Root Privileges Through Linux Kernel Bug
Lars T. writes "The H has a story about a Linux kernel bug that allows root level access. 'According to a report written by Rafal Wojtczuk (PDF), a conceptual problem in the memory management area of Linux allows local attackers to execute code at root level. The Linux issue is caused by potential overlaps between the memory areas of the stack and shared memory segments.' SUSE maintainer Andrea Arcangeli provided a fix for the problem in September 2004, but for unknown reasons this fix was not included in the Linux kernel. The bug is not related to the X Server bug found by Brad Spengler."
As the linked article notes: "SUSE itself has the fix and SUSE Linux Enterprise 9, 10 and 11 as well as openSUSE 11.1 through 11.3 do not exhibit this vulnerability."
Watch out for the 133t h4xx0r5!
How can the two bugs be unrelated? Both articles have the exact same link to the exact same PDF! (Hint: the PDF's filename is xorg-large-memory-attacks.pdf on both).
So, is he trying to say that only SUSE is protected, and bug free, and hack free, and... what is the reason to not have this fix in the main kernel tree? For me, it sounds like some very nasty and dirty war.
Root privileges allow me a higher priority -> First post!
Except, y'know, when it doesn't.
Indeed, 5 years old and no exploit. Patched several years ago by the distros. The question is why didn't it get back into the kernel tree.
From the RedHat bug report: Eugene Teo (Security Response) 2010-08-12 21:44:06 EDT Linus has committed a fix for this issue: http://git.kernel.org/linus/320b2b8de12698082609ebbc1a17165727f4c893
I don't understand TFH / TFS / TFA. Are we talking about local privilege escalation by overwriting the memory space owned by processes running as root?
Yes, it's sarcasm. Deal with it!
I wonder how many bugs like this are lurking in closed source products, just waiting to be discovered and exploited?
I Am My Own Worst Enemy
Indeed, 5 years old and no exploit. Patched several years ago by the distros. The question is why didn't it get back into the kernel tree.
Why not ask the kernel developers? Nah, I'm not just joking, don't ask those nutjobs anything, they'll just freak out and start yelling at you.
And the relevance of your post other than a weak attempt at deflection is what?
And that's the point, in the case of closed source software you can only wonder. :-)
But that would indicate the attacker has access to the machine, and once that happens it a lost cause regardless. This is a non story.
Why not ask the kernel developers? Nah, I'm not just joking, don't ask those nutjobs anything, they'll just freak out and start yelling at you.
I've seen many similar statements, so there may be some truth to this, but my experience is that they give you a short-as-possible, only-most-relevant question such as "Can you bisect?" or a reply like "Patch rejected: missing signoff". It appears their time is very valuable or they have to pay $5 per typed letter.
9/11: Never forget it was a false-flag operation
Windows is so unsafe!! Linux is so much better. Micro$oft is evil...their software is buggy. Linux is teh best eva. Linux + firefox is for real users. Windows and IE are for people who want to get hacked!!!!
ZOMG!!!! Windows is so lame!! Linux is teh best eva made and is so uber smart to use!!!
I wonder how many bugs like this are lurking in closed source products, just waiting to be discovered and exploited?
I wonder how many bugs like this are lurking in open source projects, just waiting to be discovered and used against people that assume that the software they use is secure because they read Slashdot comments.
"I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)
At least we don't have to wait for four Tuesdays' time for the fix...
You're holding it wrong.
Sometimes people make mistakes.
Amazing that SUSE fixed this in its distro. In the proprietary world they'd still be waiting for the OS maker to fix it. SUSE just fixed it themselves. Many Windows bugs could have been fixed but remained waiting for years until MS got around to it.
Indeed, 5 years old and no exploit.
How do you know?
Give me Classic Slashdot or give me death!
Behold the phenomenal power of Open Source! The time of each and every kernel developer is in fact a highly valuable commodity, yet I get the benefit of the fruits of their labor without shelling out a sixpence! And the best part? This was fixed last week.
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
I thought only Microsoft wrote Bugs and Linux has no security holes.
What happened?
Look at this graph: http://linuxinsecurity.blogspot.com/
Certainly, someone is wrong!
So I read the PDF...
which is the patch... "Patch "mm: keep a guard page below a grow-down stack segment" has been added to the 2.6.32-stable tree"
and meanwhile my Ubuntu update manager pops up and shows an update for the kernel and gives the following link to the changelog...
http://launchpad.net/ubuntu/+source/linux/2.6.32-24.41/+changelog
Nice to see people are on the ball with security updates, even if it shouldn't have happened in the first place.
Bugs are a part of software as a whole. Every program, open or closed, is vulnerable to some kind of bug. The difference, however, is that with Linux bugs I tend to hear about them after I have already downloaded the fix.
So, only 6 years late then? SuSE just went way up in my book.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
Compare this to Apple, which still hasn't fixed my Darwin kernel ring 0 exploit, which I reported in June.
It's x86-only, so no, it can't be used for the second step of an iPhone jailbreak. =(
"Screw Sun, cross-platform will never work. Let's move on and steal the Java language." - Visual J++ Product Manager
If you really want to get a fix in, the correct procedure is to keep pestering the maintainer for that area until they accept your patch. If you can't get them to accept it, you go up the chain.
Yes, in an ideal world all maintainers would be perfectly organized. In the real world things get lost, they get distracted, other issues pop up, and the patch doesn't make it in.
If you care about it...make some noise.
Yes, and with OSS we know exactly how many unpatched and undiscovered bugs there are!
Oh, wait..
This won't be a problem for me since I don't run Linux.
Now the shoe's on the other foot!
So, only 6 years late then? SuSE just went way up in my book.
SuSE just went way down in my book, to join the "we-don't-upstream" vendors such as Canonical.
Really, there may have been an excuse for not upstreaming this during the linus-doesn't-scale period, but other distros have explicit "patch-review-in-order-to-upstream" initiatives; this one should have been caught by SuSE some time in the last 6 years, reviewed by their kernel maintainers, and re-submitted.
So SuSE managed to patch every new kernel they incorporated in their system to include their patch for 6 years and didn't bother to tell it upstream (again)? It should have rung a bell every time they had to reapply their patch.
Suse developers suggested a fix for this vulnerability six years ago (http://linux.derkeiler.com/Mailing-Lists/Kernel/2004-09/7904.html); however, for reasons unknown it wasn't noticed or merged.
Indeed, 5 years old and no exploit.
You can't be sure of that.
Mmmh... isn't Suse an OS maker?
I don't care if they get the kernel from somewhere else, they are selling me an OS.
It's funny to see the Windows people taking such satisfaction in Linux bugs and completely disregarding the time it takes from disclosure until a fix is available. Usually I've already installed the fixed version before I read about it on Slashdot. It's just a matter of subscribing to my distro's security announcement mailing list and upgrading if I run the affected software.
So in most cases, when I read about bad bugs in Linux it's 'old news'.
(Blatantly ignoring the six years it took to actually get the fix into the kernel this time)
You're lucky to get a "Can you bisect?"
All I got was a "Does it blend?" and a derisive snort.
WARNING: Smartphones have side effects--most of them undocumented.
Every kernel release after 2.6.35.2 dealt with this issue (which is why a few apps I use crash when they store too much data without setting a larger buffer). Unless you're running, oh... a version of Linux dating that far back and have never bothered to get the updates, you have no issue. Anybody using Linux not only gets kernel updates, but new kernels (which is why I routinely purge the old files out of /boot and the modules out of /lib/modules, both to keep from having a ton of unwanted garbage to sort through as force of habit, and a throwback to when space was at a premium, and of course edit the menu.lst file).
what's next...rehashing problems with netscape 4?
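A defender-side check for the fix threshold named in the comment above, added here as an example and not taken from the thread, the kernel or any distro tooling: it compares a kernel version string against 2.6.35.2 (the first release the comment says carries the fix) and, for anything lower, reports that the distro changelog must be consulted instead, because SUSE and Ubuntu shipped the patch in kernels whose version numbers predate the mainline fix. The commit id in the comment is the one quoted from the Red Hat bug report earlier in the thread; the function names are my own.

```shell
#!/bin/sh
# Assumption (from the thread): mainline carries the guard-page fix from 2.6.35.2 on.
FIXED_MAINLINE="2.6.35.2"

# version_ge A B : succeed when dotted version A >= B, compared field by field.
# Anything after the numeric core is dropped, so "2.6.32-24-generic" -> "2.6.32".
version_ge() {
    a=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
    b=$(printf '%s' "$2" | sed 's/[^0-9.].*//')
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}          # current field of each version
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac   # advance to next field
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0                            # all fields equal
}

# kernel_fix_status VERSION : "fixed-in-mainline" when the version number alone
# proves the fix is present; otherwise "check-distro-backport", because a lower
# number on a distro kernel (e.g. Ubuntu 2.6.32-24.41) may still be patched.
kernel_fix_status() {
    if version_ge "$1" "$FIXED_MAINLINE"; then
        echo "fixed-in-mainline"
    else
        echo "check-distro-backport"
    fi
}

# In a checked-out kernel git tree the mainline commit quoted in the thread settles it:
#   git merge-base --is-ancestor 320b2b8de12698082609ebbc1a17165727f4c893 HEAD
kernel_fix_status "$(uname -r)"
```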
Parent is not a troll. The fact that the patch has lingered in SuSE kernels for six years with no-one trying to re-submit it to upstream shows a serious flaw in their process. I wonder how many other SuSE-only patches they have?
We don't know if there is an exploit or not, but given that no one has seen it, I tend to think that it doesn't exist. Especially because gaining root at a server is interesting, but not many servers have X11.
I can audit the code myself, or pay someone else to audit it. Also thousands and possibly millions of people are already auditing it, for free! I can fix the bugs myself, or pay someone to fix them.
The difference being however that with linux bugs I tend to hear about them after I already downloaded the fix.
That's called a false sense of security.
What about the race to all the people who need to update these kernels? ...someone somewhere there will be vulnerable boxes perhaps forgotten about, administered by monkeys or installed from CDROM.
How long does it take for a vanilla Ubuntu to be owned connected directly to internet?
No, it's simply a small piece of evidence that Linux gets fixed faster than Windows does.
Right. Like I said, a false sense of security. Think about the ramifications of what you're saying.
I view this as SuSE seeing the critical nature of the patch and including it irrespective of what Linus or the other kernel team guys think.
That this was not included after submission was a fairly serious error.