Slashdot Mirror

← Back to Stories (view on slashdot.org)

Root Privileges Through Linux Kernel Bug

Posted by timothy on from the who-needs-windows? dept.

Lars T. writes "The H has a story about a Linux kernel bug that allows root level access. 'According to a report written by Rafal Wojtczuk (PDF), a conceptual problem in the memory management area of Linux allows local attackers to execute code at root level. The Linux issue is caused by potential overlaps between the memory areas of the stack and shared memory segments.' SUSE maintainer Andrea Arcangeli provided a fix for the problem in September 2004, but for unknown reasons this fix was not included in the Linux kernel. The bug is not related to the X Server bug found by Brad Spengler." As the linked article notes: "SUSE itself has the fix and SUSE Linux Enterprise 9, 10 and 11 as well as openSUSE 11.1 through 11.3 do not exhibit this vulnerability."

44 of 131 comments (clear)

  1. Unrelated? The PDFs are the same! by Anonymous Coward · · Score: 4, Informative

    How can the two bugs be unrelated? both articles have the exact same link to the exact same PDF! (Hint: the pdf's filename is xorg-large-memory-attacks.pdf on both).

    1. Re:Unrelated? The PDFs are the same! by NeverVotedBush · · Score: 4, Insightful

      I think what it is is that the Xorg server is an easy attack vector for the Linux kernel memory management issue.

      The memory management issue is the thing that enables using a flaw in the X server to escalate privilege. If you fix the X server to not allow that kind of manipulation, you still have the kernel memory management issue that could be used by some other application to escalate privilege.

      I think that fixing the X server - one mitigation is to disable the MIT-SHM extension as discussed in the pdf - really reduces the exposure but since the real problem is in the kernel, it doesn't completely remove the threat.

      At least that is how I understand it...

    2. Re:Unrelated? The PDFs are the same! by Tumbleweed · · Score: 2, Funny

      How can the two bugs be unrelated? both articles have the exact same link to the exact same PDF! (Hint: the pdf's filename is xorg-large-memory-attacks.pdf on both).

      The identical links are caused by another bug called PEBKAC.

    3. Re:Unrelated? The PDFs are the same! by lortho · · Score: 5, Informative

      It's because both articles are actually about the Wojtczuk report, and they both mis-quote Joanna Rutkowska as stating the bug is related to Spengler's X-Server flaw. She clarifies in an update to H-Online's version of the article that she was misunderstood and that they are actually unrelated.

    4. Re:Unrelated? The PDFs are the same! by Peach+Rings · · Score: 4, Informative

      Also if you read linus's patch notes they're the exact same problem.

    5. Re:Unrelated? The PDFs are the same! by bjourne · · Score: 2, Informative

      I think that fixing the X server - one mitigation is to disable the MIT-SHM extension as discussed in the pdf - really reduces the exposure but since the real problem is in the kernel, it doesn't completely remove the threat.

      The shm extension is integral to all modern xorg servers. You *may* be able to run xorg without shm, but many programs will refuse to work and performance will drop to a few percent of what it is with shm enabled. It's the transport the X server uses for communication with its client. With shm (shared memory) disabled, it has to serialize all objects and send them over a socket which of course is dog slow.

      --
      Football Odds
  2. Re:Long live to SUSE??? by valeo.de · · Score: 2, Informative

    No, just that this particular bug has been patched in SUSE for six years, while mainline has only just gotten the fix.

    --
    cat: /home/valeo/.sig: No such file or directory
  3. Nothing to see here.... by interfecio · · Score: 3, Informative

    From the RedHat bug report: Eugene Teo (Security Response) 2010-08-12 21:44:06 EDT Linus has committed a fix for this issue: http://git.kernel.org/linus/320b2b8de12698082609ebbc1a17165727f4c893

    1. Re:Nothing to see here.... by JohnFluxx · · Score: 5, Insightful

      I don't agree that it's "nothing to see here" - something has gone wrong if it took 6 years for this to happen.

    2. Re:Nothing to see here.... by Americano · · Score: 4, Insightful

      Nothing to see here? Will you say the same thing when Microsoft waits 6 years to apply a fix to WinXP? :)

      Yes, these things are less likely to happen with Linux. That doesn't mean Linux kernel processes are above reproach, and can't be made more responsive & accountable in cases like this where somebody obviously dropped the ball on merging a patch somewhere. I hope they spend a little time reviewing how this got missed, to make sure it's not a flaw in their process that could allow it to happen again.

    3. Re:Nothing to see here.... by Beelzebud · · Score: 3, Funny

      "Nothing to see here....." says Lt. Frank Drebin, as the fireworks factory behind him burns to the ground.

    4. Re:Nothing to see here.... by Anonymous Coward · · Score: 2, Funny

      Here at Linux Vintners, we will commit no bug fix before its time.

      This properly aged bug fix boasts an intense, highly indented C syntax and fragrant blackberry, vanilla, and dark chocolate comment style with just a hint of peppercorns. Richly textured and firmly structured, its lavish blackberry, ripe black plum, dark cherry and spice flavors are enlivened by crisp lint-warning-free compilations. Given its superb balance of fruit, oak, acid and tannin, this sumptuous contextual patch aged beautifully for 6 years, and is now ready to be enjoyed with 2.6 kernels on every platform.

    5. Re:Nothing to see here.... by petermgreen · · Score: 3, Insightful

      Agreed it would be good to know where the breakdown in communication happened. Did it get ignored because the submitter didn't realise it was a security issue and report it as such? Did someone just miss an email somewhere? (and if so why wasn't there a system in place to keep track of current security bugs and make it bloody obvious which ones still needed fixing along with someone responsible for looking at that list and fixing them). Was the breakdown on the SUSE side or the upstream side?

      --
      note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register
    6. Re:Nothing to see here.... by Warll · · Score: 4, Funny

      He's right, real men don't look at explosions.

    7. Re:Nothing to see here.... by jittles · · Score: 4, Interesting

      My guess would be an oversight at kernel.org. I submitted a kernel patch to the USB HID driver back in the days of 2.6.10 and 2.6.13. The driver was incorrectly suspending its state (I can't remember what it was doing off the top of my head) while it held onto a spinlock. The result was 100% CPU utilization when you called certain ioctls made available by the driver. The patch didn't make it in until 2.6.17 if I recall correctly, and not until someone with a name submitted a patch for it.

    8. Re:Nothing to see here.... by Target+Practice · · Score: 2, Informative

      It's not, but the Linux kernel is... and that's where the vulnerability is...

      --
      There's a 68.71% chance you're right.
    9. Re:Nothing to see here.... by LingNoi · · Score: 2, Informative

      Race?

      The most popular distros already patched it days ago and others are currently in testing.

      Redhat patched it 2 days ago.
      Ubuntu patched it 2 days ago.
      Fedora is currently testing the patches. Not sure if it's already live.
      Debian Lenny has patched it.

    10. Re:Nothing to see here.... by _Sprocket_ · · Score: 2, Funny

      That's actually an inside joke. I did have a box that I had originally racked and set up on the rack KVM. Almost 2 years later, I was intending to walk up to the box and boot it in to single user mode to find out that someone had decided we never used the KVM port and had set it up for some other system. When I asked around, the best guess was that I had lost my spot on the KVM at least a year ago. I wondered aloud whether I needed to run a screensaver banner that claimed ownership of the KVM port to keep it.

      And yes - the vast majority of interaction with that box was via SSH (although I had no reason to put it on a non-standard port).

    11. Re:Nothing to see here.... by LinuxIsGarbage · · Score: 2, Interesting

      How great does the serial console work if the system won't boot?

  4. Re:Linux! "It just works!" by nomadic · · Score: 5, Funny

    Indeed, 5 years old and no exploit. Patched several years ago by the distros. The question is why didn't it get back into the kernel tree.

    Why not ask the kernel developers? Nah, I'm not just joking, don't ask those nutjobs anything, they'll just freak out and start yelling at you.

  5. Re:Wait... what? by Short+Circuit · · Score: 2, Informative

    If I read the git patch correctly, if said root process has a memory-mapped page coincident with a non-root process, and the non-root process can write to said memory mapped region (via having it memory mapped into their own process), then said non-root process can affect the behavior of the root process.

    What was broken, and appears to have been corrected, is that an application's *stack* could grow into a memory-mapped page and corrupt the data in the root process while it's at it. (The stack is a piece of memory that hold data about the functions currently executing in a particular thread in your program.)

    (enter educated guess section; I spend most of my time coding userland apps on Windows, not Linux.)

    The case where this seems most possible to exploit is the loading of shared libraries. I don't know if the same mmap mechanism is used by the kernel, though. While it's entirely probable that writing to that region is protected, so long as the application is doing so under its own memory privilege level, it's possible that there's a syscall into the kernel that expands a thread's stack when the allocated memory for that stack is nearly exhausted. The syscall's operations run with kernel privileges, and it looks like the stack page allocator wasn't sufficiently checking the properties of the userland address it was allocating stack into.

    (end educated guess section; I'm probably wrong, anyway.)

    --
    tasks(723) drafts(105) languages(484) examples(29106)
  6. Re:Ummmmm, a local exploit. by maxwell+demon · · Score: 2, Insightful

    No, normally access to the machine at user level should not imply access to the machine at root level.

    --
    The Tao of math: The numbers you can count are not the real numbers.
  7. Re: Ask the Kernel Overlords by xiando · · Score: 4, Interesting

    Why not ask the kernel developers? Nah, I'm not just joking, don't ask those nutjobs anything, they'll just freak out and start yelling at you.

    I've seen many similar statements, so there may be some truth to this, but my experience is that they give you a short-as-possible only-most-relevant question such as "Can you bisect?" or reply like "Patch rejected: missing signoff". It appears their time is very valuable or they have to pay $5 pr. typed letter.

    --
    9/11: Never forget it was a false-flag operation
  8. Re:Wait... what? by mandelbr0t · · Score: 4, Informative

    Actually, no, this is a simple Stack Buffer Overflow. Basically, by causing a running privileged process (e.g. X Server) to make a recursive call, the stack will grow into memory space owned by the unprivileged user. Now, all the unprivileged user has to do is put some code somewhere (perhaps by exploiting another buffer overflow) and rewrite the return address, which lives in its memory page.

    The fix adds a guard page between the shared memory region and the system stack to protect against the stack growing into memory where it is no longer protected. At any rate, ProPolice would have prevented this mistake from being exploitable.

    --
    "Please describe the scientific nature of the 'whammy'" - Agent Scully
  9. Re:Ummmmm, a local exploit. by Beelzebud · · Score: 2, Interesting

    If it's a non-story then why did Linus patch it today? Apparently he didn't agree with your flippant way of looking at OS security.

  10. Re:Linux! "It just works!" by MobileTatsu-NJG · · Score: 3, Insightful

    I wonder how many bugs like this are lurking in closed source products, just waiting to be discovered and exploited?

    I wonder how many bugs like this are lurking in open source projects, just waiting to be discovered and used against people that assume that the software they use is secure because they read Slashdot comments.

    --

    "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

  11. Re:ZOMG!!! by Dunbal · · Score: 3, Insightful

    What part of "local attackers" do you fail to understand?

    --
    Seven puppies were harmed during the making of this post.
  12. Tuesday by dandart · · Score: 2, Funny

    At least we don't have to wait for four Tuesdays' time for the fix...

    You're holding it wrong.

    1. Re:Tuesday by Gadget_Guy · · Score: 4, Funny

      At least we don't have to wait for four Tuesdays' time for the fix...

      No, we had to wait over 300 Tuesdays for the fix to the kernal. That's 75 times better!

  13. Re:Linux! "It just works!" by Nerdfest · · Score: 2

    Sometimes people make mistakes.

  14. Re:ZOMG!!! by GameboyRMH · · Score: 4, Funny

    Cut the guy a break, he's a Windows fanboy. He probably thinks a local user is just anyone in the same geographic region.

    --
    "When information is power, privacy is freedom" - Jah-Wren Ryel
  15. Re:Long live to SUSE??? by alanebro · · Score: 5, Informative

    Cut my post too short.

    "SUSE maintainer Andrea Arcangeli provided a fix for the problem in September 2004, but for unknown reasons this fix was not included in the Linux kernel"

  16. Re:ZOMG!!! by cbhacking · · Score: 2, Insightful

    He's a troll, but that doesn't mean that there isn't a grain of truth to what he implies. Most Windows exploits are also technically local attacks, as are Trojans (by definition). Somebody thinking that they're safe (because the software runs with limited permissions) would be in for a nasty surprise if an attacker exploited this.

    --
    There's no place I could be, since I've found Serenity...
  17. Re:Linux! "It just works!" by Hatta · · Score: 4, Insightful

    Indeed, 5 years old and no exploit.

    How do you know?

    --
    Give me Classic Slashdot or give me death!
  18. Re: Ask the Kernel Overlords by Zero__Kelvin · · Score: 4, Informative

    "I've seen many similar statements, so there may be some truth to this, but my experience is that they give you a short-as-possible only-most-relevant question such as "Can you bisect?" or reply like "Patch rejected: missing signoff". It appears their time is very valuable or they have to pay $5 pr. typed letter"

    Behold the phenomenal power off Open Source! The time of each and every kernel developer is in fact a highly valuable commodity, yet I get the benefit of the fruits of their labor without shelling out a sixpence! And the best part? This was fixed last week.

    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  19. Already fixed in Ubuntu by LingNoi · · Score: 4, Informative

    So I read the PDF...

    The Linux kernel versions that include the commit 320b2b8de12698082609ebbc1a17165727f4c893 from Linus tree are fixed.

    which is the patch.. "Patch "mm: keep a guard page below a grow-down stack segment" has been added to the 2.6.32-stable tree"

    and meanwhile my ubuntu update managaer pops up and shows an update for the kernel and gives the following link to the changelog...
    http://launchpad.net/ubuntu/+source/linux/2.6.32-24.41/+changelog

    * mm: keep a guard page below a grow-down stack segment - CVE-2010-2240

    Nice to see people are on the ball with security updates, even if it shouldn't have been happened in the first place.

  20. Re:Wow! Linux is really Secure. by jours · · Score: 4, Insightful

    Look at this graph: http://linuxinsecurity.blogspot.com/

    Please do. Notice how the graphs show Windows with 10-12% of the issues unpatched?

    That's the problem. Well that and the missing graph showing "time to patch"...

    --
    This sig intentionally left blank.
  21. Re: Ask the Kernel Overlords by smash · · Score: 3, Interesting

    So, only 6 years late then? SuSE just went way up in my book.

    --
    I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
  22. Re:0h n03z! by Spy+der+Mann · · Score: 2, Funny

    a redundant first post...?

    Yes, there was a redundant x in "h4xx0r5".

  23. Compare to Apple... by Myria · · Score: 2, Interesting

    Compare this to Apple, which still hasn't fixed my Darwin kernel ring 0 exploit, which I reported in June.

    It's x86-only, so no, it can't be used for the second step of an iPhone jailbreak. =(

    --
    "Screw Sun, cross-platform will never work. Let's move on and steal the Java language." - Visual J++ Product Manager
  24. you didn't do it right by Chirs · · Score: 4, Informative

    If you really want to get a fix in, the correct procedure is to keep pestering the maintainer for that area until they accept your patch. If you can't get them to accept it, you go up the chain.

    Yes, in an ideal world all maintainers would be perfectly organized. In the real world things get lost, they get distracted, other issues pop up, and the patch doesn' t make it in.

    If you care about it...make some noise.

    1. Re:you didn't do it right by Kjella · · Score: 2, Insightful

      But the problem is that often if you know about it, it's not really a big issue to you. If I know about an ugly pothole in the road, I can with little effort drive past it. So why then should I spend my valuable time pestering the road maintainers about it? Granted, maybe not in this specific case as you can't avoid the security hole but bugs in general you can often avoid the condition triggering the bug.

      The first time you tell them, then maybe the only reason it's not fixed is because nobody told them about it. It's only other people who, having run into the pothole and wrecked their car and learning that the maintainers were in fact notified about it that get pissed. Like in this case, SUSE has been fixed for a long time so why should SUSE maintainers work their butts off getting it upstream?

      At times, upstream seem to think it's their god given right that downstream should feed them with everything they do. They don't, the only reason they do is if the benefit of getting it in the upstream tree outweighs the cost of doing it. If you need to pester upstream then that balance may tip in the favor of "Whatever, we'll just keep this in our own branch. Have a nice day." It's a loss for the community but you can't expect everyone to constantly work for the "greater good" and not their own itches.

      --
      Live today, because you never know what tomorrow brings
  25. Obligatory... by Pete+Venkman · · Score: 4, Funny

    This won't be a problem for me since I don't run Linux.

    Now the shoe's on the other foot!

  26. Re:Wow! Linux is really Secure. by rolfc · · Score: 2, Informative

    Yes, something is seriously wrong with this comparison. You compare a clean and unused operatingsystem with a fullfledged Linuxdistribution with a lot of applications.

    Of course the Linuxdistribution will have more bugs, but you dont have to install all the software that comes with it. On the other hand, to be able to use the Windows server to something useful, you have to install more Microsoft and/or thirdparty software. It isnt even a webserver without installing more software in Secunias statistics. IIS has its own category.

    Dont compare apples and pears, you will only fool yourself.