Hole In Linux Kernel Provides Root Rights

oztiks writes with this excerpt from The H: "A vulnerability in the 32-bit compatibility mode of the current Linux kernel (and previous versions) for 64-bit systems can be exploited to escalate privileges. For instance, attackers can break into a system and exploit a hole in the web server to get complete root (also known as superuser) rights or permissions for a victim's system. According to a report, the problem occurs because the 32-bit call emulation layer does not check whether the call is truly in the Syscall table. Ben Hawkes, who discovered the problem, says the vulnerability can be exploited to execute arbitrary code with kernel rights. ... Hawkes says the vulnerability was discovered and remedied back in 2007, but at some point in 2008 kernel developers apparently removed the patch, reintroducing the vulnerability. The older exploit apparently only needed slight modifications to work with the new hole."

Serve them right

That's why those of us in the know stick to 8-bit Linux kernal.

Re:Serve them right

[iGaucho]

And that's why I use OpenBSD :)

Re:Serve them right

I thought that was because you were a pretentious wanker?

Re:Serve them right

[DiegoBravo]

Thank you Adobe! you saved my machine!

Re:Serve them right

[jamesh]

And those even more in the know use a two-bit operating system like Windows :)

Re:Serve them right

[jc42]

And that's why I use OpenBSD :)

I thought that was because you were a pretentious wanker?

It's quite possible to have two independent reasons for doing something.

Re:Serve them right

[grcumb]

1 bit operating systems are totally impossible to infect though.

That's true!

... Or false...

Re:Serve them right

[Kymermosst]

Linux is often the better choice for desktop usage when security is not an issue.

Security is *always* an issue. Especially on the desktop. One merely needs to look at the large botnets comprised entirely of zombie Windows machines to understand why.

Re:Serve them right

[allaunjsilverfox2]

http://lng.sourceforge.net/ Always provide your sources. :p

Re:Serve them right

[Gordonjcp]

While OpenBSD doesn't have a perfect record for security

OpenBSD has got a *terrible* record for security. The illusion of security is only maintained because every time someone discovers a gaping exploit in OpenBSD, Theo moves the goalposts on what he considers a security hole. Just look at all the descriptions of "errata" for OpenBSD - bugfixes for security holes!

Theo is like that kid who, no matter what game you were playing, would always start making up bullshit rules whenever he started losing. Like, "Tag! You're it!" "No I'm not it, that tag didn't count because I'm uh... I'm near this rock".
Don't be that kid. That kid is a dick.

Perhap the kernel's size is becoming too unweildy

I mean this is what, the third 'reverted' security patch we've heard about in the recent past that needed replacement?

Maybe it's time to seperate out core kernel code and the arch specific stuff into seperate modules with seperate administration. Git would make this easy, so why aren't we seeing it done?

Patch

For those who compile from source, here is the patch:

---kernel.c
+++kernel.c
@@ -1,1 +1,1 @@
- void goatse(long cx) {
+ void goatse(int cx) {

The change from long to int closes the massive hole.

Re:Patch

[larry+bagina]

The C standard doesn't specify sizes but requires that

sizeof(long) >= sizeof(int) >= sizeof(short) >= sizeof(char)

so if a char is 32-bit, a short must be 32-bit (or more) as well. C-99's <stdint.h>, requires typedefs (eg, uint8_t, int8_t) for 8, 16, and 32-bit signed and unsigned integers.

Re:Perhap the kernel's size is becoming too unweil

[siride]

You're talking about git submodules and I'm gonna go ahead and guess that the answer you'll receive from the kernel folks about that is a big fat "no". Maybe if Git had usable project hierarchies, things might be different.

Also to note: even Git can't fix stupid policy or stupid programming decisions.

Re:Perhap the kernel's size is becoming too unweil

And that has to do with linux?... Oh thats right nothing.

Pointing at what other people are doing wrong so you can look better makes you look like an ass in the long run. People notice it. Stop doing it and worry about what you are doing...

Root escalation is a serious issue but instead of figuring out 'hey how can we stop this from happening again' you are busy saying 'look see teh windowz sux'.

uh ok...

Re:Perhap the kernel's size is becoming too unweil

[AnonymousClown]

He is probably referring to the bout of security fixes for windows 7 with the same wording.. there has been quite a few of them lately.

And that's relevant to this thread how again?

Might as well start posting stuff about Chewbacca.

Maybe Linux' kernel is too big?

Chewbacca lives on Endor wihout any Linux or Windows computers ....

Re:Doesn't work

[93+Escort+Wagon]

You are too stupid to live....

I guess for people like you, next time I need to add...

*** BEGIN JOKE ***

and

*** END JOKE ***

If that's still not enough - I can incorporate the blink tag and some colored fonts.

Error in title

Root is a privilege, not a right.

Patch

[Frankie70]

You can get a patch here.

Re:Doesn't work

[TheRaven64]

protip: If you need markup to indicate your joke, you might be using a different definition of 'joke' to your readers.

Patches are available

[Athanasius]

If you know how to drive git you could try applying these:

• commit eefdca043e8391dcd719711716492063030b55ac:
  x86-64, compat: Retruncate rax after ia32 syscall entry tracing
• commit 36d001c70d8a0144ac1d038f6876c484849a74de:
  x86-64, compat: Test %rax for the syscall number, not %eax

there is a workaround of disabling 32bit binaries (I'd paste a link if Google Chrome dev channel would let me... for some reason I can only paste into /.'s comment box before I've typed anything else, I'll follow-up with it), but of course you may need them depending on what your machine does.

There's also a separate issue that also gives local root, fixed by:

• commit c41d68a513c71e35a14f66d71782d27a79a81ea6:
  compat: Make compat_alloc_user_space() incorporate the access_ok()

I'm running a kernel base don 2.6.35.4 but with all 3 of those commits applied (note the last one tries to modify an arch/tile/ file which doesn't exist in 2.6.35.4, just ignore that) and can confirm that neither exploit works.

Re:Patches are available

[dumfrac]

It is already patched in Debian: http://www.debian.org/security/2010/dsa-2110http://www.debian.org/security/2010/dsa-2110

Re:Perhap the kernel's size is becoming too unweil

[Runaway1956]

No, Linux sucks, but it sucks a lot less than Windows. I mean, the "fix" is already out. My update reminder has been sitting in the taskbar ever since I woke up. Every time my mouse rolls over my autohidden taskbar, I get a flash of red to remind me about the kernel update. I've ignored it, because the exploits are simply not deployed. Unlike Windows, where there are thousands of exploits deployed, some of them sitting on servers waiting for the opportunity to do a "drive by" installation. When it is convenient for me to do so, I'll download the update, and apply it.

Re:But...but...

[houstonbofh]

Linux is better than Windows.

better != perfect

Bit late to be news

[0123456]

Ubuntu, at least, has already released the patch as a kernel upgrade; it was fixed early in the week so I presume most other distros have too.

Re:Bit late to be news

[melikamp]

Slackware forum has a link to the white hat's page. Here you can get a very neat proggy that will root you in less than 200 if you are still unpatched.

Re:Bit late to be news

[jroysdon]

RHEL was never affected. Red Hat BugID 630551 states:
"This issue did not affect the version of Linux kernel as shipped with Red Hat
Enterprise Linux 3, 4, and 5 as it did not include upstream commit 7034632d
that introduced the problem. It did not affect Red Hat Enterprise MRG as the /dev/sequencer device file is restricted to root access only."

Further, Red Hat states for CVE-2010-3080 that the commit upstream that brought the bug back was never allowed into Red Hat kernels:
"This issue did not affect the version of Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, and 5 as it did not include upstream commit 7034632d that introduced the problem."

I guess you get what you pay for.

I'll be curious to see in the next few days if downstream from Red Hat followed Red Hat's same kernel compile options. Some prominent downstream versions would be CentOS and Oracle's OEL.

Re:Perhap the kernel's size is becoming too unweil

[wampus]

Not interesting enough. Rewriting something that already works is where it's at.

Re:Perhap the kernel's size is becoming too unweil

[X0563511]

I've seen far too many rooted servers to agree with you about the deployment issue.

Re:Perhap the kernel's size is becoming too unweil

Also, since the kernel is fairly 'well documented', we should be able to tell WHO is responsible for removing the patch, and reintroducing the vulnerability.

Perhaps, we could ask them why such a thing happened, and whether the linux community needs to backtrack this specific dev/s, kernel patching to date.

You want to talk about 'quality control' in the open source world, here it is right in front of us. Will it be done properly and thoroughly?

code comments?

[Cyko_01]

Hawkes says the vulnerability was discovered and remedied back in 2007, but at some point in 2008 kernel developers apparently removed the patch, reintroducing the vulnerability

and this, my friends, is why we add comments to our code

Re:code comments?

> and this, my friends, is why we add comments to our code

It's also a good argument for regression testing.

Re:Perhap the kernel's size is becoming too unweil

[mysidia]

Yeah... at this point i'm wondering if there are some kernel developers who like there to be security bugs in the kernel?

Why else would they revert the security patch? Polticial reasons? They don't like the fix?

Or perhaps some of the kernel developers a black hats working covertly, and the 'fixes' cause them problems exploiting their secret bugs.......

Re:Perhap the kernel's size is becoming too unweil

[melikamp]

A LOT of hosts still get rooted because of weak passwords. A LOT of valuable hosts get rooted through social engineering. Just because you've seen rooted hosts, doesn't mean that there is any wide-scale deployment of anything.

Re:exploited

[koreaman]

<META content="MSHTML 6.00.2900.2180" name=GENERATOR>
<META content=FrontPage.Editor.Document name=ProgId>

Classy.

Re:Let's pretend Slashdotters are clueless

[ifiwereasculptor]

I believe (consider to be the truth) you're nitpicking.

Re:Why is there anything 32 bit on a 64 bit server

[dbIII]

I've got some very expensive commercial software on my nodes which is produced by utter idiots that have put 32bit binaries in directories called "linux64". They've been migrating their stuff from 32bit to 64bit since 2003 so they'll get there eventually. Until then it's a mixed system with a lot of undocumented messing about to install their software.
Everything else on there was compiled for 64 bit.

Re:Perhap the kernel's size is becoming too unweil

[MichaelSmith]

You're talking about git submodules and I'm gonna go ahead and guess that the answer you'll receive from the kernel folks about that is a big fat "no". Maybe if Git had usable project hierarchies, things might be different.

Also to note: even Git can't fix stupid policy or stupid programming decisions.

If ever there was a case of missing the forest for the trees, it's this right here.

Its a bug tracking issue, not a a version control issue.

Re:Perhap the kernel's size is becoming too unweil

[mysidia]

1 reverted security patch is a mistake.
2 reverted security patches is a major mistake
3 unintentionally reverted critical patches in 6 months is a pattern of major fuck-ups.

I'm not saying people don't make mistakes. Part of the purpose of version control is to prevent such accidental reversions.

A pattern of reverting security changes, and not detecting those reversions before the software goes to world-wide release is pretty inexcusable, in most reputable development firms... people would get fired over this.

I suppose an interesting characteristic of the OSS development module is you can't fire people for screwing up, because they're not paid in the first place, they can follow slipshod practices as much as they like, with 'accidental' reversions or other changes all over the place

Gentoo Hardened nomultilib

[Laebshade]

News like this makes me smile that I decided to use Gentoo Hardened 64-bit nomultilib whenever I built servers. Makes it harder if the software needed to run is only available as 32-bit binaries, but I haven't run into any yet that I've needed.

Since it has no 32-bit emulation layer, this is probably one of the few 64-bit linux not affected (without a patch).

Re:But...but...

[wampus]

It's also part of the reason behind the slow turnaround time on patches coming out of Redmond. They do regression testing.

Re:Confirmed

That's what you get for using Ubuntu on a server!

Immediate community action and timely patches?

If that's what we get, then thank you, Ubuntu.

Re:Why is there anything 32 bit on a 64 bit server

[melikamp]

The vulnerability is affecting kernels compiled with 32-bit compatibility support. Enabling this option seems to be the default, even on x64 systems that do not have 32-bit libraries and cannot execute 32-bit binaries. You can say

zcat /proc/config.gz | grep CONFIG_IA32_EMULATION

to see if you have it on. More info, and the origina hack.

Re:Doesn't work

[Bing+Tsher+E]

Who the fuck calls that superuser?

All I had to do was turn around and reach at the bookshelf behind me:

"But we must warn you: there is a special user on every UNIX system, called the super-user, who can read or modify any file on the system. The special loginm name root carries super-user privledges...."

from page 52, "The UNIX Programming Environment", Brian W. Kernigan & Robert Pike, Prentice Hall, 1984.

Re:Unit Tests

[psyclone]

In theory, you can write a unit test to cover anything and everything you want. In practicality, the amount of code to perform expansive unit tests quickly dwarfs the amount of code in the product you are testing.

Like the summary said, the old attack didn't work exactly, it had to be tweaked slightly. Even if you had a unit test for this situation, it most likely would have passed (meaning the test exploit would fail).

Re:Unit Tests

[mysidia]

The test doesn't have to detect exploitability, only that the bug is still present (or not).

Re:Perhap the kernel's size is becoming too unweil

The offending patch was authored and committed by a Redhat developer. Since this guy made his own company's product insecure for their clients, I'd say that Redhat could very well fire him. Whether they will or not depends on the company. Besides, do you know of a Microsoft (or any closed source software company) employee being fired based on their coding vulnerable software? How about a CEO being fired for selling vulnerable software to the public? Where's the accountability there?

Errare Humanum est

[cyrilc]

The fact that because we can't fire developers makes it an incentive to bad coding practices is not an argument:

for some people (esp. Linux developers where pride is an important fuel to their creativity), being pointed out in public by such bad behavior is much worse than being fired in the equivalent closed software company.
Moreover, you will never know how many developers in a closed model had turned a simple patch into a remote exploit and if the culprit was really fired afterward esp. if it's a core developer (the one that knows everything and that you can't fire).
I think I can remember at least one Windows bug few years ago that was very much like another that was closed but there are some many 0-day and remote exploits that is becomes difficult to keep track.

Re:Why is there anything 32 bit on a 64 bit server

All 64-bit systems from Intel and AMD also come with some level of SSE. It comes along the address space "for free" because it became a standard feature by the time 64-bit machines came around. GCC, by default takes advantage of SSE when you target x86_64.

Many distributions do not enable stuff like SSE when compiling 32-bit packages. It wasn't there for i386 or i586. Whats more is the same 32-bit packages built for the all 32-bit installs are used to provide the 32-bit land on 64-bit systems. I tried some time ago to make a 32-bit program preform just as fast as the 64-bit program. No matter what flags I threw at the compiler the 32-bit version always lagged behind the 64-bit version because the 32-bit user space wasn't optimized to take advantage of newer processor features. In short I would have had to recompile all of 32-bit land to match performances.

I've yet to encounter a situation where 64-bit builds were slower. It is at least no worse, and often better. In my experience switching to a 64-bit system is about more than just address space. I'm sure you could build a 32-bit system to preform nearly as well... but really what's the point?

I may not need the extra address space, but it certainly doesn't seem to hurt me any. Given the tag-along-extras I get with it... seems like a good deal to me.

Re:Perhap the kernel's size is becoming too unweil

in most reputable development firms... people would get fired over this.

Which dream world do you live in?

Re:Doesn't work

[x2A]

cd /usr/src/linux &&
grep -ilE 'super.?user' `find . -iname *.[ch]`

arch/avr32/mm/cache.c
arch/h8300/include/asm/cachectl.h
arch/ia64/kernel/unaligned.c
arch/m68k/include/asm/cachectl.h
arch/m68k/kernel/sys_m68k.c
arch/parisc/hpux/sys_hpux.c
arch/x86/kernel/apm_32.c
arch/x86/kernel/ioport.c
drivers/char/apm-emulation.c
drivers/char/rio/errors.h
drivers/char/rio/rioctrl.c
drivers/net/wireless/airo.c
drivers/scsi/megaraid.c
drivers/scsi/megaraid/megaraid_mm.c
drivers/staging/vt6655/iwctl.c
drivers/staging/vt6656/iwctl.c
fs/cachefiles/daemon.c
fs/ext4/mballoc.c
fs/fcntl.c
fs/namei.c
fs/ntfs/super.c
fs/smbfs/file.c
fs/ubifs/budget.c
fs/ufs/ufs_fs.h
fs/unionfs/sioq.c
fs/utimes.c
fs/xfs/quota/xfs_qm.c
fs/xfs/quota/xfs_qm_syscalls.c
fs/xfs/xfs_quota.h
include/linux/acct.h
include/linux/dqblk_xfs.h
include/linux/fd.h
include/linux/keyboard.h
include/linux/random.h
include/linux/sched.h
include/linux/shm.h
include/net/sock.h
kernel/kexec.c
kernel/sys.c
kernel/sysctl.c
kernel/time/ntp.c
mm/mempolicy.c
mm/migrate.c
mm/oom_kill.c
net/core/dev.c
net/core/sock.c
net/netlink/af_netlink.c
net/netrom/af_netrom.c

(full disclosure: I also piped it thru |sed -e 's/^\.\///g' for formatting purposes (slashdot puts it all one one line if they begin with ./ for some reason) and |sort because I'm just like that)

Re:exploited

[mr_mischief]

You should have included the next two as well:

A Windows-specific character set and a looping nonexistent background sound. Heh.

Re:Why is there anything 32 bit on a 64 bit server

[mr_mischief]

Around 15% to 25% of revenues going to customer acquisition and retention (marketing, sales calls, rebates, incentives, whatever) is a pretty common budgetary decision in US businesses. So yeah, after payroll, facilities, and other operating costs marketing and sales are a major expense. The most common advice I get as a small-business owner both online and in person from other business owners is 20%.

I've heard as low as 10%, but that's still a big chunk of the budget. I've also heard of people spending as high as 40% of revenues for a short period when entering a new market segment.

It's informative to stick "how much to spend on marketing" into a search engine and see what the different magazines, forums, and blogs say. Different industries of course have slightly different needs, but at least 10% and not more than 30% under normal circumstances should be a decent starting place for considering what to spend.

Re:Perhap the kernel's size is becoming too unweil

[Bungie]

Yeah but none of those exploits is in the Windows 7 kernel itself (which is rarely ever patched). They'll all be related to other components distributed with the operating system. This could be many things including Windows Media Player and IIS. If you want to compare the number of Linux patches with Windows Updates you would need to compare the Windows patches to the patches of s Linux distro not just the Linux kernel itself.

Re:Perhap the kernel's size is becoming too unweil

[jeremyp]

I don't believe ridicule was mentioned.

Anyway, no matter how painful it might be for the person who reverted the patch, the issue does need to be investigated in order to find out how to detect other instances and how to stop it from happening again.

Re:Perhap the kernel's size is becoming too unweil

[asquithea]

Actually, I think it's a code quality issue.

Look at http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.35.y.git;a=commitdiff;h=d4d67150165df8bf1cc05e532f6efca96f907cab

It seems to me that the critical line of code reloading EAX was deleted because the committer couldn't see why it was necessary, and there was no comment in the code to explain its purpose. With no comment, and no unit test to guard against regressions (and I recognise that isn't always practical), this was an accident waiting to happen.

Re:Perhap the kernel's size is becoming too unweil

[jedidiah]

> So if you can't find any real reason why Linux is better, you just lie about the competition?

Lying simply isn't necessary.

Windows is in the habit of running untrusted binaries often without knowledge or permission of the user.

THIS aspect of WinDOS makes it far more vulnerable than anything else to any sort of problem that starts out as a local root exploit.

Re:Perhap the kernel's size is becoming too unweil

[jedidiah]

> Well, vast majority of pwned Windows boxes end up that way due to
> operator error, not some code exploit - you know, users clicking
> on boobies!.jpg.exe links in mails and such. It's not something
> you can truly fix, short of making an iPad.

Nonsense. You can make it a little harder for end users to do stupid things when prompted by a website.

Talk about "moving goalposts".

NO ONE using ANY OS should ever have to worry about the act of loading data causing malware to run instead.

This is just retarded and should have been stopped a long time ago.

Re:In Soviet Russia!

[Tony-A]

Unfortunately the Burroughs refused to run mainframe software with such bugs. Burroughs died.
IBMs ran such software without complaint. IBM survived.
Since the programs certainly had some design errors, it really becomes a question of which erroneous behaviors are silliest. Often the "most correct" are the silliest.

Re:In Soviet Russia!

[BrokenHalo]

I'm sorry, but as a Burroughs B3700 guy, it's really hard to watch a VMS guy get a chuckle at somebody else given their chosen OS's inferiority and not have a chuckle about it myself.

And yes, I actually was a B3700 guy. Now get off my lawn. ;-)

Re:Doesn't work

[Kjella]

try for example "man su":

NAME
              su - change user ID or become superuser

or sudo, but you'll have to all the way down to the description:

DESCRIPTION
              sudo allows a permitted user to execute a command as the superuser or another user

Outside geek circles "root" doesn't mean anything, but superuser is at least somewhat meaningful. Though most don't actually deal with it at all anymore, they're in a sudo group so they only ever user their account and some applications ask them to reenter their password to become administrators. To most people "root" is more like "system" than "superuser" to most people these days.