Slashdot Mirror


Local Privilege Escalation On All Linux Kernels

QuesarVII writes "Tavis Ormandy and Julien Tinnes have discovered a severe security flaw in all 2.4 and 2.6 kernels since 2001 on all architectures. 'Since it leads to the kernel executing code at NULL, the vulnerability is as trivial as it can get to exploit: an attacker can just put code in the first page that will get executed with kernel privileges.'"

6 of 595 comments

  1. Well. by gbarules2999 · Score: 0, Redundant

    That's not good at all.

  2. Re:Security through Obscurity? by ckaminski · Score: 1, Redundant

    Yes, it's called hardware-level paging, and it's been around for 20+ years. This is a known problem. The problem is from how the exceptional condition (null pointer access) is handled by the kernel, and not the fact that NULL was called. The OS knows EVERY memory access that requires a page to be fetched from disk, that's a function of the memory management unit, and can be told of every access that tries to access an unmapped memory location. This isn't state of the art, this stuff is old hat (Linux and Windows).

    So it's an OS bug, through and through, and yes, it's been fixed. Joy.

  3. Re:pwned by tolan-b · Score: 0, Redundant

    Oops that's the wrong flaw, though it's also rather bad and MS are also refusing to fix it. Sec I'll find the right one.

  4. Arch kernel by mtemmerm · Score: 0, Redundant

    mmap_min_addr already set to 4096 there... Plus I don't really see what all the fuss is about: how does this make an affected desktop OS any more vulnerable?
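
The mmap_min_addr sysctl mentioned above is the usual mitigation for this class of bug: it makes the kernel refuse unprivileged mmap() requests below a chosen address, so user code cannot place a page at virtual address 0 for the kernel to run into. The following is an added example, not code from the thread or from the kernel project: a small Python checker that reads vm.mmap_min_addr and classifies the setting. The 4096 page-size default and the 65536 "distribution default" used for the comparison are assumptions about common x86 configurations, and the kernel's actual policy is simply "deny if the start address is below the sysctl value".

```python
"""Classify a Linux kernel's vm.mmap_min_addr setting (added example).

The policy logic lives in a pure function so it can be exercised on
constructed values offline; the __main__ block reads the live sysctl.
"""
import os

# Assumptions: one 4 KiB page on x86, and the value most distributions
# ship (65536) as the "comfortable" threshold. Neither is taken from
# the page; adjust for other architectures.
PAGE_SIZE = 4096
DISTRO_DEFAULT = 65536

SYSCTL_PATH = "/proc/sys/vm/mmap_min_addr"


def assess_mmap_min_addr(raw, page_size=PAGE_SIZE, recommended=DISTRO_DEFAULT):
    """Return (status, reason) for the text content of the sysctl file.

    raw is the file content, or None when the file does not exist
    (kernels that predate the sysctl cannot restrict low mappings at all).

    status is one of:
      'vulnerable' - an unprivileged mmap() at address 0 is permitted
      'weak'       - page 0 is blocked, but the limit is below what
                     distributions normally ship, so NULL-plus-offset
                     dereferences with larger offsets may still land in
                     user-controlled memory
      'hardened'   - limit at or above the recommended value
      'unknown'    - the value could not be parsed
    """
    if raw is None:
        return ("vulnerable",
                "no vm.mmap_min_addr sysctl: kernel cannot refuse mappings of page 0")
    try:
        value = int(raw.strip())
    except ValueError:
        return ("unknown", "unparseable mmap_min_addr value %r" % (raw,))
    # The kernel check is 'addr < mmap_min_addr'; mmap() start addresses
    # are page aligned, so any positive value already blocks address 0.
    if value <= 0:
        return ("vulnerable",
                "mmap_min_addr=%d allows an unprivileged mapping at address 0" % value)
    if value < recommended:
        return ("weak",
                "mmap_min_addr=%d blocks page 0 but is below the usual %d"
                % (value, recommended))
    return ("hardened",
            "mmap_min_addr=%d refuses unprivileged mappings below that address" % value)


def read_mmap_min_addr(path=SYSCTL_PATH):
    """Read the live sysctl; None signals that the kernel has no such knob."""
    try:
        with open(path) as f:
            return f.read()
    except FileNotFoundError:
        return None


if __name__ == "__main__":
    status, reason = assess_mmap_min_addr(read_mmap_min_addr())
    print("%s: %s" % (status, reason))
```

Raising the value with `sysctl -w vm.mmap_min_addr=65536` (persisted in /etc/sysctl.conf) removes the trivial "put code in the first page" route, but it is a mitigation rather than a fix: the kernel still dereferences NULL, and the real remedy is the patched kernel.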

  5. The Rhythm method by Deliveranc3 · Score: 0, Redundant

    Ok this one is nasty, provides total access. Can we get the results of the search for the code to exploit this?

    Is there a department that searches down people who exploited a vulnerability once we figure out how they did it? It seems sensible to develop such a feedback system; it probably won't get the serious hackers, but for the hackers who mess up there's probably a trail.

    Worst method of detecting virii: Feel your computer timing is different? Could be a virus. Of course they're taking this from us with SSD but meh... whatever floats the boat.

  6. Re:local... remote... by arndawg · Score: 0, Redundant

    FAIL! Local exploit has nothing to do with PHYSICAL localization. It just means that the hacker needs to run his code on the computer as a local user. All the hacker needs is an exploit in some software you're using, i.e. Firefox, Flash, etc., and to make you visit their exploit. By hacking your favorite porn site, for example.