Linux X.org Critical Security Flaw Silently Patched

eldavojohn writes "On June 17th, the X.org team was notified by Invisible Things Lab of a critical security flaw (PDF) that affected both x86_32 and x86_64 platforms. The flaw deals with escalated privileges of a user process that has access to the X server. The founder of ITL said of the flaw, 'The attack allows a (unpriviliged) user process that has access to the X server (so, any GUI application) to unconditionally escalate to root (but again, it doesn't take advantage of any bug in the X server!). In other words: any GUI application (think e.g. sandboxed PDF viewer), if compromised (e.g. via malicious PDF document) can bypass all the Linux fancy security mechanisms, and escalate to root, and compromise the whole system.' This has apparently been a security flaw since kernel 2.6 was released. From the article, 'On 13 August, Linus Torvalds committed an initial fix, but several patches were added afterward for various reasons. The problem has been addressed in versions 2.6.27.52, 2.6.32.19, 2.6.34.4 and 2.6.35.2 of the kernel.'"

Convenient

[rotide]

So, I'm supposed to click a link to read a PDF about a PDF flaw. You sly boots!

Re:Convenient

[Nadaka]

Another reason Linux is safer is that these problems get due attention when reported, but for the windows team puts effort to fix most problems, it has to be a source of embarrassment for the company.

Re:Convenient

[machxor]

It's not a PDF flaw, it's a flaw in Linux kernel. The malicious PDF file was just an example for an attack vector. You know, the same way it works in Windows. No system is immune to these kind of attacks, the only reason Linux and Macs see them less is because most of the users are on Windows (especially the "stupid" or casual ones). Not even the walled gardens like iPhone, where PDF attack was used to root and jailbreak the system just recently.

You got it spot on. Although in my personal experience I've had more Linux servers compromised than Windows ones. Could be the fact that in general my Linux servers are exposing services to the internet where as my Windows servers are not. Or it could be the fact that at times questionable users (ie: customers) have had access to my Linux boxes. Oh and then there was one time my MS-DOS server was compromised (lol).

In general it's not the OS keeping you secure it's how valuable of a target you are and how vigilant you are at security.

Re:Convenient

[NNKK]

Do you honestly think that Microsoft would do nothing if there was a non-patched privilege escalation exploit in Windows?

What rock have you been living under?

Re:Convenient

[Peach+Rings]

They patched it, I don't know what you expect them to do beyond that. "Silently" just means that slashdot didn't pick up on it or something.

Also,

Do you honestly think that Microsoft would do nothing if there was a non-patched privilege escalation exploit in Windows?

Are you kidding?

Re:Convenient

What are you on about? There a full changelog for the patched code. Do you have any idea how much changes in the linux tree each week? One bugfix is not going to make news other than from a pro-Windows news outlet attempting to make it appear there's a cover up. Try reading LKML if you're stupid enough to think there's a conspiracy going on.

Re:Convenient

[erroneus]

Yes.... yes I do. We have seen it with the process messaging flaw.

Microsoft is a for-profit company. To make a profit, they have to control costs and increase sales. By paying people to patch vulnerabilities, they are increasing costs. This has the effect of lowering profit. On the other hand, their reputation has impact on their ability to make sales (though admittedly, not as much when you are not a monopoly). So if the flaw is well known (which in this case, became the headline of a great many news stories) they might be pushed in the direction of spending the money to fix it, but since they are a monopoly, it takes a much bigger push to get a flaw like that fixed than if they were in competition with other OS makers. And I am sure they work under some sort of formula that says "If cost of fix x 10 loss of sales then ignore it" or something like that.

So yes, if they felt that the threat to their profits is large enough they will take action... else they will not. Lately, Microsoft is facing a lot of competition so yeah, they are more likely to take action now than ever before. But that has not always been the case, especially during their golden years of "embrace and extend" and other standards-trampling behaviors. They could pretty much do whatever they wanted... and did.

Re:Convenient

[betterunixthanunix]

Also, note that this was silently patched with no announcement of the problem.

It was not "silently patched." It would be pretty hard to "silently patch" the Linux kernel, unless you could come up with some other explanation of your changes to the kernel developer. The patch was noted in the changelog like any other patch. No attempt was made to hide it.

Or did you think that the developers should have been screaming about the patch from the rooftops? This is not the first security bug to patch in this way.

Re:Convenient

[blair1q]

Just click the popup telling you that your PC is infected. That'll fix it.

Re:Convenient

[machxor]

Reference please? Which Linux servers? Red-hat? Debian? SELinux enabled?

Sounds like you know a lot about the subject..

This was between 1999 and 2003 when a partner and myself were running a small web hosting/shell company Mach Nine Internet Services, http://www.mach-nine.com/ (under construction now?), http://www.lomag.net/information/news.php

Always Redhat... started with 6 (which was the 2.2 kernel...) and think we ended at 7.1.

In any case this small period of time was the only time I've had Linux servers publicly available on the internet and two of three machines were rooted due to a (2.4?) kernel flaw that made it trivial to escalate privileges if you had a shell (which being a shell provider...). Since then I've had several Windows servers publicly servicing the internet but the difference is that they are for my personal use and not high profile (in relation to my old Linux servers) targets.

My statement was not one about the inherent security of one OS over the other. There is more I could have done to prevent the root attacks on the Linux machines and I don't deny that. I'm repeating myself here but my point was:

In general it's not the OS keeping you secure it's how valuable of a target you are and how vigilant you are at security.

Re:Convenient

[Abstrackt]

Came here to post the same!

Came here to post something completely different! (I just like the attention)

Re:Convenient

[gorzek]

Sure, fixing a bug might take a line or two of code.

But the time required to fully test it and make sure it doesn't break anything else? That's where all the real costs are. It's why Microsoft doesn't generally have a fast turnaround on Windows security fixes.

Re:Convenient

[drsmithy]

Your support of an assertion claiming "countless" unpatched privilege escalation bugs is a single, already patched, bug ?

Re:Convenient

[Score+Whore]

Contrary to the headline written by an idiot, this isn't an Xorg bug. It's a kernel bug that can be exploited through Xorg.

Re:Convenient

1) http://blogs.pcmag.com/securitywatch/2010/08/unpatched_vulnerability_in_all.php
2) http://www.zdnet.com/blog/security/microsoft-warns-of-serious-unpatched-windows-7-flaw/6474
3) http://blogs.pcmag.com/securitywatch/2010/08/unpatched_vulnerability_in_all.php
4) http://www.computerworld.com/s/article/9176944/Microsoft_warns_of_bug_in_64_bit_Windows_7?source=rss_security
5) http://isc.sans.edu/diary.html?storyid=8023
6) http://news.cnet.com/8301-1009_3-10170962-83.html
7) http://www.geek.com/articles/chips/17-year-old-unpatched-windows-vulnerability-discovered-20100120/
8) http://arstechnica.com/microsoft/news/2010/03/exploits-of-unpatched-ie6-ie7-flaw-on-the-rise.ars
9) http://www.h-online.com/security/news/item/Several-known-vulnerabilities-to-remain-unpatched-on-forthcoming-Microsoft-patch-day-947191.html
10) http://www.myce.com/news/microsoft-confirms-windows-shortcut-zero-day-exploit-32107/?utm_source=myce&utm_medium=frontpage&utm_campaign=related_posts

There, 10 vulnerabilities, which either took Microsoft months after visibility to patch, or still aren't patched.

Now, STFU.

Blame Xorg

[betterunixthanunix]

Xorg is a mess. Fedora had to craft a special SELinux policy, which exempted Xorg from a number of restrictions that apply to other applications (for example, the ability to unset the NX bit on a region of memory), because not only does Xorg do so many questionable things, but there is no good way to fix it. That, and the fact that Xorg runs as root, make it a particularly weak link in the chain.

Re:Blame Xorg

[vadim_t]

That should be fixed eventually. With the switch to kernel modesetting (already happening) there shouldn't be any need for X to mess directly with hardware anymore, and without that it should run just fine without root privileges.

Re:Blame Xorg

[Cyberax]

Yep.

On Linux input devices are now moved into the kernel. The only complex thing remaining is modesetting and hardware acceleration. But they are being fixed as well.

In fact, you can run 'rootless X' on Fedora ( http://lwn.net/Articles/341033/ ) and soon on Ubuntu ( https://blueprints.edge.launchpad.net/ubuntu/+spec/desktop-maverick-rootless-x ). Here 'rootless' means that the server doesn't require root privileges to work.

Re:Blame Xorg

[Cyberax]

Yes, it starts as root, but then it immediately drops privileges upon initialization.

Re:Blame Xorg

[shutdown+-p+now]

It does nothing. No one used startx for many years by now.

Actually, quite a few people running "hacker" distros (Gentoo, Arch etc) prefer to boot into console and do startx from there when (and if) needed.

How much more 'silent' was than other bugs?

[master_p]

Do the Linux developers put a news announcement out every time there is a bug and they forgot about it this time?

Isn't it a little sensational to imply that Linus and the other people didn't want this bug to be known because they fear Linux will be characterized as buggy?

Re:How much more 'silent' was than other bugs?

[stagg]

I'd rather hear about a flaw like this after the fact frankly. I don't think an unpatched exploit needs the kind of publicity that /. would get it.

Re:How much more 'silent' was than other bugs?

[Rogerborg]

Isn't that what "New Media" means; sensational?

Sure, because Legacy Media was so focussed on telling people what was important, rather than just what they wanted to... ooooh, OK! magazine have offered Linsday Lohan $1m for an exclusive - must read now!

Re:How much more 'silent' was than other bugs?

[pclminion]

Do the Linux developers put a news announcement out every time there is a bug

No, but all changes to the kernel are documented in the changelog. And security-related bugs are treated the same as any other bugs. They are not explicitly called out as being security related. Linus has been pretty clear on this in the past. A bug is a bug, period. The fact that it's security related is uninteresting (to him, at least).

I think that's a weird attitude but that's what we've got.

Re:How much more 'silent' was than other bugs?

[tuffy]

I don't think it's all that weird. For example, is a bug that corrupts one's filesystem less critical than a bug that allows unauthorized access? Is a root escalation bug more important than a bug that prevents one's video card from working? They all need to be fixed, but I don't think security implications entitle such bugs to special treatment.

Re:How much more 'silent' was than other bugs?

[ultranova]

For example, is a bug that corrupts one's filesystem less critical than a bug that allows unauthorized access?

More importantly, is there a difference? Red Hat 9 had - and perhaps distros still have - this nice system where cron would, once a day, run programs dropped into a directory in /etc with root privileges. Very useful for various packages that required periodical maintenance; but if a filesystem corruption bug would allow one to link an arbitrary file to those directories...

A bug means that a system behaves in a way it shouldn't. There's always the chance that such unplanned behaviour can be used by an attacker to do nasty things. There is no difference between security critical and other bugs, there's only bugs with known exploits and bugs without. Every bug is a chink in the armor, and every kernel bug should be considered security-critical.

Re:How much more 'silent' was than other bugs?

[spitzak]

A filesystem corruption bug that allows one to link an arbitrary file somewhere would allow a much quicker root exploit than relying on cron!

I think you are thinking about extremely old bugs where cron itself could be convinced to run a program without root privledges as root (or really as the cron job). That is from about 1980 or earlier I think.

Re:How much more 'silent' was than other bugs?

[VGPowerlord]

More importantly, is there a difference? Red Hat 9 had - and perhaps distros still have - this nice system where cron would, once a day, run programs dropped into a directory in /etc with root privileges. Very useful for various packages that required periodical maintenance; but if a filesystem corruption bug would allow one to link an arbitrary file to those directories...

I assume you mean /etc/cron.daily which is still around, along with its hourly, weekly, and monthly counter-parts.

Re:What I suggest to people

[stagg]

You do realize that Mac is built on a FreeBSD kernel?

Macs can't be exploited. That's why people paid to get into the walled garden, it's safe in there. LA LA LA LA LA LA I CAN'T HEAR YOU.

Is this news?

[mspohr]

Isn't this the way it's supposed to work?

1. Bug found, responsible parties notified

2. Bug fixed and software updated

3. We are protected from potential future attacks. (Profit!)

Was there an actual attack? No.

Re:Is this news?

[jpapon]

Must be a slow day. Conspiracy articles about HAARP causing Moscow to burn, and an article about a security flaw that has been fixed. Fascinating stuff... What's next?

Re:Is this news?

Quickly? This flaw has existed for 7 years.

Re:Is this news?

[mspohr]

Although this article was about a Linux potential vulnerability and not about Microsoft, you seem to think that Microsoft is treated unfairly with too much publicity. I guess the difference is that Microsoft, unlike Mac and Linux, does actually have thousands of virus infection vectors in the wild and they have been slow to patch their buggy software. It isn't particularly newsworthy when Linux patches a potential vulnerability (with no known exploit) promptly but it is news when Microsoft patches an old bug that has already led to thousands (? millions) of infected machines.

Re:Is this news?

[the_bard17]

Probably since we're not Microsoft. Really.

Who's got access to the Linux kernel's source code? Anyone. Compare that to who's got access to Windows' source code. Who can submit a patch for the Linux kernel? Again, anyone. Compare that to who can submit a patch for Windows.

So if there's an exploit in the Linux kernel, it's our fault... because the only thing holding any of us back from fixing it is our own lack of knowledge, ability, and/or time.

For those Windows exploits, however, we're left at Microsoft's mercy, assuming there's no other way to prevent the exploit than to fix the source code. The same is true for any other closed third party software.

Re:What I suggest to people

[l2718]

You do realize that Mac is built on a FreeBSD kernel?

Actually, MacOS uses the Mach microkernel in a BSD system; some code was taken from FreeBSD -- but not the kernel.

How fancy can you get?

[gzipped_tar]

can bypass all the Linux fancy security mechanisms, and escalate to root, and compromise the whole system.

The author who wrote this certainly didn't count SELinux as one of the "fancy" security mechanisms...

Re:How fancy can you get?

[betterunixthanunix]

Xorg throws a wrench into SELinux; just ask the Fedora SELinux policy maintainers. I still remember the days when my Fedora system would pop up SELinux warnings left and right because Xorg was trying to do something stupid and suspicious. These days, Xorg just gets exempted from SELinux policies in Fedora.

Re:What I suggest to people

[bsDaemon]

Darwin is their codename for what is the open source bits of MacOS X. The kernel is largely based on Mach. Since its a Microkernel, it can have "servers" for different subsystems, including BSD, which aren't really "kernel modules" in the Linux or BSD sense. A lot of the userland and C libraries are derived from FreeBSD, with some GNU stuff, and custom changes to both. They did hire a bunch of big-name FreeBSD people though, like Jordan Hubbard, which just contributes extra confusion to a confusing situation.

Re:What I suggest to people

[DarkKnightRadick]

pedant*

Unless you are actually a piece of jewelery.

2 Months is Acceptable?

[Arainach]

Just a few months ago we were blasting Microsoft for taking five weeks to prepare the Ormandy patch. Now we discover that Linux has had a root-privledge exploit for years, was notified, and took two months to fix it, and we get comments like "Must be a slow day." Stay classy (and unbiased), Slashdot.

Re:2 Months is Acceptable?

[drsmithy]

Whatever. He's calling Slashdot biased. Pot, meet kettle.

But Slashdot *is* biased, quite heavily, towards Linux and Open Source (and against anything not anti-Microsoft). Your previous post is, indeed, an excellent example of that bias.

Re:2 Months is Acceptable?

[drsmithy]

Microsoft has thousands of programmers working full-time; Linux is maintained by volunteers, working in their spare time.

False. The majority of work on Linux is done by fulltime employees of companies like Red Hat.

Root in the kernel == game over

[benjymouse]

I don't get this blind trust in SELinux can do what it was never intended to do. If you compromise the kernel - especially a monolithic kernel like Linux - it really is game over.

Practically every security check (and - yes - that includes SELinux extra hooks) are performed before the actual operation is performed with no kernel lock covering both. Which means that *all* of them are susceptible to concurrent access attacks.

It works like this: The malicious code invokes the syscall passing a structure, e.g. an inode but at the same time the malicious code starts a second thread which after a measured period (clockcycles) modifies the very same structure. By crafting this carefully the attacker can hit the "weak spot" between the security checks and the actual operation. It doesn't work every time due to obvious nondeterminism, but even a 30% hit rate will be exceptionally good in a mass attack.

And you cannot lock down the tools used in this scenario. All processes will need to access memory and spawn threads. Certainly browsers, X servers, pdf readers etc. do.

This is not a bug in the kernel. Avoiding this weakness would involve bigger locks and critical sections which would seriously impede scalability. It is just that the kernel was never designed to withstand attacks from within the kernel itself.

So please stop peddling SELinux as a silver bullet. Once an attacker is inside the kernel it really is game over. SELinux doesn't fix that. Nor was it intended to.

Re:Root in the kernel == game over

[benjymouse]

int vfs_mkdir(struct inode *dir, struct dentry *dentry, int mode)
{
                int error = may_create(dir, dentry, NULL); // line 1874

                if (error)
                                return error;

                if (!dir->i_op || !dir->i_op->mkdir)
                                return -EPERM;

                mode &= (S_IRWXUGO|S_ISVTX);
                error = security_inode_mkdir(dir, dentry, mode); //line 1883
                if (error)
                                return error;

                DQUOT_INIT(dir); // line 1887
                error = dir->i_op->mkdir(dir, dentry, mode);
                if (!error)
                                fsnotify_mkdir(dir, dentry);
                return error;
}

Line 1874 is the "old" permission check.

Line 1883-1885 is actually the SELinux hook. Note how this is a restrictive model rather than an authoritative model, i.e. it doesn't encapsulate the operation. It merely checks to see if you are allowed to perform the operation before proceeding with the very same arguments which were passed to the function (e.g. dentry

Line 1887-1888 is the weak spot. If I were an attacker who passed the "dentry" structure to this function I could still hold a reference to that structure. And holding the reference, I can overwrite the memory. If I time my memory write correctly (easier to do on a multi-core processor where I'm not even required to preempt the first call) I can inject my own parameters *after* the security checks. In this case I can create new directories wherever I want.

Remember, this is *not* something I claim you can do from userspace (haven't investigated that), but from within the kernel this is entirely possible!

I fully expect Windows to be vulnerable to similar attacks from within the kernel.

My gripe is how SELinux is expected to be able to confine malicious code which is already executing inside the kernel. It is a speed bump at best. Code running inside the kernel can modify all writable memory. Certainly it can modify memory it allocated itself.

Note, this is not an attack which is made possible by running as root. You need to be running in kernel - and then it doesn't really matter whether you run as root or not.

Ad hominem

[benjymouse]

Here is a novel idea: Stop misrepresenting what actually happened and stop ad hominem attacks questioning posters' motives .

Microsoft took five weeks to prepare the Ormandy patch. During that time, they made no comment - there was no transparency into whether or not it would be fixed.

They made no comments? Did you actually look or did you just assume?

• Tavis Ormandy reported the issue June 5th (a Saturday). He wanted MS to commit to a 60-days timeline.
• Tuesday (a busy patch Tuesday, no less) MSRT get back to him and say they can present a schedule the upcoming Friday, June 11th (which is less than 5 workdays after the bug report).
• Not good enough for Ormandy he goes public immediately, Wednesday June 9th on the 3rd workday after reporting the bug

Now to your claim that they "made no comments":

• Microsoft blogs about the issue June 10th: http://blogs.technet.com/b/msrc/archive/2010/06/10/windows-help-vulnerability-disclosure.aspx
• June 10th Microsoft makes another blog entry on the issue (2nd that day): http://blogs.technet.com/b/msrc/archive/2010/06/10/security-advisory-2219475-released.aspx
• June 26th, Microsoft updates the blog entry from June 10th: http://blogs.technet.com/b/msrc/archive/2010/06/10/windows-help-vulnerability-disclosure.aspx (scroll down for update)
• June 30th, Microsoft reports on how code similar to Ormandys PoC code is used in attacks: http://blogs.technet.com/b/mmpc/archive/2010/06/30/attacks-on-the-windows-help-and-support-center-vulnerability-cve-2010-1885.aspx
• July 16th Microsoft releases a security bulletin: http://www.microsoft.com/technet/security/advisory/2286198.mspx.
• August 2nd Microsoft updates the bulletin from July 16th,

Hardly a "no comments" approach. If you click through those posts I think you'll find them smack full of info. And I've even excluded their communication on the preliminary "fix it" tools.

Admit it. You are biased, but not classy.

Like your misrepresentation and ad hominem demonstrate more class?

It seems to me that it is indeed interesting that this fix was 2 months in the making (responsibly disclosed). And that is only measuring the time until the kernel had been fixed. Now the distros would have to pick up on it and perform their own regression testing, prepare packages/updates etc.

GP did raise some really interesting questions. For some reason you chose to disregard them right away and go straight for the mans posting history.

Will you be publishing stats on my posting history as well. Am I a shill, too?

There's still a hole.

[Animats]

There's still a hole. See Xorg Large Memory Attacks, section 4. Opening a one-page gap in mapped memory at the top of the stack is a workaround, not a fix.

This looks like bad design. Someone got too cute with the MMU. The basic problem is shared memory between a privileged and a non-privileged program. That just screams "security hole". It was put in to get a performance advantage for graphics-heavy applications on X, probably games. "MIT-SHM" shouldn't be enabled on a production server.

Re:There's still a hole.

[scribblej]

I wouldn't put X11 on a production server in the first place. Why would you?

Assuming you're not serving X11, I mean.

Re:What I suggest to people

[evilviper]

Since its a Microkernel, it can have "servers" for different subsystems, including BSD, which aren't really "kernel modules" in the Linux or BSD sense.

Except, of course, it isn't a microkernel. They ripped that out, first thing, made it monolithic for performance.

I'd love to see a common operating system using a microkernel. That seems to be the only way forward in a world of imperfect programmers and increasing attention towards turning every little flaw into vulnerabilities.

Re:Modus operandi

[Alex+Belits]

Static analysis produces massive amounts of false positives that are easier to "fix" than to verify.

I believe, it would be a safe bet that there are still no actual vulnerabilities found and successfully exploited by this method -- and the actual exploitable vulnerability the article is about, was not and could not be found by such analysis.

So no, changelog is not a "gold mine" for anything, most of the time if will give you massive load of starting pointers that if/when you will find one that is a genuine security bug and produce an exploit based on it, not even the oldest network-accessible installation of Slackware will have them.

This is a rare exception, though it hardly stands out in the changelog, and only coincidence with Xorg [otherwise completely valid and reasonable] behavior makes exploit possible.

Re:Running X as root?

[grantek]

On a Linux system it's generally "setuid root", which means the filesystem permissions allow program can be run by any user, but there's a special flag that tells the kernel to actually give it root privileges, exactly so that it can do special hardware stuff.

You have to be very careful when writing a program designed to run with an effective ID of root, because it's one of the fastest ways to compromise a system if there's a flaw.

Newer versions of Xorg are moving to an architecture where they can be run without root privileges - there's already patches available, and it's an area of interest for a lot of people.

Open Source Workdays

[benjymouse]

Workdays was important because that is what was used in the responsible disclosure guidelines. Which recommends waiting 5 workdays of non-communication before taking a vulnerability public.

Responsible disclosure which Google strongly supported until one of their researchers broke it:

From Googles website (emphasis mine):

"This process of notifying a vendor before publicly releasing information is an industry standard best practice known as responsible disclosure. Responsible disclosure is important to the ecology of the Internet. It allows companies like Google to better protect our users by fixing vulnerabilities and resolving security concerns before they are brought to the attention of the bad guys. We strongly encourage anyone who is interested in researching and reporting security issues to observe the simple courtesies and protocols of responsible disclosure. Our Security team follows the same procedure when we discover and report security vulnerabilities to other companies.

Tavis Ormandy knew this. That is why he made a stupid claim that acted in his personal capacity, not as a Google researcher. Even though he used Google resources, Google colleagues and Google paid time.

Also I see no technical discussion of the problem on any of the links you posted, nor any steps that can be taken until MS gets a update out to fix it.

The technical info is there. If you cared to follow the "fix it" links from their blog entries you would see that they designed workarounds.

But the interesting thing here is that after this debacle, 60 days was put forward as an absolute maximum a vendor should spend analyzing and designing+implementing a fix for a vulnerability. With this Linux bug we see 2 groups need to sit down together to work things out. And they spend 60 days before the distros got their hand on the fix. Just interesting, that's all. This was pointed out by the GP of the post I responded to. And he was immediately attacked.