Slashdot Mirror


Bug In Most Linuxes Can Give Untrusted Users Root

Red Midnight and other readers brought to our attention a bug in most deployed versions of Linux that could result in untrusted users getting root access. The bug was found by Brad Spengler last month. "The null pointer dereference flaw was only fixed in the upcoming 2.6.32 release candidate of the Linux kernel, making virtually all production versions in use at the moment vulnerable. While attacks can be prevented by implementing a common feature known as mmap_min_addr, the RHEL distribution... doesn't properly implement that protection... The... bug is mitigated by default on most Linux distributions, thanks to their correct implementation of the mmap_min_addr feature. ... [Spengler] said many other Linux users are also vulnerable because they run older versions or are forced to turn off [mmap_min_addr] to run certain types of applications." The Register reprints a dialog from the OpenBSD-misc mailing list in which Theo de Raadt says, "For the record, this particular problem was resolved in OpenBSD a while back, in 2008. We are not super proud of the solution, but it is what seems best faced with a stupid Intel architectural choice. However, it seems that everyone else is slowly coming around to the same solution."

2 of 281 comments

  1. Same Exploit from July? by eldavojohn · Score: 1, Redundant

    The bug was found by Brad Spengler last month.

    I thought we discussed this in July? Or is this a different exploit?

    I think it's pretty clear that De Raadt and others have been discussing this vulnerability for quite some time. On a list of affected systems, you can see it's been known on that site since August. Here's another fix discussed that involves setting PER_CLEAR_ON_SETID mask to MMAP_PAGE_ZERO and that's from July (unfortunately, as the Register article said, that might cause problems with applications). In fact I think Spengler has been talking about this for quite some time as I believe you can find exploit code here and a video of it in use here against SELinux. If that's not the same exploit it sure seems to be very similar in nature.

    --
    My work here is dung.
  2. I'm in your Linux box by LuxMaker · Score: 0, Redundant

    Getting your root access.

    --
    I regret that I only have one mod point to give per post.