferring control to a user page. Intel's excuse for this is that "you can use segmentation to achieve that protection" but as we all know, nobody uses segmentation for shit.
Let me say this all over again. The bug is not in the kernel -- it was performing a NULL check which gcc was optimizing away. It is not a bug in gcc, because according to the ANSI C standard, NULL cannot be dereferenced, and therefore a dereference followed by a NULL-check is redundant and can be optimized. It is a bug in the kernel build system (for not setting the proper flags to tell gcc that it's not compiling ANSI C code, it's compiling kernel code) and it is also a bug in the CPU itself (for allowing direct transfer of control from supervisor pages to user pages).
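The LWN quote earlier in the thread and the post above make the same point: a NULL check placed after the pointer has already been dereferenced is, under the C standard, dead code, and GCC at -O2 may delete it unless -fno-delete-null-pointer-checks is passed. The following added example (not kernel code, not from LWN) shows the two orderings side by side on a tiny function-pointer table, plus a helper that audits a CFLAGS string for the flag; the struct and function names are hypothetical, and only the flag names are real GCC options.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not kernel code. Struct/function names are hypothetical;
 * -fno-delete-null-pointer-checks / -fdelete-null-pointer-checks are real
 * GCC options. */

struct ops_table { int (*op)(void); };
struct sock_like { const struct ops_table *ops; };

static int real_op(void) { return 42; }

/* Constructed fixtures: a full table, an empty table (op == NULL), and a
 * socket whose ops pointer itself is NULL. */
static const struct ops_table full_table  = { real_op };
static const struct ops_table empty_table = { NULL };
static const struct sock_like sock_full   = { &full_table };
static const struct sock_like sock_empty  = { &empty_table };
static const struct sock_like sock_no_ops = { NULL };

/* The ordering behind the bug: 'ops' is dereferenced (ops->op read) BEFORE
 * it is tested against NULL. Because dereferencing NULL is undefined, the
 * compiler may conclude 'ops' cannot be NULL and delete the 'ops == NULL'
 * test. This function must never be called with s->ops == NULL; it exists
 * only to show the ordering. The 'fn == NULL' test survives, since fn was
 * never dereferenced. */
int call_op_check_after_deref(const struct sock_like *s)
{
    const struct ops_table *ops = s->ops;
    int (*fn)(void) = ops->op;           /* dereference first ...            */
    if (ops == NULL || fn == NULL)       /* ... then a check GCC may remove  */
        return -1;
    return fn();
}

/* Fixed ordering: test before every dereference. No conforming
 * optimisation can remove a check that guards the dereference. */
int call_op_check_before_deref(const struct sock_like *s)
{
    if (s == NULL || s->ops == NULL || s->ops->op == NULL)
        return -1;
    return s->ops->op();
}

/* Build audit: does CFLAGS carry -fno-delete-null-pointer-checks as a whole
 * token, without a later -fdelete-null-pointer-checks re-enabling the
 * optimisation? Returns 1 if the check-deleting optimisation is disabled.
 * (The -O level is not considered; this only inspects the explicit flags.) */
int cflags_keeps_null_checks(const char *cflags)
{
    static const char keep[] = "-fno-delete-null-pointer-checks";
    static const char drop[] = "-fdelete-null-pointer-checks";
    int state = 0;
    const char *p = cflags;
    if (p == NULL)
        return 0;
    while (*p) {
        const char *start;
        size_t len;
        while (*p == ' ' || *p == '\t' || *p == '\n')
            p++;
        if (!*p)
            break;
        start = p;
        while (*p && *p != ' ' && *p != '\t' && *p != '\n')
            p++;
        len = (size_t)(p - start);
        if (len == sizeof keep - 1 && strncmp(start, keep, len) == 0)
            state = 1;                   /* last occurrence wins */
        else if (len == sizeof drop - 1 && strncmp(start, drop, len) == 0)
            state = 0;
    }
    return state;
}

int main(void)
{
    printf("check-before-deref, NULL socket:  %d\n", call_op_check_before_deref(NULL));
    printf("check-before-deref, NULL ops:     %d\n", call_op_check_before_deref(&sock_no_ops));
    printf("check-before-deref, empty table:  %d\n", call_op_check_before_deref(&sock_empty));
    printf("check-before-deref, full table:   %d\n", call_op_check_before_deref(&sock_full));
    printf("CFLAGS '-O2': keeps checks? %d\n", cflags_keeps_null_checks("-O2"));
    printf("CFLAGS '-O2 -fno-delete-null-pointer-checks': keeps checks? %d\n",
           cflags_keeps_null_checks("-O2 -fno-delete-null-pointer-checks"));
    return 0;
}
```

The fixed ordering is the real remedy; the flag only stops the compiler from removing checks that are already in the wrong place. Compiling the first function with gcc -O2 -S and inspecting the output is the direct way to see the ops == NULL comparison disappear, and that source-versus-object mismatch is exactly what the post above says nobody was checking for.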
The difference is that while the windows fanboys are serious about it, the similar comments about BSD in this thread were quite clearly jokes. Seriously nobody denies that this is a serious bug, nor do I think you will find many people ( even Linux developers ) who deny that OpenBSD is one of the most secure general purpose operating systems there is. You do however have some people who have clarified exactly what problems this bug does and does not cause. In case you didn't catch it already I'll summarise:
-This bug on its own does not cause a remote exploit
-However, If you are running a service, and that service has an exploit in it, then this bug could allow an attacker remote root access.
-This bug could allow programs that are run without root privileges to obtain them, and this is a serious issue on multi-user set-ups.
-If you really must compare it to windows then Windows XP in its default configuration allows programs to do this BY DESIGN
So basically. Yes it is a very serious bug. Yes the fact that XP is retarded enough to allow this thing by default is not a reason for Linux users to be complacent. No this does not mean that Linux is not a lot more secure than windows.
Don't get me wrong, I'm not taking up a flag in the holy war; I'm a happy and grateful user of both BSD and Linux. I'm just making an observation about something that bears a lot of resemblance to the response made by the poor lot stuck with Windows. It seemed an interesting irony.
Notes From Under *nix: blas.phemo.us
Seriously? Windows and Mac vulns get the tag, why not Linux?
Linux exploits are no laughing matter, maybe?
Looks like I wasn't fast enough learning BSD or Solaris :(
Sigh.
Is anyone working on a Plan 9 64bit clone?
Semi-automatic amateur armchair Australian philosopher; conjecture ready at any moment...
Slashdot doesn't want to hear it but your detailed explanation is so convincing that we have no choice.
It's also worth noting that kernel 2.6 alone contains 186 advisories for 352 vulnerabilities with 6% unpatched. Windows Server 2008 contains 40 advisories for 82 vulnerabilities with 0% unpatched.
Your comparison is very flawed and meaningless. Linux kernel 2.6.0test was released in 2003--IT HAS BEEN AROUND 5 YEARS LONGER THAN SERVER 2008! If you want your math to actually make a real point try integrating the vulnerability rate of each OS over the same time domain. Simply put, you have to look at the combined vulnerabilities reported by Windows Server 2003 AND 2008 when comparing against Linux 2.6.x kernel based OSes.
More proper numbers for Windows would be 242 advisories for 341 vulnerabilities. Slightly lower vulnerability count but quite a few more advisories. 6% of these vulnerabilities also remain unresolved. These numbers do not show Microsoft having any meaningful advantage in quality over the Linux kernel.
And, to be more fair still, you should compare OS to OS as you said, rather than OS to kernel. For RHEL5 OS the stats are 272 advisories for 828 vulnerabilities and zero unresolved (suggests that one advisory and one patch probably solves many separately counted vulnerabilities--perhaps because Linux-based OSes leverage shared libraries far more than Windows?) Keep in mind, however, that comparing SLES or RHEL strictly speaking wouldn't be a complete comparison either, because in Linux OS distributions many applications are included where the equivalent in Windows would be separate (possibly extra-cost) add-ons.
Furthermore only counts are considered above, with no factor for intensity. Windows server 2008 has more than double the rate of "highly critical" vulnerabilities (35%) than does RHEL5 (16%) and it is well known that Linux exploits are far less likely to be directly remotely exploitable than is the case for Windows exploits.
Yes, MSFT has made great strides in closing the quality and security gaps in their server OSes (quality is still sorely lacking in their desktop offerings), but even if Windows was perfect I'd still prefer a Linux OS or OpenBSD:
* can't afford Ballmer'$ ga$
* Windows is closed--I don't trust what nobody but the vendor/author can see. Secunia et al can only report what they can observe from behaviour. As in this reported Linux exploit, third parties can perform extremely detailed analysis with source code at hand, often releasing the patch to plug the exploit right along with the exploit itself.
* licensing and activation take a lot of time and resources that serve no practical purpose other than to enforce an increasingly questionable business model--Activation is pure bulls**t. I've wasted FAR too much time on clients' issues where the root cause of functional deficiencies was improperly activated/licensed closed software (be it Windows or others). I've HAD it with closed crippleware.
* I like to tinker. I like to build. The playing field is far more flat in Free software land than in Windows land. I can reconfigure kernel modules, choose which web server, DNS server, email server I want to use and evaluate them truly on their merits. In Windows, if you think IIS or Exchange or MS DNS stinks, you can try the alternatives but they always seem hobbled by comparison. MSFT never lets third parties play by the same rules, especially when server apps are considered "windows components" like with IIS and DNS. They get to leap MSFT's long-professed "chinese wall" to get total access to OS internals info others do not have. ANYONE who wants to write server apps on a Free platform has the same access to info.
Ken Thompson's "Reflections on Trusting Trust" is a recurrent Slashdot link but people never link to the counter-argument article, David A. Wheeler's "Countering Trusting Trust". It doesn't give a complete view to leave out the second article...
Of course this is probably BS but I'll bite any way...you didn't tell anyone so you could use it against others? How nice of you. Luckily the code is open, so unlike with closed code like with Windows, secrets won't last as long. ^^
(not to mention with the help of the power of the typical GNU/Linux OS with all the monitoring and power tools that are available to find out about such exploits)
Promote true freedom - support standards and interoperability.
Yeah, 8 years are nothing in the world of Linux...
The only difference between Linux bugs and M$ bugs is that when they become known, an informed user could fix his system in hours.
Though i agree, the GP is most likely bullshitting.
And i'm still in shock how could something like this stay invisible for such a long time.
Patents Drive Free Software as Hurricanes Drive Construction Industry
Well, it seems to be an obscure macro error, which only revealed itself to be a bug when digging deeper. So, since there isn't a dedicated team reading through ALL the code lines carefully thinking about the implications in the code, these things just happen. I bet there are even older bugs in the kernel code that just haven't been found.
nobody (the apache account) is a local user.
That nobody guy is really smart.
I often tell people that nobody is smarter than me.
Vote for Nobody!
Nobody tells the truth!
(http://thecynicaleconomist.com/wp-content/uploads/2009/07/vote_nobody.jpg)
Howdy fuck, that guy is completely gross. I didn't know Stallman was that dirty. That is the most disgusting thing I have seen in a while.
Ubuntu is an African word meaning 'I can't configure Debian'
It would seem a possible workaround is to disable all vulnerable socket protocols via modprobe.conf (or equivalent) so that user space cannot open e.g. ppp socket at all.
Mostly these vulnerable protocols are not needed in a typical server.
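As an added example, not from the thread or any distribution: a small POSIX shell helper that checks the two mitigations mentioned above, a non-zero vm.mmap_min_addr (so unprivileged code cannot map page zero) and modprobe "install" overrides that refuse to load socket-protocol modules a server does not need. The module names you pass in, and the sample modules file, are assumptions.

```shell
#!/bin/sh
# Added example: check the mitigations discussed in this thread.

# Returns 0 (ok) when mmap_min_addr is above zero. Takes the value as an
# argument, or reads the live sysctl when no argument is given.
mmap_min_addr_ok() {
    val="${1:-$(cat /proc/sys/vm/mmap_min_addr 2>/dev/null || echo 0)}"
    [ "$val" -gt 0 ]
}

# Print the names of the given modules that are currently loaded.
# Arg 1 is a /proc/modules-style file (one "name size ..." line per module),
# the remaining args are module names to look for (assumed names).
loaded_modules() {
    modfile="$1"; shift
    for m in "$@"; do
        if awk -v m="$m" '$1 == m { found = 1 } END { exit !found }' "$modfile"; then
            echo "$m"
        fi
    done
}

# Emit modprobe.d lines that make "modprobe <name>" a no-op, so user space
# cannot trigger autoloading of a protocol family the server does not use.
modprobe_blacklist_lines() {
    for m in "$@"; do
        printf 'install %s /bin/true\n' "$m"
    done
}

# Constructed sample of /proc/modules for a stand-alone run.
SAMPLE_MODULES=$(mktemp)
cat >"$SAMPLE_MODULES" <<'EOF'
appletalk 32768 0 - Live 0x0000000000000000
ext3 139264 1 - Live 0x0000000000000000
EOF

# Stand-alone demonstration; values come from the constructed sample, not a live box.
mmap_min_addr_ok 65536 && echo "mmap_min_addr=65536: ok"
echo "loaded (sample): $(loaded_modules "$SAMPLE_MODULES" appletalk ipx | tr '\n' ' ')"
modprobe_blacklist_lines appletalk ipx
rm -f "$SAMPLE_MODULES"
```

Write the emitted lines to a file under /etc/modprobe.d/ (or modprobe.conf on older systems) to make the override take effect.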
No, eight years isn't nothing, and yes any software can have bugs and holes, but like we said open source means more fixable. If it was being exploited though, it probably would have become quickly patched, so most likely only a small few knew about it, if anyone. I'd much rather have the world community see and fix code than have one small company in comparison hide their code from everyone else.
Promote true freedom - support standards and interoperability.
I'm not modding anything. Hello? Where is that coming from? I honestly have no idea what you are freaking out about. All I've done is:
1. Tease you for being a fanboy
2. Respond and challenge you on your assertions
3. Mark you, personally, as a "foe" so I don't have to read your craptastic fanboy b.s. that I saw, time and time again, after reading through a sampling of your "comments" from various topics
And yes, I'm tagging you as a fanboy because of what you said and how you said it - and that is from just about every reply you've made in this thread. I'm sorry that you can't prove my disdain from you misplaced. You have yet to even bother admitting to the many mistaken assertions you have made in this very thread, that I took the time to point out. Have a great day - don't expect to hear from me again (I won't even know you are there!).
In this you are right. It was an exaggeration. My first post is much more on the nose: there are unpatched local privilege escalation bugs in windows unpatched and known for years now.
NO SIG
Available here. Does not try to get around mmap_min_addr. Use at your own risk.
Why on earth would the kernel have the execute bit set on its mapping of pages in userspace? What is the purpose for having the capability of executing code in userspace from the kernel?
The numbers mean nothing if there is no indication of what they are measuring. You can really only consider how severe each individual vulnerability and think of things that way unless you want to win a meaningless argument comparing the number of apples to aardvarks. That's the situation we're getting from a marketing point of view where this numerology is used as a distraction in an attempt to show the only platform compatible with malware doesn't have a problem with malware. Meanwhile things are steadily getting fixed on both platforms by people that would find the argument annoying and pointless.
M$ employees have been trolling Slashdot by astroturfing and posting FUD. One notable M$ employee has Numerous accounts on slashdot for the sole purpose of astroturfing for M$ and spreading FUD. I have wondered about you for some time and now your latest post all but confirms you account is merely a troll account for M$.
--
Friends don't help friends install M$ junk.
Friends do assist M$ addicted friends in committing suicide.
Let's get this out of the way first. To all of you cat lovers, I'm sorry for being an insensitive clod.
If I have local access to a computer, in many cases I can just use a Live Linux CD to gain access to just about anything I'd want on the box. For more badness later, couldn't I also then move or rename the right security files, reboot and insert an exploit, reboot with the CD again to restore the security files, reboot again without the CD, and be on my way without leaving a trail? I've never tried such a thing (really), but wouldn't someone with enough motivation and talent be able to do that to almost any computer?
My Fedora install also has mmap_min_addr set to 65536. I wonder how many other distros do this?
What, not standing there with a superior sneer on their faces, taking a short break from driving off potential users by being assholes?
Of course this explains why there seem to be more than 2 OpenBSD users--they are such assholes they seem legion.
Well, let me clarify that the flaw only occurs on networks that use Apple's obsolete AppleTalk protocol, not on the TCP/IP we generally use.
Linus himself says in his commit (http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=e694958388c50148389b0e9b9e9e8945cf0f1b98)
"Does anybody really care about sendpage on something like Appletalk? Not likely."
Regards,
adrruiz
Windows users are also fat virgins who brown nose up their PHB's hemorrhoid infested ass all day espousing bullshit about ROI that they don't really understand. And windows users tend to have neat hair.
Point is you are too stupid to exist you goof.