Slashdot Mirror


Local Privilege Escalation On All Linux Kernels

QuesarVII writes "Tavis Ormandy and Julien Tinnes have discovered a severe security flaw in all 2.4 and 2.6 kernels since 2001 on all architectures. 'Since it leads to the kernel executing code at NULL, the vulnerability is as trivial as it can get to exploit: an attacker can just put code in the first page that will get executed with kernel privileges.'"

7 of 595 comments

  1. I don't get it... by Anonymous Coward · Score: 5, Interesting

    Why the bloody hell isn't page 0 hard-wired to panic the kernel / SIGSEGV the userland when accessed?

  2. Guys? by eexaa · Score: 4, Interesting

    where's the source?! I want to try it. On my box.

  3. Re:Security through Obscurity? by DavidTC · Score: 4, Interesting

    Yes, but generally exploits get discovered by others if they are used.

    At some point, someone curious will get hacked, and wonder how the hell that happened, and track down the exploit.

    And that's not even including discovery on the cracker's side. (People he works with, etc.)

    The only way to keep an exploit a secret is to (almost) never use it. It's going to be made public within a few months of even low usage.

    --
    If corporations are people, aren't stockholders guilty of slavery?

  4. Re:Security through Obscurity? by spun · Score: 5, Interesting

    No. If nobody knew it wasn't a security issue. I'm sure there are bugs on every OS more than 8 years old yet to be discovered.

    You veered completely off track right about here: "If nobody knew"

    Seriously? Really, that's the best you could come up with? That's your apologia? How do you know nobody knew? You think the real blackhats are going around publicizing their 'sploits? Blackhats these days aren't script kiddies and honest hackers, they are hard core Russian mafia doing it for cash. Your Linux systems could have been owned twelve ways from Sunday for EIGHT YEARS without you ever knowing it, and you are claiming 'it wasn't a security issue?' WTF? When did Linux get infested with idiot fanboys? Shouldn't you be slobbing all over an Apple or something? I was using Linux before you even knew what Unix was, I despise Microsoft and love open source, but a bug is a bug.

    Try this one: 'No. Because it's a freaking LOCAL EXPLOIT and nearly no-one uses Linux for multi-user systems now that everyone can afford their OWN FREAKING COMPUTER.' Good lord, kids these days, gotta teach them everything.

    --
    - None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton

  5. Re:pwned by gmuslera · Score: 4, Interesting

    If this was Windows we'd never hear the beginning of it. How many local privilege escalation vulnerabilities do normal Windows users worry about? It's the remote vulnerabilities (and the ones that don't need to escalate, as they run as the current user) that get lots of publicity. And from time to time you get a big enough number of remote vulnerabilities there to consider them the only ones that matter.

    Of course, if you add a local privilege escalation to some remote vulnerability in an app that enables running code, even if it is with low privileges, there you have a potential remote root exploit. It is something to care about, but odds are low that a lot of systems will be affected.

  6. Vulnerable by design by 0xABADC0DA · Score: 5, Interesting

    In normal configs, Linux is vulnerable to this kind of problem by design because it runs unsafe programs and then for efficiency the kernel also has direct access to its memory plus the memory for a process doing a syscall. And it's not just a NULL pointer, and preventing maps for page zero doesn't solve the problem... it just means you need to find a bug where you can corrupt a function pointer to point to mappable space.

    What this demonstrates is that the cost of isolating programs from each other by using separate memory spaces is much higher than commonly understood. It either has a ~10%-20% overhead and is insecure by design (the kernel map includes the calling process's memory space) -or- it is far slower than even that, but safe (kernel memory is completely separate from the process). Computers are already faster than many users need... maybe it's finally time for an OS with a single memory space, like JavaOS or jxos, or even Singularity.

  7. Re:Security through Obscurity? by Bent+Mind · Score: 4, Interesting

    About a week ago, I updated to kernel 2.6.30. One of the options that showed up describes itself thus:

    CONFIG_DEFAULT_MMAP_MIN_ADDR: This is the portion of low virtual memory which should be protected from userspace allocation. Keeping a user from writing to low pages can help reduce the impact of kernel NULL pointer bugs.

    Unless I am misunderstanding, or the bug is in this code, the Linux kernel is already protected if properly configured. The kernel already prevents this attack.

    --
    Request a Linux Shockwave player here: http://www.macromedia.com/support/email/wishform/
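Comment 1 asks why page zero is not simply off limits to userspace, and comment 7 points to the kernel option that does exactly that. As an added example that is not part of the thread, the following POSIX shell script audits that protection on a running system through its sysctl interface, /proc/sys/vm/mmap_min_addr, and reports whether the low pages are actually guarded. The 65536 threshold, the function names and the script name are this example's own choices, not values from the page; the sysctl path and the vm.mmap_min_addr knob are the real kernel interface.

```shell
#!/bin/sh
# Added example (not from the thread): audits the vm.mmap_min_addr sysctl
# that comment 7 describes. The kernel refuses to let unprivileged userspace
# map pages below this address, so a kernel NULL-pointer dereference lands on
# an unmapped page (an oops) rather than on user-controlled code.
# Usage: sh check_mmap_min_addr.sh [path]   (path defaults to the live sysctl)

# Assumed threshold: 65536 is what common distributions configure;
# this script treats anything lower as a weakened setting.
MIN_OK=65536

# check_mmap_min_addr [path]
# Returns 0 if the low-address guard is adequate, 1 if it is weak,
# 2 if the sysctl cannot be read or parsed.
check_mmap_min_addr() {
    path="${1:-/proc/sys/vm/mmap_min_addr}"
    if [ ! -r "$path" ]; then
        echo "cannot read $path (kernel built without this sysctl?)" >&2
        return 2
    fi
    value=$(tr -d '[:space:]' < "$path")
    # The sysctl is a plain decimal integer; anything else is a parse error.
    case "$value" in
        ''|*[!0-9]*)
            echo "unexpected content in $path: '$value'" >&2
            return 2 ;;
    esac
    if [ "$value" -ge "$MIN_OK" ]; then
        echo "mmap_min_addr=$value: low pages protected from userspace mapping"
        return 0
    fi
    echo "mmap_min_addr=$value: WEAK, userspace could map page zero" >&2
    return 1
}

# Prints the remediation rather than applying it: raising the sysctl is an
# administrative change, and it also has to be persisted to survive a reboot.
remediation_hint() {
    echo "to fix: sysctl -w vm.mmap_min_addr=$MIN_OK (persist it in /etc/sysctl.conf)"
}

# When run as a script on a Linux host, audit the live value.
if [ -r /proc/sys/vm/mmap_min_addr ]; then
    check_mmap_min_addr "$@" || remediation_hint
fi
```

The check reads the file rather than calling `sysctl`, so it works on minimal images without procps; the optional path argument exists so the parser can be exercised against saved copies of the sysctl from other hosts.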