Slashdot Mirror

← Back to Stories (view on slashdot.org)

Local Privilege Escalation On All Linux Kernels

Posted by timothy on from the uriah-deems-it-scary dept.

QuesarVII writes "Tavis Ormandy and Julien Tinnes have discovered a severe security flaw in all 2.4 and 2.6 kernels since 2001 on all architectures. 'Since it leads to the kernel executing code at NULL, the vulnerability is as trivial as it can get to exploit: an attacker can just put code in the first page that will get executed with kernel privileges.'"

24 of 595 comments (clear)

  1. Security through Obscurity? by MarkvW · · Score: 3, Insightful

    Does this mean that Linux was never more secure than Windows--only more obscure?

    1. Re:Security through Obscurity? by Anonymous Coward · · Score: 5, Insightful

      uh huh..and the 8 years it took to discover don't matter, eh?

    2. Re:Security through Obscurity? by Bandman · · Score: 3, Insightful

      Yeah, I can't buy this, and neither should you.

      Really, just because they're not common knowledge doesn't mean that no one has found them.

      --
      Check out my sysadmin blog!
    3. Re:Security through Obscurity? by recoiledsnake · · Score: 5, Insightful

      Does this mean that Linux was never more secure than Windows--only more obscure?

      It's hardly obscure since they could look and find it, evidenced by the fact they found it.

      Go try that with the Windows kernels!

      In addition, there is already a patch out for this, which by end of the week will be pushed down from the distro managers. We don't have to wait years after finding it for the fix to be released, as Microsoft historically does.

      In fact, why just assume this similar bug is NOT in the windows kernel? Did you check? Did any reputable security company check?
      I'm not saying it is there, only that you can't easily prove otherwise.

      *that* is the security being spoken of.

      As far as I know, only one OS claims no exploits, and that is OpenBSD.

      The transparent thing works both ways... it's easier for black hats to find holes too, by your own logic. And they can keep it secret and exploit it as long as they can. A similar bug existing in Windows doesn't prove anything and is irrelevant here. After all 'M$ can't code shit'. Linux and FOSS is commonly claimed to be more secure because of it's development model and bug free here in these parts. Any data that runs counter to this is routinely downplayed by commenters and moderators... just like your post got modded up.

      --
      This space for rent.
    4. Re:Security through Obscurity? by amorsen · · Score: 3, Insightful

      Sure, it was patched, but it wasn't exactly all over the news. Neither is this one for Linux, but it managed to get mentioned on Slashdot.

      Local privilege escalation is hard to guard against with current mainstream operating systems. The attack surface is very large and it is hard to completely verify interfaces. That said, Linux team seems to be doing fairly well overall. We're certainly a long way from the "good" old days when crashme would crash pretty much any Unix system. OpenBSD is doing even better, masturbating monkeys or not.

      --
      Finally! A year of moderation! Ready for 2019?
    5. Re:Security through Obscurity? by Vexorian · · Score: 4, Insightful
      It was fixed much faster than MS after it was announced. I guess it is 100000 times faster than your usual MS flaw. So, yeah Linux is more secure.

      Also, did you bother reading what this exploit does? It is very bad because it allows user programs to gain administrator privileges. This is insecure because it puts Linux in a category that's as insecure as all pre-vista windows computers and also the UAC-enabled-because-else-it-is-useless vista and 7 computers. That's the problem here, it moves Linux to a windows state...

      Finally, it is easier to find flaws in Linux, this increases the chances blackhats found bugs, but it also increases the chances someone else will find it in paralel, preventing your hypothetical situation...

      Ironically, it is because of some artificial obscurity that this bug was present and took so long to find. Most vulnerabilities aren't caused by obscure optimization issues, and are findable in source code, those were a non-issue thanks to the lack of obscurity. So this actually proves obscurity != security.

      --

      Copyright infringement is "piracy" in the same way DRM is "consumer rape"
    6. Re:Security through Obscurity? by jmac_the_man · · Score: 5, Insightful
      Theoretical nefarious hackers who discovered the flaw before Travis and Julien would have been trying to hide it. Just because something isn't known doesn't mean it doesn't exist.

      Security through obscurity does mean the thought that that as long as no one knows about it, it's not an issue. Being open source doesn't make you immune to this. What would make you immune to this would be formal testing and security audits of every component, like is done on things like the space shuttle. This is generally prohibitively expensive for situations where actual life and limb danger isn't a factor, which is why no commonly used operating system implements this strict security level. Sure, having a lot of eyes looking at the Linux kernel helps (and it eventually worked in this case) but just being open source doesn't mean it's secure.

  2. Local Privilege Escalation On All Linux Kernels by sofar · · Score: 5, Insightful

    sudo

    Please, this is a _local_ privilege escalation. It's not like code red infecting your box remotely. A sledgehammer is also a local privilege escalation.

    1. Re:Local Privilege Escalation On All Linux Kernels by jandrese · · Score: 5, Insightful

      The thing is, local privilege escalations can become remote privilege escalations when combined with buggy services that allow for code injection. This is especially bad for people who are forced to run services that they don't trust and thus place them in jails, only to discover that if the exploit happens at the kernel level then your jail means nothing.

      My guess is that rootkits are being updated as we speak, so get your kernels patched people.

      --

      I read the internet for the articles.
    2. Re:Local Privilege Escalation On All Linux Kernels by athakur999 · · Score: 3, Insightful

      But if you have any programs that access the Internet that have a bug that allow running arbitrary code, couldn't a remote cracker could exploit the vulnerability in that program to invoke this bug, and through that gain root access to the machine? It sounds like the program being exploited could even be running as a regular user.

      --
      "People that quote themselves in their signatures bother me" - athakur999
  3. Re:pwned by Anonymous Coward · · Score: 5, Insightful

    If this were Windows, we'd first hear about it when our machines get owned by some malware, and then it would take months for a patch to be released. Since this is Linux, expect a fix in a week or less.

  4. Re:The REAL impact here by Bazman · · Score: 4, Insightful

    How can you trust that a user hasn't used a privilege escalation to install a rootkit already? You can't trust apt-get, or yum, or anything.

    Fresh install time, surely? Back to the bare metal.

  5. Re:pwned by lukas84 · · Score: 4, Insightful

    Expect a source fix with no regression testing in a week or less. Wait months for the big distribution makers (RedHat, Novell) to release it to the masses.

    Expect people manually rebuilding their kernel in panic, having machines rendered unbootable because they decided the 250$ bucks for the iLO Advanced license wasn't worth it since Linux never crashes, etc. pp.

    Face it: IT sucks. The OS matters little.

  6. local... remote... by spun · · Score: 3, Insightful

    As was stated before: if someone has a local account on your Windows machine, they already own you. You DO know the difference between local and remote exploits, right? I mean, NOBODY on Slashdot would go spouting off on topics they know nothing about just to score some points for their favorite OS.

    Yeah, this is a serious bug. But honestly, how many people are running real multi-user systems with multiple honest to God local users? Okay, I am, but I figure I'm probably in the minority nowadays.

    --
    - None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
    1. Re:local... remote... by Anonymous Coward · · Score: 4, Insightful

      nobody (the apache account) is a local user.

    2. Re:local... remote... by Anonymous Coward · · Score: 4, Insightful

      Local exploit in kernel + arbitary code execution exploit in network service = remote exploit.

      You know, like running WordPress.

      It would be quite an accomplishment to introduce a remote exploit directly in the kernel.

  7. Re:I can hear the OpenBSD users laughing already.. by tres · · Score: 3, Insightful

    There's a theme of comments that occur every time another Windows vulnerability happens. It goes something like this:

    Windows FanboiIt doesn't matter. Marketshare marketshare marketshare blah blah business drivel Linux has no marketshare!

    It's ironic to now see the Linux 31337 in this meme; trying to redirect from security vulnerability to lack of marketshare by a competing OS.

    But I guess maybe it goes along with the whole tired 'BSD is dying' theme.

    --
    Notes From Under *nix: blas.phemo.us
  8. This reminds me of why I use linux... by calmofthestorm · · Score: 3, Insightful

    Because we fix it instead of hushing it up until it becomes fairly well known and then waiting a month to fix it.

    That said, it's nice to see the occasional vuln in Linux. Helps shut up the fanbois and keep everybody sharp. Because while under many eyes, all bugs are shallow, that only works if the eyes are actually looking.

    --
    93rd rule of Slashdot: No matter how obvious my sarcasm is, my comment will be taken seriously by someone.
  9. Re:pwned by Real1tyCzech · · Score: 3, Insightful

    The flaw has been around since 2001.

    There goes your theory. ;)

  10. Re:pwned by amicusNYCL · · Score: 3, Insightful

    Yes, hardened windows is reasonably secure. After you spend an hour or two installing all the third party software and configuration settings you need to prevent being owned in under five minutes. Or you can just install Ubuntu.

    Yes, Ubuntu. Which apparently you don't need to configure at all to get owned.

    Seriously, in a story about how trivial it is to get code to execute as root you post a comment about how much more secure Ubuntu is than hardened Windows?

    --
    "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
  11. Re:I don't get it... by 0123456 · · Score: 3, Insightful

    It's somewhat ironic that this is only exploitable if you have selinux running.. (afaics)

    AFAIK it's not SELinux, it's poorly-designed SELinux policies which allow any process to map pages at address zero even if they're not root or not otherwise allowed to do so.

  12. Re:pwned by arndawg · · Score: 4, Insightful

    Parent is not a troll. Local Exploit still means a bug in firefox can leave your box totally "PWND!" A local exploit is more dangerous for a desktop computer than a server. but is still a very real concern.

  13. Re:pwned by magarity · · Score: 4, Insightful

    How much local privilege escalation vulnerabilities normal windows users worry about?
     
    They probably don't worry about it at all because the vast majority of Windows users log in and run with an administrative level account in the first place.

  14. Re:Vulnerable by design by True+Grit · · Score: 3, Insightful

    In normal configs, Linux is vulnerable

    The problem you're describing is not an issue just for Linux but most current 'conventional' OSes. On any OS with a shared memory space as you described, if you can a) 'hack' a pointer, and b) move or map your own code to where that 'hacked' pointer is now pointing to, and c) combine this with some other exploit/bug to get elevated privileges in the code you inserted earlier and take immediate advantage of this, then you can theoretically pwn the system whatever its OS (as always, it depends on the specific circumstances).

    As you say, this is fundamentally a weakness of the hardware-assisted approach to process isolation, because in a paradigm that allows modifiable pointers in userland code, neither the hardware nor the OS can ever *really* know what the pointers are actually pointing to.

    It either has a ~10%-20% overhead and is insecure by design (kernel map includes calling process memory space)

    Not sure I'd go as far as 'by design', at the very least its not an easy exploit to accomplish (not withstanding this latest problem), since it depends on finding at least one bug/flaw in the OS to let you do the first step of 'hacking' a pointer (and usually at least one more bug/flaw to be able to do something really dastardly), but yes, there is an overhead, and its certainly not a perfect model (what is?).

    maybe it's finally time for an OS with a single memory space, like JavaOS or jxos, or even Singularity.

    If they can get it right, absolutely.

    In fairness however, these OSes accomplish their goal by restricting you to a type-safe language(s), in effect, they (try to) avoid the problem of pointers being 'hacked' by eliminating the presence of writable/modifiable pointers that *can* be 'hacked' within running code. They use the strictness of the language as the protection mechanism, rather than hardware assistance. This however is not trivially easy to accomplish either (see jxos and their 'Isolates' mechanism they're having to shim into their system), which is why these OSes remain work-in-progress research projects. Then, once they do get it right, we won't be able to just 'port' all our current software over and take off, nope, all the software we use now will have to be rewritten in a type-safe language that that OS supports (or thrown out!), so the switching over process won't happen anytime soon. :(

    It is a 'cool' idea though, if for no other reason than it avoids the overhead of the hardware assisted model, and eliminating modifiable pointers (at the source code level) in code will allow smarter static/jit compilers to safely do *far* more aggressive optimizations than they can do now, as modifiable pointers (especially if they can also be aliased) are the single biggest headache for any optimizing compiler.