Bug In Most Linuxes Can Give Untrusted Users Root

Red Midnight and other readers brought to our attention a bug in most deployed versions of Linux that could result in untrusted users getting root access. The bug was found by Brad Spengler last month. "The null pointer dereference flaw was only fixed in the upcoming 2.6.32 release candidate of the Linux kernel, making virtually all production versions in use at the moment vulnerable. While attacks can be prevented by implementing a common feature known as mmap_min_addr, the RHEL distribution... doesn't properly implement that protection... The... bug is mitigated by default on most Linux distributions, thanks to their correct implementation of the mmap_min_addr feature. ... [Spengler] said many other Linux users are also vulnerable because they run older versions or are forced to turn off [mmap_min_addr] to run certain types of applications." The register reprints a dialog from the OpenBSD-misc mailing list in which Theo De Raadt says, "For the record, this particular problem was resolved in OpenBSD a while back, in 2008. We are not super proud of the solution, but it is what seems best faced with a stupid Intel architectural choice. However, it seems that everyone else is slowly coming around to the same solution."

First post

[wisty]

But you don't know if I didn't just hack the servers ;)

Re:First post

[SnapShot]

If you have an inane first post and +5 Insightful mod, then I'll believe you hacked the server...

Re:First post

[the_B0fh]

Are you a believer now?

Re:First post

[SnapShot]

Yes

So?

[zennyboy]

So, anti-Windows people? Whatcha say now? ;-)

Re:So?

[yttrstein]

I say "I'd rather pay nothing for bugs like this than $400 for all the same borkedness in Server 2008"

Re:So?

[Aim+Here]

Hah, this just shows how EFFICIENT Linux is. Until recently, Windows achieved their local privilege escalation vulnerability rollout by having almost every home user running as fully privileged administrator accounts all the time. Linux achieves all this through a small tweak to the kernel build system, thus getting this feature to 100% of Linux users without any manual intervention at all.

Re:So?

[intheshelter]

Get a Mac!!

Re:So?

Anti-Windows people have already patched this:

For the record, this particular problem was resolved in OpenBSD a while back, in 2008. ... basically they are resisting this for Windows binary compatibility[.] Ironic, isn't it? ... We decided we don't care about Wine.

(Theo de Raadt on the OpenBSD mailing list)

:-)

Re:So?

For every obvious down-mod due to lack of maturity, such as this one, I use a number of "excellent" karma-ed accounts to randomly down mod stuff randomly as "troll".

It's pretty fun, and it works much better than all my "downmodding for opinion isn't nice!" signatures at blowing off a little steam.

I'm not the only one doing it, either, it turns out. There's actually a yahoo group. Wonder!

Re:So?

[morgauxo]

I could say "The... bug is mitigated by default on most Linux distributions, thanks to their correct implementation of the mmap_min_addr feature."

I could compare the average time to fix a critical bug between the two platforms.

I could point out that we will never know what bugs Microsoft is sitting on without reporting.

I could point out how Windows servers just don't seem to work well if they aren't rebooted regularly while Linux boxes just seem to go until the hardware wears out.

I could point out that my wife's Vista box is 2 to 4 times faster than my Gentoo box in just about all hardware stats and yet I usually get about 10 times the framerate in games with 3D graphics.

I could point out all the hardware (printers, scanners, etc...) my Windows using friends and relatives threw out because there were no Vista drivers.

I could point out the ease of installing software with a good package manager.

I talk about the wealth of free software available for Linux (yes, some of it has Windows ports)

I could mention the price of Windows, or the prices of most of the popular software that most Windows users claim they need Windows for. (not really relevant when most people pirate it anyway though)

I might go on and on telling all sorts of true stories about Windows vs Linux but who would really want to read them.

Re:So?

[quickOnTheUptake]

Might be feeding the toll but,
Yup, randomly, anonymously taking your anger out on uninvolved bystanders is definitely the way to correct the system.
I guess it never occurred to you that you are doing the same thing that put you in your little temper tantrum to begin with.
Let's hope the people you target are more mature than you.

Re:So?

I might go on and on telling all sorts of FUD about Windows vs Linux but who would really want to read them.

FTFY

And yes, your FUD would be lapped up like crazy around here. This place is a troll-zoo. And apparently you're one of the star attractions.

Cmon ! Do the penguin dance !

Re:So?

[ichthus]

Whoa. Sounds like somebody needs to "get the facts." ;)

Re:So?

[dgatwood]

Actually, in this case, that's probably a very good piece of advice, at least with the 32-bit Mac OS X kernel. If I understand correctly, the only reason this is relevant is that in Linux and Windows, the kernel and user space have non-overlapping virtual address spaces. The Linux kernel uses a 3/1 split, the Windows kernel uses a 2/2 split (by default).

Mac OS X's 32-bit kernel, which uses a 4/4 "split" (completely overlapping address spaces), shouldn't be vulnerable because it should be impossible for code in the kernel to accidentally read data from a page mapped in a user-space process. I have no idea what the 64-bit Mac OS X kernel does in this regard.

Re:So?

[kbielefe]

So, anti-Windows people? Whatcha say now? ;-)

What to say about a bug that's disabled by default in the vast majority of Linux distributions, that was found before an exploit was in the wild, is already patched, and that the main reason people enable is to let them run windows applications? Ah gee, I don't know, I guess you got us there.

Re:So?

[dave87656]

So, anti-Windows people? Whatcha say now? ;-)

Well I don't consider myself anti-Windows but rather a realist, by necessity. I did notice that most Linuxes are not vulnerable:

"The... bug is mitigated by default on most Linux distributions, thanks to their correct implementation of the mmap_min_addr feature."

Re:So?

[yttrstein]

Wow, if you saw a temper tantrum there, you really need to start taking your paxil again.

Isn't this a dupe?

[Aim+Here]

Surely this is the same story, from 2 months ago.

Re:Isn't this a dupe?

[Xonea]

Nope, it is a new one, but the same old bugfix still works.

Just type sysctl -w vm.mmap_min_addr=4096 in your box (or any other number > 0) and you are safe.

Re:Isn't this a dupe?

[gzipped_tar]

This is from Fedora running kernel 2.6.30 with minimal customization (almost default, and no tweaking related to this one):

$ cat /proc/sys/vm/mmap_min_addr
65536

The devs seem to be doing an adequate job to mitigate this problem.

Re:Isn't this a dupe?

[tayhimself]

This solution works, please see the links below. However I would reccomend seing what your settings are on your system
$ sysctl -n vm.mmap_min_addr to find what your setting is.
On Ubuntu 8.04 LTS servers (including Xen kernels) and on 9.10 desktops it is 65536. Not a big deal.
http://wiki.debian.org/mmap_min_addr
https://lists.ubuntu.com/archives/ubuntu-devel/2008-July/025805.html
http://www.securityfocus.com/bid/26831/info

Re:Isn't this a dupe?

[Shikaku]

Ran off my Ubuntu 9.10 fresh installed desktop:

#cat /proc/sys/vm/mmap_min_addr
0 ... Oh shit.

Re:Isn't this a dupe?

What? You mean I don't have to wait until patch tuesday? Outrageous!

Re:Isn't this a dupe?

[tayhimself]

Ran off my Ubuntu 9.10 fresh installed desktop:

#cat /proc/sys/vm/mmap_min_addr 0 ... Oh shit.

Is it possible that you are running wine or some other emulator program. The only software similar to an emulator I have is Virtualbox on my 9.10 desktop and it still has the 65536 setting.
Anyone else can shed light on this?

Re:Isn't this a dupe?

[eparis]

No, this isn't the same bug. People confuse two issues. I wrote the mmap_min_addr protections to try to mitigate the effects of a certain class of common kernel bugs which exist because of design choices by Intel. That class of bugs can be summed up as NULL pointer usage. Every time someone finds a new NULL pointer usage bug we get the same story. RHEL (and any system with SELinux enabled) did not have protections for mapping the 0 page by local authenticated users, but did have protections for network facing daemons and the like. Other distros had protections for the local authenticated user but weaker protections for network facing daemons. The mmap_min_addr protections have since been enhanced in SELinux systems such that they have stronger protections, both for local authenticated users and for network facing daemons. My old comments from the first time this came up are at http://eparis.livejournal.com/

But the key to remember is that mmap_min_addr implementation is not the bug that allows elevation of privilege. In this case it was a very very old bug in the implementation of pipes. Previously Spender and friends have found bugs in performance counters (one which was actually much worse as it didn't fit into the very narrow class which might be mitigated by mmap_min_addr), in network sockets, and other places. These are the bugs which cause this to be a new story. Once he finds the real bugs he applies some of the same basic techniques (plus a whole lot of thought) to create an exploit. If the Linux kernel was bug free we wouldn't need mmap_min_addr. If mmap_min_addr was bug free (over the years Spender has found multiple problems with my work) this class of bugs would be just a bit less devastating.

Everyone in the kernel development community needs to think of invalid pointer bugs as a larger security threat then they currently do. The lesson here, keep your systems patched.

Re:Isn't this a dupe?

[Shikaku]

I have VirtualBox and Wine, and VirtualBox uses a kernel module. So it's possible that one of those could have set it to 0. I set it to 65000 just in case and it didn't break Wine or VirtualBox...

Re:Isn't this a dupe?

[0123456]

Ubuntu sets this to zero if you have wine installed.

Re:Isn't this a dupe?

Title: "Bug In Most Linuxes Can Give Untrusted Users Root"

Article: "The... bug is mitigated by default on most Linux distributions, thanks to their correct implementation of the mmap_min_addr feature"
What the heck? The title says one thing the article another? Slow news day? This isn't the first time ... or third for that matter ...

Re:Isn't this a dupe?

[Runaway1956]

I have both VBox and Crossover Office running on 8.10 desktop. I also get 65536 back from that command. Using kernel 2.6.27-15 generic x86_64 No, I didn't tweak it, this is Ubuntu's setting.

Re:Isn't this a dupe?

[nevermore94]

So, what if that key doesn't exist at all? Does that mean you are protected, or vulnerable and can't easily fix it? We are a SuSE shop, and I have checked all 3 version that we use in production: SuSE 8, SuSE 9, SuSE 10, and all 3 do not have this key.

# sysctl -n vm.mmap_min_addr
error: 'vm.mmap_min_addr' is an unknown key
/proc/sys/vm/mmap_min_addr: No such file or directory

Re:Isn't this a dupe?

...and uninstalling/purging wine does not restore it to a safe value.

Re:Isn't this a dupe?

[RiotingPacifist]

$cat /proc/sys/vm/mmap_min_addr
65536

My Fedora 11 desktop is safe

Re:Isn't this a dupe?

[Carnivore]

I run SuSE 11.1 64-bit, and it does. Perhaps they changed something for the 11.x release?

Re:Isn't this a dupe?

[PitaBred]

I've got both of those on Ubuntu 8.04, and my mmap_min_addr is 65536 on my machine. I don't think it's either of those, and it's perfectly safe to set it to 65536 with those installed, and they will still run.

Re:Isn't this a dupe?

[PitaBred]

Not on 8.04 (the last LTS release). Any ideas why it would do that?

Re:Isn't this a dupe?

Ubuntu sets this to zero if you have wine installed.

I have ubuntu 8.04 and Wine installed and my limit 65536.

Re:Isn't this a dupe?

[timeOday]

#cat /proc/sys/vm/mmap_min_addr 0 ... Oh shit.

I may have you beat:

cat /proc/sys/vm/mmap_min_addr
cat: /proc/sys/vm/mmap_min_addr: No such file or directory

Hmm, is that good or bad? Running 2.6.25.20. Then again it's a home box so does it even matter?

Re:Isn't this a dupe?

Kudos to you, eparis, for your work. I greatly admire those who put in the hours on Linux, and people like yourself are to be admired. Without getting too deep into the whys and wherefores - as I read this, it requires (like the previous bug) local physical access to the machine. While of interest, perhaps this is being over-hyped? Give me local access to a Windows machine and I'll have it stripped and on bricks before you can say "security lapse".

Re:Isn't this a dupe?

[MaufTarkie]

Not without a reboot. The values are set at boot time, and the specific file for Ubuntu 9.10 + Wine is /etc/sysctl.d/30-wine.conf

You could always reset it by hand if you don't want to reset by using the method described earlier.

Re:Isn't this a dupe?

FYI, it's also 65536 on my 9.04 desktop.

Re:Isn't this a dupe?

[Senjutsu]

Because Wine needs access to the bottom 64k of memory in order to run 16-bit DOS programs

Re:Isn't this a dupe?

[jonbryce]

I have two machines with Open SuSE 11.1 One returns 0, and the other 65535. The one returning zero runs only samba and apache (+webdav module for an ical server). The one returning 65535 runs samba and xen.

Re:Isn't this a dupe?

[WhiteDragon]

sysctl -n vm.mmap_min_addr to find what your setting is.

error: "vm.mmap_min_addr" is an unknown key

Re:Isn't this a dupe?

[GnuAge]

$ cat /proc/sys/vm/mmap_min_addr
4096

$ cat /etc/debian_version squeeze/sid
$ uname -a
Linux sid 2.6.31-0.slh.3-sidux-686 #1 SMP PREEMPT Wed Sep 16 23:41:49 UTC 2009 i686 GNU/Linux

Seems I live another day even with sWINE & virtualbox-ose installed.

Re:Isn't this a dupe?

[Skapare]

Are you sure it is local physical access (where I can tear the machine apart and insert whatever I want, as in the "evil maid" scenario)? Or is it just access to run a (evil) program I provide to the machine (as in a user shell account)? As far as I'm concerned, once you have root access, all bets are off. If you can make your program suid root, you've already exploited the machine. But is the suid reference about root, or about some other user?

Re:Isn't this a dupe?

[PNutts]

Just type sysctl -w vm.mmap_min_addr=4096 in your box (or any other number > 0) and you are safe.

sysctl -w vm.mmap_min_addr=11

Now I'm safer than everyone else.

Re:Isn't this a dupe?

[Al+Dimond]

cat /etc/sysctl.d/30-wine.conf

Re:Isn't this a dupe?

[praedictus]

Slackware 13 here
2.6.29.6 kernel

cat /proc/sys/vm/mmap_min_addr
4096

Wine 1.32 and my EVE sessions work just fine.

Re:Isn't this a dupe?

[cjb658]

Is it even a problem if nobody else uses your computer?

Re:Isn't this a dupe?

Which is why the DOSBox solution is better for those.

Re:Isn't this a dupe?

I thought it was because some viruses need this to function correctly under wine.

Re:Isn't this a dupe?

[dragonturtle69]

It is the same result on Open Suse 11.1.

mmap_min_addr on LInux Insight offers some background for us folks that are less skilled.

Re:Isn't this a dupe?

Solution: use DOSBox for DOS apps :)

Re:Isn't this a dupe?

Nope, it is a new one, but the same old bugfix still works.

Just type sysctl -w vm.mmap_min_addr=4096 in your box (or any other number > 0) and you are safe.

Looking at my servers for this security bug I hope we are at no risk for the bug
I ran
sysctl -n vm.mmap_min_addr
and returned this Value:
error: 'vm.mmap_min_addr' is an unknown key

Are we still at "risk" ?

huh?

DeliberateBug In Most Linuxes Can Give Untrusted Users Root

fixed that for u.

Everyone knows that....don't they?

obvious troll is obvious.

So, anti-Windows people? Whatcha say now? ;-)

Thank god that independent forces are out there finding and reporting kernel bugs in Linux. If only the bug-finders for windows were so altruistic.

Re:obvious troll is obvious.

[zennyboy]

Actually, I was not trolling. Put simply, if this EXACT BUG was discovered in Windows, OS persons would be jumping about like grass-hoppers that THIS could never happen in OS software, MS is EV1L etc. Yet here we are, and several releases later, only NOW is this bug discovered... The Many Eyes theory looks weak...

Re:obvious troll is obvious.

[blueskies]

OS persons would be jumping about like grass-hoppers that THIS could never happen in OS software...The Many Eyes theory looks weak...

You misunderstand then. It's not the point that it could never happen, but that it gets found and fixed. This bug was found in the absence of proof of concept code unlike the reverse situation.

Re:obvious troll is obvious.

[noundi]

You are trolling since you're trying to imply that this is the first time a flaw was found in the Linux kernel. This has happened numerous times, and it has been posted on /. numerous times, and there's always some fucking troll saying "If this was Windows...". Who the fuck cares!? Why make everything into some political bullshit with extremists throwing rocks at eachother?
 
I'm going to drop a bomb here and it might shock you all, but it's the truth, here it goes: Linux is not perfect nor did anybody with half a brain claim it to be so.
 
There now troll elsewhere.

Re:obvious troll is obvious.

[jabjoe]

Bit of a sweeping statement for a single case. So open source software isn't perfect either, course not, it's programmed by monkeys in shoes like all other software. But if you look at the statistics, even weighting for market scale, open comes out on top. This is actually a example of why, exploits are easier to find as researchers can look at, debug, pull apart, the source, unlike when it's a closed box. The fix will be done quickly (maybe in multiple ways by multiple people, until one stands out as best) and then backported to anything required, not only for what makes business sense to the company with the source.

Re:obvious troll is obvious.

[zennyboy]

OK then; I reply to myself rather than attaching this to any one particular reply. But Flaimbait?? Really? I thought it was a reasonably concise, intelligent reply. It may be that my observation had been made before about other similar situations, but then, in similar situations, of-course people will make similar replies. I had not read about the other bugs in the Linux kernel, but I do see people hammering Windows day after day after day. And these comments get modded up day after day after day. Why am I a troll? Why is my comment Flaimbait? It was not intentional but perhaps it reflects Slashdot mentality?

Re:obvious troll is obvious.

[Clairvoyant]

Well the fact that it (the troll) actually found it necessary to post this would mean that it is actually less common than on Windows.
You don't see Linux fans posting "If this were Linux" on all Windows bugs. Apart from the fact that if they would; it might actually be even more annoying! Maybe "we" should start doing that. For every critical Windows bug say "If this were any other OS...". Doesn't sound so smart now, does it, zennyboy?

Re:obvious troll is obvious.

[Waffle+Iron]

Actually, I was not trolling. Put simply, if this EXACT BUG was discovered in Windows, OS persons would be jumping about like grass-hoppers that THIS could never happen in OS software.

As pointed out elsewhere on these threads, most Linux versions already prevent this bug through a kernel memory map setting. However, WINE, which needs to run things in a Windows-compatible way, doesn't work with that setting, so it's turned off, and people with WINE installed remain vulnerable.

So in a way, this *is* a bug with Windows.

Re:obvious troll is obvious.

[Runaway1956]

This ^ What Blueskies says. Everyone in the freaking world needs to take a breath or ten, and THINK about - wait now - NOT the bugs, or even how many bugs, but HOW THE BUGS ARE HANDLED!!

I'm a recent convert to Linux, TBH. I've only been running it for about 5 years. Almost every month, I stumble over some article about a flaw in Linux. Yes, sometimes I get that almost juvenile sinking feeling, "OH NOES, DA PENGUIN IS FORKED NOW!!"

But, with every bug reported, there is a VISIBLE community effort to FIX THE BUG!!

Let's just suppose that starting today, 50 new bugs are reported in Linux and Linux apps every single day for a YEAR. Just suppose that 25% of them are serious bugs. I will STILL FEEL SAFER with Linux, than with Windows. Why, you ask? See that last one-sentence paragraph. With Windows, they often fail to acknowledge that there IS a bug. When they do admit, "There's a bug!", there is no obvious, visible effort to fix the bug. Often times, you can't tell that the bug HAS BEEN fixed. If it is ever fixed, the fix is kinda snuck into the system through automatic updates. THEN, you have to worry if the fix might break something else. Remember Windows XP SP3 and the endless reboot cycle? It bit me on two machines.

Open source is great. It's - uhh - what's the word I want - oh - OPEN!!! Someone says, "Hey, Linus, I think the kernel might be a little borked here." To which Linus responds, "Show me. Hmm, yeah, maybe it is - let's work on it."

Yes, I feel good about Linux - bugs and all. I know that if I ever get smart enough to show Linus a trick or something, he'll say "Thanks, dude!" Windows? Phhht. Show them something they don't know about their operating system, they're as likely to charge me with a trumped up crime for illegally reverse engineering, as anything.

Maybe that penguin doesn't rule, but you can trust the little bastard.

Re:obvious troll is obvious.

[mister_playboy]

Why am I a troll? Why is my comment Flaimbait? [sic]

Want to get out of a hole? First, you have to stop digging.

Re:obvious troll is obvious.

I'm a recent convert to Linux, TBH. I've only been running it for about 5 years. Almost every month, I stumble over some article about a flaw in Linux. Yes, sometimes I get that almost juvenile sinking feeling, "OH NOES, DA PENGUIN IS FORKED NOW!!"

Wait I thought if you forked Linux the result would be more of it, not less.

Re:obvious troll is obvious.

[zennyboy]

I have to say, I smiled IRL at your comment! I am not in a hole and nor will I be. This is Slashdot, not RL! If anyone here actually cares about replies to their comments, they need to look out the window :-) So my comments have sparked discussion (as proven by my inbox) then this is great. This is why we read Slashdot, no? To comment and counter comment? I only object to being smeared as a Troll and Flaimbait'er. People who comment and counter-comment get my vote. People whom click -1 Troll... Psst.

Re:obvious troll is obvious.

[s2theg]

OX : OXEN : : LINUX : LINUXEN

Re:obvious troll is obvious.

[prozaker]

HOW THE BUGS ARE HANDLED!!

you mean like bug #1 on ubuntu launchpad?

https://bugs.launchpad.net/ubuntu/+bug/1

Re:obvious troll is obvious.

[Runaway1956]

Log in / Register
Timeout error

Our edge server has a lower timeout threshold than launchpad.net, so we can catch those before they hit a wider audience. As a member of the Launchpad Beta Testers team, you're more likely to experience them. If this is blocking your work, you can disable redirection.

Disable redirection for 2 hours

Sorry, something just went wrong in Launchpad.

We've recorded what happened, and we'll fix it as soon as possible. Apologies for the inconvenience.

Trying again in a couple of minutes might work.

(Error ID: OOPS-1404H2505)

===================

Oh-kay, I can't look at the bug right now. But, is your complaint with Ubuntu, or with Linux? And, whatever your bug is, are you telling me that no one in Linux land is working on it? Is it so obscured that you can't do anything about it? You'll have to explain....

Re:obvious troll is obvious.

"No. No no. Dig UP, stupid!"

Re:obvious troll is obvious.

Yes, that's exactly how plurals work. Congratulations.

One axe. Two axen. One cox. Two coxen. One fax. Two faxen. One hex. Two hexen. One pox. Two poxen. One tax. Two taxen.

Tit.

Re:obvious troll is obvious.

[blueskies]

I think you had trouble understanding my point. Try reading it again.

Re:obvious troll is obvious.

if this EXACT BUG was discovered in Windows, it would be hushed down until crackers stumble upon it, and a fix may not be issued for too old releases, given m$ track record.
yes i spelled m$ so that win apologists can make the usual ad hominem instead of actually reply.

Re:obvious troll is obvious.

[dave87656]

Noone says Linux has no bugs. But, actually finding a linux vulnerability is news in the Linux world. And, due to the open nature of Linux, it's immediately known. In the Windows world MS issues major vulnerability patches regularly and nobody blinks an eye because we're just used to it.

Re:obvious troll is obvious.

[s2theg]

One box, two boxen :P

Re:obvious troll is obvious.

[Runaway1956]

Actually, the kernel is modified constantly. SOMEONE is agreeing with SOME PEOPLE who detect problems.

"He's running a setuid program that allows the user to specify its own modules"

You don't see that as an administrative problem, rather than a problem with the kernel? Apparently, the kernel was doing exactly what everyone expected it to do, until someone decided to diddle with setuid. If I am permitted to setuid on your system, I believe that I own your system - correct?

Re:obvious troll is obvious.

[prozaker]

bug#1 in ubuntu Microsoft has a majority market share

Bug #1 (liberation)

Bug Description

Microsoft has a majority market share in the new desktop PC marketplace. This is a bug, which Ubuntu is designed to fix.

Non-free software is holding back innovation in the IT industry, restricting access to IT to a small part of the world's population and limiting the ability of software developers to reach their full potential, globally. This bug is widely evident in the PC industry.

Steps to repeat:

1. Visit a local PC store.

What happens:

2. Observe that a majority of PCs for sale have non-free software pre-installed. 3. Observe very few PCs with Ubuntu and free software pre-installed.

What should happen:

1. A majority of the PCs for sale should include only free software like Ubuntu. 2. Ubuntu should be marketed in a way such that its amazing features and benefits would be apparent and known by all. 3. The system shall become more and more user friendly as time passes.

Stupid masturbating monkeys...

...they should've listened to Linus and ignored this until now, like all the others. Linus knows best.

My Unsettling Ubuntu Experience

[Smidge207]

I'd been using Ubuntu 9.04's LiveCD feature at work to migrate Windows profiles. Unlike Windows, which never properly migrates user directories no matter how you coax it, Ubuntu's simple drag-and-drop replacement from network backup makes user migration a piece of cake.

I simply booted, configured the network settings, logged into our network backup, and copied the old user directory over top of the new one (we're on a domain). When the user logged back in, their old stuff was all in place. It had really been a lifesaver, and I'd started reading up on it more and started to set up an Ubuntu workstation. But that's when I ran into some weird problems.

After installing and tinkering around on the GNOME desktop, I opened Terminal. After writing some scripts and creating user accounts, a new terminal window opened. I thought this very odd since I hadn't initiated a new session and none of my scripts would have either. As I was about to close it, I paused my mouse. The terminal session had printed something to the screen, seemingly by itself.

trollaxor@ubuntor:~$
*** DO U LIKE GUYS Y OR N

I typed N and the window disappeared. "How weird," I thought, and figured one of my buddies had installed some third party software or something to covertly mess with me. I couldn't remember when I'd told anyone about this install, but I was content to leave it at that since everything was otherwise fine.

A half hour later, I was farting around in GNOME when it happened again. This time, there was no terminal session even open to begin with; the window just popped up out of nowhere. And again it asked the same question, ominously blinking at me.

trollaxor@ubuntor:~$
*** DO U LIKE GUYS Y OR N

Before I did anything else I opened another terminal session and ran top so I could figure out what the fuck was running in the background that was randomly harassing me. I peered through it, sorted by CPU, memory usage, command name—but nothing. I'm pretty familiar with Linux and I didn't see anything that looked out of the ordinary. At this point I switched back to the frustrating terminal session and typed N and the window closed Only to open right back up and ask again:

trollaxor@ubuntor:~$
*** DO U LIKE GUYS Y OR N

Now irritated, I texted several of my buddies the same question, figuring they'd own up when it became obvious to them their little joke had succeeded. Two asked me "wtf" and another said "no y do u? fag!" No admissions came, implicit or otherwise, and I began running ps with its myriad options in hopes of spotting the offending process. A second terminal window popped up on top of the first with the same damn question blinking at me.

trollaxor@ubuntor:~$
*** DO U LIKE GUYS Y OR N

Finally in desperation I typed Y and hit return in both of the windows. At first, they went away and I sat silently in anticipation. When nothing happened after ten seconds, I returned to editing my GNOME config files when the desktop wallpaper changed all by itself. Instead of the boring orange default, I was staring at something much different. This was no longer mildly irritating or perplexing—now I was freaking out and wanted answers. I logged onto Freenode and joined #ubuntu.

#ubuntu Official Ubuntu Support Channel
hi. i was wondering if anyone ever noticed any versions of ubuntu throwing up terminal sessions with text inside.

Minutes passed as conversations about screen resolution problems on netbooks, laptop fans running non-stop, and permissions errors on an external USB drives ran back and forth—typical IRC chatter—but someone eventually responded to my question.

trollaxor, it's possible but unlikel

Re:My Unsettling Ubuntu Experience

[Runaway1956]

Ahhh, man. Someone mod him up "+1 originality" or "+1 Funny Troll" or something. I'm sitting in front of my StraightBuntu machine laughing my ass off. ;^)

Another story that isnt a story

[Kilz]

The lead in says its "a bug in most deployed versions of Linux"

Then says in the excerpt " in the upcoming 2.6.32 release candidate of the Linux kernel"

Its a release candidate, therefore it cant be in "most deployed versions".
The newest version of Ubuntu (karmic) for instance only uses 2.6.31.

Re:Another story that isnt a story

Read again.

Re:Another story that isnt a story

[Xonea]

It says that it was only fixed " in the upcoming 2.6.32 release candidate of the Linux kernel" - hence everything before that is vulnerable.

But the bug is not exploitable on ubuntu, because they set vm.mmap_min_addr > 0 by default.

Re:Another story that isnt a story

[raddan]

The bug is fixed in the release candidate. The point being that "most deployed versions" of Linux do not have the fix.

Re:Another story that isnt a story

[Shikaku]

# sysctl -n vm.mmap_min_addr
0

On 9.10. Right. Did you try running the command yourself?

Re:Another story that isnt a story

yes, i just did and it returned 65536 :-)

Re:Another story that isnt a story

[Dan+Ost]

The bug is fixed in the RC, but it's not exploitable in older kernels except when vm.mmap_min_addr = 0. I'm running the vanilla 2.6.30.3 kernel on Gentoo and it's not vulnerable, so it seems likely that you're only vulnerable if your distro (or you, if building a custom kernel) decided to change the default value.

Re:Another story that isnt a story

[munctional]

You have WINE installed. It sets the value to 0.

Same Exploit from July?

[eldavojohn]

The bug was found by Brad Spengler last month.

I thought we discussed this in July? Or is this a different exploit?

I think it's pretty clear that De Raadt and others have been discussing this vulnerability for quite sometime. On a list of affected systems, you can see it's been known on that site since August. Here's another fix discussed that involves setting PER_CLEAR_ON_SETID mask to MMAP_PAGE_ZERO and that's from July (unfortunately, as the Register article said, that might cause problems with applications). In fact I think Spengler has been talking about this for quite sometime as I believe you can find exploit code here and a video of it in use here against SELinux. If that's not the same exploit it sure seems to be very similar in nature.

Re:Same Exploit from July?

[RAMMS+EIN]

``I thought we discussed this in July? Or is this a different exploit?''

I have been wondering this, as well. It would be useful if, when discussing bugs, people included some sort of unique identifier, to make clear exactly which bug they are talking about.

Re:Same Exploit from July?

[idontgno]

Well, there's always MITRE Common Vulnerabilities and Exposures, which is a good pretty much dupe-free index of reported vulns. Most professional discussions of vulnerabilities tend to use CVE references.

For instance, this particular vuln looks like CVE 2009-2695. The one discussed in the July /. article appears to be CVE 2009-1897.

The CVE pages are pretty good, complete with cross references to discussions and some pretty detailed analysis of the vulnerability.

Re:Same Exploit from July?

[raffo]

I looked at the exploit code above, it relies on the pulseaudio binary to be set SUID (run as root when executed). The "exploit" is to run pulseaudio and pass it an executable module, the module, obviously, will run as root as well.

If pulseaudio is not set SUID, the "exploit" code terminates with an error message... hilarious.

This seems to me a bunch of "security" experts trying to call attention to themselves.

Re:Same Exploit from July?

[JasterBobaMereel]

So it's really a bad design on Intel chips, that all operating system have to work around, except Windows which requires it to work like this... ...and on most Linux and BSD systems it will not work even if unpatched ... and it has already been patched ... and you need to be able to get a user on the local machine to run an app to exploit it (most users install from the Package Manager and so will never run a random downloaded app), and this does not appear to be a remote exploit?

Re:Same Exploit from July?

[RAMMS+EIN]

Thanks. With the CVE numbers, at least we know what we're talking about.

Re:Same Exploit from July?

[tomtomtom]

I believe the vuln being talked about here is actually CVE 2009-3547 (though full details aren't yet available on the MITRE site). If you google that number, you'll find the Red Hat patches.

Re:Same Exploit from July?

[idontgno]

Naah, CVE 2009-3547 traces on the RH Bugzilla as Bug 530490, "kernel: fs: pipe.c null pointer dereference". Nothing in there about mmapping to page 0. (Pipe filesystem pointer dereferences?)

OTOH, CVE 2009-2695 also googles to a RH bugzilla page, Bug 517830, " kernel: SELinux and mmap_min_addr". The description on that page sounds suspiciously like the subject of current discussion. This page also has RH patches, in this case in two different RH Security Advisory links.

There appear to be another bugzilla pages about this issue: Bug 532938, which is a member of the RH security team saying that vm.mmap_min_addr should default safe (nonzero), turning on page 0 protection by default.

Re:Same Exploit from July?

[rabtech]

What do you mean Windows requires it to work like this? On Windows accessing a NULL pointer is always an exception, no process is ever allowed to map the bottom page of memory. This has been true since Windows has existed. So in fact it is only Windows systems that are immune to this class of exploit because writing programs and kernel code vulnerable to it leads to an immediate crash.

If you wanted to specify this invariant on Linux you could, you'd just break some existing apps that depend on it. Ironically, it seems that Wine depends on this behavior.

Re:Same Exploit from July?

No, it's not inherently a bad decision by x86 architecture. Bad effects from dereferencing a NULL pointer are the responsibility of software, both operating system and application-level. There are apps for which the ability to use page 0 provides significant speed and functionality advantages. Through careful design and coding, an operating system can allow these uses while still protecting itself from NULL pointers, and the OS can do so with no additional runtime costs when page 0 is not used. Linux just hasn't done so yet.

Re:Same Exploit from July?

[200_success]

The problem we are discussing today is CVE-2009-3547. The root cause of the vulnerability is a null pointer dereference in pipe.c. The proper fix is to patch the kernel. It just so happens that if vm.mmap_min_addr != 0 then the bug cannot be exploited to gain root access. Therefore, mmap_min_addr can be used as a stopgap measure until you are able to patch the kernel. It also happens to be a good idea to leave mmap_min_addr set to a non-zero value to guard against other null-pointer dereference bugs that may be discovered in the future.

Re:Same Exploit from July?

[man_of_mr_e]

FYI... "get a user on the local machine" is far more trivial than you might think. For example, exploiting a flaw that allows arbitrary code execution of the current user in any internet connected application such as FireFox (and there have been a bunch of recent flaws in FF of that variety) will work just fine. This is called a blended attack and makes use of several flaws to achieve its goals.

Re:Same Exploit from July?

[idontgno]

You are absolutely right. TFA (the Register article originally cited) has an obscure link at the bottom of the page which points to the CVE-based page at RedHat.

Which, happily, brings us full-circle to the original point: if people explicitly and clearly used the CVE identifier (instead of burying them in an obscure link), there wouldn't be any confusion about which Intel page 0 mmap exploit we're talking about. (And there seem to be a lot of them all of a sudden.)

Re:Same Exploit from July?

[zozie]

The first Windows (1.0) in existence had no NULL pointer protection at all. Real mode Windows up to 3.0 neither.

All mainstream i386 Windows versions (not x64) allow DOS programs to access the zero page in NTVDM. Thus, if a NULL pointer vulnerability were found in Windows it would be sufficient to write a DOS program to exploit (that is, if Windows does not use segmentation to separate user from kernel space, I don't know about that).

Patch

[tomtomtom]

For those who just want to know how to fix it, you need to apply this git commit to your kernel tree and then either recompile and reboot or apply the patch using ksplice.

Re:Patch

[Xonea]

Or, if you want to wait for your vendor patch, set vm.mmap_min_addr manually, if it hasn't been set by your vendor already - the only distribution I have where this is necessary is debian.

You can either do
# sysctl -w vm.mmap_min_addr = 65536
and redo that every reboot or do

# echo "vm.mmap_min_addr = 65536" > /etc/sysctl.d/mmap_min_addr.conf
# /etc/init.d/procps restart
and be done with it.

Re:Patch

Reboot? What's that?

Re:Patch

[jellomizer]

Of course it is obvious to any person all you need to do is that. I love it when windows has a bug everyone is excited saying how unsecured windows is, even if there is a fix the user can do it is not there problem. And will rather get their system infected then run it.

But for Linux if they find the user fix they make it seem like an obvious fix and if it was broken it was user error not Linux.

Re:Patch

[natehoy]

No, it's not obvious at all. Which is why a bunch of people are posting instructions on how to do it. Actually, did either of the posts you were replying to use the term "obvious" or "user error"? I sure didn't see it.

I saw people posting relatively clear instructions to protect yourself until a proper fix is released.

I see the same thing on a lot of bugs, be they Windows or Linux or Mac or iOS or whatever. Someone comes up with a way to mitigate the risk and publishes that method to reduce the number of infections until the vendor/author can release a better solution. People can either take the step to mitigate the risk, or run the risk of infection. It doesn't change the fact that there is an underlying flaw in the code, it just gives you a way to mitigate your risk until a patch comes out.

If you are running a possibly vulnerable version of the operating system in question, and the fix doesn't break something you need to do, then it's in your best interests to implement it. If you choose not to, well, you choose not to. The vendor/author still shares some blame for releasing buggy stuff in the first place, but you've also made your own decision on whether the temporary fix is worth the effort to you.

Re:Patch

Incredibly informative and an easy fix. Thanks, Tom^3! Truly, I tell thee, this is the year of the Linux Desktop!

Re:Patch

That fix is kind of a pain because you have to reboot Linux. I've found a much more logical fix here.

Re:Patch

[gbarules2999]

That fix is kind of a pain because you have to use Windows. I've found a much more logical fix here.

Re:Patch

[Nerdfest]

If you use KSplice, you don't need to reboot. I believe KSplice is already pushing the fix for this bug, although I'm basing this statement on what I remember from the description of the patch. Can anyone out there verify it?

Re:Patch

[JacobSteelsmith]

On Ubuntu 9.10, if wine is installed, there will be a file in the same location, /etc/sysctl.d/ named wine.sysctl.conf that sets vm.mmap_min_addr = 0. This should be commented, unless 16 bit programs are used with wine.

Re:Patch

[wastedlife]

I have some debian 4 servers running as Xen virtual machines:

# sysctl -w vm.mmap_min_addr=4096
error: "vm.mmap_min_addr" is an unknown key

# echo "vm.mmap_min_addr = 65536" > /etc/sysctl.d/mmap_min_addr.conf
-bash: /etc/sysctl.d/mmap_min_addr.conf: No such file or directory

Are Xen kernels not affected? If they are, any ideas on the above? Thanks!

Re:Patch

[rdnetto]

That fix is kind of a pain because you have to use OS X. I've found a much more logical fix here

Re:Patch

[deek]

I'm using debian "squeeze", and my mmap_min_address is fine. There's no sysctl config setting it.

sysctl vm.mmap_min_addr

[MrMr]

If the result is non-zero the vulnerability doesn't exist.
'Most deployed versions of linux'?.
So far only some unpatched RHEL versions allow this local exploit, even the Centos rip-off doesn't have it.

Re:sysctl vm.mmap_min_addr

[ByOhTek]

But I use RedHat you insensitive clod!

Re:sysctl vm.mmap_min_addr

[b00fhead]

vm.mmap_min_addr = 0

on Ubuntu Karmic.

Re:sysctl vm.mmap_min_addr

[MrMr]

That's weird, because 9.04 gives: vm.mmap_min_addr = 65536 and so did the 9.10 desktop version a few posts up...
Anyway, you can fix it with 'systcl -w'.

Re:sysctl vm.mmap_min_addr

[idontgno]

I haven't looked on my household server yet, but since CentOS is a direct clone of RHEL, I assume it's also vulnerable to this by default.

Re:sysctl vm.mmap_min_addr

[0123456]

That's weird, because 9.04 gives: vm.mmap_min_addr = 65536 and so did the 9.10 desktop version a few posts up.

You probably don't have Wine installed. AFAIR Wine needs it set to zero to run some old 16-bit applications, so installing Wine installs a config file which sets it to zero.

Re:sysctl vm.mmap_min_addr

[IBBoard]

Must be an Ubuntu oddity for Wine, then. My Fedora 11 system gives me:

$ sysctl vm.mmap_min_addr
vm.mmap_min_addr = 65536
$ rpm -q wine
wine-1.1.29-1.fc11.x86_64
$

Re:sysctl vm.mmap_min_addr

Interesting...mine's not zero....

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 9.10
Release: 9.10
Codename: karmic

$ uname -r
2.6.31-14-generic

$ sysctl vm.mmap_min_addr
vm.mmap_min_addr = 65536
$

Re:sysctl vm.mmap_min_addr

[whyloginwhysubscribe]

Yes - even the summary says that the bug is mitigated by default by most dists, yet gives the story the title "...most linuxes..."
This is still a serious problem though!

Re:sysctl vm.mmap_min_addr

[0123456]

Must be an Ubuntu oddity for Wine, then.

Yeah, I don't know of any other distribution than Ubuntu which automatically reconfigures it when you install Wine.

Re:sysctl vm.mmap_min_addr

[Coren22]

I am so very sorry, I hope the condition clears up soon, and you can move on with your life.

Re:sysctl vm.mmap_min_addr

[PitaBred]

That's new since 8.10 or later then, because 8.04 doesn't have that problem with wine installed.

Re:sysctl vm.mmap_min_addr

So.... this linux bug is actually caused by Microsoft??

This is rich.

Re:sysctl vm.mmap_min_addr

[mcrbids]

FYI: My CentOS 4 servers all have this value set to zero. Also, between 1 AM this morning and now (10-ish AM PST) a kernel update has come out. (yum) So tonight, after hours, I'll be updating and restarting all our production servers.

Yum (and the good guys and Red Hat / CentOS) makes it so easy to be an admin anymore...

Re:sysctl vm.mmap_min_addr

[WuphonsReach]

CentOS 5 x64 is fixed (and has been since at least 2.6.18-128.2.1.el5). Which came out sometime prior to July 2009. So it was probably fixed before then.

$ cat /proc/sys/vm/mmap_min_addr
65536

(Yes, I need to update that box to the latest CentOS 5 kernel... the latest is 2.6.18-164.)

Re:sysctl vm.mmap_min_addr

[hughperkins]

Yeah, to fix this, edit /etc/sysctl.d/wine.sysctl.conf, and replace:

vm.mmap_min_addr = 0

with:

vm.mmap_min_addr = 65536

... then run /etc/init.d/procps restart to reinitialize this value

Re:sysctl vm.mmap_min_addr

[jd]

"I'm so very sorry" - isn't this what the 10th Doctor would say when he knew someone was about to die?

Re:sysctl vm.mmap_min_addr

[Coren22]

I would definitely consider that a description of someone who willingly uses Red Hat.

One Word:

Surely this is the same story, from 2 months ago.

One word: "Kdawson"

This can't be true

Linux is teh roxerz!!!!onehundredeleven!!!
 
M$ wants to p0wn3d joo.

Full quote from article

[Dareth]

The null pointer dereference flaw was only fixed in the upcoming 2.6.32 release candidate of the Linux kernel, making virtually all production versions in use at the moment vulnerable.

You know you can click on the article links and actually read them.

standard author/exploiter response?

[Gopal.V]

I'm not a real security guy, but my experiences with security bug reporting shows that nearly all such subtle bugs are pooh-poohed by the original authors till the exploit writer resorts to petulant scaremongering. I'm not sure which one is to blame for either one's behaviour.

All of these attacks IIRC require you to be able to mmap() page zero. Which is why mmap_min_addr is almost never set low enough in a decently protected OS. But the fact is that the exploit is a valid bug for a system which hasn't got that set to 4k. And there is a valid root exploit using pulseaudio (*ouch*) as a vector.

Linus might have been right in saying setuid is a 'vulnerability', but to call it a design flaw is wrong. Setuid is not a design flaw, it is a trade-off - needed for something as simple as 'ping' to function (yeah, ping's got setuid, check it).

Being able to exploit a setuid binary after mmap'ing page zero with executable shell code, via a phpbb vulnerability which is exposed because of lack of php filtering is like saying ... "look, having arranged these six dominoes, I only need to push *one* over".

I'm not denying either of them aren't right in their own way - but invariably original author vs security researcher sets up a very immature exchange of insults (and the ego of both types don't help either).

Re:standard author/exploiter response?

Interesting, I just check in Linux and /bin/ping is Setuid, but curiously enough /sbin/ping in Mac OS X is not Setuid.

Re:standard author/exploiter response?

[Late+Adopter]

Setuid is certainly a trade-off, but it seems a little absurd that you need full root permissions to access just the special resources "ping" needs to function. If anything, vulnerabilities like these are calls for a more fine-grained capability-based security system, that only grants the expected privileges needed for a given process to function.

While I'm dreaming I'll also take sandboxing for user-executed processes. And a pony.

Re:standard author/exploiter response?

[robmv]

That is being solved with Filesystem capabilities. Fedora 11 still has ping as setuid, not sure if Fedora 12 beta already switched it

Re:standard author/exploiter response?

[dkf]

Setuid is certainly a trade-off, but it seems a little absurd that you need full root permissions to access just the special resources "ping" needs to function. If anything, vulnerabilities like these are calls for a more fine-grained capability-based security system, that only grants the expected privileges needed for a given process to function.

You are aware that in order for ping to work at all, it needs raw sockets so that it can write ICMP packets? Those are restricted because they allow you to spoof all sorts of network traffic (e.g., the ethernet address to IP address mapping) Which Would Be Bad.

The only way to remove the setuid requirement from ping (apart from making your system thoroughly insecure) is to allow messages to be sent and received on raw sockets opened by non-root only if they're ICMP ECHO messages (I'm not aware of any other ICMP messages that it's useful for user code to send). Do you want to put such deep packet inspection in the kernel?

Re:standard author/exploiter response?

[sqlrob]

Not necessarily. You can create raw sockets with some limitations without root access on OS X. There's enough control to implement ping, but not enough to forge.

Re:standard author/exploiter response?

[Wrath0fb0b]

You are aware that in order for ping to work at all, it needs raw sockets so that it can write ICMP packets? Those are restricted because they allow you to spoof all sorts of network traffic (e.g., the ethernet address to IP address mapping) Which Would Be Bad.

This seems less bad than kludgy workarounds.

Network services should never trust that the packets sent to it are not forged. Ever. Session-based authentication If the network services were written with this caveat in mind (which can never really be eliminated anyways, since there's no way of knowing whether the client app is mangling packets) then there would be no problem letting userland programs have access to raw sockets.

Re:standard author/exploiter response?

[Late+Adopter]

The only way to remove the setuid requirement from ping (apart from making your system thoroughly insecure) is to allow messages to be sent and received on raw sockets opened by non-root only if they're ICMP ECHO messages (I'm not aware of any other ICMP messages that it's useful for user code to send).

That's absolutely not the only way. You can make raw sockets accessible via a node in /dev, which you can assign to a group, control membership in, and setuid/setgid a NON-root user to "ping".

A *lot* of system resources are controlled in this manner (dri, sound, disks). I still don't think it's a sufficiently versatile security model (cf my comment on sandboxing), but it's a good place to start.

Re:standard author/exploiter response?

Setuid is certainly a trade-off, but it seems a little absurd that you need full root permissions to access just the special resources "ping" needs to function.

You are aware that in order for ping to work at all, it needs raw sockets so that it can write ICMP packets?

Yes, so you give ping raw socket capability, without making it setuid root. Such systems have been implemented already but haven't gained traction. You don't appear to be thinking of the same thing as GP, when he talks about fine-grained capabilities.

Re:standard author/exploiter response?

Ah yes, thank you Wrath0fb0b for letting the network development community know that they were wrong all this time with their tradeoffs, as I'm sure your typical Slashdot basement remark has been clearly thought through. We could use more people than you!

Re:standard author/exploiter response?

[mi]

You are aware that in order for ping to work at all, it needs raw sockets so that it can write ICMP packets? Those are restricted because they allow you to spoof all sorts of network traffic (e.g., the ethernet address to IP address mapping) Which Would Be Bad.

It could be threatening to the network (which should not trust individual nodes much anyway, but many do), but not to the system itself... At least, I don't see how...

... making your system thoroughly insecure ...

How? Thanks.

Re:standard author/exploiter response?

More people like him you say? you know not what you say. More people like him will make more slashdots. Then a slashdot of slashdots will appear. Then several of those. Then a slashdot of slashdots of slashdots. Then ... then the Universe will invoke horror vacui and collapse the internets into a black hole.

On second thought, you're right. We do need more people like him out here.

Re:standard author/exploiter response?

[MattJD]

Except of course being able to generate a million spoofed tcp syn packets that overload different servers w/o taking client resources (beyond bandwidth), or any other similar kind of attack you can think of when you forge packets. Its just not for authenticating streams you know ...

Re:standard author/exploiter response?

... (I'm not aware of any other ICMP messages that it's useful for user code to send)...

traceroute is known to use ICMP type 11 and various other protocol variations in some implementations (also requires setuid).

Re:standard author/exploiter response?

[jd]

Setuid is mostly a vulnerability when you've the notion of a superuser. Linux has some/all of what's needed to do this. I'd consider the requirements to be:

• A user can be assigned access to a specific set of capabilities within the kernel
• A program can be assigned access to a specific set of capabilities within the kernel
• Privileged programs would have access to the union of the two sets of capabilities, unprivileged programs would have access to the intersection of the two sets
• Certain capabilities can be mutually exclusive so that if one is present then others are automatically filtered out regardless of privilege
• Users have access to only a well-defined subset of programs according to mandatory access controls
• There exist certain pseudo-users who can never be used by actual users but which can be assigned tasks/threads by the kernel and/or bootstrap process so that everything is run using the same mechanism, no special exceptions
• It should never be possible for an OS kernel thread to bypass the security kernel
• It should never be possible for an OS kernel thread even control the security kernel - the security kernel should instigate control activity independently

The idea of all this is that you should be able to have a ping program that has access to raw sockets (so you can do ICMP) such that specified users can call the program to perform the ping, but where bugs in ping have exceedingly limited scope for breaking out. Ideally, it shouldn't have any.

In the above scenario, the ping program would have the union of capabilities to add the raw sockets, where raw sockets was mutually exclusive of many normal user capabilities (which then get dumped as a result) and where anything spawned by ping gets owned by an "unreachable" user, so a bug in ping allowing you to run user-supplied code would run that code in a way the user could then do nothing with.

If you think the headaches of SELinux are bad, the pain of running a system outlined above would be exponentially worse. Literally. On the other hand, you can have only two out of the three of "completely secure", "easy to use" and "easy to administer".

The idea of having the security kernel's administration on kernel threads that are internal to the security kernel is that bugs in policy should have only limited ways to allow users who should be unauthorized to change policy. The only way to do that is to have policy actions and almost any other kernel activity mutually exclusive by hardcoding it in. Since policy has got to be settable by something, have a pseudouser and kernel thread that is only entitled to do that and access the necessary files, and nothing else.

Now we're getting to the stage where complexity would make the OS unusable, but if you could use it, it would require compatible vulnerabilities at multiple levels for an attacker to do anything.

Re:standard author/exploiter response?

[greg1104]

The standard way to remove setuid requirements from ping is to implement the capabilities API, which was finally done in 2.6.26 even though the basic idea goes back to the 2.1 kernel in 1998. A good intro is available from IBM.

Ubuntu

Then it doesn't exist in karmic.

"vm.mmap_min_addr = 65536"

Re:Ubuntu

[RAMMS+EIN]

Interesting, on karmic, I have:

$ sysctl vm.mmap_min_addr
vm.mmap_min_addr = 0

Then again, I don't know if my system is actually vulnerable, because I have yet to see a description of how the exploit works.

Re:Ubuntu

[munctional]

Installing WINE on Ubuntu systems sets that value to 0.

Egos in the IT security industry? Say it aint so!

[Viol8]

People who spend their lives looking for exploits and holes in a system whether white or black hat are only doing it so they can puff their egos by getting one over the codes original author and showing the world how l337 they are , so no great surprise when said egos bloat out in arguments.

Somebody fill me in..

[jcr]

I pay very little attention to open-source politics. What's the beef between Linus and Theo? Is it just a matter of dueling egos?

-jcr

Re:Somebody fill me in..

[Daniel_Staal]

It's not Linus and Theo, it's Theo and everybody.

And yes, it's dueling egos. Theo is a very good coder, and OpenBSD is an amazing system, but Theo should stop talking to the public. It never helps. (Even when he's right, which he usually is when the discussion involves something technical.)

Re:Somebody fill me in..

[Dog-Cow]

It's not dueling egos. For there to be a duel, Linus would actually have to care about Theo and his opinions.

Theo seems to have the idea that if security isn't your priority that you are a waste of resources and shouldn't be alive. He basically bashes anyone who doesn't agree with him on anything.

That's because he's a fucking asshole.

Re:Somebody fill me in..

[teknopurge]

Theo is a rock star when it comes to OS code, and as such has the attitude to go along with it. More power to him.

Re:Somebody fill me in..

[teknopurge]

It never helps. (Even when he's right, which he always is when the discussion involves something technical.)

Fixed.

Re:Somebody fill me in..

And Linus isn't?

Look at the various rows on the linux kernel mailing lists and there are assholes in abundance in both camps, Linus for all his brilliance being one of them.

Neither Theo nor Linus tolerate people who disgree with them or think they have a better/more efficent/more secure/more whatever way of doing something.

Re:Somebody fill me in..

[True+Grit]

What's the beef between Linus and Theo?

Theo is in charge of a BSD-based kernel that is only concerned with security, while Linus is in charge of a kernel that has to accommodate a much wider audience (like people who want to run Wine), and, of course, since both of them also have largish egos, they've both managed to say some silly things about each other's kernel...

Basically, unless you're already a Linus or Theo fanboy, their 'bickering' is not that important. :)

Re:Somebody fill me in..

Thanks Theo

Re:Somebody fill me in..

Re the comment in the summary: Theo De Raadt, have you ever heard the saying "A bad driver blames the track"?
The article itself is surprisingly devoid of details on the bug, considering that the Linux kernel is open source, but from what it says it's pretty clear that it belongs to a class of bugs that was already fixed as early as 1995. (VB4 came out then, but I know there were earlier languages without problems like these, I just don't know when they shipped.)

And?

[FlyingBishop]

Torvalds:

That does not look like a kernel problem to me at all. He's running a setuid program that allows the user to specify its own modules. And then you people are surprised he gets local root?

Am I missing something? Torvald's reply actually sounds pretty reasonable to me here. It might be nice if this exploit could be patched, but it seems a little preposterous to me that you could make that work in a way that doesn't leave an exploit. I'd say you need to be locking down your suid binaries more, not blaming kernel management.

Re:And?

[kscguru]

http://en.wikipedia.org/wiki/Security_theater

Torvalds is absolutely correct, the whole issue is idiotic and isn't really an "exploit" because it doesn't result in ANY privilege escalation. (You must be root to run an exploit that gives you, um, root!) However, ego-starved security people get to jump up and down thumping their chests about how they h@x0r3d an extremely common Linux distribution and get their names splashed all over the press. Yeah, and instead of mmapping NULL, you can just 'insmod /my/evil.ko' and get the same effect. Sigh.

Those of us who know anything about security just ignore these "researchers". There are far more important bugs - even far more important security bugs - than a root-to-root non-issue. I'll happily patch my system with the next set of kernel updates, but I don't intend to grab it any sooner. It's more important to me that my system stay up and avoid regressions than fix a root-can-get-root non-exploit.

Re:And?

I think you have to be local to do this. There is no remote attack possible. So this patch, along with rm -Rf / would go hand in hand. I mean one is bad and the other is bad. Locally, I can take an axe to my computer too, and remove a lot of bits also. Should I be worried? Only if I go just a bit too hard with the Wild Turkey(tm).

Bishop bashing bonobos

[LizardKing]

Before people jump on Theo's comment, it's worth pointing out that it was Linus who first described the OpenBSD developers as "masturbating monkeys". That said, it's still bloody childish irrespective of who it's coming from.

Re:Bishop bashing bonobos

They _are_ masterbating monkeys.. they all use OS-X now and are apple fan bois.

Re:Bishop bashing bonobos

[babblefrog]

I thought Masturbating Monkey was Ubuntu 10.10?

Re:Bishop bashing bonobos

Before people jump on Theo's comment, it's worth pointing out that it was Linus who first described the OpenBSD developers as "masturbating monkeys".

Probably true, but BSD has better booth babes. Sexy daemons instead of fat-ass penguins:

http://freebsd-image-gallery.netcode.pl/?gallery=Daemonette

Re:Bishop bashing bonobos

[HisMother]

Oh god I wish I had mod points!

Re:Bishop bashing bonobos

Considering that deraadt is either
a) deliberately mischaracterizing Linus' passing insult as being an article "about" masturbating monkeys
or
b) completely lacking in reading comprehension that he actually believes what he himself wrote

I wouldn't want to trust him with MY security, and he certainly has earned the mastubating monkey moniker.

Re:Bishop bashing bonobos

[teknopurge]

Linus was upset that someone was basing a modern OS on BSD. boo-hoo. Solaris still innovates more than Linux, all Linux does is try to replicate commercial functionality in "Open Source". The case can be made that the OpenBSD project has had more innovation(openssh, CARP, etc.) than Linux.

Re:Bishop bashing bonobos

Wrong *BSD.

Re:Bishop bashing bonobos

Exactly, right before Nymphomaniac Nightingale

Re:Bishop bashing bonobos

[Shikaku]

"masturbating monkeys"

Is that the next Ubuntu release after Lucid Lynx? I can't wait!

Re:Bishop bashing bonobos

[OrangeTide]

OpenBSD doesn't get to claim the coolness of FreeBSD through association.

Re:Bishop bashing bonobos

Ubuntu does spoonerisms

Hardy Heron -> Hairy Hard-on

Masturbating Monkey -> Monster-baiting Mackie

Re:Bishop bashing bonobos

Yeah, but the funny part is nobody gives a shit. OpenBSD is obscure. Very obscure. And as people grow up hearing about Linux more and more, and as the current BSD jackoffs die off, it will become even more obscure.

So boo-hoo indeed. It'll be fun watching OpenBSD fade into obsolescence.

Re:Bishop bashing bonobos

[Tetsujin]

They _are_ masturbating monkeys..

No, no... They're apes - show some respect...

Re:Bishop bashing bonobos

[bill_mcgonigle]

that's gold.

Re:Bishop bashing bonobos

[drinkypoo]

...Orgasmic Orangutan...

Re:Bishop bashing bonobos

Just wait until 10.10 gets shipped with a FreeBSD kernel.

http://linux.slashdot.org/article.pl?sid=09/04/05/222239

Re:Bishop bashing bonobos

[Cro+Magnon]

*wipes off monitor*

Re:Bishop bashing bonobos

[HiThere]

While I'll agree that Theo is abrasive, it was, for me, a very useful comment.
Because of it I checked my system AND found out how to patch the revealed weakness. And if Theo hadn't managed to get Slashdot's attention, I'd probably never have heard of the problem.

He may be unpleasant, but he's a VERY useful person to have around, even if you aren't running a BSD. (Which I'm not. I can't even remember for certain which BSD Theo is associated with. It doesn't matter to *me*, as a Linux user. What matters is that Theo made a criticism that Slashdot picked up, and which various people came up with reasons for and solutions as to how to handle.)

Re:Bishop bashing bonobos

[npsimons]

He may be unpleasant, but he's a VERY useful person to have around, even if you aren't running a BSD. (Which I'm not. I can't even remember for certain which BSD Theo is associated with. It doesn't matter to *me*, as a Linux user. What matters is that Theo made a criticism that Slashdot picked up, and which various people came up with reasons for and solutions as to how to handle.)

Theo is the project leader for OpenBSD, you know, the one with a fantastic security record? Theo's "unpleasantness" is, IMHO, just a side effect (or necessary?) result of his rabid dedication to security: being unwilling to compromise on any one issue is generally seen as a bad thing, but that particular stance often ignores the issue being defended. That being said, I admire and respect people like Theo and DJB. Hell, even if they are a bit more abrasive than necessary, at least they aren't sexists (that I am aware of).

Re:Bishop bashing bonobos

girl shows up at a computer convention, 10 years later grotesque nerds are still masturbating about it

Re:Bishop bashing bonobos

[Trogre]

I think that's the working name for the next OS X release. You know, once they run out of big cat names...

Re:Bishop bashing bonobos

Pedophilic Penguin

Re:Bishop bashing bonobos

... Pornographic Penguin ...

On the bright side...

[gzipped_tar]

... most distro maintainers seem to be doing a good job backporting fixes and features from upstream to the "mainline" kernels. At least this is true with Fedora, whose maintainers keeps cherrypicking fixes from 2.6.31 or rc for the mainline F11 2.6.30 kernels.

Exploit?

[RAMMS+EIN]

Is there some sort of exploit code I can run to check if my system is vulnerable? I tried to find some online, but I only came up with some code for SCO Unix and some code that is so horrendously long that I don't dare running it for fear it might do something I don't want to happen on my system.

meta-trolling

[Gothmolly]

Editors, why troll by quoting the vocal spokesperson of a different OS to comment on a Linux problem?

Re:meta-trolling

[LizardKing]

Increased comments. Increased page views. Increased advertising revenue.

Re:meta-trolling

[MrMr]

They have advertising on slashdot?

Re:meta-trolling

[Tetsujin]

They have advertising on slashdot?

Yeah, apparently if you're well-behaved they give you a checkbox that lets you turn the ads off... It's odd, though, 'cause I never saw any ads here in the first place.

Hm, you think this "ABP" thing in my browser window could have anything to do with it?

Re:meta-trolling

Wellsy, Wellsy, Wellsy. Aren't you quite the dashing fancy pants! You use ad-block plus! Thank you for making sure we all know how clever you are and that you don't see ads. I, for one, have found that my opinion of you has greatly increased due to your cool offhand comment letting everyone know that _you_ don't see any silly adds. Huzzah!, my friend, Huzzah!

Re:meta-trolling

[Tetsujin]

Heh, touche. :)

I'd rather pay $400 for bugs likes this

[coryking]

And know the fix would be back-ported to Server 2003. How many "stable" kernel versions will the fix be back ported to? Will my 2.4.x kernels get a patch?

Re:I'd rather pay $400 for bugs likes this

[RAMMS+EIN]

``Will my 2.4.x kernels get a patch?''

Are they vulnerable?

Re:I'd rather pay $400 for bugs likes this

Will my 2.4.x kernels get a patch?

If they are vulnerable, then most likely yes. 2.4.x kernels are still maintained (last release in September). I'm not sure how many distributions with 2.4.x kernel are still maintained, though :-)

Re:I'd rather pay $400 for bugs likes this

[MikeBabcock]

Lets compare apples to apples. Lets say you have an out-of-maintenance version of Linux (which would be some of the intermediate releases not in use by major distros) and your distro won't be patching you. You have the option of paying someone a lot less than $400 to back-port this patch to your kernel version or doing it yourself.

Now lets say you have an unsupported version of Windows (like NT 3.51) and you find out there's a major security hole in Vista dating right back to 3.51. How are you going to get that fixed? If you answer "by upgrading" then use the same answer with Linux.

The whole point of FOSS is that you're never stuck, you can always just do it yourself or pay someone to do it for you, the vendor can't lock you out of the code running on your systems.

Of course, if you run a maintained version of any Enterprise Linux I'd put good bets down that they'll be patched shortly. If you spun your own distro, then you made the choice to maintain it yourself anyway.

Re:I'd rather pay $400 for bugs likes this

according to the list here, the oldest vernerable kernel is 2.6.23

(That list isn't fully sorted though, 2.6.23.2 is just above Linux kernel 2.6.31-rc5-git3)

Re:I'd rather pay $400 for bugs likes this

[bill_mcgonigle]

Of course, if you run a maintained version of any Enterprise Linux I'd put good bets down that they'll be patched shortly. If you spun your own distro, then you made the choice to maintain it yourself anyway.

Well said. Back when vmsplice was a big issue, a client with an app tightly coupled to an abandoned distro had my company fix their kernel for them. It was a pretty trivial patch - with some testing and QA I think it was pretty close to the $400 mark you mentioned for a half dozen machines to get patched, and that bought them nearly a year to get everything up on CentOS 5. I'd not recommend the approach, but SMB's don't get to dictate a march - when a lead developer moves/passes on unexpectedly suddenly the best laid plans need to change.

Re:I'd rather pay $400 for bugs likes this

[dstech]

Of course, if you run a maintained version of any Enterprise Linux I'd put good bets down that they'll be patched shortly. If you spun your own distro, then you made the choice to maintain it yourself anyway.

The RHEL patch was released yesterday: https://rhn.redhat.com/errata/RHSA-2009-1548.html

Ubuntu not necessarily safe

[daveewart]

But the bug is not exploitable on ubuntu, because they set vm.mmap_min_addr > 0 by default.

That doesn't seem to be generally true.

Ubuntu Hardy 8.04 LTS, 2.6.24-25-generic: vm.mmap_min_addr = 65536; Ubuntu Jaunty 9.04, 2.6.28-16-generic: vm.mmap_min_addr = 0. So, by the above logic, Ubuntu Jaunty is vulnerable, although Hardy is safe.

Also seems like vm.mmap_min_addr = 0 for all the Debian boxes I can get my hands on...

(All my comments above relate to the stock/packaged kernels for the distribution)

Re:Ubuntu not necessarily safe

[pjt33]

It was certainly 0 for Deb. lenny.

Re:Ubuntu not necessarily safe

[eparis]

Installing the wine package on ubuntu automatically sets mmap_min_addr to 0. The default install will have it set higher. Solution, remove wine.

Re:Ubuntu not necessarily safe

[Anonymous+Psychopath]

Also seems like vm.mmap_min_addr = 0 for all the Debian boxes I can get my hands on...

I just looked and it's >0 on my Debian box, which is patched regularly but still uses packaged kernels. So I guess that would be one of the ones you can't get your hands on. :P

Re:Ubuntu not necessarily safe

[daveewart]

Installing the wine package on ubuntu automatically sets mmap_min_addr to 0. The default install will have it set higher

Interesting. (See /etc/sysctl.d/wine.sysctl.conf for some comments).

Solution, remove wine.

Hardly a solution if one needs to use Wine, though, is it? Probably just a good idea to wait for a patched kernel, I should think.

Re:Ubuntu not necessarily safe

[daveewart]

Perhaps it's Wine, then, or another package that has modified it: see http://linux.slashdot.org/comments.pl?sid=1430160&cid=29978100 and further comments.

Re:Ubuntu not necessarily safe

[eparis]

A patched kernel will fix this particular bug, but as long as wine is installed and mmap_min_addr is being set to 0 you have no protections for the next bug. Unless wine can be changed (which some smart people have told me it can't), there's nothing you can do except accept a higher security risk on your system.

Here's a fun tag line, "Windows applications can even make Linux less secure!"

Re:Ubuntu not necessarily safe

[unts]

One of my (Jaunty) servers has > 0, and my Hardy desktop, which has Wine /and/ Crossover Pro installed, also has > 0.

So I'm not sure about wine always being an issue here (unless my wine install won't work for certain apps... I wonder)

Re:Ubuntu not necessarily safe

[PitaBred]

Not on 8.04. I'm running it right now, and I just checked that (and verified that Starcraft still starts up fine in wine).

Re:Ubuntu not necessarily safe

[Chousuke]

Wine will still work even with address zero not memory-mappable. Only some applications will need it; Mostly DOS applications and others that use old APIs which might presume its availability.

I doubt setting mmap_min_addr to nonzero is going to cause problems for most people, and even if it does, in those cases the person probably will know how to configure it themselves and take the necessary precautions.

Re:Ubuntu not necessarily safe

[BikeHelmet]

Do we even need 16bit executable support in Wine?

I know some old game installers are 16bit, but even Microsoft is dropping support that old...

Re:Ubuntu not necessarily safe

It a bug in ubuntu, they should no set mmap_min_addr 0 just because wine is installed.

Wine run win32 apps just fine with mmap_min_addr 65536. It may not work wor DOS apps, but then dosbox or any x86 emulator with freedos installed would be better then Wine anyway.

Re:Ubuntu not necessarily safe

[Smoke2Joints]

Solution, remove wine.

actually no, leave wine installed, and set the mmap_min_addr value higher.

Re:Ubuntu not necessarily safe

[hughperkins]

It's only needed for 16-bit programs in Wine. You can modify the value by editing /etc/sysctl.d/wine.sysctl.conf, changing the vm.mmap_min_addr from 0 to 65536, then running /etc/init.d/procps restart. Note : your mileage may vary. Use at your own risk. Etc...

Re:Ubuntu not necessarily safe

[complete+loony]

So, wine needs this for 16bit dos emulation? And it's broken on x64 but fine on x32 processors? Could wine on x64 use dosbox style emulation for 16bit code to get around this requirement?

Long fixed in Linux stable

[omb]

I for one am getting royally pissed off by shards of Security Dupes as non-tech writers catch up with Security exploits.

All kernels have exploits. This exploit is complicated to excercise, you would need very good low-level knowledge to map page 0 then set page 0, location 0 to a valid (code *) and valid kernel code to set up the exploit, or a published HOWTO, after which any script-kiddie can do it. It was discussed on LKML and fixed in short order, a day or so AFAIR. That fix rapidly made it into the Stable Kernel series, and, ...

You also have to have local shell access first, to a system with compile capabilities or other no-no like ksyms radable by non-root, so yes this was exploitable but with difficulty, not like the many gaping holes in Windoze. It confuses the normal user.

I for one am much more concerned by things like continuous ssh attacks, which you can defend with iptables but really needs support in sshd.

Re:Long fixed in Linux stable

Not "long fixed in linux stable", not a dupe, and you are also an idiot.

Re:Long fixed in Linux stable

[omb]

AC see the Git commit fix referenced in the thread, then die of shame astroturfer

What's the deal with the masturbating monkeys?

[Johnny+Loves+Linux]

I read Theo's comments and he's going on an on about Torvald's fixation with masturbating monkeys. Then some member of the openBSD crowd even offers a link to purchasing "your very own" **masturbating monkey** http://www.wellcoolstuff.com/Merchant2/graphics/00000001/20-Apr-07-05.jpg

Then I read Torvald's comment about the Linux exploit, with Torvald referring to the openBSD developers as being __like__ a "bunch of masturbating monkeys".

Ok, so is this like some kind of secret code used among OS kernel developers? Like saying "my shoe is blue but the cow is hungry" really means "Oh man, this code is leaking memory and crashing my system"? Or is this some kind of secret initiation thing, where in order to truly become a member of the OS development club, you have to first ... masturbate a monkey??!! Can somebody explain it, or maybe do some investigative reporting on this?

Re:What's the deal with the masturbating monkeys?

It's very simple, while Linus is quite a brilliant kernel dev, he's is also a complete and total douche bag. Basically if didn't come from his brilliant mind, you're a fucking asshole for pointing it out, at least to him.
captcha: theology

Re:What's the deal with the masturbating monkeys?

They are Zen speak. What kind of code stink does an empty function body emit? (answer: For a cause, there is a consequence. I is empty.) Not even an exception has risen, is there a still a crash or not? (answer: Mount Sumeru!) Does this scheduler have the property of fairness to it or not? (answer: Wú) What is a kernel? (answer: Three pounds of flax.)

Re:What's the deal with the masturbating monkeys?

It's very simple, while Linus is quite a brilliant kernel dev, he's is also a complete and total douche bag.

I see that you haven't actually met him. Your loss. Not his.

Re:What's the deal with the masturbating monkeys?

[gad_zuki!]

Aging nerds trying to sound cool when they were never good with clever insults to begin with?

Re:What's the deal with the masturbating monkeys?

[bmcage]

It is a word Linus uses from time to time when he wants to make an insult.

Have a look at http://www.youtube.com/watch?v=4XpnKHJAok8, I won't watch it again to give you the minutes at which the word is used, but his body language makes it clear this is not the first time he applies it when a certain situation comes up.

The video gives you an idea of the person he is. You like his style of jokes, or you don't. Perhaps it's something Finnish.

I'm in your Linux box

[LuxMaker]

Getting your root access.

Nothing more than a publicity stunt?

[BhaKi]

Linus's comment: "That does not look like a kernel problem to me at all. He's running a setuid program that allows the user to specify its own modules. And then you people are surprised he gets local root?" Sounds reasonable to me.

Kernel default?

[gweihir]

Just checked my installations (Debian with custom kernel from kernel.org). They are all at 4096 for mmap_min_addr (and hence not vulnerable), but I seem to be unable to find a place where this is set. Does anybody know whether this is the kernel default?

Re:Kernel default?

[Anonymous+Psychopath]

It's 4096 (by default) in the Debian-packaged kernel on my system as well.

Local access has never been secure.

[Vellmont]

I've felt for a long time that giving someone local shell access to a machine is never going to be completely secure. There's just too many degrees of freedom available, and too many different things that need to be secured. This is just another proof of concept of that principle.

With all the various different interfaces we have today, shell access is something only a small percentage of people need. Even those you could likely limit down to a few administrators, some programmers, and possibly a few special cases.

Re:Local access has never been secure.

[RAMMS+EIN]

``I've felt for a long time that giving someone local shell access to a machine is never going to be completely secure.''

Indeed, it is not. There are various nasty things a regular user with shell access can do.

``This is just another proof of concept of that principle.''

No. This is a vulnerability that makes things worse than they should be. There are various ways to limit what regular users can do. A vulnerability that allows these users to become root means the system is broken, so that users actually get _more_ power than they would have, had they just been given shell access.

Re:Local access has never been secure.

[Vellmont]

No. This is a vulnerability that makes things worse than they should be.

All vulnerabilities make things worse than they should be. My point is simply that a root vulnerability given shell level access shouldn't be unexpected.

Re:Local access has never been secure.

[Tetsujin]

With all the various different interfaces we have today, shell access is something only a small percentage of people need. Even those you could likely limit down to a few administrators, some programmers, and possibly a few special cases.

Here's the thing, though: a shell doesn't actually grant you any power that you don't already have. It is an interface through which you can run programs, nothing more. Most window systems have a "run command" dialog, file managers that let you explore the whole filesystem and run whatever you like, and any number of programs installed which might allow users to run any program on the system they have access to - in this environment, disallowing use of the shell is meaningless. It doesn't limit what the users can do, it just makes the interface worse.

A server that provides shared web hosting is a good example of why this kind of usage needs to be safe. Individual users can benefit from using the shell - but even if you were to block shell access, these users need to run PHP, Python, or Ruby, which would grant them the same ability to run programs... It's not so bad if a user on a system like this causes a small amount of trouble (like running a fork-bomb or otherwise grinding the system to a halt) - people will be upset, but the offender has more to lose than to gain in a case like that. But if a user can escalate themselves to root, they can sabotage other users' content, they can take over the system and do whatever they want, etc. This is a much more dangerous capability.

Re:Local access has never been secure.

[RAMMS+EIN]

``My point is simply that a root vulnerability given shell level access shouldn't be unexpected.''

Well, I think it should be. But it depends on your definition of "expect". If you mean "expect" as in "it's normal", I vehemently disagree. I think it's a disgrace. But if you mean "expect" as in "Linux is huge and complex, it's bound to have security holes you can drive a truck through", then, yes, I agree.

Re:Local access has never been secure.

[Vellmont]

Here's the thing, though: a shell doesn't actually grant you any power that you don't already have.

Who's you? You the attacker, you the person sitting in front of the physical computer, or you the person with remote access to the machine?

If it's the person sitting in front of the physical computer, you're right. The other two have different answers depending on what access you have to the machine. The whole point is if an attacker has the ability to execute arbitrary code on the machine, all bets are off. There's just too many different things that have to be secured to have any real assurance of security.

Re:Local access has never been secure.

[Tetsujin]

You said "shell access is something only a small percentage of people need". Well, what do they use instead? A GUI, with a menu system and a file browser? A shell will do nothing that the file browser would not also be capable of. This is true whether you are local to the machine or not.

Re:Local access has never been secure.

[Vellmont]

Well, what do they use instead? A GUI, with a menu system and a file browser?

An email client, a web browser, a windows machine, a telephone, an Internet connected device?

There's multiple ways to access the services offered by a linux machine you don't own and don't have shell access to. You're thinking too narrowly here. The point is really how many untrusted people have the ability to run arbitrary code on a machine they don't own or have physical access to these days? Not many.

15-20 years ago it was a different story. These days having shell or remote access to the box generally means you either own it, administrate it, or have high enough level access that getting root wouldn't elevate your privileges in any meaningful way.

Re: no shell access...

With all the various different interfaces we have today, shell access is something only a small percentage of people need. Even those you could likely limit down to a few administrators, some programmers, and possibly a few special cases.

Right. And most machines don't run code from outside, like, oh, javascript?, flash?, java?....

So it's a windows bug

So it's a windows bug.

Duh?

[adosch]

Why is this even tech news worthy? It's pretty apparent to any *NIX junkie local exploits are JUST as alarming and harmful as external service or remote kernel exploits. If you're only worried about what external threats and this article caught you by surprise, you should probably go back to the drawing board... or read less /. and learn more about the OS you're supporting. In the Linux environment I support at work, my *biggest* threat are users who know just enough how to be dangerous... and if I see any trend, it's that local exploiting and vulnerabilities should hold a bit more focus an attention, especially with the rise with the Linux desktop movement and the Ubuntu bandwagon; regardless if the user is a power-user, Linux breathing fanatic or wanted to try a Live CD, it's the exposure and curiosity that will bite you on the frontline keeping your users in check.

Theo de Raadt is my hero

[OrangeTide]

I'm glad I don't work with Theo de Raadt. He's a tremendous douche when he's right, and a tremendous douche when he's wrong.

Linus' insults show he lost the argument

Linus Torvalds called Theo and Developers masturbating monkeys. That is obviously an insult and insults are the last refuge of the out-argued. Insulting propositions obviously aren't logical but purely dialectical in nature. Doc Johnson and the philosopher Arthur Schopenhauer wrote about insults being the last refuge of the out-argued. Linux is not a good OS in my opinion so I use OpenBSD and NetBSD instead.

What design choice?

[Skapare]

Just what design choice was made (wrong) by Intel, and why is it a bad choice?

Re:What design choice?

[eparis]

My understand in a short and simple answer: before the x86_64 architecture revolution it was possible to effectively have a separate virtual memory space for the kernel and userspace. With x86_64 segmentation was removed.

Intel i686 processors had a pretty big performance hit if you used functionality since there was a TLB flush on every kernel trap. I don't believe many kernels made use of it. The PaX security patch set could and Red Hat's 4g/4g split kernels did (RH called them hugemem kernels, although I don't suggest them to anyone as they had their own issues.) The AMD Opteron processors actually had tagged TLBs so they didn't have to flush and performance didn't suffer nearly as badly.

In any case, with x86_64 that ability is simply gone. SPARC is often named as an architecture which doesn't suffer from this specific class of bugs since it always had completely separate kernel space and userspace virtual memory. I heard rumour their might be a brilliant solution that will hopefully come from the PaX/grsecurity team, but I don't believe anything has materialized just yet.

Re:What design choice?

[Skapare]

And how is page 0 involved in this? And are the references to page 0 talking about virtual page 0 or real page 0? And is this really a cache line conflict at page 0?

Re:What design choice?

[IamTheRealMike]

So, firstly, x86_64 was designed by AMD not Intel.

Secondly, the whole point of x86_64 was to simplify and improve the x86 architecture by removing stuff that nobody used at the same time as adding 64 bit support. And by your own admission basically nobody used kernels with separate address spaces for various reasons, performance on Intel amongst them.

I don't think having kernels run in the same address space as applications can be blamed on Intel no matter how hard one might try. For many years any kernel developer could produce a kernel which used separate address spaces and such things were just curiosities.

Re:What design choice?

[eparis]

Most people expect that dereferencing a NULL pointer will result in some sort of fault. If you map the virtual page 0 and then do this you don't get a fault. Remember that NULL==0.
mmap(0, ..., MAP_FIXED...
char *p = NULL;
*p = 'a';

address 0 now contains the letter 'a' and the program does not fault.

The idea is that if you do the mmap in userspace, fill that area with specially crafted information, then cause the kernel to hit a bug in the software (in this case a pipe) which dereferences a NULL pointer, you can make it operate on data you control. This is due to the fact that userspace and kernel operate in the same virtual address space. Sometimes (often?) this means you can take over the box.

mmap_min_addr tries to address this problem by disallowing a program from mapping the low virtual address space. That means it ONLY affects the class of bugs that involve a NULL pointer. If it's a corrupt pointer instead a NULL pointer mmap_min_addr is totally useless. For either class of bugs hardware segmentation could help. It wouldn't be a security panacea, but it would eliminate the need for the specific hacks which both Linux and BSD use.

Re:What design choice?

[metamatic]

So x86_64 doesn't have this problem? That would explain why sysctl -n vm.mmap_min_addr gives me an error...

Re:What design choice?

[HonIsCool]

Nitpicking: dereferencing NULL gives undefined behaviour and NULL is not necessarily 0; it's implementation defined.

Re:What design choice?

[Rich0]

Here is the thing I don't get.

Why do ANY two processes share the same address space? Shouldn't it all be virtualized? So, two different processes could be assigned a block of memory with the same address, but in reality neither corresponds to the same region in physical memory?

Ok, maybe as some kind of an optimization you do give processes non-colliding address spaces. Well, even then there should be some kind of privilege assignments so that processes can't access each other's memories.

Otherwise, stuff like this can happen.

I'll be the first to admit that I'm not an expert in x86 protected mode, but it just seems like a multi-user OS should completely isolate the memory of its processes from each other. If a process wants to mmap something into address page zero, no big deal - 100 processes can all do it and they'll all be happy and none of them will tread over each other. If you spawn a new process it should get a clean address space - ESPECIALLY if it is suid.

Re:What design choice?

We are not discussing C, we are discussing Linux on x86 machines.

NULL is 0, and the only undefined behaviour is that if you mmap something at address 0, you can dereference a null pointer without crashing.

Re:What design choice?

[Skapare]

So this isn't really a bug in and of itself, but a method by which a known bug can be exploited. I don't see a design fault by Intel in this. Instead, I see it as a fault of the design of the Linux kernel wanting to view both address spaces at the same time AND having the user space be mapped at the same addresses as the user process sees it. Of course we could blame Intel for not including features to make it easier to not do this. Still, this is a complicated requirement because you have to ensure that mmap() cannot allocate user process virtual memory addresses that are the same as any kernel addresses. In a way, you are doing that with mmap_min_addr for one or a few pages. You do point out the issue with respect to corrupt addresses (BTW, I see that more often than NULL address faults).

So is the Intel fault one where they don't allow 2 separated (with separate TLB cache) virtual address spaces and a special instruction to access the alternate for just fetch and store purposes?

Re:What design choice?

Two processes do have different address space. This is not the problem.

The problem is between user space and kernel space. A program mmaps something at address 0. Now null pointer dereferences don't crash. A moment later, *the same program* makes a system call. That system call has a bug, that makes it dereference a null pointer in a certain case (if it always did it, the bug would have been found long ago, as the standard behaviour is to "OOPS").

Kernel and user space aren't separate, unlike different processes, as processes make system calls all the time, unlike process switches which only occur once in a while, and replacing the page tables with those of a different process takes a lot of time (on a CPU scale). Possibly taking 100 times as long as a fast system call.

Re:What design choice?

[Skapare]

I think I understand this now, so I will try to re-phrase and give a different explanation. It is NOT a case of memory being accessed between user processes. Instead, it is a case of memory being access between a user process and the kernel.

The kernel needs to access both its own memory, as well as the memory of the user process. Not all parts of the kernel need to do this, but the parts directly servicing the currently running user process do. For example, the sys_read() function inside the kernel services the read() system call. That function has to be able to store the data it obtained into the user process virtual address space. So it has to have some view of that user process virtual address space.

The view of the user process space COULD have been done by changing the addresses the kernel code sees it as. The catch with that is that it requires a change of segment tables (either reconstructing a new one, or switching to a standby one already constructed) and the corresponding flush of the address translation cache (TLD) which has a performance penalty. So, instead, the kernel changes its view of real physical memory.

Now we have a situation where there can be user-determined data sitting at page 0 as the kernel code sees it. If the kernel hits a place where it has a bug and makes a jump to NULL, which is 0, then the user-determined data is now executing in a kernel context. This problem could happen with the kernel jumping to user code anywhere, but the cases where it jumps to 0 are more deterministic and easier to exploit. If you know of a twisty bug to make the kernel jump to 0 where it would otherwise be a kernel panic at worst (a DoS attack), which has a lower priority to be resolved, you can turn that into a complete capture of the kernel.

If the architecture provided a means to let the kernel access user space in some protected or alternative way, that could be done instead. Kernel code already uses specific macros to access user space where it needs to do that. So if the architecture had a special set of instructions to do it, those could be used. Those special instructions could be a special memory load and memory store that uses a secondary page/segment table with a secondary (or even absent) TLB cache. Or with such instructions, the kernel could potentially run without address translation turned on at all, where these special instructions make use of the address translation that is currently the selected one, even though it is off for all other instructions.

Another PARTIAL solution would be a way to disable execution at page 0. This would not be a complete solution. Instead, the solution currently chosen is to disallow user processes to map memory at page 0 in the mmap() call. The mmap_min_addr setting makes this configurable by root. And an issue raised is that certain distributions have elected to not set this properly. Maybe the kernel should default this to PAGE_SIZE and then let a distribution or system administrator be stupid and set it to 0 if they want to.

Re: no shell access...

[Vellmont]

If javascript, java, or flash is allowing you to do the kinds of things this vulnerability requires, you're already screwed.

If your browser allows outside code to execute any arbitrary code at the user level that means you're essentially 0wn3d. Being able to get root through such a vulnerability is a minor bonus.

system insecurity

[Tetsujin]

... making your system thoroughly insecure ...

How? Thanks.

Well, if you were to allow all user-space processes to access raw sockets, then the system might start to feel exposed and self-conscious...

SUID root yields root... but, wait...

[Tetsujin]

Linus's comment:
"That does not look like a kernel problem to me at all. He's running a setuid program that allows the user to specify its own modules. And then you people are surprised he gets local root?"

Sounds reasonable to me.

Well, here's the thing... For the exploit to work you need either mmap_min_addr to be 0, or you need your process to have CAP_SYS_RAWIO. In other words, if you were running on a system that had mmap_min_addr set to 0, you could run this exploit without already having root authority. Wine needs this, apparently...

The workaround for mmap_min_addr (by exploiting dangerous SUID code in Pulse) was just icing on the cake.

Why is this interesting

[bassM]

Bugs like this turn up all the time and they usually get fixed before they are badly exploited, it's not newsworthy until an exploit pops up or the bug isn't fixed in a reasonable timeframe. Or are bugs like these fixed in response to news on slashdot, maybe file a bug report instead?

Re: no shell access...

[Tetsujin]

With all the various different interfaces we have today, shell access is something only a small percentage of people need. Even those you could likely limit down to a few administrators, some programmers, and possibly a few special cases.

Right. And most machines don't run code from outside, like, oh, javascript?, flash?, java?....

Javascript, flash, and java (on the web, I mean) are all run in environments that implement their own forms of protection. It would, therefore, be very difficult from one of these environments to do something like a null pointer exploit.

So fix it and be happy

[sjames]

It's very simple. If you're running a server, as a few pointed out here, add vm.mmap_min_addr=4096 to your /etc/sysctl.conf to protect the system on future reboots and do echo "4096" >/proc/sys/vm/mmap_min_addr to protect the system now.

If for desktop machines, consider doing the same thing but keep in mind that wine might not work if you do.

Perhaps that value should be the default, but it's not as if the fix is deeply complex or even requires a kernel update. Either way, it is a tradeoff. The various distros arguably should update sysctl.conf to fix this, but then a lot of Wine users might get very surprised.

Not an issue for Win32 Apps

[colourmyeyes]

wine

Only Win16 binaries require the ability to mmap low addresses, Win32 binaries do not. It is recommended that you test your application with the increase mmap_min_addr setting. If the application starts up without issue, then you should not need to remove the mmap_min_addr restriction.

(http://wiki.debian.org/mmap_min_addr)

$ cat /proc/sys/vm/mmap_min_addr shows 4096 on my system, and MS Word 2003 works just swell under WINE.

spendergrsec

[Deanalator]

If anyone wants to watch these exploits being written live, you can follow spendergrsec on twitter.
http://twitter.com/spendergrsec

The rate at which spender has been cranking out kernel exploits is insane. Also it's someone who uses twitter for something for more than informing us what he's eating or when he's pooping, so that's always a plus.

Being Right...

[labradore]

Theo said:

If anyone wants a choice quote from me about the recent Linux holes, this is what I have to say: Linus is too busy thinking about masturabating monkeys, he doesn't have time to care about Linux security.

Being both right and being an asshole still makes you an asshole. People can improve their perspective on technical matters by listening to those who are better informed. However, virtually no one will listen to a better informed jerk just because he's right. Linus has a good point. The user base for windows is an order of magnitude higher than Linux which is Linux has an order of magnitude higher deployment than OpenBSD. Though being more popular doesn't make any system or the people that build the system any better, it's terribly counterproductive to actively alienate the vast majority of those who could benefit a change in thinking about security by being inflammatory to any and all who don't automatically agree.

Re:Being Right...

[petrus4]

Theo is operating from a very different perspective.

There is always a tradeoff between what non-technical end users demand on the one hand, (interface simplicity, and thus implementation complexity) and actual technical quality (stability, security, technical correctness; implementation simplicity, and thus interface complexity) on the other. Linux and OpenBSD exist on different sides of that tradeoff.

The difference between Linux and OpenBSD can be summed up by saying that Linux has native support for Adobe Flash, whereas OpenBSD has readable source code. Which of those two characteristics is more important, is a decision for the individual user.

That does not *excuse* Theo's attitude, no...but it does, to some extent, *explain* it.

CVE-2009-3547

[200_success]

No, this article is about CVE-2009-3547.

Award winning work

[harlows_monkeys]

It was these kind of issues, and the lame responses to them, that won the Linux kernel developers the 2009 Pwnie in the "Lamest Vendor Response" category.

there fixed that for you

s/Linus/Theo/g

Supervisor blocking

[shentino]

If only there was a way to FORBID the kernel from accessing certain pointers.

Usually you want to protect the kernel from the user...

Possible fix: When switching into kernel mode, mark page zero as not present and invlpg. Any access to page 0, which btw is userspace that should be guarded with get_user et-al, would cause a fault. The exception handler, upon noticing the access was NOT done through the appropriate macro, would oops.

Morrons

[CisJokey]

So the uber idiot is calling the next idiot an idiot, because of an idiot architecture... Get a job and get adult you morrons.

More problems from C...

[master_p]

...yeah, yeah, I know, it's the programmer's fault, yada yada yada...

I am not trolling. It's time to move beyond C, to a safer programming language. C is the language of the gods: only gods can make faultless programs with it.

Re:More problems from C...

[timtas]

...yeah, yeah, I know, it's the programmer's fault, yada yada yada...

I am not trolling. It's time to move beyond C, to a safer programming language. C is the language of the gods: only gods can make faultless programs with it.

Absolutely correct! The kernel should be written in javascript or python and all system calls be replaced by web services. The javascript interpreter would be directly implemented in the cpu, as well as the xml parser stuff. I wonder why nobody has done this yet, maybe because everybody except you and me are backwards-thinking, nostalgic idiots. That must be the reason.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Comment removed

[account_deleted]

Comment removed based on user account deletion