Slashdot Mirror


Linux Kernel Exploit Busily Rooting 64-Bit Machines

An anonymous reader writes "Running 64-bit Linux? Haven't updated yet? You're probably being rooted as I type this. CVE-2010-3081, this week's second high-profile local root exploit in the Linux kernel, is compromising machines left and right. Almost all 64-bit machines are affected, and 'Ac1db1tch3z' (classy) published code to let any local user get a root shell. Ac1db1tch3z's exploit is more malicious than usual because it leaves a backdoor behind for itself to exploit later even if the hole is patched. Luckily, there's a tool you can run to see if you've already been exploited, courtesy of security company Ksplice, which beat most of the Linux vendors with a 'rebootless' version of the patch."

488 comments

  1. But wait by drinking12many · · Score: 3, Insightful

    I thought only Windows got exploited this way.... oh that's right, all OSes do.

    1. Re:But wait by sirrunsalot · · Score: 1, Interesting

      oh that's right, all non-Apple OSes do.

      FTFY.

    2. Re:But wait by similar_name · · Score: 3, Insightful

      Ah, if that is true then it only means Linux is more popular than Apple. Zing.

    3. Re:But wait by IICV · · Score: 5, Informative

      It's a local user privilege escalation exploit. Every OS has those. What it means is that if someone can get in to your computer as a local user (or gain control of a process that runs as a local user, such as the web server process), then they can gain root access to your system.

      However, the first step - getting in as a local user - is really really hard on most servers. Unless you're handing out local user accounts to people left and right (like a university cluster or something), it's going to be nearly impossible for Joe Random Hacker to get control of a local user account.

      You know how it's generally held to be true that if you have physical access to a running machine, the only thing stopping you from getting root access to it is time? Well, the next step up (in terms of difficulty) is not having physical access, but having access to a local user account.

      The exploits that work on Windows, on the other hand, are ones where someone who doesn't even have local user privileges - who's just looking at your website - can get root access, like the one Slashdot posted here.

    4. Re:But wait by Anonymous Coward · · Score: 0, Insightful

      I'm surprised you can type so well with Steve's cock in your mouth.

    5. Re:But wait by man_of_mr_e · · Score: 5, Insightful

      Uhh.. dude. Seriously. Did you even think about this?

      Your web browser runs as a local user. If there is a flaw in your web browser (and all of them have had plenty), then they can use that flaw, just by looking at a web site, to gain root access to your machine using this vulnerability.

      So yes. This *IS* the kind of flaw that just looking at someones web site can exploit, if they can also attack your web browser (which is typically pretty easy to do as most people aren't always up to date).

    6. Re:But wait by udippel · · Score: 0, Redundant

      Nope. If you are no fool. Because any good web server is set up to run as a local user, yes, but one without any command interpreter. For example /bin/false. Or /sbin/nologin.
      "Please, go away!" is what you might get.

      And don't get me started on chrooted/jailed/zoned Apache.

    7. Re:But wait by man_of_mr_e · · Score: 4, Insightful

      What part of Web *BROWSER* did you not understand?

      I said nothing about a server. Even so, you don't need a shell to execute arbitrary code. You just need to be able to overflow a buffer or some other kind of attack. A shell is meaningless.

    8. Re:But wait by udippel · · Score: 0

      Conceded.
      And who gets local access on your local browsing machine? That would have to be a malicious site. And then, there is nothing to be seen here; because those exist by the thousands, with or without this exploit. No, I don't want to play down this big, bad, hole.

    9. Re:But wait by Edzilla2000 · · Score: 4, Informative

      You mean, like the iphone and the pdf exploit that allowed any website to root it?

    10. Re:But wait by Joce640k · · Score: 1

      The trick is to combine this with another exploit that would normally only get you normal user access.

      --
      No sig today...
    11. Re:But wait by node+3 · · Score: 0

      Except it was never actually exploited. Everything out in the wild that used this did it in order to aid the user's intentions.

      Not that this has any bearing on this whole thread of nonsense, just clarifying a point.

    12. Re:But wait by TheRaven64 · · Score: 4, Funny

      No, Apple devices do not have security vulnerabilities to exploit. They do sometimes have remote-user-friendly jailbreaks, but that's an entirely different thing.

      --
      I am TheRaven on Soylent News
    13. Re:But wait by Anonymous Coward · · Score: 0

      root can easily break out of chroot. And the login shell is only used if you actually log in to the account. If you just inject code into the webbrowser or webserver, once you've broken out of the chroot, you'd just exec /bin/sh.

    14. Re:But wait by grumbel · · Score: 1

      Your web browser runs as a local user. If there is a flaw in your web browser (and all of them have had plenty), then they can use that flaw, just by looking at a web site, to gain root access to your machine using this vulnerability.

      If you are talking about web browser, you are likely running them on your desktop, not your server. And on your desktop gaining access to your user account is already so damn close to the worst case, that gaining root access in addition hardly makes much of a difference.

      Gaining root is really only a big issue when it comes to multiuser machines.

    15. Re:But wait by xaxa · · Score: 1

      Conceded.
      And who gets local access on your local browsing machine? That would have to be a malicious site. And then, there is nothing to be seen here; because those exist by the thousands, with or without this exploit. No, I don't want to play down this big, bad, hole.

      No matter how malicious a site, it shouldn't be able to do anything bad to the computer running the web browser. If it can, there's a bug. If it can get root access, there's a severe bug.

    16. Re:But wait by Edzilla2000 · · Score: 3, Insightful

      How exactly do you know it was never exploited?

    17. Re:But wait by Anonymous Coward · · Score: 0

      You idiot. A shell is nothing more than an application that is designed to run external processes according to the user interaction. Do you actually believe that exploits are written in Bash?

    18. Re:But wait by MrHanky · · Score: 1

      Except that was never actually reported.

      Fixed that for you.

    19. Re:But wait by Lumpy · · Score: 1

      Exactly, so if the twit cant get into your machine he cant root it.

      Welcome to slashdot - the Tabloid of the tech world...

      Tomorrow: "New exploit will ROOT your computer even if it's off! See all the gory details in our EXCLUSIVE! it works on every OS that exists!"

      --
      Do not look at laser with remaining good eye.
    20. Re:But wait by Lumpy · · Score: 2, Funny

      I agree, the web browser is highly insecure. Anyone that cares about security will not run one.

      --
      Do not look at laser with remaining good eye.
    21. Re:But wait by CarpetShark · · Score: 2, Funny

      What part of Web *BROWSER* did you not understand?

      IE's rendering engine? ;)

    22. Re:But wait by owlstead · · Score: 4, Insightful

      As a home user, I'm always a bit aghast when people determine that preventing access to root is my biggest priority.

      If they've got access to my browser, this means that they now have access to all of my documentation, and have the ability to run programs (e.g. through my .bin and .profile files) including full access to the internet.

      I mean, they've got my data, they've got the power to run applications and they've got full internet access. I'm personally not that worried about root access - if they break through the browser barrier I'm basically f*cked already.

      (yes, yes, I know, SELinux and such could protect me if I configure them correctly. Not even I can easily do that however, and nobody that I know would go that far).

    23. Re:But wait by Gazoogleheimer · · Score: 1

      It's a feature!

    24. Re:But wait by man_of_mr_e · · Score: 1

      Really? Tell that to the army of zombies out there running on single user machines.

    25. Re:But wait by ultranova · · Score: 2, Insightful

      Even so, you don't need a shell to execute arbitrary code. You just need to be able overflow a buffer or some other kind of attack.

      Yeah. If only we had some way to prevent that - some kind of programming language feature where all buffer accesses were automatically checked by the machine. But Real Men Manually Manage Memory, and usually badly.

      --

      Forget magic. Any technology distinguishable from divine power is insufficiently advanced.

    26. Re:But wait by Abstrackt · · Score: 1

      That's why I run emacs instead!

      --
      They say a little knowledge is a dangerous thing, but it's not one half so bad as a lot of ignorance. - Terry Pratchett
    27. Re:But wait by WindBourne · · Score: 1

      Of course, the big difference is that when security firms are running around screaming about Windows roots, it turns out that you really have been rooted. OTH, when these same security firms scream about the same thing on Linux, what they forget to mention is that somebody had to be on your system (difficult on Linux), or that it was exactly the 5th Monday after the 10th Chinese year, etc. etc. etc.

      IOW, just like MS, these security firms lie esp. when it comes to Linux. At the least, they blow up the story and make it something that it really is not.

      --
      I prefer the "u" in honour as it seems to be missing these days.
    28. Re:But wait by Thelasko · · Score: 1

      yes, yes, I know, SELinux and such could protect me if I configure them correctly. Not even I can easily do that however, and nobody that I know would go that far

      AppArmor for Ubuntu isn't too difficult. The default settings are good for most users, you just have to install them and set them to enforce.

      IIRC it's something like
      sudo apt-get install apparmor-profiles
      sudo enforce firefox

      A nice instruction manual can be found here.

      --
      One of our competitors trademarked the term "hypothesis". From now on, we will call them "boneheaded ideas".
    29. Re:But wait by jedidiah · · Score: 1

      > I thought only Windows got exploited this way.... oh that's right, all OSes do.

      No. On Unix you've got to run the local exploit yourself.

      On Windows, the local exploit will happily run as some sort of disguised PDF or screensaver.

      It's not the exploit so much as it is the attack vector.

      --
      A Pirate and a Puritan look the same on a balance sheet.
    30. Re:But wait by jedidiah · · Score: 1

      > I agree, the web browser is highly insecure. Anyone that cares about security will not run one.

      Or you can just run with scripting off by default.

      Running untrusted binaries disguised as documents isn't something that you should be doing and it's not something that your OS and applications should make easy for you either.

      A local root exploit doesn't matter so much when all of your own personal data is already deleted.

      --
      A Pirate and a Puritan look the same on a balance sheet.
    31. Re:But wait by Culture20 · · Score: 1

      What part of Web *BROWSER* did you not understand?
      I said nothing about a server. Even so, you don't need a shell to execute arbitrary code. You just need to be able overflow a buffer or some other kind of attack. A shell is meaningless.

      GP was obviously confused because you replied to GGGP with a mention of a web browser, but GGGP was talking about web servers:

      The exploits that work on Windows, on the other hand, are ones where someone who doesn't even have local user privileges - who's just looking at your website - can get root access, like the one Slashdot posted here

    32. Re:But wait by GameboyRMH · · Score: 1

      (yes, yes, I know, SELinux and such could protect me if I configure them correctly. Not even I can easily do that however, and nobody that I know would go that far).

      Just use AppArmor, it's super easy. On Ubuntu AppArmor profiles are even installed automatically now with apps like Firefox and evince, and IIRC AppArmor has been on by default since Karmic. And it doesn't get in the way and bitch all the time like SELinux, once the profile's set up properly (and I haven't had to mess with one in a long time) you don't even notice it's there.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    33. Re:But wait by PenisLands · · Score: 0, Troll

      Hah hah hah hah, you're a real cocker now. What part of *PENIS* do you not understand?

    34. Re:But wait by Scott+Wood · · Score: 1

      The point is that zombies, and many other things that you really don't want to happen to your single-user machine, can happen without root access (though probably with reduced ability to hide their activities).

      It's increasingly making sense to put security boundaries between apps (especially Internet-facing ones), not just users -- at which point this is not just relevant to "multi-user" systems.

      BTW, desktops can certainly be multi-user, whether it be multiple people that have legitimate physical access to the machine, a desktop that's also doing some server duties, etc.

    35. Re:But wait by dropadrop · · Score: 1

      For a *nix admin it's far more difficult to clean up after somebody who had root access rather than somebody who did not. I expect 99.9% of everybody (assuming there were others than the one server mentioned in the headline) who had their machine rooted over this was hosting providers / universities offering shells to users. Yes, this could also be exploited via other mechanisms (some not so serious remote exploit used to get local access, then this to gain root), but this is the most likely scenario.

      Also from the point of view of somebody who has worked as both an admin and in security teams, I've seen plenty of cases where vulnerabilities such as this were downplayed (as nobody untrusted will have local access). I've also seen cases where some trivial vulnerability in a library was used to upload and run code that used another exploit to gain root... Actually I would imagine lots of companies are still running vulnerable versions of Apache Struts - or at least were for months while waiting for the maintainers to get their head out of their ass and release a patch (few weeks ago) for a vulnerability which was being actively exploited during the months it took to get through the users voting process.

    36. Re:But wait by Compaqt · · Score: 1

      Real men run Lynx^H^H^H^H wget!

      --
      I'm not a lawyer, but I play one on the Internet. Blog
    37. Re:But wait by GameboyRMH · · Score: 1

      Tomorrow: "New exploit will ROOT your computer even if it's off! See all the gory details in our EXCLUSIVE! it works on every OS that exists!"

      It wouldn't be the first time. With a 5-digit UID you must have seen one of the many stories hyping physical access "exploits" like this.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    38. Re:But wait by Anonymous Coward · · Score: 0

      Why yours is so small.

    39. Re:But wait by Rockoon · · Score: 1

      For a *nix admin it's far more difficult to clean up after somebody who had root access rather than somebody who did not.

      Not in this little place we call reality.

      In reality you never know if they had root access or not, so regardless of whether they did or did not, you must assume that they did.

      This idea that OSes that make an effort to protect their own files are somehow easier to clean up is absurd. The act of running malware, no matter how unprivileged its session, means the whole machine now cannot be trusted, and any user with access that is up to no good also means the whole machine cannot be trusted. The airlock is only good when it remains closed.

      --
      "His name was James Damore."
    40. Re:But wait by FoolishOwl · · Score: 1

      I tried using my browser with NoScript for a few months. In practice, I found that every Web site I visited had scripting -- the only exception to that rule was a simple Web page I'd written to test whether a Web server was working. So, visiting a Web page always involved temporarily enabling scripting, then reloading the page.

      In effect, Web pages are now frameworks for scripts. No scripts means no Web use.

    41. Re:But wait by CheerfulMacFanboy · · Score: 1

      You mean, like the iphone and the pdf exploit that allowed any website to root it?

      Errm, first of all those were two unrelated exploits. Second, the same PDF exploit also worked on Linux. And together with the exploit we're talking about here, any website can root Linux. Ooops.

      --
      Fandroids hate facts.
    42. Re:But wait by Anonymous Coward · · Score: 0

      Exactly. How many times do we have to listen to this crap. Local user privilege escalation holes are a dime a dozen. This isn't Windows though where anyone and everyone is a local user. On a Linux server, you need to be made a local user with a full shell access, and only idiots give that to people in 2010 even on school servers.

      Is it a problem, you betcha. Is it worth making a fuss about? Nope.

      Steven

    43. Re:But wait by phoenix321 · · Score: 1

      Cleaning up is a whole lot easier when the OS protects itself reasonably well. Infecting is a whole lot harder as well.

      Take a known-good machine, burn a virus scan live CD from a known-good image, scan the machine in question while its OS is not running. If no virus or rootkit is found, treat the machine as trusted. Keep the image in a safe place to repeat the process in 2 weeks, when newer signatures can be downloaded by the live CD.

      That is not perfect, but in the real world, no one can reinstall the whole machine every day after a malicious website has been visited by a user.

      The difference between an OS that protect itself vs. an OS that doesn't can easily be observed by connecting two Windows machines directly to the Internet. One running Win95, the other Win7. With both of them having a public, routable IP, they will sooner or later get infected. The OS that gets infected last is the winner.

    44. Re:But wait by bonch · · Score: 2, Insightful

      Yeah, let's ignore public market share figures saying otherwise.

    45. Re:But wait by CarpetShark · · Score: 1

      some kind of programming language feature where all buffer accesses were automatically checked by the machine.

      God, yes! Visual BASIC could save us all, if we'd only repent and believe.

      http://www.microsoft.com/technet/security/bulletin/ms04-028.mspx ;)

    46. Re:But wait by Lokitoth · · Score: 1

      Or you need to find a hole in a program that the local user ran on a piece of data supplied by you.

    47. Re:But wait by owlstead · · Score: 3, Insightful

      Yeah, super-easy. Just learn YET ANOTHER fucking configuration file setup, figure out why usr.bin.firefox is in the /etc/apparmor.d/disable folder, figure out that you have to use the "enforce" command line utility, figure out why that does not change any status for firefox and figure out why the fuck I am bothering in the first place. And that for something for which I wonder if it is still maintained at all. Reading the FAQ was interesting, but do you really want users to care if the system uses inodes or paths? More to the point: *should* users know that kind of crap?

      Come on guys, when are you going to learn that this way of handling systems is something for sysadmins that care to know what the system does? I don't have the time to go into this, let alone prove that it actually works for my setup.

      Thanks for pointing out the app, but I'll pass.

    48. Re:But wait by Anonymous Coward · · Score: 0

      Sure, just about every site wants to run scripts these days. But how many of them *require* the scripts to run to be usable? In my experience, quite few. Many of the sites that require scripts to be usable are garbage, barely usable to begin with, and aren't worth visiting anyway--relying purely on Flash (band and movie sites). And it's even more rare to require even a single one of those (sometimes dozen-plus) third-party scripts to get the page to work correctly.

      I run NoScript and only allow the sites I frequently use and trust to use scripts; all others are not allowed by default, and they get "temporary" permissions. At the very least, it wouldn't hurt anyone to allow just the top-level domain to run scripts by default, and manually add permissions later for third-party sites if you need to. The biggest pain in the ass with NoScript is that it seems every time you wake up, eat, shit, etc., the damn thing wants to update... that gets f***ing annoying. All the damn time. It's even worse when you run it on more than one computer.

    49. Re:But wait by Zalbik · · Score: 1

      2 things:

      1) Getting local access (as indicated) just requires taking advantage of a flaw in any software you run that connects to the internet. The difficulty in exploiting one of these flaws depends on how savvy the user is, and what software they run.

      2) The exploit you mention doesn't give the user root access. Or even local access. It lets the attacker read cookies, download browser local encrypted data, or download raw .aspx files from the server. That's it. The flaw got spammed to a zillion anti-Microsoft sites due to a sensationalist description by the group that discovered the flaw, and misreported as something much more serious than it was. There is a very simple workaround for it, and any .NET developer worth their salt already would have configured a sensitive production server as described in the workaround.

      Other than that, your post was spot on!

    50. Re:But wait by exomondo · · Score: 1

      Except it was never actually exploited.

      Wow...you don't get much more ignorant than that. You don't know it wasn't exploited, you just assume that because you didn't hear about it, and - assuming it was done right - you wouldn't hear about it.

    51. Re:But wait by Anonymous Coward · · Score: 0

      How was that modded +5 insightful?

      I don't log into a server on the internet and run a browser in an X session on it in order to view the web content it hosts. That was the point you failed so incredibly to understand. Your web browser is on YOUR machine, the server is on A DIFFERENT machine. You don't have local access when you view the page.

      Your 'example' would require a clear documented security flaw of the web browser that allowed arbitrary code execution by insertion of malicious code in a website ALONG WITH the unpatched 64 bit kernel.

      If those stars aligned for you, AND you visited a site loaded with the malicious code THEN you could be affected.

      That's a lot of IF's to worry about before you patch your kernel.

    52. Re:But wait by Bryan+K.+Feir · · Score: 1

      Me, one of the things I do is run my browser under a separate ID from my normal operations. Makes it a lot harder for someone to use the browser to access the rest of my files...

    53. Re:But wait by node+3 · · Score: 1

      Ah yes, so since the iPhone has never been exploited (except for the one that targeted jailbroken iPhones), you have to imagine exploits. Bravo.

      And you claim I'm the ignorant one...

    54. Re:But wait by node+3 · · Score: 1

      How exactly do you know it was never exploited

      In absence of evidence, the only rational position to take is that it hasn't been. Had an exploit ever made it into the wild, it would have made the news, and would have definitely found its way onto the various anti-virus makers' sites.

      You can't prove a negative, so sure, it might have been exploited. But that's not how it works. If you want to make the claim that it has been, you'll need some evidence. Evidence, by the way, which would not be difficult to come by at all were it to be the case.

    55. Re:But wait by node+3 · · Score: 1

      Except that was never actually reported.

      Fixed that for you.

      I see. So imaginary exploits are on equal footing with actual exploits now? "Oh no! Linux has actually been exploited, so in order to maintain my notion that it is superior to anything Apple could possibly create, I'll have to just pretend that iOS has been exploited!"

      That's the problem with tying ideology with real-world things (like the Free Software ideology with Linux). There is no ideology that coincides with reality, so the only way one can maintain their ideology is to lie about reality.

      Fact: Linux has been exploited. Many times. There is plenty of evidence for this.
      Fact: There is no evidence that the PDF security flaw has ever been exploited outside of the deliberate jailbreak community. There has only ever been one other exploit for iOS, and that was for jailbroken iPhones.

      But don't let reality get in the way of theory!

    56. Re:But wait by MrHanky · · Score: 1

      OK, I know you're a giant fanboy, but the jailbreak hack is in fact an exploit. You're the one with the notion that OS X is superior and that there's no exploit out there, you're simply projecting your own retardedness over on me.

    57. Re:But wait by CheerfulMacFanboy · · Score: 1
      --
      Fandroids hate facts.
    58. Re:But wait by node+3 · · Score: 1

      OK, I know you're a giant fanboy, but the jailbreak hack is in fact an exploit. You're the one with the notion that OS X is superior and that there's no exploit out there, you're simply projecting your own retardedness over on me.

      What are you talking about? This Linux kernel exploit is something that's *real* and is *actively being used* to exploit *actual* Linux boxes. The PDF exploit is only being used by people who want to jailbreak their own iPhones. They're not the same thing.

      If there were PDFs out that that hacked into people's iPhones, that would be something different entirely. But you can't wish away facts just by calling me a "giant fanboy" or "retarded". That's not how reality works.

      I'll restate my facts from above:

      Fact: Linux has been exploited. Many times. There is plenty of evidence for this.
      Fact: There is no evidence that the PDF security flaw has ever been exploited outside of the deliberate jailbreak community. There has only ever been one other exploit for iOS, and that was for jailbroken iPhones.

      The only thing I'll add, which is for clarity and doesn't change what I meant by it, is that when I say "exploit", I mean something that's actually being used to attack the devices outside of the owner's intentions, and not a tool to otherwise compromise the device. This should be clear from the context, but you're prone to deliberately misinterpreting things in order to rip on Apple.

    59. Re:But wait by MrHanky · · Score: 1

      Fact: you don't know that the iOS hole hasn't been exploited by others.

      This story is about a local root hole. Apple has them, Linux has them, Windows has them, OpenBSD has them. To use it, you need to make the computer run the code, you need an infection vector. Linux is more or less exclusively exploited as a server OS, as it has services running and accepting connections from the outside 24/7. OS X is no different. Not at all. Etc, etc. As a desktop or phone OS, I've never heard of Linux being targeted, but at least I'm not saying it's never happened.

      Why is desktop Linux and OS X targeted so rarely? Think about the infection vector: either getting people to install a trojan, or planting malicious code e.g. on a web server, and then hoping that a bunch of random users should stumble across the site, hopefully running the correct versions of the right browsers -- it just wouldn't be very effective. So you don't get widespread infections, and they aren't reported. If such an exploit were to be worthwhile, you'd expect it to be targeted to a specific user or organisation with a known software stack, using your ordinary social engineering skills to lure people into clicking a link, for instance. This shouldn't be too hard, and it would more often go undetected. Perfect for spying. The same goes for iOS, of course, although it's a lot simpler, for obvious reasons.

    60. Re:But wait by node+3 · · Score: 1

      Fact: you don't know that the iOS hole hasn't been exploited by others.

      This isn't a pertinent point, however. I can't defend against imaginary exploits. You might as well make me defend the statement that there are no polka dotted orangutans. Until you can demonstrate a reason to believe otherwise, the only rational stance to hold is that they don't exist.

      This story is about a local root hole. Apple has them, Linux has them, Windows has them, OpenBSD has them.

      Correct. The difference is, as I've stated more than once, this one is being actively used to compromise Linux computers, while the PDF exploit has not been used to compromise iOS devices. Also, there has been no other exploit by third parties (i.e., not the user jailbreaking their own phone) except for one that targeted jailbroken iPhones that had ssh set up with a default password (there may have been others, but I don't think they've been actually exploited, and all of them that I'm aware of targeted jailbroken devices).

      I don't disagree with the rest of your post (also notable is the lack of calling me giant retarded fanboy this time). But it's not really pertinent to the point I was making. Someone said that iPhones were being exploited by the PDF flaw, and I stated that they weren't. You're right that I can't *prove* this, but it's not a position that is supposed to be proven. What's supposed to be proven is that it *has* been exploited. You can't generally prove a negative. If it makes you feel better, you can interpret what I wrote as, "there's no reason to believe that it has been used in an actual exploit", but it's really just a more verbose way of saying the same thing.

      On the one hand, I do like the way phrasing like that does away with ambiguity (at least, there is less ambiguity than the original phrasing), but one can't go around writing/talking like that. It's annoying and adds little value to a conversation.

    61. Re:But wait by MrHanky · · Score: 1

      Oh, so you can't talk like that. "There's no evidence it was actively exploited" is a lot more convoluted than "Except it was never actually exploited", right? Hardly. Whereas the first statement is to the point and likely correct, the second makes a bold claim with no evidence. When said in defence of someone claiming Apple's OSes don't get exploited, it smells of fraudulent advertising, and that's one thing Mac fanboys specialise in.

    62. Re:But wait by exomondo · · Score: 1

      since the iPhone has never been exploited

      So you really think that if someone was stealing your contact details, messages, emails, etc...they would notify you beforehand?

    63. Re:But wait by uninformedLuddite · · Score: 1

      When are you geeky nerds going to wake up and realise that EDLIN is your friend?

      --
      The new right fascists are bilingual. They speak English and Bullshit.
    64. Re:But wait by man_of_mr_e · · Score: 1

      Who said anything about a server? I was talking about someone running Linux on their desktop. I'm not quite sure what your point is? That servers are secure? No, because if the server is internet facing it has to have some services it's exposing to the internet and any of those services could be an attack vector (HTTP, SMTP, DNS...).

      But regardless, the fact that you think blended attacks are virtually non-existent says a lot.

      Blended attacks, where multiple vulnerabilities are used in conjunction with one another, are quite common these days.

      In fact, I have no idea what your point is, since it neither applies to an internet facing server, nor a desktop user connecting to the internet.

      And no, it doesn't require a 'clearly documented' security flaw. Have you never heard of a 0-day exploit?

    65. Re:But wait by owlstead · · Score: 1

      That's probably the easiest way to handle it. I do it the other way around: I run a user that does administration and has access to my documents. That user just browses to well known sites (and hopes that they are keeping up with the latest patches). That's a bit of a chore, though - I always forget that I'm in the restricted user setting.

      It does not work that well though. My restricted user and the real me are actually one and the same person. And this person uses GMail, orders tickets online etc. etc. So basically, this real person needs access to files of both identities anyway - at the same time.

      The problem is that Linux (or better: current desktop OSes) just don't have clear restrictions for applications. Multiple IDs, SELinux, AppArmor and even VMs are just sub-optimal ways of dealing with the situation. It's evolution in action, but you have to wonder if current operating systems can be "patched" this way.

    66. Re:But wait by thejynxed · · Score: 1

      And that would be Windows 95, since malware written for Win98 and above is incapable of running on it, whereas every piece of malware from Windows 95 on is capable of running on Windows 7.

      Gotta love compatibility mode and the APIs it exposes.

      --
      @Mindless Drivel: 100% of Twitter posts ever Tweeted.
  2. virus scanner by Anonymous Coward · · Score: 0

    Oh no, now I need a permanently running virus scanner... may as well switch back to M$ :-(

    1. Re:virus scanner by socceroos · · Score: 2, Insightful

      A virus scanner isn't going to do much against a rootkit.

    2. Re:virus scanner by zaphod777 · · Score: 0

      This is an exploit to gain "root" (administrator) access, not a rootkit, which is a malicious program built to hide itself from the operating system.

      --
      "Don't Panic!"
    3. Re:virus scanner by dougmc · · Score: 2, Interesting

      This is an exploit to gain "root" (administrator) access, not a rootkit, which is a malicious program built to hide itself from the operating system.

      But the exploit leaves a backdoor (hell, it's right there in the summary) which *is* what a rootkit does.

      Rootkits do typically hide themselves -- but only so they aren't removed, so they can provide root access at a later date. Their primary function is to provide root access at a later date -- which this exploit does, according to the summary.

    4. Re:virus scanner by DarwinSurvivor · · Score: 1

      Leaving a backdoor does not necessarily imply a rootkit. A rootkit hides itself in the underlying levels of the OS (kernel, drivers, API rewrites, etc). Leaving a backdoor could be as simple as creating a user with admin privileges and a pre-defined username/password for easy future access.

      I have not read the article yet, so it could be that it *is* a rootkit, I'm just stating that you can't reach that conclusion from the summary.

    5. Re:virus scanner by man_of_mr_e · · Score: 1

      A rootkit doesn't (necessarily) leave a back door. Yes, a rootkit can, but so can any other kind of exploit. A rootkit is a rootkit because it installs itself at a low level of the OS to hide itself from the tools you might use to find it (for instance, it installs itself as a kernel module and then it patches APIs that pull lists of processes to remove itself from the list).

      None of this has to do with backdoors.

    6. Re:virus scanner by Sir_Lewk · · Score: 1

      A rootkit is software that enables continued privileged access to a computer...

      Read: "back door".

      Hiding itself is a means to an end. In the case of rootkits, that end is continued access to the system. Unsophisticated rootkits can skip this step and still be considered rootkits (though they will be of questionable utility). A patched copy of 'login' can be a 'rootkit' using the real definition of the word.

      --
      "linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
    7. Re:virus scanner by man_of_mr_e · · Score: 1

      No. Read nothing. You're seeing something in that link that isn't there.

      Continued privileged access is not a back door. A back door is when you allow someone to access a computer via a non-normal access mechanism that is typically unknown to the authorized user(s).

      As I said, while a rootkit *CAN* expose a backdoor, it doesn't need to do so to be a rootkit.

      For example, the Sony rootkit did not expose a backdoor. But it was still a rootkit.

      Yes, a patched copy of login is a backdoor; it is not a rootkit.

    8. Re:virus scanner by Sir_Lewk · · Score: 2, Informative

      A back door is when you allow someone to access a computer via a non-normal access mechanism that is typically unknown to the authorized user(s).

      ...thus allowing continued privileged access....

      You are using the word in the layman sense, disregarding its origins. Why do you think it's called rootkit? It's a term used to describe a "kit" of software that allows the attacker to regain root access later on. Patch login to always allow a second predefined password, drop it into place, and you have yourself a rootkit. The techniques that rootkits developed to hide themselves have been borrowed by malware, and the term has been usurped too (in a similar fashion to what happened to the word "bricked", which now seems to mean "requires a power cycle or re-flashing").

      That doesn't make that usage correct.

      --
      "linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
    9. Re:virus scanner by dave420 · · Score: 2, Informative

      Is it really difficult to understand?

      Rootkit = software installed on a machine to serve some unsavoury purpose.
      Backdoor = A method of accessing a system, generally hidden from the user and/or administrator of a machine

      A rootkit can open a backdoor, but then so can poorly-configured machines, or kernel vulnerabilities. They are not the same.

    10. Re:virus scanner by X0563511 · · Score: 1

      Dammit.

      A rootkit and a backdoor are two completely different things. A rootkit can include a backdoor, but not the other way around.

      They usually go hand-in-hand in an intrusion, but rootkits are a relatively new occurrence whereas backdoors are not.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    11. Re:virus scanner by CarpetShark · · Score: 1

      A virus scanner isn't going to do much against a rootkit.

      Might slow it down.

    12. Re:virus scanner by man_of_mr_e · · Score: 1

      No. A backdoor doesn't even have to give any privileged access. It can just give them normal user access. A backdoor doesn't even have to be intentional, it can be the result of poor programming or a hole in the configuration of the machine.

      While the two may often be used together, they are not the same thing.

    13. Re:virus scanner by Score+Whore · · Score: 1

      A rootkit takes over the root of your OS and hides itself. It has nothing to do with user 'root' and everything to do with embedding itself so tightly that you can't even detect it. It replaces software in the / (root) filesystem, things like ps, ls, kernel modules, whatever is necessary.

      That wikipedia page was written by someone who apparently wasn't there when these things started showing up in the wild. One clue is that rootkits were around in the 1990s and every bloody reference on that wiki page is from 2000+.

    14. Re:virus scanner by CarpetShark · · Score: 1

      But the exploit leaves a backdoor (hell, it's right there in the summary) which *is* what a rootkit does.

      A backdoor could be as little as a hidden, free account on a game. It has little to do with rootkits.

    15. Re:virus scanner by Lokitoth · · Score: 1

      Unless the AV is itself a rootkit.

    16. Re:virus scanner by adaviel · · Score: 1

      A rootkit as I understand is a software package run after one has got root. The intent of the rootkit is to hide the nefarious activity (IRC server, warez stash etc.) from the user or admin. LKM rootkits tell the kernel to ignore certain process IDs, IP addresses etc. while old-style rootkits overwrite programs like ps, top, ls with modified ones.
      A rootkit might contain a backdoor as part of the kit.
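
The "old-style rootkit overwrites ps, top, ls" case in the comment above has a plain defensive counterpart: keep a known-good hash manifest of the system binaries and compare the live tree against it. The script below is an added example, not code from the thread or from Ksplice; it assumes a POSIX shell with `sha256sum` (coreutils), `find`, `sort`, `uniq` and `mktemp`, and it builds a small constructed directory tree to stand in for `/bin`. An LKM rootkit that hides at the kernel level would not be caught by this, which is exactly the distinction the comment draws.

```shell
#!/bin/sh
# Added example (not from the thread): detect replaced binaries by comparing
# a directory against a previously recorded sha256 manifest.  The manifest
# should be built from a trusted install and stored off-host or read-only;
# here everything is constructed in a temporary directory.

# make_manifest DIR MANIFEST: record "<sha256>  ./path" for every regular
# file under DIR, sorted by path so two manifests are directly comparable.
make_manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2 ) > "$2"
}

# list_changed DIR MANIFEST: print the path of every file whose current hash
# differs from the recorded one, plus files added or deleted since the
# manifest was taken.  Prints nothing when the tree still matches.
list_changed() {
    cur=$(mktemp) || return 1
    make_manifest "$1" "$cur"
    # a "hash  path" line that occurs in only one of the two lists marks a
    # changed, added or removed file; uniq -u keeps exactly those lines
    LC_ALL=C sort "$2" "$cur" | uniq -u | awk '{ print $2 }' | LC_ALL=C sort -u
    rm -f "$cur"
}

# verify_manifest DIR MANIFEST: exit status 0 if nothing changed, 1 otherwise
verify_manifest() {
    [ -z "$(list_changed "$1" "$2")" ]
}

# --- constructed demonstration ------------------------------------------
demo_root=$(mktemp -d)
mkdir -p "$demo_root/bin"
printf 'trusted ps binary (stand-in)\n' > "$demo_root/bin/ps"
printf 'trusted ls binary (stand-in)\n' > "$demo_root/bin/ls"
make_manifest "$demo_root" "$demo_root.manifest"

verify_manifest "$demo_root" "$demo_root.manifest" \
    && echo "clean: every file matches the manifest"

# simulate an old-style rootkit dropping a trojaned ps over the real one
printf 'trojaned ps that hides selected PIDs (stand-in)\n' > "$demo_root/bin/ps"
verify_manifest "$demo_root" "$demo_root.manifest" || {
    echo "ALERT: files that no longer match the manifest:"
    list_changed "$demo_root" "$demo_root.manifest"
}

rm -rf "$demo_root" "$demo_root.manifest"
```

Run it with no arguments; the second `verify_manifest` call reports `./bin/ps`. On a real host you would run `make_manifest /usr/bin manifest` once from a trusted state and `verify_manifest` from cron or a rescue environment; package managers' own verification (`rpm -V`, `debsums`) does the same job with the distribution's manifest.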

    17. Re:virus scanner by Sir_Lewk · · Score: 1

      software installed on a machine to serve some unsavoury purpose.

      That sounds more like a definition of 'malware' than 'rootkit' to me...

      --
      "linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
    18. Re:virus scanner by Sir_Lewk · · Score: 1

      "normal user access" to people that are not supposed to have it may as well be "privileged access".

      Furthermore, your new definition of backdoor precludes the possibility of a patched 'su' binary that gives normal users root access being a backdoor.

      At least try to be consistent.

      --
      "linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
    19. Re:virus scanner by Sir_Lewk · · Score: 1

      Some people in this thread don't know their history.

      One clue is that rootkits were around since the 70s or 80s, when the parent post thinks they've only been around since the 90s.

      --
      "linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
    20. Re:virus scanner by Score+Whore · · Score: 1

      The parent poster knows they were around in the 90s, having followed the work done with SunOS in the early nineties. Additionally, the parent poster is aware of Ken Thompson's "Trusting Trust" and other works regarding well hidden security concerns.

      At no point did the parent poster express the idea that "they've only been around since the 90s." Learn to read before you pop off in a cute little fit of nerd rage. You'll seem less stupid.

    21. Re:virus scanner by mysidia · · Score: 1

      A simple reboot of the system to apply the updated kernel fixes the "backdoor".

      What you have in memory until you reboot is a kernel that has already been exploited.

      Which the folks at Ksplice probably want to call a backdoor, because they're selling a "rebootless" patch product, based on the idea you should be able to fix the bug without restarting the kernel.

      That's a fine idea, but it turns out to be a complete garbage notion if your kernel has already been tampered with in memory, so the resident binary doesn't match the source code. Turns out the "rebootless" patch probably doesn't work so well if your kernel's in-memory state has already been changed as a byproduct of an exploit.

      That is true not only of this exploit, but probably many kernel vulnerability exploits, especially any that involve memory corruption, or installing a code stub to facilitate the exploitation process.

      If you invoked a kernel exploit, the exploit successfully messed with kernel memory, and you want your system back to a pristine boot, you must reboot.

      I would not call it a rootkit, unless the "backdoor" were intentionally placed there for the purpose of being a hidden backdoor or enabling covert hacker activity, or (specifically) intended to continue to work either remotely or after you patched, after you rebooted, etc.

    22. Re:virus scanner by man_of_mr_e · · Score: 1

      Jesus, are you really this stupid? Do you really have such a hard time understanding the written word?

      I did not say that a backdoor does not give you privileged access, I said it doesn't need to give you privileged access to be considered a back door. Wow. You are just fucking dumb as a bag of hammers... seriously. I'm surprised you even know what a computer is.

      And a patched su binary is no different than a patched login binary. In fact, login and su are essentially the same thing.

      It's simple. A backdoor gives you access, a rootkit ensures that you keep access without being detected. A rootkit can open a backdoor, and a backdoor can be part of a rootkit, but they are two separate functions, and you can have either without the other.

    23. Re:virus scanner by Sir_Lewk · · Score: 1

      Patched binaries allow continued access that goes undetected (unless you look hard enough). Just like more modern rootkits.

      The only reason I switched from using login as an example to su is because under normal circumstances su is not available remotely, and you seem to mistakenly believe there is a fundamental difference between privilege escalation and unauthorized access.

      A backdoor, by definition, gives access. The distinction between "privileged access" and "normal user access" is meaningless, any access given to people that are not supposed to have it is "privileged access". Whether it gets you in as root or gets you in as a regular user... doesn't matter. The distinction doesn't even exist on plenty of systems.

      Rootkits by definition involve backdoors. They provided continued unprivileged access by installing a backdoor, and making an attempt at keeping it secret. It is only in the modernized sense of the word that continued access is left out of the definition. Excluding the incorrect modern usage, you can have a backdoor without having a rootkit, but you cannot have a rootkit without having a backdoor.

      Try reading a book or two. Preferably at least one on forming reasoned arguments. Tip: childish insults win you nothing.

      --
      "linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
  3. Is Slashdot advertising now? by fluffy99 · · Score: 4, Insightful

    Why does the summary and articles read like a paid advertisement for Ksplice?

    1. Re:Is Slashdot advertising now? by tomhudson · · Score: 5, Interesting

      Because the article is alarmist bs? You are probably NOT being rooted even as you read this. Every ksplice story slashdot has carried has turned out to be no big deal. I'm going to ignore it, based on their previous performance.

    2. Re:Is Slashdot advertising now? by Anonymous Coward · · Score: 1, Insightful

      More to the point, why does the summary suggest it's being exploited 'left and right'? It's still a local exploit, right? That means they're getting to your machine either through visiting a website, reading an email or via another remote exploit. Seems a mite sensationalist.

      Having said that, way to stuff up - kernel devs. Whoever reverted that patch needs a swift kick in the go-nads.

    3. Re:Is Slashdot advertising now? by clang_jangle · · Score: 4, Funny

      Because the article is alarmist bs? You are probably NOT being rooted even as you read this.

      ***Ding ding ding***

      We have a winner -- Don Pardot, tell Ms. Hudson what she's won!

      --
      Caveat Utilitor
    4. Re:Is Slashdot advertising now? by tomhudson · · Score: 4, Insightful

      iWeb caught it running on ONE shared-hosting server. Are you running a publicly-facing shared-host server? No? Then don't worry about it, and when your distro comes out with a new kernel, just update.

      Ksplice are attention whores.

    5. Re:Is Slashdot advertising now? by clang_jangle · · Score: 1

      Hey Pardo, don't make me tell you again -- if you don't clean up that potty mouth you're outta here!

      --
      Caveat Utilitor
    6. Re:Is Slashdot advertising now? by jcwayne · · Score: 0

      How else are they supposed to compete with Gawker?

      --
      Failure to follow this advice may result in non-deterministic behavior.
    7. Re:Is Slashdot advertising now? by tomhudson · · Score: 1

      I bite. Should we rename you "Stumpy?"

    8. Re:Is Slashdot advertising now? by Anpheus · · Score: 1

      Even if you are, shouldn't you be using virtualization by now? Sure, you might cut into your margins if your hypervisor can't share pages between VMs (and even that sometimes doesn't help as the VMs become more and more out of sync), but I'd say the security benefits outweigh the downsides.

      This is perhaps the single greatest reason for moving to VDI versus shared remote desktops on a single server.

    9. Re:Is Slashdot advertising now? by Anonymous Coward · · Score: 0

      Why does the summary and articles read like a paid advertisement for Ksplice?

      Not only that, but has anyone else noticed that pretty much every time Ksplice or their blog gets linked to from /., the article is always submitted by "an anonymous reader?" And when it's the Ksplice blog, they usually try to frame the submission in terms of MIT students? Just a couple examples:

      http://linux.slashdot.org/story/10/08/31/191228/
      http://developers.slashdot.org/article.pl?sid=10/03/16/2216258

      Classy, guys.

    10. Re:Is Slashdot advertising now? by drsmithy · · Score: 1

      Why does the summary and articles read like a paid advertisement for Ksplice?

      Because it's being read by someone who has a juvenile fascination with server uptime ?

    11. Re:Is Slashdot advertising now? by inflex · · Score: 5, Insightful

      Because sensationalism sells and best of all, people on the other side of the fence (eg, MS) can then link to the article as a way of providing "proof" of how insecure Linux really is. Facts be damned, let's just spray some more fear-mongering around and scare the dillys out of every person. It's just not a /. story anymore unless it's an advert or traffic-whore.

    12. Re:Is Slashdot advertising now? by Arrepiadd · · Score: 5, Informative

      Because Ksplice relied on the fact that the Slashdot editors don't edit anything to have their advertisement pass as an important story?

    13. Re:Is Slashdot advertising now? by drolli · · Score: 1

      Yes.

      If I get it right this was a regression of an old bug, which means that everybody could have found it by regression-testing with enough manpower.

      And now having a patch installed 1 day earlier, for a bug probably known to some bad guys for 2 years, does not save the day.

    14. Re:Is Slashdot advertising now? by Anonymous Coward · · Score: 0

      > based on their previous performance.

      What previous performance? ksplice works well for me.

    15. Re:Is Slashdot advertising now? by dargaud · · Score: 1

      Because the article is alarmist bs? You are probably NOT being rooted even as you read this. Every ksplice story slashdot has carried has turned out to be no big deal. I'm going to ignore it, based on their previous performance.

      Well, here at work they were alarmed quite enough to turn off access to the racks upon racks of grid servers until a patch is available. That certainly impacted us, and if a company comes out with a patch quickly, they deserve their name wherever.

      --
      Non-Linux Penguins ?
    16. Re:Is Slashdot advertising now? by X0563511 · · Score: 2, Insightful

      Yea, and guess what? When someone breaks into $LAME_PHP_CODE and runs something, that something is running locally, no?

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    17. Re:Is Slashdot advertising now? by rumith · · Score: 1

      Don't know if this is a slashvertisement or not, but the original post on the Ksplice blog sounds much more adequate and calm to me. I wouldn't bet that the AC who posted this works for Ksplice.

    18. Re:Is Slashdot advertising now? by dkleinsc · · Score: 1

      Err, wouldn't that be "Mr Hudson"? I don't know too many Ms's named Tom.

      --
      I am officially gone from /. Long live http://www.soylentnews.com/
    19. Re:Is Slashdot advertising now? by bdrewery · · Score: 1

      People never seem to understand this.

    20. Re:Is Slashdot advertising now? by Anonymous Coward · · Score: 0

      A free gender and/or name change to the gender of his/her preference.

    21. Re:Is Slashdot advertising now? by Anonymous Coward · · Score: 0

      At HostingCon this year, the Ksplice people were walking around with t-shirts that read "I never reboot" around the conference.

      This "info-vertising" is just along the same lines and designed to get their name out in the press.

      Guess what... Mission accomplished.

    22. Re:Is Slashdot advertising now? by tomhudson · · Score: 1

      They haven't patched it. Please RTFA.

    23. Re:Is Slashdot advertising now? by tomhudson · · Score: 1

      All their previous blog entries were garbage. One was "look at this new coding technique to make the smallest ELF file possible" - which turned out to be old back in 1999. The code almost looked like a cut-n-paste - except that the original code had a follow-up that was MUCH better than the ksplice krap kode.

      The worst part was that if they had searched for 1 minute, they would have found the original.

      I'm not going to lose any sleep over it.

    24. Re:Is Slashdot advertising now? by bill_mcgonigle · · Score: 2, Insightful

      Why does the summary and articles read like a paid advertisement for Ksplice?

      Probably because the Ksplice guys offer a solution to a problem for admins who have standalone servers that can't be rebooted and nobody else does.

      I don't understand the Ksplice hate here - they're filling a niche. I'd advise my clients (should I slashvertize too?) to instead go with a redundant clustered solution, preferably with automatic failover and/or live migrations of vm's so reboots don't hurt. But, that's more expensive than Ksplice, if really all you need is a single server (there being other benefits to clusters, naturally, but they do cost more) so it's not the best solution for everybody.

      Either is better than staying unpatched if you have folks using your machines who don't deeply understand security. One buggy cgi and a local root exploit makes your day pretty rotten.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    25. Re:Is Slashdot advertising now? by C0vardeAn0nim0 · · Score: 1

      because it is ?

      AND... if the summary is right (won't bother reading TFA), it's a _LOCAL_ exploit. which means, if you don't run telnetd, have all system accounts locked and have strong passwords on your users' accounts, even if you have sshd running it shouldn't be a big deal.

      now, if:

      - you have a webserver;
      - it allows uploads OR allows users' code to create files on /tmp;
      - whatever temp dir the webserver uses allows execution (i.e. doesn't have "noexec" on /etc/fstab);
      - your PHP/Python/Ruby whatever is not configured to deny execution of system commands;

      then you DESERVE to be rooted, just so you can learn how to properly secure your server the next time;

      disclaimer: yeah, this is how i learned.

      --
      What ? Me, worry ?
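
The conditions the post above lists (an executable temp directory and a web language allowed to spawn system commands) can be audited straight from configuration text. The script below is an added example, not code from the thread; it parses constructed `/etc/fstab` and `php.ini` snippets, so the file paths, the sample contents and the list of PHP functions it checks are all assumptions of this example. It assumes a POSIX shell and awk.

```shell
#!/bin/sh
# Added example (not from the thread): audit the "noexec on /tmp" and
# "PHP cannot run system commands" conditions from configuration text.
# Feed it /etc/fstab and the php.ini actually loaded by your web server.

# mount_has_opt FSTAB_TEXT MOUNTPOINT OPTION
# Exit 0 if the (non-comment) fstab line for MOUNTPOINT lists OPTION among
# its comma-separated mount options (the 4th field), 1 otherwise.
mount_has_opt() {
    printf '%s\n' "$1" | awk -v mp="$2" -v opt="$3" '
        $1 !~ /^#/ && $2 == mp {
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == opt) found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# php_disables PHPINI_TEXT FUNC
# Exit 0 if FUNC is named in the disable_functions directive, 1 otherwise.
php_disables() {
    printf '%s\n' "$1" | awk -v fn="$2" '
        /^[ \t]*disable_functions[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")        # keep only the value part
            sub(/[ \t]+$/, "")              # drop trailing whitespace
            n = split($0, f, /[ \t]*,[ \t]*/)
            for (i = 1; i <= n; i++) if (f[i] == fn) found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# audit FSTAB_TEXT PHPINI_TEXT: print one line per finding; exit 0 if clean
audit() {
    rc=0
    mount_has_opt "$1" /tmp noexec \
        || { echo "FINDING: /tmp is mounted without noexec"; rc=1; }
    # command-execution functions a hardened php.ini normally disables
    for fn in exec system shell_exec passthru popen proc_open; do
        php_disables "$2" "$fn" \
            || { echo "FINDING: PHP may still call $fn()"; rc=1; }
    done
    return $rc
}

# --- constructed sample configurations -----------------------------------
WEAK_FSTAB='# constructed sample fstab
/dev/sda1  /     ext4   defaults          0 1
tmpfs      /tmp  tmpfs  defaults,size=1G  0 0'
HARD_FSTAB='/dev/sda1  /     ext4   defaults                          0 1
tmpfs      /tmp  tmpfs  defaults,nosuid,nodev,noexec,size=1G  0 0'
WEAK_PHP='disable_functions ='
HARD_PHP='disable_functions = exec, system, shell_exec, passthru, popen, proc_open'

echo "== weak configuration =="
audit "$WEAK_FSTAB" "$WEAK_PHP" || echo "fix these before exposing the web server"
echo "== hardened configuration =="
audit "$HARD_FSTAB" "$HARD_PHP" && echo "no findings"
```

The weak sample produces seven findings, the hardened one none. Note that `noexec` on /tmp only blocks direct execution of a dropped file; an interpreter invoked on it still runs it, which is why the second check (denying the web language its command-execution functions) matters as much as the first.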
    26. Re:Is Slashdot advertising now? by uberjack · · Score: 1

      Mrs. Scum, you have won... the entire Norwich City Council!

    27. Re:Is Slashdot advertising now? by fluffy99 · · Score: 1

      I agree. If you truly need 100% uptime, then implement a fault-tolerant setup that allows single server down times. Ksplice is basically a bandaid and I can see how it might be useful, but on the other hand how many vulnerabilities to security or reliability does Ksplice itself introduce?

    28. Re:Is Slashdot advertising now? by fluffy99 · · Score: 1

      Why does the summary and articles read like a paid advertisement for Ksplice?

      Because it's being read by someone who has a juvenile fascination with server uptime ?

      Huh? You trolling?

      Personally server uptime is a farce and the only people I know who brag about it is the Linux community. Folks in the real world just implement clusters and fault tolerant setups, which give them the ability to actually reach 100% uptime and do maintenance.

    29. Re:Is Slashdot advertising now? by Anonymous Coward · · Score: 0

      No. http://slashdot.org/~tomhudson

      Welcome to Barbie's world!

      It's "The Online Me" (t.o.m., aka "tom")

      I guess I should see about changing the account name. I could always create another account, but this one has a relatively low uid and lots of history. And the IT industry is extremely sexist. -

      Off-line, I'm just Barbara (Barbie to my friends), though my dogs probably think of me as "the slave".

  4. Hmmm... by Anonymous Coward · · Score: 1, Funny

    First root! Oh crap...

  5. Scriptkiddies these days by Pseudonym+Authority · · Score: 1, Interesting

    Acidbitches..... In my day, naming your ubeR l3e7 h4xX0r 6r00p MEANT something.

    1. Re:Scriptkiddies these days by socceroos · · Score: 1

      Excuse me, Mr. ID 1591027, but your day hasn't even begun yet. =)

    2. Re:Scriptkiddies these days by Miseph · · Score: 1

      Isn't it a little past your bed time, Mr. 1374367?

      --
      Try not to take me more seriously than I take myself.
    3. Re:Scriptkiddies these days by socceroos · · Score: 2, Funny

      Speaking from the grave I see, Mr. 979059. =D

    4. Re:Scriptkiddies these days by Xacid · · Score: 1

      You guys are cute.

    5. Re:Scriptkiddies these days by PapayaSF · · Score: 1

      All you kids, keep it down in there!

      --
      Q: What does the "B." in Benoit B. Mandelbrot stand for? A: Benoit B. Mandelbrot
    6. Re:Scriptkiddies these days by smash · · Score: 4, Funny

      quiet, children.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    7. Re:Scriptkiddies these days by Pseudonym+Authority · · Score: 2, Funny

      I used to have a 4 digit UID, but it was stolen by Ac1db1tch3z.

    8. Re:Scriptkiddies these days by socceroos · · Score: 4, Funny

      Guys, come look, it's Abraham!

    9. Re:Scriptkiddies these days by Xacid · · Score: 1

      Wait, no. What I mean to say is - get off my lawn.

    10. Re:Scriptkiddies these days by Anonymous Coward · · Score: 0

      SEEEEE!!!! That guy rooted your Linux box for your low account number! No better than Windows thanks to this masterpiece from that scrub Torvalds.

      (-1 Troll, Incoming woosh)

    11. Re:Scriptkiddies these days by HeronBlademaster · · Score: 1

      Psh, wake me up when Methuselah logs on again.

    12. Re:Scriptkiddies these days by caferace · · Score: 5, Funny

      no, you.

    13. Re:Scriptkiddies these days by Runaway1956 · · Score: 2, Funny

      Someone woke Methuselah - now there will be hell to pay!

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    14. Re:Scriptkiddies these days by dlb · · Score: 2, Insightful

      Would you kids get off my lawn?

    15. Re:Scriptkiddies these days by hpycmprok · · Score: 1

      Dang kids.

    16. Re:Scriptkiddies these days by Travoltus · · Score: 1

      Aw rats, you beat me to it.

      --
      --- Grow a pair, liberals... stop letting the Republicans bully you!
    17. Re:Scriptkiddies these days by Bill_the_Engineer · · Score: 1

      Don't make me turn this thread around!

      --
      These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...
    18. Re:Scriptkiddies these days by muckracer · · Score: 1

      > I used to have a 4 digit UID, but it was stolen by Ac1db1tch3z.

      You mean 64-digit UID... :-)

    19. Re:Scriptkiddies these days by Binestar · · Score: 1

      I like being in the low 5's. Not old enough to be dirt, but way wiser than those 6-digit nubs.

      --
      Do you Gentoo!?
  6. Oh Noes by symbolset · · Score: 5, Insightful

    Yes, there's an available rights escalation vulnerability in recent Linux Kernels that's best patched by updating your system with the latest updates. The breathless nature of the fine summary betrays an eagerness to get Linux admins to click the links before they've done so. I'd rather not. Social engineering is such a powerful exploit mechanism after all.

    The Windows geeks obviously will want to paint this as a native Linux vulnerability that they don't have - and it is marginally true. That's fine - but it's an escalation bug, not a remote root, and they've several dozen remote root bugs to close before they point fingers.

    --
    Help stamp out iliturcy.
    1. Re:Oh Noes by syousef · · Score: 1, Troll

      The Windows geeks obviously will want to paint this as a native Linux vulnerability that they don't have - and it is marginally true.

      "Marginally true"??? What's that? Is it like marginally dead or perhaps marginally pregnant? Wait a second. That can't be true. Everyone knows Linux users don't get rooted ;-)

      --
      These posts express my own personal views, not those of my employer
    2. Re:Oh Noes by Anonymous Coward · · Score: 2, Insightful

      The Windows geeks ... they've several dozen remote root bugs to close before they point fingers.

      Care to point them out?

    3. Re:Oh Noes by 93+Escort+Wagon · · Score: 1

      The Windows geeks ... they've several dozen remote root bugs to close before they point fingers.

      Care to point them out?

      Just subscribe to the SANS newsletters - they point them out every week (for all OSes, not just Windows).

      --
      #DeleteChrome
    4. Re:Oh Noes by Anonymous Coward · · Score: 0

      Wait a day or two. Another will make the headlines. And then another, and another...

    5. Re:Oh Noes by symbolset · · Score: 3, Insightful

      >Care to point them out?

      No.

      I don't want them fixed. I am aware of several dozen remote root exploits for Windows and am sure there are hundreds I'm not aware of. But I don't have to prove it. I can say it, and Microsoft could sue me. Between the time they sued me and the time we got to court they would have to span two years of updates, in which they would have to admit several dozen remote root exploits and concede their case. They are there, and if you trawl the darker corners of the Internet you can find them. It's been twenty years and I see no evidence that Microsoft is even interested in pursuing this level of discovery - and that says a lot.

      I want these faults to be exploited over and over. I want business and government to suffer until they see that this is crazy. I want them to find the answer by themselves because obviously they won't listen to me, though we've all tried to tell them many times. I want these IIS .NET websites to divulge the financial details of their members, and make them suffer, because that is the only way they will learn. Yes, some bad guys will turn a profit in the interim, which is a bad thing, but there's some pain involved in educating the fool.

      If you want a secure desktop you don't consider Windows first, second, third or ever. You dismiss it out of the gate. Your proper choices are OS-X, Linux and BSD. OS-X is fine for general use, especially now that you can get Photoshop and AutoCad for it. Linux is cool for office staff - it includes office software. BSD is for the finance department and other paranoid people because the feature that can't be implemented securely in BSD won't be implemented in any serious distribution. If the question is utility versus security, the BSD community would rather have security.

      But no, your question is "do you care to point these vulnerabilities out". No. No I don't. They're as plain as day for anyone who honestly looks. You can find them if you want to. If you don't see them I have to ask why? Why do you not see them? The only possible answer is that you don't want to.

      --
      Help stamp out iliturcy.
    6. Re:Oh Noes by abigsmurf · · Score: 1

      It's an escalation bug. That means any exploit or hole in any application can potentially become a remote root so long as it delivers this code.

      You can't paper over the fact that this is a very dangerous hole.

    7. Re:Oh Noes by ToasterMonkey · · Score: 1

      The Windows geeks obviously will want to paint this as a native Linux vulnerability that they don't have - and it is marginally true. That's fine - but it's an escalation bug, not a remote root, and they've several dozen remote root bugs to close before they point fingers.

      Is a preemptive finger point backing really necessary? It's not like Linux hasn't ever rubbed its own users the wrong way before.
      Believe me, you don't need to be remotely on par with Windows vulnerabilities for people to have a good and justified (Nelson) Haw Haw! at Linux's expense.

      Hey, to all the "I don't need to reboot Linux" guys, as you're commenting out exclude=kernel from yum.conf, don't forget to update ocfs, powerpath and God-only-knows what other third party drivers you might have. (with gusto) Haw Haw! You don't have a stable driver (or anything ftm) API!

    8. Re:Oh Noes by LinuxAndLube · · Score: 1, Offtopic

      Are you ready to put your money where your mouth is? I set up a Windows server and you have 24 hours to remotely root it. If you succeed, I give you 1000 USD. If not, you give me 1000 USD.

    9. Re:Oh Noes by Anonymous Coward · · Score: 0

      The Windows geeks ... they've several dozen remote root bugs to close before they point fingers.

      Care to point them out?

      Just read the list of changes that WindowsUpdate offers to make each month. It's usually about 2-6 instances of "an unauthenticated remote attacker could take control of your computer".

    10. Re:Oh Noes by symbolset · · Score: 1

      Do you really want to start playing the disclosure game with me? Are you sure about that? Did you get clearance from your boss to play that game with me? I can go there if you want to, but I want to know you asked me to that dance with proper approvals from headquarters. Once you dance with the devil you _must_ pay his fee.

      --
      Help stamp out iliturcy.
    11. Re:Oh Noes by Anonymous Coward · · Score: 0

      Yes, there's an available rights escalation vulnerability in recent Linux Kernels that's best patched by updating your system with the latest updates. The breathless nature of the fine summary betrays an eagerness to get Linux admins to click the links before they've done so. I'd rather not. Social engineering is such a powerful exploit mechanism after all.

      With you so far...

      The Windows geeks obviously will want to paint this as a native Linux vulnerability that they don't have - and it is marginally true. That's fine - but it's an escalation bug, not a remote root, and they've several dozen remote root bugs to close before they point fingers.

      I didn't see a mention of windows in TFS. Actually, you're providing us the first mention of it.

      So, let's ignore that completely uncalled-for remark and get back to the real issue: there is a local exploit in the kernel.
      Now are you going to:
      A. Take the necessary steps to keep your systems safe (eg. wait till a patch is available, or do something beyond that),
      B. Take a piss at people who are vulnerable, just because you don't happen to be vulnerable, or
      C. Take a pre-emptive piss at the folks in the B category, just in case?

      I, for one, prefer security problems without the smell of urine.

    12. Re:Oh Noes by Anonymous Coward · · Score: 0

      Oh come now, with something as subjective as truth such a comparison is poor. While it is potentially ambiguous, at the very least it indicates that it is true, but its value as truth is marginal. That is, the way in which it is true is useless :)

    13. Re:Oh Noes by Anonymous Coward · · Score: 0

      Bitter koolaid-drinking nerd rage alert!

      This is the most retarded bullshit I've ever read on slashdot. Ignorant, incorrect and childish.

    14. Re:Oh Noes by Anonymous Coward · · Score: 0

      Linux is cool for office staff - it includes office software.

      LOL - no it doesn't. It includes Open Office which may be fine if you write the odd letter, but the Calc isn't fit for general spreadsheet duties IMHO. Why must *nix always be the best solution? I'm no windows fanboy but for general office duties you can still not beat Microsoft Office. Or even get very close to be honest.

    15. Re:Oh Noes by Anonymous Coward · · Score: 0

      i am a windows geek. how can we paint this as a vulnerability that windows doesn't have? we have thousands of vulnerabilities.

      plus linux is more stable and free. only reason i don't switch is lack of support for games, like BF2, NFS shift, so on and so on.
      windows gets rooted all the time, and i laugh a little inside when Joe User buys the fake antivirus and is too damn lazy to take 5 minutes and learn how to run spybot (among others)

    16. Re:Oh Noes by shadowrat · · Score: 1

      That's good. I was wondering how someone would get access to my ubuntu box. It is little more than a web server and ssh. Sounds like you need to give the attacker an account first. Shared hosting: vulnerable. Single user box at home: probably not a problem.

    17. Re:Oh Noes by Anonymous Coward · · Score: 0

      Dude he's just an angry anti-ms nerd. Let him be. His ranting provides us with much entertainment. I'd mod all his posts +5 funny if I had the mod-points :(

    18. Re:Oh Noes by Anonymous Coward · · Score: 0

      lol

      you're sounding like a butthurt little prick. if i were you i'd give it up yourself if you care so much about your precious karma.

    19. Re:Oh Noes by bonch · · Score: 1

      Whew! Thanks for patting everyone on the back for using Linux. Reporting on Linux vulnerabilities is "breathless." You even made sure to close with a completely irrelevant bash on Windows for absolutely no reason. Thanks for making us all feel better about this!

  7. EH by Anonymous Coward · · Score: 4, Insightful

    This is a local exploit so I'm not horribly concerned and here is why.

    You should always treat your systems as if an exploit already exists for both remote and local connections.

    The systems I maintain are part of a bit of an elaborate network. There is a huge investment in controlling incoming and outgoing traffic as well as managing who actually has access to systems. While a local exploit is a big deal it's not like there are a great number of places for users to inject this code. If someone could compromise an input vector and piggyback the exploit that still wouldn't get them very far. In fact, without knowing key details regarding the network infrastructure they would simply nab a host that could not reach the outside world.

    With that said we do have a bit of reliance on lbs, traffic inspection, firewalls and a good bit of monitoring equipment. However, there is a solid investment in specific purpose network and security protocols to accomplish these goals. In a bit of a cheaper shop I'm wondering what others do to maintain security and get some of the same tools. (I'm being very vague about our setup intentionally, but there have to be some decent foss network tools as well).

    1. Re:EH by GNUALMAFUERTE · · Score: 4, Insightful

      THIS ^^^^^^

      I understand why you are posting as AC and being vague about it, I'm fucking paranoid about revealing details of the entrails of my network too.

      People don't understand how security works. If I told you the alarm in my office will fail to detect movement in zone 7 if you do X and Y, would you say that my office is absolutely compromised? No. I still have a security guy, bars, security doors, CCTV, and most things of real value inside are doubly secured (source code is encrypted, money is in the safe). A simple glitch doesn't mean I'm getting robbed.

      The problem is that there are many admins out there that do it by the book, and just think that patching systems is enough. You have to work with the OS to keep it secure, not just rely on it. Of course, securing a platform like windows is fucking impossible, that's why we don't use it (not even in the desktops). But if you have a reasonably secure OS, you have to use the rest of your architecture plus some level of monitoring and log-watching to keep things safe.

      --
      WTF am I doing replying to an AC at 5 A.M on a Friday night?
    2. Re:EH by uvajed_ekil · · Score: 1

      A simple glitch doesn't mean I'm getting robbed.

      But, you see, some anonymous reader said you are probably already rooted. He said probably, which indicates there is greater than a 50% chance you are already screwed, so it must be true. Never mind that the summary reads like an ad, looks very fishy, and is preaching doom and gloom, it got approved here, so believe it!!! .01% insecure from an inside job means YOU ARE SCREWED!

      --
      This is a hacked account, for which the owner can not be held responsible.
    3. Re:EH by GNUALMAFUERTE · · Score: 1

      Damn dude, you owe me another one of these:

      http://www.sarcasmdetector.com/product.html

      --
      WTF am I doing replying to an AC at 5 A.M on a Friday night?
    4. Re:EH by Anonymous Coward · · Score: 0

      If I'm understanding this code properly, it's not a remote exploit. The attacker must already have a shell to be able to run the exploit code. If you have 64 bit machines that have shell accounts, you have some cause for concern. The Slashdot title and article heading are misleading and/or appear to be an attempt to instill FUD. Below is part of the exploit code that determines if the shellcode was successful and root status attained. If so, a local root shell process is created.

          /* exec */
          if(getuid() == 0)
          {
              pid_t pid;
              __pppp_tegddewyfg("$$$ bl1ng bl1ng n1gg4 :PppPpPPpPPPpP\n");
              pid = fork();
              if(pid == 0)
              {
                  char *args[] = {"/bin/sh", "-i", NULL};
                  char *envp[] = {"TERM=linux", "BASH_HISTORY=/dev/null", "HISTORY=/dev/null", "history=/dev/null", "HISTFILE=/dev/null", "HISTFILESIZE=0",
                                                  "PATH=/bin:/sbin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin", NULL };
                  execve("/bin/sh", args, envp);
              }
              else
              {
                  int status;
                  waitpid(pid, &status, 0);
              }
          }
          else
              __pppp_tegddewyfg("!!! y0u fuq1ng f41l. g3t th3 fuq 0ut!\n");

          close(s);
          return 0;
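      The fragment quoted above launches its shell with HISTFILE=/dev/null, HISTFILESIZE=0 and similar variables so the session leaves no history behind. That is an anti-forensics indicator a defender can look for. The script below is an added example, not code from the thread or from the exploit: it parses the NUL-separated /proc/<pid>/environ format and flags uid-0 processes whose environment disables shell history. The indicator heuristic, the ProcRecord shape and the sample records are my own constructions.

```python
"""Flag root processes whose environment suppresses shell history.

Added example. The heuristic (history-disabling variables on a uid-0
process) and the sample records are constructed, not taken from the thread.
"""
import os
from dataclasses import dataclass

# Values that disable or blackhole shell history.
HISTORY_SINKS = {"/dev/null", ""}
HISTORY_VARS = {"HISTFILE", "BASH_HISTORY", "HISTORY", "history"}
HISTORY_SIZE_VARS = {"HISTFILESIZE", "HISTSIZE"}


@dataclass
class ProcRecord:
    pid: int
    uid: int          # effective uid, from /proc/<pid>/status
    exe: str          # resolved /proc/<pid>/exe
    environ: bytes    # raw contents of /proc/<pid>/environ


def parse_environ(raw: bytes) -> dict:
    """Parse the NUL-separated KEY=VALUE format of /proc/<pid>/environ."""
    env = {}
    for entry in raw.split(b"\0"):
        if not entry:
            continue
        key, sep, value = entry.partition(b"=")
        if sep:
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def history_suppression_findings(env: dict) -> list:
    """Return the history-disabling settings present in one environment."""
    findings = []
    for var in sorted(HISTORY_VARS):
        if var in env and env[var] in HISTORY_SINKS:
            findings.append(f"{var}={env[var] or '<empty>'}")
    for var in sorted(HISTORY_SIZE_VARS):
        if env.get(var) == "0":
            findings.append(f"{var}=0")
    return findings


def suspicious_root_shells(records) -> list:
    """Return (pid, exe, findings) for uid-0 processes with history disabled.

    Restricting to uid 0 keeps the noise down: an unprivileged user turning
    off their own history is their business; a root shell doing it is odd.
    """
    hits = []
    for rec in records:
        if rec.uid != 0:
            continue
        findings = history_suppression_findings(parse_environ(rec.environ))
        if findings:
            hits.append((rec.pid, rec.exe, findings))
    return hits


def collect_proc(proc_root: str = "/proc") -> list:
    """Read live records from /proc (Linux only; unreadable processes are skipped)."""
    records = []
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        base = os.path.join(proc_root, name)
        try:
            with open(os.path.join(base, "environ"), "rb") as fh:
                environ = fh.read()
            with open(os.path.join(base, "status")) as fh:
                uid_line = next(l for l in fh if l.startswith("Uid:"))
            uid = int(uid_line.split()[2])   # columns: real, effective, saved, fs
            exe = os.readlink(os.path.join(base, "exe"))
        except (OSError, StopIteration):
            continue
        records.append(ProcRecord(int(name), uid, exe, environ))
    return records


# Constructed sample: a normal root daemon, a user's shell that disabled its
# own history (not flagged), and a root shell whose environment matches the
# pattern in the quoted fragment.
SAMPLE_RECORDS = [
    ProcRecord(412, 0, "/usr/sbin/sshd", b"PATH=/usr/sbin:/usr/bin\0LANG=C\0"),
    ProcRecord(5120, 1000, "/bin/bash", b"HOME=/home/alice\0HISTFILE=/dev/null\0"),
    ProcRecord(5188, 0, "/bin/sh",
               b"TERM=linux\0BASH_HISTORY=/dev/null\0HISTFILE=/dev/null\0"
               b"HISTFILESIZE=0\0PATH=/bin:/sbin:/usr/sbin:/usr/bin\0"),
]

if __name__ == "__main__":
    for pid, exe, findings in suspicious_root_shells(SAMPLE_RECORDS):
        print(f"pid {pid} ({exe}): {', '.join(findings)}")
```

      Run against the constructed sample it reports only pid 5188; replace SAMPLE_RECORDS with collect_proc() on a Linux host to check live processes (reading other users' environ requires root).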

    5. Re:EH by man_of_mr_e · · Score: 1

      And this is why so many people get compromised. You think "Oh, it's just a local vulnerability".

      The problem is, virtually anything you might do that goes out onto the internet could potentially exploit a local vulnerability. Unless you don't allow people to access the internet at all, your web browser, email client, streaming radio player, Instant Messenger, etc.. all of them can (and probably do) have flaws that could be used in conjunction with a local root vulnerability to gain root access. Let's say you're one version behind on Firefox, well any malicious hacker can own your computer by combining this vulnerability (or any of several others) with this local root vulnerability and you're owned.

      All you have to do is visit the attackers site. Bam. Ownage. Should someone actually want to do so.

    6. Re:EH by Cylix · · Score: 1

      This is of course why many many places have separate network segments for both desktops and server environments.

      I'm not saying it's not a valid and good tactic for attack. Indeed, all of the big ones in recent years generally came from the desktop environment. Juicy ones such as microsoft source and the half life source code were directly launched through user mail.

      This is also another reason why corporate environments also invest heavily in deployment and security on the desktop. ie, why corporate desktop images suck balls.

      --
      "You should always go to other people's funerals; otherwise, they won't come to yours." -- Yogi Berra
    7. Re:EH by ToasterMonkey · · Score: 1

      This is a local exploit so I'm not horribly concerned and here is why.

      You should always treat your systems as if an exploit already exists for both remote and local connections.

      But then we can't stand by our "UNIX (and Linux by extension of magic) is a multi-user operating system designed with security in mind. As opposed to you know, the other guys."

      I'm being serious, and I know you are too. If you don't trust your system to protect itself then that's that, it's just not secure for a multiuser environment. Add to that nobody really trusts any x86 hardware enough to run more than one critical application at a time and you end up with buttloads of them. As the number of systems scales up, you have to trust the OS to take care of itself. A handful of admins can't keep up with all of the hundreds of servers they're often tasked with babysitting. Most places don't even have a comprehensive list of all of them.

      If someone could compromise an input vector and piggyback the exploit that still wouldn't get them very far. In fact, without knowing key details regarding the network infrastructure they would simply nab a host that could not reach the outside world.

      1. Just as breaking into someone's user account is more worthwhile than rooting their desktop, rooting your web tier might be more than enough to steal reams of valuable information. Think about what goes into and out of your web tier. With such an elaborate network setup, I bet you're trying to protect something valuable in the back, huh?
      2. Insider. *coughgooglecough*

    8. Re:EH by Anonymous Coward · · Score: 0

      Exactly the reason why discovering some vulnerability for windows/office or some shit doesn't really matter. Because you should have several layers of security. But of course that doesn't matter when slashdotters are in winbashing mode.

    9. Re:EH by Anonymous Coward · · Score: 0

      and most things of real value inside are doubly secured (source code is encrypted, money is in the safe)

      Agree with your point, but not your example. These days, most competitors would treat your source code like it was a bomb waiting to blow up in their faces. You'd make more money from them if they had your source code than they would.

      For the companies I've worked for, people could copy our product but it's not like they could turn around and sell it to our customers and target market. Copying it verbatim would get them sued and make them lose credibility (and possibly even give us positive publicity), reinventing it would take them time.

      In most cases, people don't need the source code to copy your stuff/ideas.

      As for the cash, only drug lords keep around massive amounts of cash. So the finance guys (internal or external) have a better chance of hurting your company more than some thief stealing your hard cash :).

      Most companies don't really have any "crown jewels" worth spending millions on tech and procedures to secure. There's no need. The reason why McD, KFC and Coca Cola have many customers is not because they spent millions keeping their recipes secret. Did the actual leak of the iphone 4 really hurt Apple? I doubt it.

      That said, there's stuff like customer credit card info, medical records, and "other people's money".

      Point is you should keep things secure, but being too obsessive and paranoid about it is a waste of time and resources for most companies.

    10. Re:EH by shaitand · · Score: 1

      "As the number of systems scales up, you have to trust the OS to take care of itself. A handful of admins can't keep up with all of the hundreds of servers they're often tasked with babysitting. Most places don't even have a comprehensive list of all of them."

      As an Enterprise security guy I have to disagree. The gp is on the right track and his idea can be implemented at the firewall.

      A Juniper SRX/SSG firewall can easily isolate everything from everything else and perform IDS/IDP checks for known malicious traffic on everything else that is allowed. Fscking fast for what it is too.*

      Where enterprise fails is paying closer attention. First this was patched before you ever heard about it (duh, it's a revert, the patch was written a long time ago). Enterprise environments will be painfully slow about applying it. Especially since it's a kernel patch.

      Second, Enterprise assumes that simply having fancy intrusion detection and firewalls means they don't have to actually manually look at anything when there are signs of an attack.

      * Yes, that was a juniper device I just recommended. But by all means, keep paying $40k to get a switch that can run at true wirespeed. I'll stick with recommending $2k juniper devices that can do the same.

  8. *Yawn* Local Root Exploit by Greyfox · · Score: 4, Insightful

    If hostile users have local access, you're pretty much boned anyway.

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

    1. Re:*Yawn* Local Root Exploit by Anonymous Coward · · Score: 5, Insightful

      This doesn't require being physically close to the computer. For example, a web hosting company might give people limited permission ssh accounts on a web server, and the people could then use this exploit to get root.

    2. Re:*Yawn* Local Root Exploit by mlts · · Score: 4, Insightful

      Pretty much Greyfox sums it up right there. The days of having hundreds to thousands of users with shell access on a university or public access machine are long gone. Instead, the focus of security has moved from keeping users out of root [1] to keeping people from getting to the machine in the first place, and if they get to the machine via a networking protocol, not being able to execute code in any meaningful context on the machine.

      The only time I'd worry about this is if someone could get a shell or execute code in an application's context (say they manage to do a buffer overrun and are able to stick a user shell on a port, for example.) However, this is what AppArmor and SELinux are designed to stop anyway, so even with root context, an attacker is limited to what they can do.

      [1]: This isn't to say that user to root priv exploits are something to be completely neglected, of course.

    3. Re:*Yawn* Local Root Exploit by mysidia · · Score: 1

      A web hosting company might give people the ability to run PHP scripts on the web server. The user could cross-compile an exploit binary, upload it to the web server, then write a PHP script to cause the exploit binary to run non-interactively as a means of opening a backdoor where further access could be obtained.

    4. Re:*Yawn* Local Root Exploit by mysidia · · Score: 3, Informative

      The exploit in question actually includes a SELinux bypass. SELinux and AppArmor are not as great as you think; they are understood well enough that hackers can defeat them, and they are deployed on enough systems that hackers write their exploits so these protections are defeated.

    5. Re:*Yawn* Local Root Exploit by langelgjm · · Score: 5, Informative

      The days of having hundreds to thousands of users with shell access on a university or public access machine are long gone.

      What makes you say that? All of the three universities I've been at in the past eight years have provided shell access for all students and faculty to at least one cluster, and often more than one. The current university uses Solaris, so this particular issue isn't relevant, but I would be more surprised to hear of a university that doesn't offer shell access.

      --
      "Anyone who [rips a CD] is probably engaging in copyright infringement." - David O. Carson
    6. Re:*Yawn* Local Root Exploit by 0123456 · · Score: 2, Informative

      SELinux and AppArmor are not as great as you think; they are understood well enough that hackers can defeat them, and they are deployed on enough systems that hackers write their exploits so these protections are defeated.

      SELinux and Apparmor can't do much if you have an exploit that allows you to execute arbitrary code inside the kernel (which I believe this does). But they'll certainly stop the kind of random buffer overflow exploit that's been the most common avenue of remote attack.

    7. Re:*Yawn* Local Root Exploit by oiron · · Score: 1

      The exploit in question actually includes a SELinux bypass. SELinux and AppArmor are not as great as you think; they are understood well enough that hackers can defeat them, and they are deployed on enough systems that hackers write their exploits so these protections are defeated.

      Cue scary Theremin music

    8. Re:*Yawn* Local Root Exploit by mysidia · · Score: 3, Informative

      SELinux and Apparmor can't do much if you have an exploit that allows you to execute arbitrary code inside the kernel (which I believe this does). But they'll certainly stop the kind of random buffer overflow exploit that's been the most common avenue of remote attack.

      They will stop the simple use of a buffer overflow exploit to do something the program with the vulnerability couldn't do.

      That is: a buffer overflow exploit allows running arbitrary code in the context of the program. SELinux limits what files can be accessed by arbitrary code based on security labels.

      However, if there is also a vulnerability in the kernel, SELinux cannot stop a buffer overflow in a program from being used in conjunction with a kernel vulnerability, to run arbitrary code in kernel mode.

      Basically: buffer overflow in a program + kernel escalation bug = SELinux or AppArmor fail

    9. Re:*Yawn* Local Root Exploit by IICV · · Score: 1, Offtopic

      Heh, I think you don't quite understand what "local access" means.

      It means that the user has an account on the machine, which may be used remotely. It doesn't mean that they have physical access to the computer.

      Local user accounts are generally considered to only be a short step up from actual physical access in terms of how big your vulnerability surface is. College students have been proving for years that once you give someone a local user account, you've almost certainly given them root access at some point in the future.

    10. Re:*Yawn* Local Root Exploit by Sulphur · · Score: 1

      The exploit in question actually includes a SELinux bypass. SELinux and AppArmor are not as great as you think; they are understood well enough that hackers can defeat them, and they are deployed on enough systems that hackers write their exploits so these protections are defeated.

      Cue scary Theremin music

      Well Theremin was a spy.

    11. Re:*Yawn* Local Root Exploit by man_of_mr_e · · Score: 1

      Fail.

      Open web browser, go to site which exploits a flaw in your browser. Hostile attacker can run arbitrary code as you, the user. Hostile attacker executes local privilege escalation exploit. You are owned. Game over.

      If you use code to access any remote data, there's always a chance that attackers can exploit you locally.

    12. Re:*Yawn* Local Root Exploit by DarwinSurvivor · · Score: 1

      Actually, lots of (good) hosts offer ssh access with limited shells (file management and the ability to reload some settings, etc).

    13. Re:*Yawn* Local Root Exploit by microbee · · Score: 3, Insightful

      Mod the parent up. It's funny how certain folks try to downplay a security hole like this just because it happens on Linux.

    14. Re:*Yawn* Local Root Exploit by drsmithy · · Score: 1

      If hostile users have local access, you're pretty much boned anyway.

      All a hostile user has to do is convince a non-hostile user to trust them. The vast, vast number of successful Windows "exploits" that rely on this process should hopefully provide sufficient evidence that it's not a particularly difficult feat to achieve.

    15. Re:*Yawn* Local Root Exploit by Anonymous Coward · · Score: 0

      A local user like "nobody", "www", "apache" or whatever it's called on your system...

      If you combine this with an Apache bug, you have a remote root exploit.

    16. Re:*Yawn* Local Root Exploit by SorcererX · · Score: 1

      The last university I was at provided shell access to 64-bit Linux and Solaris to all students, but also AIX if you had supercomputing classes. It'd be interesting to know if the 64-bit Linux system was exploitable, but I'd rather not give it a try.

      --
      Any sufficiently advanced technology is indistinguishable from magic.
    17. Re:*Yawn* Local Root Exploit by Antique+Geekmeister · · Score: 1

      I don't know where you attend, but where I've worked, people always have shell access to at least one testing host environment and often have NFS access to home directories. Coupled with local root exploits, that leaves any no-password SSH keys and subversion or CVS stored passwords, and jabberd daemon stored passwords or poorly encrypted .htpasswd server files running on a server that they can reach out to, quite accessible. Then there is VNC, which stores passwords in $HOME which are encrypted, but only DES encrypted and therefore often crackable, and which does not enforce password changing policies. And there is the continuing stream of fools who teach students "Just set 'xhost +' and set your X display to your local machine, and your remote X programs will work correctly". I continually have to educate sophisticated users about that one.

      Students often have virtualized environments running on their desktops or laptops for access or for running servers they care to test with, and those are often not under the management of IT sufficiently to enforce upgrades. It's a big security problem. So yes, local root exploits remain an ongoing issue.

    18. Re:*Yawn* Local Root Exploit by Travoltus · · Score: 1

      I despise university shells. Give me internet access and Linux/FreeBSD on my own machine with the proper apps for a given class and I'm off to the races. Of course sometimes you need apps that are only available on their systems. Argh. That's when I wish there was a GPL version of Citrix or something like that.

      --
      --- Grow a pair, liberals... stop letting the Republicans bully you!
    19. Re:*Yawn* Local Root Exploit by Anonymous Coward · · Score: 0

      SELinux and AppArmor are going to catch the low-hanging fruit. Basically to keep you from doing stupid mistakes. It's not much more than a permission system on steroids (more than regular file system permissions it protects in finer detail and protects things that aren't traditional files such as network ports).

      Nothing is the end-all be-all of security. Instead, we layer things together so that attackers have to get past multiple defenses in order to cause damage or access data.

      Layers like:

      - Controlling how you can access the server remotely
      - Who can access and what they're allowed to do
      - No more plain-text authentication tokens over the network
      - Password strength or public-key authentication
      - File system permissions
      - SELinux / AppArmor
      - Buffer-overrun checks or NX bits
      - Keeping processes separate in memory
      - Limiting open ports
      - Operate on "least privilege" basis
      - Design the system to limit damage potential

      Just to name a small handful... so even if one defense is broken, or even a handful, the attacker's job is made at least an order of magnitude more difficult. Either their code gets more complex or they don't succeed as often as they like due to fragile attack code.
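      Several of the layers in that list can be checked mechanically. The script below is an added example, not from the thread: it parses a collected sshd_config (first occurrence of a keyword wins, as sshd itself behaves; Match blocks are skipped), and evaluates the SELinux enforce flag, the ASLR sysctl and the set of listening TCP ports against an allow-list. The HostSnapshot structure, the check set and both sample snapshots are my own constructions.

```python
"""Audit a few of the defense layers named in the comment above.

Added example. Settings are passed in as already-collected text so it runs
offline; the WEAK and HARDENED snapshots below are constructed samples.
"""
from dataclasses import dataclass, field


@dataclass
class HostSnapshot:
    sshd_config: str               # contents of /etc/ssh/sshd_config
    selinux_enforce: str           # contents of /sys/fs/selinux/enforce ("1" = enforcing)
    randomize_va_space: str        # contents of /proc/sys/kernel/randomize_va_space
    listening_tcp_ports: set = field(default_factory=set)
    allowed_tcp_ports: set = field(default_factory=set)


def parse_sshd_config(text: str) -> dict:
    """Return keyword -> value with lowercase keywords and comments stripped.

    sshd uses the first value it sees for a keyword, so the first one wins.
    Everything from the first Match block on is conditional and is ignored
    in this simplified parser.
    """
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def audit(snapshot: HostSnapshot) -> list:
    """Return one finding per weakened layer; an empty list means every check passed."""
    findings = []
    ssh = parse_sshd_config(snapshot.sshd_config)

    # Layer: password strength or public-key authentication (sshd default is yes).
    if ssh.get("passwordauthentication", "yes").lower() == "yes":
        findings.append("ssh: password authentication enabled; prefer public keys")

    # Layer: who can access / least privilege.
    if ssh.get("permitrootlogin", "yes").lower() == "yes":
        findings.append("ssh: root login permitted; use unprivileged accounts plus sudo")

    # Layer: mandatory access control.
    if snapshot.selinux_enforce.strip() != "1":
        findings.append("selinux: not enforcing")

    # Layer: memory-corruption mitigations (ASLR alongside NX).
    if snapshot.randomize_va_space.strip() != "2":
        findings.append("kernel: randomize_va_space is not 2 (full ASLR)")

    # Layer: limiting open ports.
    unexpected = sorted(snapshot.listening_tcp_ports - snapshot.allowed_tcp_ports)
    if unexpected:
        findings.append(f"network: unexpected listening ports {unexpected}")

    return findings


# Constructed samples. Note the commented-out PasswordAuthentication line in
# WEAK: sshd ignores it, so the default (yes) applies.
WEAK = HostSnapshot(
    sshd_config="Port 22\nPermitRootLogin yes\n# PasswordAuthentication no\n",
    selinux_enforce="0\n",
    randomize_va_space="1\n",
    listening_tcp_ports={22, 80, 6667},
    allowed_tcp_ports={22, 80},
)
HARDENED = HostSnapshot(
    sshd_config=("Port 22\nPermitRootLogin no\nPasswordAuthentication no\n"
                 "Match User backup\n    PasswordAuthentication yes\n"),
    selinux_enforce="1\n",
    randomize_va_space="2\n",
    listening_tcp_ports={22, 80},
    allowed_tcp_ports={22, 80},
)

if __name__ == "__main__":
    for name, snap in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"{name}: {audit(snap) or ['no findings']}")
```

      The point of running several cheap checks together is the one the comment makes: no single layer has to be perfect, but an auditor should know which ones are currently off.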

    20. Re:*Yawn* Local Root Exploit by Anonymous Coward · · Score: 0

      The days of having hundreds to thousands of users with shell access on a university or public access machine are long gone.

      Some people still run a Beowulf cluster you insensitive clod!

    21. Re:*Yawn* Local Root Exploit by Greyfox · · Score: 1

      It doesn't particularly matter if it's this flaw or another one. Once a hostile party has local access, you're pretty much boned anyway. They can just drop a backdoor somewhere under your non-privileged user account and come back later, or they can start going down the list of all possible local privilege escalations until they find one that works.

      I agree that all security holes should be patched, but this isn't one I'd feel the need to take my computers off the internet for while I recompile my kernel.

      --

      I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

    22. Re:*Yawn* Local Root Exploit by bill_mcgonigle · · Score: 1

      If hostile users have local access, you're pretty much boned anyway.

      So, with this exploit you're one buggy CGI away from being pwned. And that's buggy as in "for some reason one user's script won't run in perl taint mode so he turned it off", not "we sell shell accounts to second graders for fifty cents a month". Outside of security research labs, we can thus reduce the O() of this problem to:

      If you have local users, you're pretty much boned anyway.

      This approximates the possibility, not the certainty, of course. And, yes, there's some guy somewhere who has SELinux set up so that this can't happen - I just mean the other 99.9%.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    23. Re:*Yawn* Local Root Exploit by Anonymous Coward · · Score: 0

      You obviously haven't been around a university recently, or a web host for that matter. There are still lots of "public access" machines with thousands of users. And to boot, a large number of those users know just enough to be dangerous.

    24. Re:*Yawn* Local Root Exploit by Anonymous Coward · · Score: 0

      perhaps english is a second language, but when someone says this is a "local exploit", they don't mean physical location.

      you essentially just repeated and proved the grandparent's entire point.

      when you have a unix or linux box, and there's a local exploit, the person doing the exploiting must already have a regular user shell login.

      hence the term "local".

      ssh is implied.

    25. Re:*Yawn* Local Root Exploit by Atomm · · Score: 1

      It doesn't matter if your host gives you SSH or not. I lock all of my websites down through Jail Shell, but one little XSS via open source software (because I'm lazy and don't stay on top of every single update) allows them to upload PHPShell. From there, they have Shell access via a webpage on your site.

      If you run PHP as an apache mod, then all the commands executed via PHPShell run as the apache process. It's amazing the trouble they can create with this.

      It's part of the reason I've started running PHP as CGI, but even that has its problems.

    26. Re:*Yawn* Local Root Exploit by QuantumBeep · · Score: 1

      You had me until the last word.

    27. Re:*Yawn* Local Root Exploit by Anonymous Coward · · Score: 0

      80% of all security breaches occur from within a company, usually by people who have been explicitly granted local access.

      All too often security focuses on stopping external violations (remote exploits). Which means they spend 80% of their energy to stop 20% of the threats. Not hard to see why the 80% number has remained rock steady for well over, at least, a decade now.

    28. Re:*Yawn* Local Root Exploit by Anonymous Coward · · Score: 0

      You do realize that AppArmor and SELinux are protection features that are enforced by the kernel, right? Once a kernel exploit hits and smashes your TCB (trusted computing base) to shreds, it's not worth shit.

    29. Re:*Yawn* Local Root Exploit by Anonymous Coward · · Score: 0

      Who the hell modded parent flamebait?

    30. Re:*Yawn* Local Root Exploit by judeancodersfront · · Score: 1

      Heh, I think you don't quite understand that web hosts are being taken down with this exploit:

      http://blog.iweb.com/en/2010/09/incident-panelbox-s001-affected-by-linux-vulnerability/5433.html

  9. Re:Bad Publicity... by JDmetro · · Score: 0

    I have 64 bit hardware but I run x86 based distros. 64 bit is only good for the extra RAM, maybe, to the desktop user. And there are still a lot of issues getting older programs to run on a 64 bit distro.

  10. Re:Bad Publicity... by cybrthng · · Score: 2, Interesting

    1. MS & Windows shills may laugh about this, but only because they feel your pain. Beyond that, what does making this statement even mean?
    2. 64bit hardware is cheap. You can buy an AMD64 X2 5000 Dual Core CPU for 38 bucks shipped.. add a mobo for another 45 and if you need ram, another 50. eBay for more savings

  11. k/x/ubuntu should be patched by now by Anonymous Coward · · Score: 0

    just checked my kernel version against the ubuntu advisory, all good.

    I guess the real story here is how quickly the holes are patched. No one should claim linux is perfect...but at least things like this should be fixed very quickly.

    In this case...all is well - thank you ubuntu team (and those of other distros) !

    1. Re:k/x/ubuntu should be patched by now by Anonymous Coward · · Score: 0

      So, the regression testing is all done? Testing all thousands of different hardware configs to make sure it didn't break anything? Testing all the thousands of different kernel modules to make sure they still work? Yeah.. Apparently checking in 5 lines of code into a git repo means "fixing" it in the F/OSS world. That's why 1% of the world uses Linux on their desktop.. no sane person should install an untested patch like this.

  12. slashdvertisement ... and full of crap. by GNUALMAFUERTE · · Score: 2, Insightful

    Now Ksplice is really starting to piss me off. This is at least the fifth time we've gotten this kind of crap on slashdot.

    Besides that, this is an escalation vuln ... it's local, ok? Not a remote exploit. And, regardless of all that, there's already a fix, which was promptly released before this got out of hand.

    So, between the ksplice assholes that abuse each vulnerability that is published to blow it out of proportion and somehow imply that you require ksplice to patch this without losing your job (I mean, come on, if your service is critical enough that it can't accept 2 minutes of downtime for a reboot, then you have redundancy and can update machines one by one without any real downtime); and the winslow assholes that don't understand shit about security and somehow think that this means that GNU/Linux is insecure and as bad as their shitty system, I'm going nuts every time there is a new vuln in the kernel.

    --
    WTF am I doing replying to an AC at 5 A.M on a Friday night?
    1. Re:slashdvertisement ... and full of crap. by sdasher · · Score: 2, Insightful

      Actually, RHEL and CentOS have still yet to release a fix. So for your average Linux sysadmin out there, there still isn't an easy-to-use fix. Well, besides Ksplice anyway.

    2. Re:slashdvertisement ... and full of crap. by Anonymous Coward · · Score: 0

      Now Ksplice is really starting to piss me off. This is at least the fifth time we've gotten this kind of crap on slashdot.

      To be fair, they were mentioned as kinda an afterthought.

      Also, there are like 2 or 3 average-to-fugly chicks on that team of weirdos and neckbeards, and you know how most of Slashdot's readership start pocketpooling themselves the second they see boobs and vaginas within 3 feet of a computer.

      Signed, Your pal,
      Ethan Fuentes

    3. Re:slashdvertisement ... and full of crap. by GNUALMAFUERTE · · Score: 0, Troll

      Come on. RHEL sucks, and the only people using it are noobs and sysadmins that didn't have the balls to tell their managers "fuck you, I'm installing slackware".

      CentOS is the same, but for cheap bastards.

      Regardless, you don't need an "easy fix". No qualified sysadmin uses the stock kernel that came with the distro in any critical server. If there's a patch, you'll just apply it to your sources and recompile. Only desktop users and not-critical services should rely on distro's updates. If you are relying on your distribution's updates for critical fixes on any service even remotely important, you are either fucking nuts or absolutely incompetent.

      --
      WTF am I doing replying to an AC at 5 A.M on a Friday night?
    4. Re:slashdvertisement ... and full of crap. by shutdown+-p+now · · Score: 4, Informative

      it's local, ok? Not a remote exploit.

      Ironically, a local exploit is somewhat more serious for Unix systems, because Unix hosters are much more likely to give shell access to their customers (effectively giving "local" access), while the most a typical Windows hoster will do is let you connect with IIS admin console.

    5. Re:slashdvertisement ... and full of crap. by dbIII · · Score: 1

      RHEL (or CentOS) is what the vendors of commercial software on Linux demand you have as a platform if you are ever going to get as far as a support person that has finished high school. You keep at least one in stock configuration so they can't blame it on anything else when their application has problems.

    6. Re:slashdvertisement ... and full of crap. by GNUALMAFUERTE · · Score: 0, Troll

      Well, what kind of proprietary crap are you running? choose better software, it's still your fault.

      --
      WTF am I doing replying to an AC at 5 A.M on a Friday night?
    7. Re:slashdvertisement ... and full of crap. by drsmithy · · Score: 1

      Regardless, you don't need an "easy fix". No qualified sysadmin uses the stock kernel that came with the distro in any critical server. If there's a patch, you'll just apply it to your sources and recompile. Only desktop users and not-critical services should rely on distro's updates. If you are relying on your distribution's updates for critical fixes on any service even remotely important, you are either fucking nuts or absolutely incompetent.

      Or your servers are being used for more important things that running a torrent server in your mother's basement.

    8. Re:slashdvertisement ... and full of crap. by RAMMS+EIN · · Score: 4, Interesting

      ``assholes that don't understand shit about security and somehow think that this means that GNU/Linux is insecure''

      It _is_ insecure. There are plenty of vulnerabilities being found and reported, and there are several things that many distributions could do to improve security. To name a few examples, many distros ship with stack smashing protection and address space layout randomization disabled, and allow pages to be writable and executable by default. Also, usually, many operations are reserved to the root user, and the root user can do everything which means that more programs than necessary run as root, and root has more power than necessary. These are not the properties of secure systems; it's not even close to state of the art security.

      ``as bad as their shitty system''

      I am not sure that such derogatory language makes the world a better place. I'm not even sure comparing the security of Linux with that of Windows is useful. If you do compare them, you will find that, at the very least, Microsoft has improved the security picture on Windows a great deal. In some cases, such as running with reduced privileges by default and only elevating privileges for programs that need it, they have merely caught up with Linux systems. But since Windows Vista, Windows ships with address space layout randomization and non-executable pages (Microsoft calls it DEP) enabled for many libraries and executables. Newer versions of Internet Explorer (certainly 8, but also newer versions of 7 if I'm not mistaken) are among those applications, and also include a "protected mode" where most of the program can't do very much at all, and all potentially harmful operations are concentrated in a small, trusted kernel running in a separate process. These are the sort of security measures taken by a vendor who takes security seriously. On the *nix side, you will find this kind of stuff in OpenBSD and a few specialty hardened Linux distros, and that's about it. Ubuntu has AppArmor, but hardly uses it.

      If you look at vulnerabilities, like the privilege escalation vulnerability in the story, I would not be surprised to find that more of these are being found and reported in Linux than in Windows these days. What that means about the relative security of Linux and Windows, I don't know. But clearly, serious security flaws are being found in Linux. As far as I am concerned, Linux's security track record is far from stellar, and there certainly isn't a strong security culture that will make this better in the near future. Easily applied security measures (see first part of my post) are being left on the table, and we have far too much code running in all-powerful kernel mode for me to be comfortable with (just one data point: I have over 100 MB of kernel modules on my system, and on the order of tens of megabytes in the running kernel image).

      Considering all the above, I would certainly refrain from calling names or making derogatory remarks against users of non-Linux systems. I don't profess to know which system is the most secure, all things considered, but I'm a firm believer in not needlessly stepping on people's toes.

      Kind regards,

      Your friendly neighborhood Linux guy

      --
      Please correct me if I got my facts wrong.
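
The post above claims that distributions leave non-executable stacks, ASLR and stack protection on the table. The following is an added example, not code from the thread or from any commenter, that checks those properties the way an admin would when auditing a host: it parses the ELF64 header and program headers of a binary for PT_GNU_STACK (executable stack or not) and ET_DYN (a position-independent main image, which the kernel's ASLR can relocate), looks for the `__stack_chk_fail` import string as a crude canary indicator, and reads the kernel's global `randomize_va_space` knob. The `make_elf` helper builds minimal in-memory fixtures so the check runs offline; those fixtures are constructed and are not loadable programs.

```python
"""Audit an ELF binary for NX stack, PIE and a stack-canary import, plus the
kernel ASLR setting. Added example; ELF parsing is hand-rolled from the
ELF64 layout, fixtures below are constructed in memory."""
import struct

PT_GNU_STACK = 0x6474E551   # program header the linker emits to describe stack permissions
PF_X = 0x1                  # executable flag in p_flags
ET_EXEC, ET_DYN = 2, 3      # e_type: fixed-address executable vs position-independent


def elf_hardening(data):
    """Return {"pie", "nx", "canary"} for a little-endian ELF64 image.

    nx is None when no PT_GNU_STACK header exists: old toolchains omit it and
    the kernel then grants an executable stack, so None is the unsafe case."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    e_type, = struct.unpack_from("<H", data, 16)
    e_phoff, = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    nx = None
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, p_flags = struct.unpack_from("<II", data, off)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
    return {
        "pie": e_type == ET_DYN,
        "nx": nx,
        # crude heuristic: a canary-protected binary imports __stack_chk_fail
        "canary": b"__stack_chk_fail" in data,
    }


def kernel_aslr_level(path="/proc/sys/kernel/randomize_va_space"):
    """0 = off, 1 = stack/mmap/vdso randomised, 2 = brk as well.
    Returns None when the knob is not readable (non-Linux, container, etc.)."""
    try:
        with open(path) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return None


def make_elf(e_type, phdrs, extra=b""):
    """Construct a minimal ELF64 image: 64-byte header, then one 56-byte
    program header per (p_type, p_flags) pair, then an opaque payload.
    Test fixture only; the result is not a runnable binary."""
    ehdr = bytearray(64)
    ehdr[:4] = b"\x7fELF"
    ehdr[4] = 2   # ELFCLASS64
    ehdr[5] = 1   # ELFDATA2LSB
    ehdr[6] = 1   # EV_CURRENT
    # e_type, e_machine (x86-64), e_version, e_entry, e_phoff, e_shoff,
    # e_flags, e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    struct.pack_into("<HHIQQQIHHHHHH", ehdr, 16,
                     e_type, 0x3E, 1, 0x400000, 64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 16) for t, f in phdrs)
    return bytes(ehdr) + body + extra


# Constructed fixtures: a hardened PIE with an RW (non-executable) stack and a
# canary import, a legacy executable with an RWX stack, and one with no
# PT_GNU_STACK header at all.
HARDENED = make_elf(ET_DYN, [(PT_GNU_STACK, 0x6)], b"\0__stack_chk_fail\0")
LEGACY = make_elf(ET_EXEC, [(PT_GNU_STACK, 0x7)])
NO_GNU_STACK = make_elf(ET_EXEC, [])

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    if target:
        with open(target, "rb") as fh:
            print(target, elf_hardening(fh.read()))
    else:
        for name, img in (("hardened", HARDENED), ("legacy", LEGACY), ("no-gnu-stack", NO_GNU_STACK)):
            print(name, elf_hardening(img))
    print("kernel randomize_va_space =", kernel_aslr_level())
```

Run it against a real binary with `python3 elfcheck.py /usr/sbin/sshd` to see what your distribution actually shipped; the canary heuristic only says the import is present, not that every function is instrumented, and PIE alone does not randomise anything if `randomize_va_space` is 0.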
    9. Re:slashdvertisement ... and full of crap. by minus9 · · Score: 1

      "Regardless, you don't need an "easy fix". No qualified sysadmin uses the stock kernel that came with the distro in any critical server. If there's a patch, you'll just apply it to your sources and recompile. Only desktop users and not-critical services should rely on distro's updates. If you are relying on your distribution's updates for critical fixes on any service even remotely important, you are either fucking nuts or absolutely incompetent."

      This is quite possibly the wrongest post I've ever read.

      Do you honestly believe sysadmins, real ones, not people with an old PC in their basement, dick around installing slackware and compiling custom kernels for thousands of servers?

      They run RHEL/Centos or SLES.
      They only use software from outside the repositories as a desperate last chance measure.

    10. Re:slashdvertisement ... and full of crap. by Anonymous Coward · · Score: 0

      Fuck yeah! and SuSE is for European metrosexual socialist lesbofags.

      And Ubuntu -- well, I guess y'all know already it's "Linux for human beings" -- i.e. for bucktooth hayseeds to install in between banging their sisters and watching NASCAR.

      Did we miss anyone?

    11. Re:slashdvertisement ... and full of crap. by ToasterMonkey · · Score: 1, Interesting

      and the winslow assholes that don't understand shit about security and somehow think that this means that GNU/Linux is insecure and as bad as their shitty system, I'm going nuts every time there is a new vuln in the kernel.

      Well at least Windows admins don't lash out at YOUR OS every time THEY have a vulnerability to deal with. Why is it every time Linux has a vulnerability you lash out like it's their fault? Who is attacking whom each time a flash, adobe, or core Windows vulnerability is announced? Why the anger?

      (I mean, come on, If your service is critical enough that it can't accept 2 minutes of downtime for a reboot, then you have redundancy and can update machines one by one without any real downtime)

      Hey theory, come meet practice.

      and the winslow assholes that don't understand shit about security

      This is funny because there is a 99% chance the Windows admins where you work (you have a job?) already have the infrastructure in place to report & patch & reboot on greater numbers of systems than you have, due to the frequency of their critical patches and volume of corporate desktops. Meanwhile, have fun double checking your fstab, init scripts, and 3rd party drivers, and scraping together a complete list of affected servers. Go brutalize a hundred servers with cat semiuptodatelist | while read s; do ssh -n $s yum -y update; done

      If it sounds like I'm bitter, it's because I've been there.

    12. Re:slashdvertisement ... and full of crap. by fwarren · · Score: 1

      You must have plenty of time on your hands to keep up on security enough that you know you need to patch and know where to get the patch.

      That is one of the nice services a good distro offers. Paying attention to all the security issues and patching the kernel for them.

      --
      vi + /etc over regedit any day of the week.
    13. Re:slashdvertisement ... and full of crap. by Anonymous Coward · · Score: 0

      GNU has nothing to do with the Linux operating system. GNU has its own operating system called HURD (GNU Mach microkernel running the servers of the HURD).
      GNU development tools and system software are not affected by a security flaw in the operating system running them, whether the OS is Linux (kernel), HURD or even any other like FreeBSD.

      You do not even understand that "GNU/Linux" is the development platform and not the operating system, which the Linux kernel is, as Linux is a monolithic kernel and not a microkernel, however much GNU people like to talk about Linux being such a [microkernel].

    14. Re:slashdvertisement ... and full of crap. by drinkypoo · · Score: 1

      Ironically, a local exploit is somewhat more serious for Unix systems, because Unix hosters are much more likely to give shell access to their customers (effectively giving "local" access), while the most a typical Windows hoster will do is let you connect with IIS admin console.

      If you can run CGI then you can upload and run and it doesn't matter. Also having shell access doesn't matter either because there are numerous shell interface emulators for php hosts.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    15. Re:slashdvertisement ... and full of crap. by drinkypoo · · Score: 1

      On the *nix side, you will find this kind of stuff in OpenBSD and a few specialty hardened Linux distros, and that's about it. Ubuntu has AppArmor, but hardly uses it.

      Uh, AppArmor is a capabilities-based security system like selinux, albeit not as good. Its functionality is not available on Windows! Linux also implements ASLR and NX. AFAIK windows does have a superior implementation of ASLR. As an aside, last I heard OSX had a useless implementation of ASLR, and has for several minor versions. But maybe they finally fixed that.

      If you look at vulnerabilities, like the privilege escalation vulnerability in the story, I would not be surprised to find that more of these are being found and reported in Linux than in Windows these days.

      Given that Microsoft finds some new ones every week, and they have less eyes than are on Linux, I would be very surprised if you were right.

      As far as I am concerned, Linux's security track record is far from stellar,

      ...and yet, it is dramatically better than Windows'. Are you a troll? I don't see how else you could possibly believe that Windows is more secure than Linux. Sure, I get security updates almost every day... but most of them are in applications, and on Windows I have to depend on each application to update itself, where on Ubuntu (or another Linux, but that's what I use now) I actually GET the updates. That suggests that the typical Linux server is a more secure package in practice even if you put the operating system aside. But if you don't, then it compares even MORE favorably. There have been plenty of remote privilege escalation exploits in Windows that went unpatched all too long. How long did it take them to fix RPC again?

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    16. Re:slashdvertisement ... and full of crap. by GNUALMAFUERTE · · Score: 1

      Ah, come on. This thread is full of windows fanbois lashing at us.

      --
      WTF am I doing replying to an AC at 5 A.M on a Friday night?
    17. Re:slashdvertisement ... and full of crap. by Anonymous Coward · · Score: 0

      Slackware is for people who think the Church of the SubGenius is still funny.

    18. Re:slashdvertisement ... and full of crap. by Anonymous Coward · · Score: 0

      the winslow assholes that don't understand shit about security

      Way to invalidate your comment. Anyone that says winslow, m$, windoze, etc is just demonstrating how idiotic they are.

      Plain facts:
      There is an exploit in 64bit Linux.
      There is a patch
      Ksplice love to over-emphasize exploits like this.
      End of story

    19. Re:slashdvertisement ... and full of crap. by segedunum · · Score: 1

      It _is_ insecure. There are plenty of vulnerabilities being found and reported

      Wow, really? Which part of 'this isn't a remote exploit' did you not understand, because that's what he was getting across. If you use and give out shell access then it's going to be something you'll want to update. There's no big deal about that. It happens, or does the fact that this is required occasionally on a Linux system mean that the sky has suddenly fallen in?

      Also, usually, many operations are reserved to the root user, and the root user can do everything which means that more programs than necessary run as root, and root has more power than necessary. These are not the properties of secure systems; it's not even close to state of the art security.

      Yer, that's why they're reserved for the root user and thanks for telling us that the root user has unlimited powers. I would never have guessed that, nor that there is a way around. Quite incredible. The majority of services run under their own username and environment and that has been standard practice for some time. Unlike Windows which tries to run a great deal as 'System' and thinks it is safe........ A user above administrator. What a stupid idea.

      If you do compare them, you will find that, at the very least, Microsoft has improved the security picture on Windows a great deal. In some cases, such as running with reduced privileges by default and only elevating privileges for programs that need it...

      Oh, what a surprise. A shill. What systems do you think forced Microsoft into doing all these things, and did them first?

      Your friendly neighborhood Linux guy

      I'm sure you are...........

      Who the hell modded this insightful?

    20. Re:slashdvertisement ... and full of crap. by Anonymous Coward · · Score: 0

      This is full of crap.

      Local root == remote root after a while, but it has NOTHING to do with anyone giving others Unix accounts.

      1. If they're desktops, there are man-in-the-browser attacks, crap from Adobe, pidgin, and any other security nightmares that let attackers bypass the firewalls. If an IPS in the way doesn't kill the packet, you're done for. The modern desktop (Windows OR Linux) is only safe if it is never allowed to connect to any unsafe network.

      2. If they're servers and provide any network services, the service can be attacked. If that service is vulnerable to something, the attacker is now a local user, and can use any local root bugs to become root (if he wants to. botnets don't need anything but a local user to send spam).

    21. Re:slashdvertisement ... and full of crap. by hesperant · · Score: 1

      To Friendly neighborhood Linux Guy,

      I applaud you for an attempt at breaking down the differences and coming to the rescue of Microsoft (who has indeed gotten better with Server 2008 and Win7). However, you sound quite informed unless the person reading it knows what you're talking about. I have run into this type of verbiage often in my career, which usually ends up mis-educating some would-be entrepreneur into thinking they are more aware than their IT team. Frankly you have misrepresented quite a few points and they need to be cleared up before totally contaminating the understanding of the untrained.

      a: In the Linux world, services do not always run as root; most do not run in the same group as root. Only custom apps will have the user root utilized when the developer needs to get something to work, then figure out what happened to permissions. Sometimes the dev will fail to complete that part of the project, opting to show a quick running version. Security in Linux is very good though not foolproof; there are 9 steps to make an application run automatically on a server (Download, compile/execute, Meet dependencies, Find dependent Libraries, ModKernel, Load modified Kernel, Cron/init, and finally maintain the open port). Each stage requires more than a simple entrance via exploitable web code, which can compromise the web server easily, resulting in off-running services such as PHP Mail agents for spam lists or partial TCP requests nestled in a complete TCP packet for DOS/Overflow attempts.

      b: The concept of Windows running services in protected separate running Kernels is great. However even Vista still runs a serial application stack, which means non-related applications can bring each other down. Services are all based on a single run process engine. While the engine can instantiate itself, this is the result of the system losing access to the original running engine. Now with MS Windows there is protected memory space, which is designed to render data non-readable in an overflow/dump attack. Linux has that too; it is called a best practice policy for operating systems.

      To summarize, please do some research on current technologies and advertising dogma before you use them in policy, project, or posting a response. Companies usually have two options when fixing problems with their products. 1. Fix them, (remember it is technology nothing is perfect). 2. Produce deceptively similar terminology to downgrade the alarm of the issue to the point of non existence. Unfortunately in the long run, option 1 is the cheapest and best practice, while option 2 is the most used.

    22. Re:slashdvertisement ... and full of crap. by Anonymous Coward · · Score: 0

      Windows security equates to this "Are you supposed to be here? Click yes or no. Yes? Here's the keys to the kingdom!" The only reason Linux is reported with so many vulnerabilities is that it's an open source system able to be scrutinized by anyone who can read and understand programming. Imagine what would happen if suddenly Windows became open source. There would be 55 gallon drums burning in the middle of office cubicles with terrified admins applying for federal firearms licenses anticipating armageddon similarly to how people in the south flood grocery stores for 8 months of supplies when a 1/4" of snow falls.

      I use both Windows 7 and CentOS. 7 on my desktop system I work from and CentOS running on our hosting servers. I trust the fact that legions of hackers are working hard trying to exploit vulnerabilities in open source software every minute of the day and that when something is found, it is patched quickly. The frequency at which this happens is comforting because it isn't that often. Windows on the other hand is closed source and most exploits discovered in the wild are stumbled upon or at best the result of educated guesses. There are a fraction of people with access to Windows source code compared to the multitudes who can see Linux source code. Compare that with the frequency security updates are released for both systems. How many security holes do you believe exist in Windows that we don't see compared to the ones we're told about?

      I trust my Windows 7 machine to do what I expect it to, give me something easy to work from where I don't have co-workers anywhere to come invade my machine (I work from home). What good is all the fancy data execution prevention when somebody can walk right up and simply click Yes when asked if they're the admin? If I'm ssh'd into our work servers doing admin tasks, I could walk away from the prompt and know that if anyone were to walk up they would have to work hard to escalate themselves to root status unlike my windows machine they could simply click yes on.

      As far as your statement that "there certainly isn't a strong security culture that will make this better in the near future" when referring to Linux. Your 23rd chromosome is showing.

    23. Re:slashdvertisement ... and full of crap. by JonJ · · Score: 1

      Actually, RHEL and CentOS have still yet to release a fix. So for your average Linux sysadmin out there, there still isn't an easy-to-use fix. Well, besides Ksplice anyway.

      RHEL/CentOS wasn't affected, so they really don't have to release a fix.

      --
      -- Linux user #369862
    24. Re:slashdvertisement ... and full of crap. by muckracer · · Score: 1

      > Do you honestly believe sysadmins, real ones, not people with an old PC in their basement
      > dick around installing slackware and compiling custom kernels for thousands of servers?

      Well, as a real Sysadmin you should know, that an official Slackware kernel (security update) comes as a package just as it does on RHEL or whatever. Of course you COULD compile your own, but then ditto for RHEL etc..

    25. Re:slashdvertisement ... and full of crap. by muckracer · · Score: 1

      > RHEL/CentOS wasn't affected, so they really don't have to release a fix.

      You're wrong. RHEL 5x (64-bit) IS affected. RHEL 4 and 3 are not.

    26. Re:slashdvertisement ... and full of crap. by TheCRAIGGERS · · Score: 1

      ...and yet, it is dramatically better than Windows'. Are you a troll? I don't see how else you could possibly believe that Windows is more secure than Linux.

      I think it depends on what one means when they say "more secure". Is it the actual amount of security vulnerabilities in a system, or is it the likelihood that they will be used, or is it the speed that vulnerabilities are fixed, or is it one of the many other questions one could fixate on? Or maybe all of the above?

      Do I think Linux is more 'secure' than Windows? Yes. Do I think that, if some 'leet haxor' wanted to 'pwn my box' (and unlike most people that say that actually had the skills to pull it off) that he could? Yes. Of course one could state that no matter what OS was in question.

      Just out of curiosity, when was the last time you reviewed the new source of an update to your Linux system before compiling it yourself? If not, how do you know somebody didn't sneak some vulnerable and/or malicious code in there?

      Point is- All OSes are insecure, even your pet one. Trying to figure out the one that is most secure is impossible to pin down because of semantics and statistical variables. It's not really worth ranting about.

    27. Re:slashdvertisement ... and full of crap. by drinkypoo · · Score: 2, Informative

      Just out of curiosity, when was the last time you reviewed the the new source of an update to your linux system before compiling it yourself? If not, how do you know somebody didn't sneak some vulnerable and/or malicious code in there?

      I don't know, but I have a better chance than with Windows.

      The continued prevalence of Windows XP brings Windows' security record down substantially, but even given modern software I only trust Microsoft to ship me vulnerable malware anyway.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    28. Re:slashdvertisement ... and full of crap. by RAMMS+EIN · · Score: 2, Informative

      ``Are you a troll?''

      No, I'm quite serious. But I might have led a few people astray by not stating my point more clearly.

      Let me start by saying that I am *not* claiming Windows is more secure than your favorite Linux-based OS. Nor am I claiming it's the other way around. I believe the relative security of these systems is undeterminable. If anyone does come up with a good definition of relative security, and a test that yields meaningful scores and rules out bias, I'm all ears. For now, I am just going to say that I don't know which of two complex systems is more secure.

      Now, since I believe it is impossible to determine whether or not Windows is more secure or less secure than whatever OS you would like to compare it to, I think words like "the winslow assholes that don't understand shit about security and somehow think that this means that GNU/Linux is insecure and as bad as their shitty system" are uncalled for. Especially considering that Microsoft has been hard at work to improve the security of Windows, while popular Linux distros are making absolutely no haste with including security solutions that have already been developed. That is the point I was trying to make.

      Maybe it's fun to point and laugh at the poor Windows-using sods and ridicule the poor security track record of their system, but, without a good security culture on our side, I'm afraid we might end up looking mighty foolish when the exploits start coming our way. And frankly, if our security culture consists of pointing and laughing and ignoring security solutions that _even Windows_ has adopted, I think we're in very bad shape. I don't care if we're doing better than someone else, I care that we aren't doing as well as I feel we should.

      --
      Please correct me if I got my facts wrong.
  13. Need help patching/checking by Anonymous Coward · · Score: 0

    I have an Ubuntu 10.04 cloud server and want to make sure everything is patched and not rooted. Does apt-get update/upgrade fix this particular exploit at this time? I also tried to run the Ksplice tool to see if I'm already rooted but it tells me this when I try to run it:

    $ ./diagnose-2010-3081
    Diagnostic tool for public CVE-2010-3081 exploit -- Ksplice, Inc.
    (see http://www.ksplice.com/uptrack/cve-2010-3081)

    $$$ Kernel release: 2.6.33.5-rscloud
    !!! Error in setting cred shellcodes

    Any advice?

    1. Re:Need help patching/checking by 0123456 · · Score: 1

      Ubuntu released the patch last week. Unfortunately you don't seem to be running an Ubuntu kernel.

    2. Re:Need help patching/checking by larry+bagina · · Score: 3, Funny

      post your ip address and root password and I'll check it for you.

      --
      Do you even lift?

      These aren't the 'roids you're looking for.

    3. Re:Need help patching/checking by nacturation · · Score: 4, Funny

      post your ip address and root password and I'll check it for you.

      127.0.0.1
      hunter2

      --
      Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
    4. Re:Need help patching/checking by Bobakitoo · · Score: 1

      Ubuntu does not have a root password. It is disabled by default and all login attempts will fail, just like you.

    5. Re:Need help patching/checking by Anonymous Coward · · Score: 0

      You will probably need to compile the source of the "diagnose" tool to get an accurate assessment. If you're operating in a cloud environment then you probably cannot update your kernel using the package manager. I would be more concerned about the web applications that are installed and any user accounts that may have shell access. For example, Joomla and phpMyAdmin are popular targets. Check your web content directories for files created by the web server user (www-data if I recall on Ubuntu) in the last week or so. Image upload directories are a good place to start. It isn't uncommon for out-of-date web applications to be exploited, the end result being a PHP shell sitting in a public directory. Have a look at your authentication and ftp logs as well. If you're seeing successful authentications from IP addresses that look out of place then you may be dealing with a compromise. Keep in mind this is advice in the most general sense but it should allow you to have some peace of mind until your cloud provider provides a patched kernel.
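      As an added example of the authentication-log check suggested above (constructed code, not from this thread or from Ksplice): a small C program that scans sshd "Accepted" lines in auth.log format and flags successful logins whose source address is outside a list of expected prefixes. The log lines and the expected-prefix list are constructed for the example.

```c
/* Added example: triage sshd "Accepted ..." lines from /var/log/auth.log
 * and flag successful logins from addresses an admin would not expect.
 * The log lines and the expected-prefix list below are constructed. */
#include <stdio.h>
#include <string.h>

#define MAX_FLAGGED 16

struct login {
    char user[64];
    char addr[64];
};

/* Address prefixes logins are expected from (constructed for the example). */
static const char *expected_prefixes[] = { "192.168.1.", "10.0.", NULL };

static int from_expected_source(const char *addr)
{
    for (const char **p = expected_prefixes; *p; p++)
        if (strncmp(addr, *p, strlen(*p)) == 0)
            return 1;
    return 0;
}

/* Parse one syslog line. Fills *out and returns 1 if the line is an sshd
 * "Accepted <method> for <user> from <addr> port ..." record, else 0. */
static int parse_accepted(const char *line, struct login *out)
{
    const char *p = strstr(line, "sshd[");
    if (!p)
        return 0;
    p = strstr(p, "Accepted ");
    if (!p)
        return 0;
    char method[32];
    if (sscanf(p, "Accepted %31s for %63s from %63s",
               method, out->user, out->addr) != 3)
        return 0;
    return 1;
}

/* Scan log lines; copy logins from unexpected sources into flagged[]
 * (at most max entries). Returns the number of entries flagged. */
int flag_unexpected_logins(const char *const *lines, size_t n,
                           struct login *flagged, size_t max)
{
    size_t count = 0;
    for (size_t i = 0; i < n && count < max; i++) {
        struct login l;
        if (!parse_accepted(lines[i], &l))
            continue;
        if (!from_expected_source(l.addr))
            flagged[count++] = l;
    }
    return (int)count;
}

/* Constructed sample lines in the auth.log format of the period. */
static const char *const sample_log[] = {
    "Sep 19 03:12:01 web1 sshd[2211]: Accepted publickey for deploy from 192.168.1.20 port 51022 ssh2",
    "Sep 19 03:15:44 web1 sshd[2250]: Failed password for root from 203.0.113.9 port 40011 ssh2",
    "Sep 19 04:02:17 web1 sshd[2301]: Accepted password for www-data from 203.0.113.9 port 40120 ssh2",
    "Sep 19 09:30:05 web1 sshd[2415]: Accepted publickey for alice from 10.0.3.7 port 53311 ssh2",
};

/* Run the scan over the constructed sample. */
int run_sample(struct login *flagged, size_t max)
{
    return flag_unexpected_logins(sample_log,
                                  sizeof sample_log / sizeof sample_log[0],
                                  flagged, max);
}

/* Convenience checks on the sample result. */
int sample_flagged_count(void)
{
    struct login f[MAX_FLAGGED];
    return run_sample(f, MAX_FLAGGED);
}

int sample_first_flagged_is(const char *user, const char *addr)
{
    struct login f[MAX_FLAGGED];
    if (run_sample(f, MAX_FLAGGED) < 1)
        return 0;
    return strcmp(f[0].user, user) == 0 && strcmp(f[0].addr, addr) == 0;
}

int main(void)
{
    struct login flagged[MAX_FLAGGED];
    int n = run_sample(flagged, MAX_FLAGGED);
    for (int i = 0; i < n; i++)
        printf("review: %s logged in from %s\n",
               flagged[i].user, flagged[i].addr);
    return 0;
}
```

      On a real host the lines would come from the auth log rather than the embedded array, and the prefix list would be the addresses administrators actually connect from.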

    6. Re:Need help patching/checking by Anonymous Coward · · Score: 0

      YEAH! I r00ted your system and ran rm -fr / now you're screwed.

    7. Re:Need help patching/checking by Anonymous Coward · · Score: 0

      post your ip address and root password and I'll check it for you.

      127.0.0.1
      hunter2

      Err..how did you know my password?

    8. Re:Need help patching/checking by Anonymous Coward · · Score: 0

      216.20.162.10
      M@F1AA

    9. Re:Need help patching/checking by cynyr · · Score: 1

      dang! i thought i was the only one with that password...

      could the GP check me too
      IP ::1
      pass "hunter2"

      --
      All of the above was encrypted with a Quad ROT-13 method. Unauthorized decryption is in violation of the DMCA.
    10. Re:Need help patching/checking by QuantumBeep · · Score: 1

      I can't see the password for some reason.

    11. Re:Need help patching/checking by Anonymous Coward · · Score: 0

      try this:

        sudo su -

      YOUR password is the ROOT password, OK?

    12. Re:Need help patching/checking by theendlessnow · · Score: 1

      Moving my IP address to 127.0.0.2 so we don't conflict. Do you think I should move it further down? What if everyone does this?

    13. Re:Need help patching/checking by gasgesgos · · Score: 1
      You didn't post your password, it just came up as

      127.0.0.1
      *******

  14. Oh what rubbish by Nursie · · Score: 1

    First you need remote access to my home machine, which is behind a NAT'd router and doesn't expose any services outside. That means that drive-by scanning won't work, and even if it did you'd have to find your way in via the only open port - ssh.

    My systems in the commercial space are properly firewalled. It's a bad thing if anyone has shell access to them at all, let alone root.

    1. Re:Oh what rubbish by catmistake · · Score: 1

      NAT routers are nice... like a honey trap, but functional. Unless it's wireless, too... that's sort of like having a house with a decent heavy front door... but no roof.

    2. Re:Oh what rubbish by DeathFromSomewhere · · Score: 1

      Cool anecdote bro. Thanks for reminding us all that every network on the internet is configured exactly like yours.

      --
      -1 overrated isn't the same thing as "I disagree".
    3. Re:Oh what rubbish by mysidia · · Score: 3, Informative

      You don't necessarily need shell access, just the ability to run a binary as any user.

      This could be done, for example, if it is a web server and there is a PHP script with a vulnerability. If a hacker can run arbitrary PHP code, then they can run code to accept an upload of the binary.

      Once the binary is uploaded to a world-writable directory such as /tmp or /var/lib/php/sessions, the hacker can use the ability to run arbitrary PHP code again to invoke fchmod(), make the binary executable then use the system's dynamic loader and execute the binary, as in passthru("/lib/ld-linux.so.2 /path/to/some/exploit/binary");

    4. Re:Oh what rubbish by Nursie · · Score: 1

      1. Wireless security has got a lot better. I don't run WEP

      2. To get in that way you have to get up close and personal, you can't do it from a continent away.

    5. Re:Oh what rubbish by oiron · · Score: 1

      Pretty much any decently setup service is, these days. Except for some specific use cases.

      In other words, 99% of users won't be affected even on 64bit

    6. Re:Oh what rubbish by Nursie · · Score: 1

      Well, not on my machines, but point taken, there are remote vulnerabilities in badly configured or badly written services.

      As ever it comes down to being bloody careful what you expose to the internet.

    7. Re:Oh what rubbish by QuantumBeep · · Score: 1

      You had better be using certificate-based encryption, or you have almost nothing.

      OK, I partially retract that. Bog-standard wireless encryption is enough to keep people from stealing your internet connection. For people who aren't worried about being deliberately targeted for data they possess, WEP could be enough.

    8. Re:Oh what rubbish by Nursie · · Score: 1

      What do you base that on?

      AFAICT, WPA2-PSK is safe for now, if used with a decently long PSK. No?

      WEP, OTOH is not even good enough to stop a lot of people using your net connection. Casual folks, sure, but anyone that wants to can break it.

  15. Not running it... by Dragoniz3r · · Score: 5, Insightful

    Am I the only person who says "hell no" to running that "diagnosis" program? After looking through the code real quick, I have no interest whatsoever in running a program that performs the very exploit I'm supposed to be scared of, cuz I don't have time to make sure Ksplice neutralized it properly. Also, since it's only a local exploit, I'm not concerned enough about it to run a diagnosis tool that implements it.

    And good lord god almighty, what 12 year old wrote this code, that they think having function names like put_your_hands_up_hooker() makes them cool?

    1. Re:Not running it... by Anonymous Coward · · Score: 0

      probably explains why they r stuck at some dead-end IT job doing hacking at night -- not mature enough to grow up and capitalize on the brains they got

    2. Re:Not running it... by cpghost · · Score: 1

      Am I the only person who says "hell no" to running that "diagnosis" program?

      Testing it in a quick throw-away VM (e.g. in VirtualBox) is always instructive though. Just don't run it on your real machine.

      --
      cpghost at Cordula's Web.
    3. Re:Not running it... by Anonymous Coward · · Score: 1, Insightful

      I don't know, glancing at the code it looks fairly clean.

      The naming convention, on the other hand, reverses all attempts to make the code tolerable.

      Maybe I am just getting old, but WTF is stuff like this about?

      __yyy_tegdtfsrer("!!! Un4bl3 t0 g3t r3l3as3 wh4t th3 fuq!\n");

      Really? Writing, "!!! Unable to get release, what the fuck?\n" was too hard?

    4. Re:Not running it... by Anonymous Coward · · Score: 0

      There is some seriously weird stuff in that code. Anyone know what the point of this stuff is?


      #define __dgdhdytrg55 unsigned int
      #define __yyrhdgdtfs66ytgetrfd unsigned long long
      #define __dhdyetgdfstreg__ memcpy
      #define TMAGIC_66TDFDRTS "/proc/timer_list"
      #define SELINUX_PATH "/selinux/enforce"
      #define RW_FOPS "timer_list_fops"
      #define PER_C_DHHDYDGTREM7765 "per_cpu__current_task"
      #define PREPARE_GGDTSGFSRFSD "prepare_creds"
      #define OVERRIDE_GGDTSGFSRFSD "override_creds"
      #define REVERT_DHDGTRRTEFDTD "revert_creds"
      #define __gggdfstsgdt_dddex(f, a...) do { fprintf(stdout, f, ## a); } while(0)
      #define __pppp_tegddewyfg(s) do { fprintf(stdout, "%s", s); } while(0)
      #define __print_verbose(s) do { } while (0)
      #define __xxxfdgftr_hshsgdt(s) do { perror(s); exit(-1); } while(0)
      #define __yyy_tegdtfsrer(s) do { fprintf(stderr, s); exit(-1); } while(0)

    5. Re:Not running it... by Anonymous Coward · · Score: 0

      Perhaps the hooker helped him with the code....

      I doubt he's a 12 year old though. Looks more like a 14 year old wrote it.

      /yes, I went through the code

    6. Re:Not running it... by Mr+Thinly+Sliced · · Score: 3, Funny

      Looks like a poor mans attempt at humour.

      I'd say from looking at it those were a bunch of sensible #defines before the code was released and in a fit of humour said author thought it would be funny to do a find and replace on the original ALL_CAPS_SENSIBLE_NAMES.

      It just looks cheap, if you ask me.

      Now back in my University days we had to implement the producers consumer problem in lisp and whilst I don't have the code to hand I do remember that I came up with the poem the code was going to say _before_ I wrote the code that solved the producers consumers assignment....

      The only thing that still sticks in my head is the first line:

      (hold_your (trousers) (lovelytrousers))

      Yes, the queue was a pair of trousers, and the widgets were sausages.

      Was fascinating, I tell you. And totally high class.

    7. Re:Not running it... by The_mad_linguist · · Score: 4, Funny

      This is all really transparent.

      You obviously get __yyrhdgdtfs66ytgetrfd to turn into __yyy_tegdtfsre by the addition of a reverse polish goto callback, an obscure function performed by overloading TMAGIC_66TDFDRTS and calling it every clock cycle.

      Using PREPARE_GGDTSGFSRFSD and OVERRIDE_GGDTSGFSRFSD is standard procedure when dealing with credentials that are formatted in octal precision trinary floating point, and reverting them via REVERT_DHDGTRRTEFDTD is a result of taking GGDTSGFSRFSD and applying the ')(' operator.

      And, of course, any competent CS professional who passed his first freshman year introductory course knows that gggdfstsgdt_dddex is the result of your cat walking across the keyboard.

    8. Re:Not running it... by Anonymous Coward · · Score: 0

      i saw it too, but i won't compile it until i know which is the payload and what the shellcodes do, the naming convention is not important.

    9. Re:Not running it... by sjames · · Score: 1

      That and it is packed full of such clear identifiers as dyn4nt4n1labeggeyrthryt and KERN_DGGDYDTEGGETFDRLAK.

    10. Re:Not running it... by Anonymous Coward · · Score: 0

      While I'm no C programmer, the Ksplice program appears to have copied code verbatim from the publicly available exploit code.

      I don't think Ksplice would publish a binary (and source) that would do anything bad. They depend on the Linux community for revenue. (and also on Slashdot, it seems, for helping them boost revenue with scare tactics)

    11. Re:Not running it... by radio4fan · · Score: 4, Informative

      And good lord god almighty, what 12 year old wrote this code, that they think having function names like put_your_hands_up_hooker() makes them cool?

      This is copied directly from Ac1db1tch3z's exploit.

      So the answer is Ac1db1tch3z thinks function names like put_your_hands_up_hooker() makes him cool.

    12. Re:Not running it... by Anonymous Coward · · Score: 0

      I don't know, glancing at the code it looks fairly clean.

      What the hell are you talking about? Do you know what instructions those binary arrays contain by just glancing at them?

      If code like this isn't scary, then I don't know what is.

      Compiling and executing this code is essentially the same as downloading a binary and executing it. There's no way that you could determine how safe it would be by just glancing at it.

      No wonder people are able to sneak exploits into Open Source projects...

    13. Re:Not running it... by shadowrat · · Score: 1

      I'm usually pretty forgiving in code reviews. If get_your_hands_up_hooker() is well commented and there is good use of whitespace, it can probably slide.

    14. Re:Not running it... by Julz · · Score: 1

      You know that it's also entirely possible that KSplice's site has been hacked by using the exact exploit code that we're all being told about and that this small piece of C code is in fact, as some of it definitely looks like, the exploit. With perhaps a few extra bits and pieces thrown in to divert attention. The thing that really worries me most is that in there is a very obvious statement that we're going to run this exploit and show you what's happening! Holy crappoly batman.

      It sounds like crap...It looks like crap...It certainly smells like crap...OMG it is crap!

      --
      When shit hits the fan get some of these https://youtu.be/pY-GncsZ-UE
    15. Re:Not running it... by Anonymous Coward · · Score: 0

      I've never understood why exploit writers have to obfuscate their code.
      Anyone able to actually spin his own version and claim he is an elite hacker himself can reverse engineer that quite easily.
      Use the damn inline assembly feature. And cut off the stupid gangsta bullshit.
      I'd be impressed with his abilities if I could see the code. Now I only assume the actual exploit is dirt easy and he sucks at writing back-doors and at actual underhandedness, needing tons of byte-code and pre-processor obfuscation.

    16. Re:Not running it... by Anonymous Coward · · Score: 0

      My mom tells me my function names make me cool.

    17. Re:Not running it... by Junior+J.+Junior+III · · Score: 1

      This is nothing to be alarmed about, they are merely reusing code from Grand Theft Auto.

      --
      You see? You see? Your stupid minds! Stupid! Stupid!
    18. Re:Not running it... by exomondo · · Score: 1

      And good lord god almighty, what 12 year old wrote this code, that they think having function names like put_your_hands_up_hooker() makes them cool?

      gees, it's like he's written the first program that his teacher isn't going to look at so he calls his functions whatever he wants. how exciting.

  16. Re:Bad Publicity... by mattventura · · Score: 1

    You don't even need that. PAE makes 64-bit unnecessary for a lot of things. Whenever I install linux on a USB drive with the intention of using it on multiple computers, I usually stick to a PAE-enabled 32-bit kernel, since it will work on older hardware and still support more than 4GB of RAM.

  17. Re:Bad Publicity... by simcop2387 · · Score: 5, Insightful

    There is something to be said though about going to a 64bit operating system. The fact that there are a little more than twice as many general purpose registers in the CPU available means that code can be compiled to not need to do memory fetches anywhere near as often, which means that the code will run faster. The extra addressing space has always been a red herring argument (e.g. i only need it if i have more than 4gb of ram).

  18. Patch on its way... by Korbinus · · Score: 1

    Downloading the fix from Ubuntu as I read this article :-)

    --
    *** Korbinus ***
    http://www.geotruc.net
    1. Re:Patch on its way... by jadedoto · · Score: 1, Informative

      Me too. Let's see Microsoft get a patch out that fast. ;)

    2. Re:Patch on its way... by Anonymous Coward · · Score: 1, Insightful

      Me too. Let's see Microsoft get a patch out that fast. ;)

      Yeah really fast 2+ years!

  19. Re:Bad Publicity... by Anonymous Coward · · Score: 0

    @JDMetro my x64 distro handles x86 programs just fine #osxftw #linuxsux

  20. FUD by proxima · · Score: 5, Insightful

    Running 64-bit Linux? Haven't updated yet? You're probably being rooted as I type this.

    C'mon now. As others have pointed out, and has been mentioned earlier on /., this is a local root exploit. It's bad, it affects a lot of users (in theory), but to write this is to simply spread fear for most of those using Linux.

    Why? Because the systems that inexperienced users run also happen to be those with a few, generally trusted users. Think netbooks. Sure, all local root exploits are bad and should be patched asap. But that doesn't mean "you're probably being rooted as I type this". It means that a remote attacker needs user-level privileges (say, with a browser or plugin vulnerability) first. Since Ubuntu and probably other major distros have already patched this, and the default settings for updates on these systems is to check fairly frequently, most end users will have the patched kernel quickly.

    That leaves multi-user systems. The admins of these servers certainly benefit from finding out about the vulnerability asap, and they did (including through previous stories here). By now, though, most admins should have something in place if they don't have full trust in their users. If they don't, they should definitely be looking at whether this was exploited.

    The bottom line is that there are many local root exploits which come out every year. This is the latest one, with a patch already available. Responsible admins of multi-user systems are used to dealing with this, and home users are almost certainly going to be patched before it causes any issues. For them, the latest Flash vulnerability is more worrisome. Even the extremely rare remote exploit of a service isn't usually an issue, since most modern distros don't start much of anything by default (including ssh, IIRC).

    --
    "The universe seems neither benign nor hostile, merely indifferent." --Carl Sagan
    1. Re:FUD by fnj · · Score: 1

      Absurdly sensationalistic line in the summary.

    2. Re:FUD by man_of_mr_e · · Score: 1

      First, unless you're using ksplice, you have to reboot. So it may download and install the new kernel, but unless the user reboots they're still vulnerable.

      Second, there's tons of apps that access the internet that can be potential points of ingress. Browsers, Flash, Acrobat, Media Players, etc.. many hackers sit on exploits to these kinds of programs so they can use them when a big flaw like this one is exposed, so unless you're completely isolated from the internet, you could potentially be vulnerable.

    3. Re:FUD by proxima · · Score: 1

      First, unless you're using ksplice, you have to reboot. So it may download and install the new kernel, but unless the user reboots they're still vulnerable.

      Yes, but the latest version(s) of Ubuntu ask if you want to reboot after installing kernel updates. So the user at least knows they're supposed to reboot as soon as they can.

      many hackers sit on exploits to these kinds of programs so they can use them when a big flaw like this one is exposed,

      Except that flaws like this one are discovered quite regularly. Just look through security updates for stable distributions like Debian.

      --
      "The universe seems neither benign nor hostile, merely indifferent." --Carl Sagan
    4. Re:FUD by Anonymous Coward · · Score: 1, Insightful

      Given a known flash vulnerability in the wild, that Adobe can't be bothered to fix promptly, that could be combined with the kernel hole to yield a remote root.

      Although there may not be enough 64 bit linux users who have jumped through all the hoops needed to get flash working, since its 64 bit support is so lame. Every cloud a silver lining.

    5. Re:FUD by proxima · · Score: 1

      Although there may not be enough 64 bit linux users who have jumped through all the hoops needed to get flash working, since its 64 bit support is so lame. Every cloud a silver lining.

      I think a lot of us use the 32 bit plugin either with the wrapper or with a 32 bit browser. I certainly switched away from the 64 bit plugin after that last vulnerability. I also use NoScript to enable it only on demand, but I'm not 100% sure it blocks it before anything is sent to the plugin.

      That said, most of the new Linux users I know use it on their netbooks, running Atom processors which don't support 64 bit instructions anyway.

      --
      "The universe seems neither benign nor hostile, merely indifferent." --Carl Sagan
    6. Re:FUD by Rick17JJ · · Score: 1

      I use a 64-bit Kubuntu Linux computer at home, but am not a professional computer person. But despite being concerned, I doubt that I am being rooted as I type this (at least I hope not).

      Several security and other updates have been downloaded and installed during the last several days. One of them seems to have been an updated version of the kernel. When I type "cat /proc/version," it says that I am using the 2.6.32-24-generic kernel. It was one of those rare updates where I was actually asked to reboot my computer.

      A security notice at Ubuntu.com said that with Ubuntu 10.04 LTS, the linux-image-2.6.32-24-generic was on the list of packages which would correct the problem. So, it appears that the vulnerability on my computer had already been patched about a day or so ago.

      I am the only user on my system and am not running a server. With my firewall, I always keep all the inbound ports closed and in stealth. In the outbound direction I have only a few ports open. I also have SSH blocked, in both directions. I have both the firewall on computer and the firewall in my DSL modem configured that way. I do not have wireless at home, just a CAT5 cable to my DSL modem.

      I use both the NoScript and Adblock Plus add-ons for Firefox. I only allow the use of scripts on websites which I use regularly and trust, or on certain websites where enabling scripts seems to be necessary.

      Ubuntu Security Notice USN-988-1 September 17, 2010

    7. Re:FUD by man_of_mr_e · · Score: 1

      Yes, local root vulnerabilities are often found, but they usually only affect a small percentage of the Linux population (usually because they're isolated to a particular distro's custom kernel). What makes this unique is that it basically affects all versions of Linux.

  21. OMG GNU + Linux machines being rooted? by Anonymous Coward · · Score: 0

    What's new in that? Tons of GNU + Linux webservers are rooted & defaced every single day. Yawn... most non-zealots already knew that.

  22. Re:Bad Publicity... by uvajed_ekil · · Score: 1

    I'm not rich enough to afford 64bit hardware, but still this is not good...

    Dang, my 3 year-old laptop, mid-level (at best) when it was new, runs 64-bit operating systems, and so does the $200 desktop I just built for my mom. There's plenty of decent 3-4 year-old hardware available used for dirt cheap that is 64-bit. This isn't a new thing any more, and you don't have to be rich. That comment just sounds odd in 2010, unless you are not in an English-speaking country or Western Europe.

    --
    This is a hacked account, for which the owner can not be held responsible.
  23. Re:Bad Publicity... by HTMLSpinnr · · Score: 2, Interesting

    ... until you get closer to 16GB of RAM and you start running out of lowmem (especially on older 2.4 kernel systems).

    --
    $ man woman *
    -bash: /usr/bin/man: Argument list too long
  24. Re:OSS Strikes Again by 0123456 · · Score: 2, Informative

    Tell us how great OSS is.

    OSS is great... my Ubuntu machines were already patched a day before the first scare stories about this exploit appeared here on Slashdot.

  25. It appears to be safe. (was: Re:Not running it...) by Anonymous Coward · · Score: 1, Informative

    I'm not the king of all C coders, and please for the love of all that is good and holy don't trust some random stranger on the internet, but I read the source and if it's doing anything bad, it's doing it quite sneakily -- more so than I'd expect the teenager who wrote the exploit source to be capable of, frankly.

    Now, do I wish the ksplice guys would've cleaned up/de-obfuscated their 'borrowed' code to make it a little less alarming-looking? Yep. Do I wish they weren't doing their ridiculous Chicken-Little routine in a transparent attempt to move some product? Also yes. Could that binary be pretty much anything? Uh-huh.

    Is anything bad going to happen to you if you compile and run that C code? As far as I can tell, no.

  26. Obvious by Konster · · Score: 1

    The obvious way to have the most fum with this is to run a W7 host with a Linux client in a VM so you can be rooted while you are being rooted. ;)

    1. Re: Obvious by Black+Parrot · · Score: 1

      so you can be rooted while you are being rooted

      rooted * rooted = square rooted ?

      --
      Sheesh, evil *and* a jerk. -- Jade
    2. Re:Obvious by LocalH · · Score: 1

      The obvious way to have the most fum with this is to run a W7 host with a Linux client in a VM so you can be rooted while you are being rooted. ;)

      Fum? Is that the Web 2.0 version of fun?

      --
      FC Closer
  27. Re:Bad Publicity... by marcansoft · · Score: 5, Interesting

    Microsoft already felt the pain, because the Xbox 360 hypervisor got owned by the same exact hole. It would almost be the same instruction-by-instruction identical bug were it not for the fact that the 360 is a PowerPC system and this is an x86_64 hole. Yes, they, too, used a 32-bit compare to check the system call number, then indexed into the array using the full 64 bits, exactly the same bug that caused this Linux hole.
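    As an added illustration of the bug pattern this comment describes (constructed C, not the kernel's, the hypervisor's or the exploit's code): a range check that looks only at the low 32 bits of a number, beside one that checks the full 64-bit value that is then used as the table index. The handler table and its entries are constructed stand-ins.

```c
/* Added example: the "32-bit compare, 64-bit index" pattern in miniature.
 * The table and its handlers are constructed stand-ins for a syscall table. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

typedef long (*handler_fn)(void);
static long sys_zero(void) { return 10; }
static long sys_one(void)  { return 11; }
static long sys_two(void)  { return 12; }

static handler_fn sys_table[] = { sys_zero, sys_one, sys_two };
#define NR_SYSCALLS (sizeof sys_table / sizeof sys_table[0])

/* Vulnerable pattern: the range check sees only the low 32 bits of the
 * number (as a 32-bit compare would), while the caller later indexes
 * with the full 64-bit value. Returns 1 if the check passes and stores
 * the index that would actually be used. */
int check_vuln(uint64_t nr, uint64_t *index_used)
{
    uint32_t low32 = (uint32_t)nr;
    if (low32 >= NR_SYSCALLS)
        return 0;
    *index_used = nr;           /* high bits were never examined */
    return 1;
}

/* Hardened pattern: check and index the very same 64-bit value. */
int check_fixed(uint64_t nr, uint64_t *index_used)
{
    if (nr >= NR_SYSCALLS)
        return 0;
    *index_used = nr;
    return 1;
}

/* 1 if the vulnerable check lets nr through with an index past the table. */
int vuln_check_escapes(uint64_t nr)
{
    uint64_t idx;
    return check_vuln(nr, &idx) && idx >= NR_SYSCALLS;
}

/* Dispatch through the hardened check; this never indexes out of range. */
long dispatch_fixed(uint64_t nr)
{
    uint64_t idx;
    if (!check_fixed(nr, &idx))
        return -1;              /* stands in for -ENOSYS */
    return sys_table[idx]();
}

int main(void)
{
    /* A valid number, one past the end, and one with a stray high bit. */
    const uint64_t probes[] = { 1, 3, 0x100000001ULL };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        uint64_t nr = probes[i];
        printf("nr=0x%llx: vulnerable check escapes table=%d, fixed dispatch=%ld\n",
               (unsigned long long)nr, vuln_check_escapes(nr), dispatch_fixed(nr));
    }
    return 0;
}
```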

  28. Then perhaps do as the GP asks by Sycraft-fu · · Score: 3, Insightful

    Point out a current remote root exploit in Windows. To the best of my knowledge, there are none. Which means that the original poster is just fluffing his feathers trying to divert attention from the Linux issue.

    While this isn't something that means Linux is majorly insecure or anything, it is a Linux issue. However fanboys don't like that, they can't just say "Yep, there's a problem." Instead they want to try and deflect it, make it about something else. So he deflects the issue by claiming there are some nebulous "remote root bugs," without any specifics.

    1. Re:Then perhaps do as the GP asks by Hackeron · · Score: 4, Informative

      Just a quick google search: http://secunia.com/advisories/41122

      There are quite a few listed on secunia, it's a really good site. Currently lists 10 unpatched vulnerabilities in Windows Vista, none for Linux surprisingly, it must be a conspiracy against Microsoft and those damn Linux fanboys.

    2. Re:Then perhaps do as the GP asks by IICV · · Score: 1

      Uhm how's about this one, that's like three posts down from here? It's not quite a remote root exploit, but it is an exploit that, for a great many asp.net installations, will inevitably lead to you getting remote root.

    3. Re:Then perhaps do as the GP asks by internettoughguy · · Score: 1

      Point out a current remote root exploit in Windows. To the best of my knowledge, there are none. Which means that the original poster is just fluffing his feathers trying to divert attention from the Linux issue.

      While this isn't something that means Linux is majorly insecure or anything, it is a Linux issue. However fanboys don't like that, they can't just say "Yep, there's a problem." Instead they want to try and deflect it, make it about something else. So he deflects the issue by claiming there are some nebulous "remote root bugs," without any specifics.

      Point out a current remote root exploit in Linux.

    4. Re:Then perhaps do as the GP asks by IICV · · Score: 1

      Argh hyperlink fail. The proper link should be this: http://it.slashdot.org/article.pl?sid=10/09/19/1941258 (or you could just go to http://www.slashdot.org/ and scroll down a little bit)

    5. Re:Then perhaps do as the GP asks by shutdown+-p+now · · Score: 1, Insightful

      The attack you mention is not ASP.NET-specific (the initial paper describing it actually used JSF to demo the vulnerability, and Rails is also affected), and it does not lead one to getting "remote root" at all.

    6. Re:Then perhaps do as the GP asks by DeathFromSomewhere · · Score: 4, Informative

      That exploit requires user interaction. Even then it doesn't provide administrator access. Try again.

      --
      -1 overrated isn't the same thing as "I disagree".
    7. Re:Then perhaps do as the GP asks by DeathFromSomewhere · · Score: 1

      Point out where anyone claimed there was one. Oh wait this is just another silly diversion tactic. My mistake.

      --
      -1 overrated isn't the same thing as "I disagree".
    8. Re:Then perhaps do as the GP asks by IICV · · Score: 4, Informative

      Did you skip the end of the video where the demonstrator opens up a command prompt on the remote machine running as the NT Network Authority? That's as close to "remote root" as makes no difference.

    9. Re:Then perhaps do as the GP asks by Hackeron · · Score: 1, Informative

      There are plenty of privilege escalation and remote access exploits on that site. Some patched, some unpatched (not everyone keeps up to date with updates). Did you even look at the list there?

      Anyway, a lot of exploits there are remote access exploits. The exploit talked about in this story is a local privilege escalation exploit way down on the severity list and it was patched before it became public.

    10. Re:Then perhaps do as the GP asks by DeathFromSomewhere · · Score: 1

      The onus is not on me to demonstrate a remote administrator exploit. Although I did look at the list for server 2008 and didn't find a true unpatched remote exploit.

      --
      -1 overrated isn't the same thing as "I disagree".
    11. Re:Then perhaps do as the GP asks by symbolset · · Score: 4, Insightful

      >Point out a current remote root exploit in Windows. To the best of my knowledge, there are none.

      You're kidding right? They're enumerated the second Tuesday of each month. We even have a word for it now: "Patch Tuesday". It's an IT anti-holiday. How do you not know about this?

      --
      Help stamp out iliturcy.
    12. Re:Then perhaps do as the GP asks by Anonymous Coward · · Score: 0

      Did you skip the end of the video where the demonstrator opens up a command prompt on the remote machine running as the NT Network Authority? That's as close to "remote root" as makes no difference.

      That's only because DotNetNuke allows remote uploading of untrusted, arbitrary code. That's a gaping security hole in DotNetNuke which is exploited through a credentials attack via IIS.

    13. Re:Then perhaps do as the GP asks by LinuxAndLube · · Score: 2, Interesting

      Are you ready to put your money where your mouth is? I set up a Windows machine. You have 24 hours to remotely root it. If you succeed, I give you 1000 USD, if not you give me 1000 USD. Deal?

    14. Re:Then perhaps do as the GP asks by KiloByte · · Score: 2, Informative

      Most local exploits are outright dismissed by Microsoft as "not a bug".

      For a big example, although one that Microsoft later partially mitigated due to the outcry, look for the "shatter attack".

      Windows may not be as defenseless to remote attacks as it used to be, but locally, it'd be lunacy to claim it has even semi-working security. Allowing programs root access left and right doesn't help, either.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    15. Re:Then perhaps do as the GP asks by Yaur · · Score: 3, Insightful

      What the exploit actually allows you to do is to read arbitrary files inside of the virtual root directory of the IIS application. Everything else you see is from a third party CMS (DotNetNuke) and a shitty configuration. No doubt this is bad but it's a far cry from remote root.

    16. Re:Then perhaps do as the GP asks by Anonymous Coward · · Score: 0

      Which means that the original poster is just fluffing his feathers trying to divert attention from the Linux issue.

      While this isn't something that means Linux is majorly insecure or anything,

      No, but it shows that Linux _users_ are pretty insecure.

    17. Re:Then perhaps do as the GP asks by shaitand · · Score: 1

      With a functional network connection and in its default state... and not behind the protection of added hardware and/or software like a nat router/firewall.

    18. Re:Then perhaps do as the GP asks by TheRaven64 · · Score: 1

      If you're comparing like-with-like, it would have to be a bug in the NT kernel (unless you want to compare the default install of a Linux distro). Flaws in the standard libraries wouldn't count any more than flaws in glibc or X.org would count for Linux. Just comparing kernel holes, I'm fairly sure that Linux is in the lead this year (and well ahead of other open source *NIX systems).

      --
      I am TheRaven on Soylent News
    19. Re:Then perhaps do as the GP asks by Hackeron · · Score: 1

      I'll do you the opposite for my Linux box

    20. Re:Then perhaps do as the GP asks by Anonymous Coward · · Score: 0

      You have to plug it in to power. Heck, I can make Windows secure by turning off the machine. I think that works with most other OSes too.

    21. Re:Then perhaps do as the GP asks by Anonymous Coward · · Score: 0

      "To the best of my knowledge" is a problem with that claim. If you track security vulnerabilities, you'll notice that every month or so, some hacker publishes a new Windows vulnerability that they've reported to Microsoft, has not been addressed, and they've only published to the world after months or even years of waiting. If we guess at a wait of about 3 months before publication, and try to balance in holes discovered by people unwilling to publish an unpatched hole, and people who don't bother to wait, I'd estimate that there are always at least 3 relatively new holes available.

      If there are more than a few old unpatched holes, the numbers get far worse. And it's very difficult to assess how many exist: CERT, the US Computer Emergency Response Team, refuses to publish information about such vulnerabilities. Do hop over to http://www.us-cert.gov/current/ for some idea of what vulnerabilities are active right now, but also remember that open source projects are public and willing to admit when they patch something: Microsoft has a long tradition of burying their security fixes inside bundles of patches, and never admitting the existence of a bug until after someone else publishes exploit code.

    22. Re:Then perhaps do as the GP asks by LinuxAndLube · · Score: 1

      I would deploy the server (default installation & updates) on AWS. Deal?

    23. Re:Then perhaps do as the GP asks by LinuxAndLube · · Score: 1

      Is that a refusal?

    24. Re:Then perhaps do as the GP asks by boxwood · · Score: 1

      depends on which services you install. Setting up a server with no open ports would be difficult to exploit. But if you install an older version of IIS and MSSQL server because some software that your company uses requires that version... yeah that could be easy to exploit.

      And oh yeah this exploit for linux requires me to have a local user account... give me an account on your windows box and see how long it takes to get admin access.

      Yes you can set up a windows box to be secure. But can you set up a windows box that actually does stuff and make it secure?

    25. Re:Then perhaps do as the GP asks by LinuxAndLube · · Score: 0, Troll

      It would be a default Windows Server 2008 installation with all updates installed. Interested?

    26. Re:Then perhaps do as the GP asks by Anonymous Coward · · Score: 0

      You're kidding right? They're enumerated the second Tuesday of each month. We even have a word for it now: "Patch Tuesday". It's an IT anti-holiday. How do you not know about this?

      There are thousands of root exploits for Linux that we are unaware of. It will take a long time to patch them if they get patched at all. The bug mentioned in the article is just one of them. Good luck with your infested Linux distribution, have fun.

    27. Re:Then perhaps do as the GP asks by Anonymous Coward · · Score: 0

      But he said "remote root". That requires the local user to open a file on a samba share, i.e. local action is required. If that counts as a remote exploit, then any web browser security hole is also a remote exploit.

      Remote root means I can hax0r your machine via a network without touching it or getting you to do anything. It's hard to believe such exploits still exist in Windows, now that a full firewall is the default.

    28. Re:Then perhaps do as the GP asks by Anonymous Coward · · Score: 0

      Then I guess my Ubuntu box must be the most insecure piece of shit as I get patch notifications almost every single day. It's probably a mistake trying to engage with anti-MS trolls like you.. but oh well..

    29. Re:Then perhaps do as the GP asks by bill_mcgonigle · · Score: 1

      Flaws in the standard libraries wouldn't count any more than flaws in glibc or X.org would count for Linux

      You could break it down like that, but if there were a glibc vulnerability that gave local users root access, most people wouldn't care, except academically, which part of the system was the weak link. We care if our machines can be taken and controlled remotely.

      That said, I honestly don't know how many local-Administrator-level compromises NT-based systems have had this year. Perhaps it is zero, but that would be an improvement from usual. Anybody?

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    30. Re:Then perhaps do as the GP asks by QuantumBeep · · Score: 1

      I don't think you get an out for Windows Firewall, if that's what's on your mind.

    31. Re:Then perhaps do as the GP asks by shaitand · · Score: 1

      Only if it isn't left in its out of the box configuration.

      What I had in mind was sitting the windows box behind a linux or bsd firewall running embedded on a device. Which is a pretty typical deployment.

      There is also a difference between a hardened Windows and a completely out of the box windows.

      I wasn't accepting the challenge. I'm normally the guy defending the system not attacking it. I was just clarifying the terms.

      His test still gives him an advantage over most installations. AFAIK the most common attack vectors for Windows these days target clients and not the server OS and utilize holes in client apps (browser, media player, etc) and then priv escalation exploits. The people paying for 0-days are spyware firms so that's what people are looking for.

  29. Re:Bad Publicity... by 0123456 · · Score: 1

    Fortunately, I'm not rich enough to afford 64bit hardware, but still this is not good...

    An Atom-330 and motherboard costs about $80... and I think the 230 is 64-bit for a few dollars less.

  30. Ya by Sycraft-fu · · Score: 4, Insightful

    Our UNIX admin has the philosophy that anyone with local access can get root if they want it bad enough. Security isn't done by presuming you've made that impossible. Rather security is done by making sure you don't give access to just anyone, and by monitoring what people do. Local escalation exploits are things to be fixed, since they can always make a remote exploit worse (someone exploits something remotely, gets unprivileged access, exploits the local exploit to get root), but they aren't a critical threat usually.

    However I will say you don't make things much better when you start with name calling with regards to Windows and the people that run it. That smacks of being the sort of asshole that knows little about the other platform that you are painting them to be. That you have a preferred platform is great. One would hope it is based on good reasons. However name calling on another platform indicates it is more likely based on zealotry than anything else.

    1. Re:Ya by GNUALMAFUERTE · · Score: 1

      Well, that "other platform" hasn't published its source, provides no real documentation as to the internals of the system, doesn't conform to any published standard, and doesn't even have a published roadmap. Therefore, we all know very little about that platform, except for the actual coders. That is, in itself, a valid enough reason to completely disregard that platform as a reliable alternative. To make matters worse, it has such a ludicrous security record, and some oh so obvious design flaws that are apparent to anyone even without using the system (the mandatory graphic interface, for instance), that any further investigation into it seems pointless.

      Does that answer your question?

      --
      WTF am I doing replying to an AC at 5 A.M on a Friday night?
    2. Re:Ya by Sycraft-fu · · Score: 1, Informative

      Yes it does. You are a zealot, interested in dogmatic belief in what you believe to be the one and only way of doing things. Thus you insult anything that doesn't conform.

    3. Re:Ya by TrancePhreak · · Score: 1

      Just to be clear, you're talking about OSX, right? http://www.microsoft.com/whdc/system/platform/server/default.mspx

      --

      -]Phreak Out[-
    4. Re:Ya by Anonymous Coward · · Score: 0

      That isn't documentation. Those are docs for end users. I'm talking about design.

      SUS, LSB, etc. Those are specs, those are docs.

      You just linked to a fucking manual.

    5. Re:Ya by GNUALMAFUERTE · · Score: 1

      Ok, please correct me then.

      Tell me to what published specification does Windows conform to?

      Past the links, punk, or STFU.

      --
      WTF am I doing replying to an AC at 5 A.M on a Friday night?
    6. Re:Ya by Anonymous Coward · · Score: 0

      Obvious troll is obvious. Spreading outdated FUD and doesn't even have the decency to login to post replies.

    7. Re:Ya by Noughmad · · Score: 1

      From the link:

      Windows Server 2008 advances control and manageability, increases flexibility, and provides a solid foundation for more secure, more robust server environments.

      It certainly conforms to the buzzword specification.

      --
      PlusFive Slashdot reader for Android. Can post comments.
    8. Re:Ya by black3d · · Score: 1

      In your zealous rush, you've misunderstood him. You asked him a question, "Does that answer your question?". He replied "Yes it does".

      You've then incorrectly presumed he was saying "Yes it does" as a contradiction to points in your post and in an angry mad rush, hammered out "Past (sic) the links, punk, or STFU." You don't appear to have made your choices on level-headed, balanced decisions. It's zealotry. You make his point admirably.

      He didn't say "Yes it does [conform to published standards]." He was simply replying to the only question in your post - "Yes it does [answer your question]."

      --
      "The true measure of a person is how they act when they know they won't get caught." - DSRilk
  31. Re:Bad Publicity... by Anonymous Coward · · Score: 1, Informative

    Stop perpetuating this fucking myth. There are other good reasons to use a 64-bit build besides the address space it gets its namesake from. I can run crufty old 32-bit software just fine on a 64-bit Linux.

    There have been plenty of benchmarks pointing to 64-bit being no worse and in many cases outperforming their 32-bit counterparts. Things like SSE being enabled for all 64-bit binaries by default with GCC, extra registers, NX bit, and so on all standard on 64-bit Linux machines.

    As for compatibility, I want to know. WTF doesn't run on a 64-bit Linux that actually affects more than some obscure corner case that maybe 10 know about and three of which actually care about? I hear it all the time, but never actually see it. What is this compatibility problem?

    It's just a bunch of crap that has been regurgitated on the internet because it once had some amount of truth many years ago. Go ahead with your i386 and i586 packages built for 1993 and act all smug.

  32. Tomorrow's article: Linux exploit story sends by Anonymous Coward · · Score: 0

    Linux exploit story sends the Slashdot crowd into a hissy fit lol.

    Talk about a biased group. Mention a Linux exploit, a very serious one in this case, and look at them up in arms. More biased than Fox News and CNN combined.

    Oh and you missed the "defective by design" tag on this article.

  33. Re:Bad Publicity... by oiron · · Score: 1

    Pretty much everything since Prescott on the Intel side and, err... everything on the AMD side is 64bit. If you have anything you bought since late 2006, good chances that it's a 64bit system...

  34. Reason for *bsd by itsybitsy · · Score: 0, Troll
    1. Re:Reason for *bsd by iGaucho · · Score: 1

      Don't forget NetBSD! http://netbsd.org/

  35. Re:Bad Publicity... by MobileTatsu-NJG · · Score: 1

    Microsoft and their associated Windows shills are loving this.

    You lot stopped just short of calling Linux 'unsinkable'. Of course people are going to have fun with it, it's just not limited to shills.

    --

    "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

  36. Re:OSS Strikes Again by picoboy · · Score: 3, Insightful

    Tell us how great OSS is.

    Tell us how much better Linux is.

    Tell us how badly Microsoft sucks.

    I'm a PC, and using Windows instead of Linux was my idea.

    I knew it was just a matter of time before Ballmer showed up as an AC on Slashdot.

  37. Re:Bad Publicity... by dougmc · · Score: 5, Informative

    I have 64 bit hardware but I run x86 based distros. 64 bit is only good for the extra ram maybe to the desktop user. And there still are a lot of issues getting older programs to run on a 64 bit distro.

    The x86_64 architecture has more registers than i386 and can do some operations 64 bits at a time rather than 32 bits. This means that programs compiled to run on a 64 bit architecture are often significantly faster than those compiled to run on 32 bit architectures.

    I think an average figure is 20% faster or so on the same hardware -- you get this simply by installing a 64 bit distribution and using 64 bit binaries. Your system can probably still run 32 bit binaries (if it has the right libraries) but they won't be faster.

    The advantages go beyond a larger address space.

  38. Re:Bad Publicity... by dougmc · · Score: 1

    I should also mention that the issue about getting "older programs to run" used to be a big deal -- but isn't any more. The old 32 bit binaries typically work after installing the 32 bit libraries needed (and they're usually part of the distribution) and most programs that have been maintained in the last five years or so compile and work on 64 bit distributions just fine.

  39. Slashvertisement by Cruciform · · Score: 5, Insightful

    As a long time user I get the option to disable advertising. I don't. I even whitelist Slashdot in Adblock because I support the site and the banner ads are rarely obnoxious.
    These poorly disguised articles-as-ads are quite annoying though. Just make KSplice pay for a banner like everyone else.

    1. Re:Slashvertisement by DigiShaman · · Score: 4, Insightful

      I don't mind Slashvertisements, and in fact enjoy them on occasion. Unfortunately, they're passed off as a genuine grass-roots posting to the casual non-slashdot member. AKA astroturfing.

      If Slashdot would actually flag the story as a "Slashvertisement", I think we as a community would have far and away much MUCH more respect for the story and wouldn't think so much of it. That's the point really. Keep it honest and the intention transparent.

      --
      Life is not for the lazy.
    2. Re:Slashvertisement by Anonymous Coward · · Score: 0

      I'm a long time AC. Slashdot flash ads taking 100% cpu 5-6 years ago were the reason I installed Adblock in the first place.

      My current policy is: Any site that ever uses 100% CPU in an advertisement earns a lifetime ban.

    3. Re:Slashvertisement by drinkypoo · · Score: 1

      If Slashdot would actually flag the story as a "Slashvertisement", I think we as a community would have far an away much MUCH more respect for the story and wouldn't think so much of it.

      And this is why subscribing to slashdot is an idiot move. They took away tag editing at least in part, I am sure, because we were using it to flag slashvertisements and you just can't have that. (You also weren't allowed to tag things "slashdot" which is just pathetic.) The first rule of Slashdot is, you don't talk about Slashdot. At least, not on slashdot. Not accepting stories about yourself is the quickest way to prove you're evil.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    4. Re:Slashvertisement by ledow · · Score: 1

      I subscribed years ago and hence have the ads disabled button. I did not join to disable the ads, I disabled the ads because I saw the box and it makes the page load quicker (every now and again, the code changes and my pretty-minimal layout goes wrong again and I have to fiddle with the options, but at the moment it loads pretty smoothly).

      However, I have actually stopped clicking on a lot of stories (and even filtering authors) which I've never done before because, well, slashvertisements, old news, dupes and absolute bollocks keep showing up on my front page. The old news? Fair enough, but sometimes it's by YEARS. Dupes? If *I* know it's a dupe from memory and only check the frontpage a couple of times a day, how do the posters manage to miss that? Slashvertisements, however, are really starting to annoy me. Various indie games (MULTIPLE times), various software, etc. all the time posting to get a frontpage link for their product. I'm really not interested any more and I come to sites like this in order to have some moderation and filtering applied to the stuff I see. But lately, if it's not on The Register first, it's a slashvertisement, or a kernel release or something equally as dull.

      I tell you, Slashdot is slowly weaning me off itself.

  40. poorly described by MikeFM · · Score: 2, Interesting

    What is annoying me about these issues is that they are described so poorly that I'm not certain if I have a problem. I run 64-bit Linux but no 32-bit code and there are no local users other than for the services I'm running (http and ssh). So do I need to take the time to do something or can I wait for a normal update?

    --
    At what price learning? At what cost wisdom? The price is a man's peace of mind, and the cost is his life.
    1. Re:poorly described by fluffy99 · · Score: 2, Interesting

      What is annoying me about these issues is that they are described so poorly that I'm not certain if I have a problem. I run 64-bit Linux but no 32-bit code and there are no local users other than for the services I'm running (http and ssh). So do I need to take the time to do something or can I wait for a normal update?

      Short answer - it depends on whether your kernel has the vulnerability. Seriously, Slashdot is the worst place to find out more info about vulnerabilities. At least it did give the CVE which you can use to get more details and determine if you're affected.

    2. Re:poorly described by Runaway1956 · · Score: 5, Informative

      Run the tool in TFA

      ./diagnose-2010-3081
      Diagnostic tool for public CVE-2010-3081 exploit -- Ksplice, Inc.
      (see http://www.ksplice.com/uptrack/cve-2010-3081)
      $$$ Kernel release: 2.6.32-24-generic
      !!! Not a RHEL kernel, will skip LSM method
      $$$ Backdoor in LSM (1/3): not available.
      $$$ Backdoor in timer_list_fops (2/3): checking...not present.
      $$$ Backdoor in IDT (3/3): checking...not present.

      If you're suspicious of the binary, download the source, examine it to satisfy yourself that it's not malicious, and compile it. It's not hard to figure out if you're affected - even a dummy like me can do it!

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    3. Re:poorly described by Anonymous Coward · · Score: 0

      I have another solution: I don't run my server on port 80. I have yet to log a hit that wasn't me, although most peculiar, my ISP shuts down inbound requests on my random port every now and then. Still haven't figured that one out, but easy enough fix through SSH, which they haven't blocked yet.

    4. Re:poorly described by buchner.johannes · · Score: 2, Funny

      Function names like wtfyourunhere_heee, p4tch_sel1nux_codztegfaddczda and datatypes like __yyrhdgdtfs66ytgetrfd as well as hex-code don't make the code look less suspicious.
      I can't be sure that the rootkit (or a different one) is not in there.

      You are a dummy for downloading from a http website without a checksum. No thank you.

      --
      NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
    5. Re:poorly described by DMiax · · Score: 3, Informative

      why the fuck do they need to

      #define __yyrhdgdtfs66ytgetrfd unsigned long long

      apart from making the code horrible? Seems like an entry for IOCCC. I don't trust this check at all! Wtf is this doing?

      *((__yyrhdgdtfs66ytgetrfd *)(r1ngrrrrrrr + R0TDGFSRSLLSJ_SHSYSTGD)) = _m_cred[2];

      Regardless, it fails on my pc at

      _m_cpu_off = (__dgdhdytrg55)get_sym(PER_C_DHHDYDGTREM7765);

      A little search shows they just took the public exploit and mangled names plus other small changes. Are they joking?

    6. Re:poorly described by Runaway1956 · · Score: 1

      LOL - virtual machine!! I wanted to see what it did, so I downloaded to a VM and ran it. It didn't do anything really strange, and it's not on my real machine, so I'm cool. ;^)

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    7. Re:poorly described by cpscotti · · Score: 2, Informative

      Did you forget "static void put_your_hands_up_hooker(int argc, char *argv[])"??? That's actually IN the "diagnose" code. Well, if you check both the exploit and the diagnose, they are quite the same and obviously the diagnose code inherited most of the code from it.
      Now, the question is: do you trust ksplice or even (as cited below) the naive http download?

    8. Re:poorly described by QuantumBeep · · Score: 1

      Running a web server in a way that wouldn't work for most people isn't a solution to a kernel exploit. It's a workaround.

    9. Re:poorly described by darkfire5252 · · Score: 1

      If I had to take a guess, it looks like the original code was run through some obfuscation routines in order to deliberately make it harder to view what it performs by looking at the source... Not something I'd run on my machine...

    10. Re:poorly described by mehemiah · · Score: 1

      don't forget to build it first: make diagnose-2010-3081 returns cc diagnose-2010-3081.c -o diagnose-2010-3081 and THEN you'll have your binary (unless you just got the RPM).

    11. Re:poorly described by DMiax · · Score: 1

      Not something I'd run on my machine...

      Agreed, that is why I demangled it and ran it through gdb. I mean, bytecode? Without explanation? What kind of "security" do they speak about?

    12. Re:poorly described by Progman3K · · Score: 1

      Looks like the bug is part of an auditing module... If you're using per-cpu-task accounting.

      --
      I don't know the meaning of the word 'don't' - J
    13. Re:poorly described by TheRealGrogan · · Score: 1

      I completely agree. I didn't run that "diagnose" program from Ksplice, because I'm not compiling ANYTHING that uses obfuscated code. Anyone who does that can just fuck off... real hard.

  41. Re:It appears to be safe. (was: Re:Not running it. by Meriahven · · Score: 5, Informative

    Is anything bad going to happen to you if you compile and run that C code? As far as I can tell, no.

    You are very likely correct in thinking that adding yet another anonymous recommendation on the internet will make more people run the code. However, this is Slashdot, where the users are slightly more security aware than on an average internet site.

    You see, if I were to attack all those nifty linux boxen out there, what would be a better attack vector than advertising your exploit on slashdot, which is known to accept almost anything on the front page, and yet is very likely to contain the biggest active linux user community on the nets? By looking at the code it seems obvious that the tool contains enough binary code to contain an exploit or three. If it is never used in a malicious way, it is somewhat difficult to say. So, outside a security lab setting, it is hard to tell if the provided code is not the exploit itself. Definitely "You are probably getting hacked right now! Check for viruses for free!" has been one of the more common attack vectors against Windows users.

    Whatever the case, I would not recommend running code that looks like this:

    static char dis4blens4sel1nuxhayettgdr64545[] and
    static int wtfyourunhere_heee(char *out_release, char* out_version)

  42. Re:Bad Publicity... by DarwinSurvivor · · Score: 0, Troll

    I'm pretty sure more than 10 people know about and more than 3 people use flash. As much as I hate flash, until we DO get rid of it, it is pretty much required if you want to watch more than a dozen videos online. Oh yeah, did I mention thunderbird's lightning extension. I went for about 6 months before I could get that to work!

    I've been running 64 bit on my machine for years, but there are still some developers that simply don't realise how many of us do.

  43. Re:Bad Publicity... by Anpheus · · Score: 1

    Not only is it cheap, but even the Atoms are getting 64-bit across the range with the next revision. I don't think there will be any non-64 bit chips in AMD or Intel's lineup at that point.

  44. Re:Bad Publicity... by Anonymous Coward · · Score: 0, Offtopic

    where do you get those numbers?

    Going to 64 bit means your instructions will be 64 bit, which means doubling the cache mem usage.

    Depending on how the os/app uses the cache you may even find a slowdown in performance.

    From a performance point of view, if you don't really need 64 bits ( probably most users will be fine with 4GB ram in the next years) stay at 32 bits.

  45. The diagnostic program doesn't run by Anonymous Coward · · Score: 0

    Does anybody know what this means? The system is already patched. I just wanted to know if someone left a backdoor before I could apply the patch and reboot.

    $ ./diagnose-security-issue-2010-3081
    Diagnostic tool for public CVE-2010-3081 exploit -- Ksplice, Inc.
    (see http://www.ksplice.com/uptrack/cve-2010-3081)
    $$$ Kernel release: 2.6.35.4
    !!! Error in setting cred shellcodes

  46. Re:Bad Publicity... by camperdave · · Score: 1

    Some people here are students, and until you can find this kind of stuff in a dumpster... man, there are priorities (aka pizza and beer)

    --
    When our name is on the back of your car, we're behind you all the way!
  47. Re:Bad Publicity... by X.25 · · Score: 1

    2. 64bit hardware is cheap. You can buy an AMD64 X2 5000 Dual Core CPU for 38 bucks shipped.. add a mobo for another 45 and if you need ram, another 50. eBay for more savings.

    Everybody lives in America. Right?

  48. Moderation abuse by symbolset · · Score: 3, Insightful

    Y'know, sometimes there are posts that are poignant, interesting, on-topic, and yet are modded down as a troll for no better reason than people who have mod points are more interested in squelching challenging ideas. That's fine, and slashdot has a mechanism to deal with that, called Karma.

    Because I have good /. Karma I can call your attention to the parent post even though I believe it's been badly moderated. Because I'm a Slashdot subscriber, I get an extra point to add to this post, which calls attention to the parent. I have enough good Karma that even if this post is moderated a troll I will have lost nothing.

    I'm making this amplifying post because the parent post was moderated down in one second. It was born silenced. Obviously there were moderators prepared to prevent you from hearing my response to the question asked. Some of you might for this reason alone find my words above meaningful or intriguing.

    --
    Help stamp out iliturcy.
    1. Re:Moderation abuse by symbolset · · Score: 1, Insightful

      >With your penchant for vague, unsupported assertions and callous lack of empathy, you'd be excellent upper management - possibly even C-level - material. That, or a RIAA lawyer.

      OK, that hurt.

      I do care. I would prefer that we went with persuasion. Unfortunately I've tried persuasion and it doesn't work. We now have to deal in pain.

      --
      Help stamp out iliturcy.
  49. wow! by ILuvRamen · · Score: 0, Troll

    Wow, I don't think "pretty much all" windows machines were ever infected with the same thing. Good thing Linux is sooooo much more secure. I mean other than the fact that no it isn't, people just don't target them. I think people got way too comfy and caused this dire situation.

    --
    Google's Super Secret Search Algorithm: SELECT @search_results FROM internet WHERE @search_results = 'good'
  50. Re:Bad Publicity... by Anonymous Coward · · Score: 0

    Well if that's how you feel then go ahead and enjoy yourself while you can -- the next winderrz catastrophe will be along in just a matter of minutes. :D

  51. Re:Bad Publicity... by EricX2 · · Score: 1

    What does that have to do with anything? You can't buy 5 year old technology at discounted prices in countries other than America? I have a stack of P4's that are compatible with 64 bit, I'll give them to you if you pay shipping. Thank Dell and their 3 year warranty and motherboards that are guaranteed to die after 3.5 years.

  52. Oh my goodness by symbolset · · Score: 0, Troll

    How badly can the /. moderation system be abused? I'm not sure. Please read the cousin post and the parent and decide for yourself whether the moderation system has been abused by me or somebody else.

    If it's me, I can bear it.

    --
    Help stamp out iliturcy.
  53. Ksplice does not work with with 2.6.35 by WarJolt · · Score: 1

    I run ubuntu 10.04, but I use a 2.6.35 kernel from the maverick kernel ppa. I need it because I have a WPC300N linksys 802.11n wireless card. The broadcom sta driver wouldn't work when I was running 2.6.32. It would be cool if ksplice supported more kernel configurations, particularly maverick kernels.

  54. Um, no, I'm not getting "rooted as you type this" by Punto · · Score: 1

    because this is a local exploit and I don't have any public ports. wtf is this FUD?

    --
    Stay tuned for some shock and awe coming right up after these messages!

  55. Re:Bad Publicity... by MobileTatsu-NJG · · Score: 1

    Without a doubt.

    But I don't trust my computer anyway. Fuck malware. I'm a good power surge or hardware failure away from data loss anyway. If anything, I'm kept on my toes to do things like have a decent plan for making backups and keeping them fresh.

    I don't have a false sense of security, so it's fun witnessing the folly of people that do. In a small way it's a pity that this story is almost certainly sensationalized.

    --

    "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

  56. Burn up all my karma? Yes. by symbolset · · Score: 0, Offtopic

    If you're wondering if I'm willing to burn up all my established good reputation to buy the reader the chance to read my parent comment, the answer is yes.

    Now the question is how many mod points have you got?

    --
    Help stamp out iliturcy.
  57. Who modded this insightful? by symbolset · · Score: 0, Offtopic

    Sometimes I wish /. moderation was trackable.

    --
    Help stamp out iliturcy.
    1. Re:Who modded this insightful? by shutdown+-p+now · · Score: 1

      That's what metamods are for.

      Though even that is hardly needed. The incorrect part of my post (that it's not rootable - which, while true in general, is not true when a web app allows privileged users to upload & run arbitrary code server-side) was promptly pointed out in comments and modded up Informative, so it's visible to anyone who'd see my comment. The other point - that the attack is by no means ASP.NET-specific - still stands.

    2. Re:Who modded this insightful? by symbolset · · Score: 1

      You're so cute. You would make a good pet. Do you have a nice mane?

      --
      Help stamp out iliturcy.
  58. bwahahahaha by Anonymous Coward · · Score: 0

    hahahahahahaha....wait...I'm running 3 servers with it. Crap.....

  59. Re:Bad Publicity... by Anonymous Coward · · Score: 0

    Yep, even Windows limits RAM to 16GB when running 32-bit with PAE in its 3G/1G split mode for the same reason. (It defaults to 2G/2G split, unlike Linux.)

  60. Forget the self-advertisement, it's a real issue by adaviel · · Score: 4, Informative

    The situation appears to be exactly as described by Ksplice.
    CVE-2010-3081 has been discussed on RedHat forums and elsewhere.
    The Ac1db1tch3z exploit published on the full disclosure list http://seclists.org/fulldisclosure/2010/Sep/268
    does indeed appear to contain a backdoor (0p3n1ng th3 m4giq p0rt4l).
    From the comments, the vulnerability was found in 2008 and the exploit has been used by the author for some time, and may have been circulating in the underground. When the vulnerability was found and disclosed by Ben Hawkes, the exploit was published to a wider audience.
    A number of sysadmins may well have run the exploit on their systems to prove to themselves that this was a real threat. In doing so they may unknowingly have left a backdoor.
    More commonly, proof-of-concept exploits posted on full-disclosure lists are crafted by security researchers, do not contain backdoors, and are relatively easy to read. In this case, the disclosed exploit is crafted by a hacker, may well contain a backdoor, and is written with leetspeak runtime messages and obfuscated code.

    I admit I do not fully understand the code in the exploit or in the detection tool, or indeed the nature of the backdoor. However, on a Fedora 9 system, running the detector says there is no backdoor. After the exploit is run, the detector says there is a backdoor, so the exploit must have changed the state of the system in some way. The detector looks for 3 separate backdoors; the one on my test system disappears after reboot. As I thought the fix was to update the kernel to a patched version, which requires a reboot, I'm not sure how the backdoor could survive. I do not see how having the backdoor is riskier than having an unpatched system.

    I can say, though, that the vulnerability exists in stock kernels 2.6.25 - 2.6.36, and was back-ported by RedHat into 2.6.18 used in RHEL 5 (hence CentOS 5). As stated by others, an unprivileged user account is required in order to exploit the vulnerability, which exists only on 64-bit x86 systems which also can run 32-bit code. One published mitigation step, which does not require a reboot, is to disable 32-bit compatibility mode by writing into /proc.
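
The conditions listed in the post above, written out as a read-only exposure check, plus the no-reboot workaround. This is an added example; it is not code from the thread, from Ksplice, or from the exploit author. It assumes the version range the post states (stock 2.6.25 through 2.6.36; vendor backports such as RHEL 5's 2.6.18 fall outside a numeric check and need the vendor advisory), reads CONFIG_IA32_EMULATION from a kernel config file if one is readable, and takes a binfmt_misc registration that refuses 32-bit ELF binaries to be the "writing into /proc" mitigation the post alludes to. That identification is an assumption, as is the rule name `ia32-off`.

```shell
#!/bin/sh
# Added example (not from the thread, Ksplice or the exploit author):
# exposure check for the conditions the post lists, and the binfmt_misc
# rule assumed here to be the "write into /proc" mitigation it mentions.

# vercmp A B: prints -1, 0 or 1 for A<B, A=B, A>B. Compares the dotted
# numeric prefix only; a release suffix such as "-24-generic" or ".el5"
# is stripped first.
vercmp() {
    a=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')
    b=$(printf '%s' "$2" | sed 's/[^0-9.].*$//')
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah=${a%%.*}; bh=${b%%.*}
        [ -n "$ah" ] || ah=0
        [ -n "$bh" ] || bh=0
        if [ "$ah" -lt "$bh" ]; then printf '%s\n' -1; return 0; fi
        if [ "$ah" -gt "$bh" ]; then printf '%s\n' 1; return 0; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    printf '%s\n' 0
}

# affected_range REL: true (0) when REL's numeric prefix lies in the stock
# range the post gives, 2.6.25 through 2.6.36 inclusive. Vendor backports
# (RHEL 5's 2.6.18) fall outside this check; consult the vendor advisory.
affected_range() {
    [ "$(vercmp "$1" 2.6.25)" -ge 0 ] && [ "$(vercmp "$1" 2.6.36)" -le 0 ]
}

# exposure REL ARCH COMPAT: combines the post's three conditions (64-bit x86,
# affected kernel, 32-bit compatibility available). COMPAT is y, n or
# unknown; unknown is treated like y, the conservative reading.
exposure() {
    [ "$2" = x86_64 ] || { printf '%s\n' not-x86_64; return 0; }
    affected_range "$1" || { printf '%s\n' kernel-not-in-range; return 0; }
    [ "$3" != n ] || { printf '%s\n' compat-disabled; return 0; }
    printf '%s\n' exposed
}

# ia32_compat: y, n or unknown, from the kernel config if one is readable.
ia32_compat() {
    cfg=/boot/config-$(uname -r)
    if [ -r "$cfg" ]; then
        grep -q '^CONFIG_IA32_EMULATION=y' "$cfg" && printf 'y\n' || printf 'n\n'
    elif [ -r /proc/config.gz ]; then
        zcat /proc/config.gz | grep -q '^CONFIG_IA32_EMULATION=y' && printf 'y\n' || printf 'n\n'
    else
        printf 'unknown\n'
    fi
}

# mitigation_rule: binfmt_misc registration matching the 32-bit ELF magic
# (\x7fELF followed by class byte 1) and handing such binaries to /bin/true,
# so no 32-bit program starts. The kernel interprets the \x escapes, so they
# are emitted literally. Assumed to be the /proc write the post refers to.
# Apply as root with:  mitigation_rule > /proc/sys/fs/binfmt_misc/register
mitigation_rule() {
    printf '%s\n' ':ia32-off:M:0:\x7fELF\x01::/bin/true:'
}

# live_check: run the three conditions against the current host (read-only).
live_check() {
    rel=$(uname -r); arch=$(uname -m); compat=$(ia32_compat)
    printf '%s %s compat=%s -> %s\n' "$rel" "$arch" "$compat" \
        "$(exposure "$rel" "$arch" "$compat")"
}

case ${1:-} in --live) live_check ;; esac
```

Run it with `--live` to see the verdict for the host. Two caveats on the binfmt_misc rule: it stops 32-bit ELF binaries from being loaded, which also breaks legitimate ones (the 32-bit Flash plugin several posters mention), and it does not remove the 32-bit syscall entry itself, since a 64-bit process can still enter the compat path with `int $0x80`. Treat it as a stopgap that narrows exposure until the patched kernel is booted, not as a substitute for it.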

  61. WTF is with this crap on slashdot? by Anonymous Coward · · Score: 0

    "You're probably being rooted as I type this. " .. Oh no a privledge escalation exploit...the world is doomed..ksplice save us.

    If there is not going to even be the appearance of editorial integrity then what is the point?

  62. Re:Bad Publicity... by Anonymous Coward · · Score: 0

    I'm running the 32-bit flash plug-in on my 64-bit MythTV box, what is the problem?

  63. Oh it's not paid by uofitorn · · Score: 5, Informative

    The /. editors fall hook, line, and sinker for these advertisements for Ksplice submitted by an 'anonymous reader' every 6-8 weeks. Get used to them.

    --
    "What kind of music do pirates listen to?" -Paul Maud'dib
    "Yeeeaaarrrrr n' Bee!!" -Stilgar, Leader of Sietch Tabr
    1. Re:Oh it's not paid by kj_kabaje · · Score: 1

      Perhaps they're not as dumb as we think they are. They have bills to pay, too.

  64. Hope by nashv · · Score: 1

    In recent years, any mention of Linux reminded me of how religious leaders in some quarters address their Prophet - you know, "Mohammed, praise be on his name" or "Jesus Christ, blessed be thy name".

    Maybe this will end the "Linux, it has no malware" illusion that many seem to have.

    --
    Entia non sunt multiplicanda praeter necessitatem.
    1. Re:Hope by erroneus · · Score: 1

      Come back in three months to see if this is still an issue. No, come back in a month... no a week. Hell, come back tomorrow to see if this is still an issue. It's bad timing that this all came out over a weekend, but you can bet this will get handled a lot faster than Microsoft typically handles things.

    2. Re:Hope by pandrijeczko · · Score: 1

      Maybe this will end the "Linux, it has no malware" illusion that many seem to have.

      Erm, it doesn't. This exploit isn't malware, it's a security vulnerability, big difference. (Malware is something that gets downloaded and run, a vulnerability is something that already exists and needs to be patched or updated.)

      Nobody ever said Linux was secure. Here, I'll even give you some ammunition you may want to use in future - Linux & UNIX are more susceptible to directed buffer overflow attacks on vulnerable services than Windows is, it always has been the case.

      That's why you don't run services you don't need, run those you do with non-root permissions, and update regularly.

      But we Linux & UNIX sysadmins & security people have it under control, so don't worry your pretty little head about it.

      Yes, these vulnerabilities happen from time to time. End of story.

      --
      Gentoo Linux - another day, another USE flag.
    3. Re:Hope by nashv · · Score: 1

      Something exploits the vulnerability? Then it is malware.

      "Malware, short for malicious software, is software designed to secretly access a computer system without the owner's informed consent. The expression is a general term used by computer professionals to mean a variety of forms of hostile, intrusive, or annoying software or program code.[1] The term "computer virus" is sometimes used as a catch-all phrase to include all types of malware, including true viruses.

      Software is considered to be malware based on the perceived intent of the creator rather than any particular features. Malware includes computer viruses, worms, trojan horses, spyware, dishonest adware, crimeware, most rootkits, and other malicious and unwanted software. In law, malware is sometimes known as a computer contaminant, for instance in the legal codes of several U. S. states, including California and West Virginia.[2][3]"

      But we Linux & UNIX sysadmins & security people have it under control, so don't worry your pretty little head about it.

      And condescension is hardly a good argument for anything.

      --
      Entia non sunt multiplicanda praeter necessitatem.
    4. Re:Hope by pandrijeczko · · Score: 1

      Something exploits the vulnerability? Then it is malware.

      Thanks for the definition but I know what I'm talking about.

      Like I said, it's a vulnerability caused by a software bug. How that vulnerability is exploited is irrelevant.

      --
      Gentoo Linux - another day, another USE flag.
  65. Failtastic... by Anonymous Coward · · Score: 0

    Their diagnostic tool doesn't even work properly. Tried it on an up-to-date Sabayon system and it failed.

  66. Re:Bad Publicity... by TheThiefMaster · · Score: 3, Informative

    Actually, the extra virtual memory space program-side is far more important than the extra physical memory space ever was. Typically, a 32-bit program is limited to 2GB of address space, including actually used ram, memory mapped files, reserved but unused pages (e.g. the stack growth area), memory mapped device memory (e.g. graphics mem) and the program and its dlls. Thanks to fragmentation of the address space by all of these, a program can fail to allocate memory without even getting close to 2GB of ram use. I could, as a proof of concept, write a program which will fail to allocate a 512MB block while only using kilobytes of ram, simply by requesting one 4kB memory page from every 512MB through the address space.

    64-bit software resolves that problem (at least until we get programs trying to allocate exabytes of ram in one block)

  67. Re:Bad Publicity... by TheThiefMaster · · Score: 0, Redundant

    Actually, the extra virtual memory space program-side is far more important than the extra physical memory space ever was. Typically, a 32-bit program is limited to 2GB of address space, including actually used ram, memory mapped files, reserved but unused pages (e.g. the stack growth area), memory mapped device memory (e.g. graphics mem) and the program and its dlls. Thanks to fragmentation of the address space by all of these, a program can fail to allocate memory without even getting close to 2GB of ram use. I could, as a proof of concept, write a program which will fail to allocate a 512MB block while only using kilobytes of ram, simply by requesting one 4kB memory page from every 512MB through the address space.

    64-bit software resolves that problem (at least until we get programs trying to allocate exabytes of ram in one block)

  68. Mod story down by lanner · · Score: 1

    Story sucks. Alarmist advertisement poop.

  69. My own Computer - Dude! by spineboy · · Score: 2, Funny

    Dude! - I am SO going to root my very own computer!

    --
    ..........FULL STOP.
    1. Re:My own Computer - Dude! by tuxgeek · · Score: 0, Troll

      Yep, there is a very BIG difference between someone rooting your machine locally, or through the internet. If someone can root my box locally, I have much bigger worries to contend with, such as someone is in my house, where is my gun

      As long as someone can't root my Linux 64 box through the internet, this is a non-issue.

      Nothing to see here, please move along

      --
      "Suppose you were an idiot...and suppose you were a member of Congress...but I repeat myself." Mark Twain
    2. Re:My own Computer - Dude! by DJRumpy · · Score: 2, Insightful

      For a home user, not a big deal. For a business environment, much more so. Dismissing it as 'nothing to see' is shortsighted at best, especially when considering the backdoor left by the hack.

    3. Re:My own Computer - Dude! by uninformedLuddite · · Score: 1

      OMG I have finally met my first technosexual

      --
      The new right fascists are bilingual. They speak English and Bullshit.
  70. Anonymous Coward by Anonymous Coward · · Score: 0

    Damn these kids and their acid. *squints his eyes*

  71. Re:Bad Publicity... by buchner.johannes · · Score: 2, Funny

    Obviously both copied from SCO. Namely their 64 bit code.

    --
    NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
  72. Re:Bad Publicity... by TheRaven64 · · Score: 5, Informative

    Going to 64 bit means your instructions will be 64 bit, which means doubling the cache mem usage.

    Not true. x86 and x86_64 both use a variable-length instruction encoding. You actually get slightly better instruction density with x86_64, because a number of instructions that used to only work with eax now work with any target register, so for a couple of bits extra in the longer version of the instruction you avoid two register-to-register moves.

    Pointers are 64-bit, but you'd need your program to consist entirely of pointers for this to double cache usage. In practice, you do see a small increase in data-cache usage, but it's offset by other things.

    From performance point of view, if you don't really need 64 bits ( probably most of users will be fine with 4GB ram in next years) stay at 32 bits.

    If we were talking about PowerPC or SPARC, you'd be (basically) correct. x86-64, however, is not just x86 with 64-bit pointers. It also gives you these other advantages:

    • Guarantees the existence of SSE. Generating code for x87 is painful. Even using SSE for scalar arithmetic is usually faster than using x87, and you can also get a 2-4x speedup from vectorisation in some cases. Any code that is floating-point intensive benefits from x86-64. x86-64 also doubles the number of SSE registers; there are now 16, making it even easier to generate fast floating-point code.
    • Twice as many general-purpose registers, means that you have much less register spill. You're spending less time copying between registers and the stack, and reshuffling registers, and more time actually computing stuff.
    • Most instructions no longer have fixed destination operands, so you reduce register churn more.
    • Better addressing modes make position-independent code faster. If your program uses any shared libraries, it will benefit from this.
    • 64-bit registers. If your code does anything with 64-bit integers, this effectively doubles your register set size again. x86 pairs registers for 64-bit operations, so you effectively only have two registers that you can store 64-bit values in, meaning any 64-bit operations involve some register spill. x86-64 gives you 16, making them a lot faster.
    • Reusing some short instruction codes. x86 is binary-compatible with the 8086, so some of the shortest instruction sequences are for operations that no one uses anymore. x86-64 reuses these for operations that people actually do use, increasing instruction density.
    --
    I am TheRaven on Soylent News
  73. Re:Bad Publicity... by TheRaven64 · · Score: 1

    Well, the last machine I picked up for free was an UltraSPARC. My local university computer society just got given an SGI machine with 16 MIPS64 chips. The computer labs are on a 3-year rolling upgrade cycle, and the machines that they threw out (into the arms of conveniently placed students) were all 64 bit. Low-end x86-64 machines are pretty easy to find these days.

    --
    I am TheRaven on Soylent News
  74. Re:Bad Publicity... by Anonymous Coward · · Score: 0

    I don't know how you got informative. Most 64 bit programs that use a reasonable amount of memory run slightly slower, due to increased memory bandwidth needs and cache effects. There is certainly no 20% boost to be had, as can be found by googling any 32 vs 64 bit benchmark.

  75. Re:Bad Publicity... by janisozaur · · Score: 2, Interesting

    I'm all in favor of x86_64, but as proven by one of the dev blogs (no longer available) for a facebook-ish website using custom python code, it doesn't necessarily bring speedups/advantages everywhere. Their point was that python uses *a lot* of pointers. Tests showed that even though switching to 64 bits brought some really minor improvements, it also brought much more memory usage to their servers, effectively worsening their performance. They've stayed with x86. They conducted tests some 2 or 3 years ago, I wonder what would be the result today?

  76. Re:Bad Publicity... by Anonymous Coward · · Score: 0

    Exactly. It is also good to mention other AMD64 goodnesses such as SSE extensions and the NX bit, which are nice additions to what x86 offers.

  77. Re:Bad Publicity... by Anonymous Coward · · Score: 0

    I think we'd all be interested to see where you came up with that 20%.

    Obviously if your program just works on 64 bit floats or integers it will be faster, however doubling the bus width doesn't really make cache misses any faster. Sure you get a little more register space, but context switches still kill you. Pulling out an arbitrary percentage is like saying "for every core you add to an N core cpu, you should expect to see an N/2 percent speed up over a single core version."

    My apologies if that seems somewhat flamey, but it is just important to mention any potential speed ups are largely dependent on the specific workload at hand. Most programs don't see any speed up worth mentioning as they spend their life waiting for IO; the portion of their life doing actual work is nominal.

  78. Uh, windows admins DO lash out at linux by Anonymous Coward · · Score: 0

    Uh, windows admins DO lash out at linux. The CEO calls Linux unamerican, GPL a cancer and insists that 237 patents (he's not going to tell you) are being infringed by linux.

    And the fanbois lash out at linux when an exploit turns up just like linux fanbois do. There's more windows fanbois, though, so even that is not even handed.

    Then there's the windows fanboi who ignores the fact of windows existence as a negative force, like you.

  79. Re:Bad Publicity... by Anonymous Coward · · Score: 0

    Uh....no

    Since your pointers now doubled in size, the memory required to store them (cache them) has also doubled.
    How expensive is a cache miss?
    How expensive is it when you have to bring in twice as much data (for the double wide pointer)?

    The extra registers don't buy you nearly as much as you think.
    Modern out of order processors can hide the small register space with renaming. Furthermore, the spilling and filling out of 8 registers can be hidden by store->load forwarding logic.

  80. Supposed diagnostic tool fails by Anonymous Coward · · Score: 0

    I downloaded the diagnostic tool linked in the story (https://www.ksplice.com/uptrack/cve-2010-3081.ssi.xhtml), and after an admittedly cursory check to see if it's something nasty, compiled it (exact command: gcc diagnose-2010-3081.c). But when I executed the a.out binary, it errors out with:

    Diagnostic tool for public CVE-2010-3081 exploit -- Ksplice, Inc.
    (see http://www.ksplice.com/uptrack/cve-2010-3081)

    $$$ Kernel release: 2.6.3[...]
    !!! Error in setting cred shellcodes

  81. Re:Bad Publicity... by master_p · · Score: 1

    Yet another problem coming from the programming language...I wonder when people will admit that the tools we are using for O/S development and systems programming are not good enough!!!

  82. LOL by boxwood · · Score: 2, Funny

    did anyone check the source code for that diagnose command?

    static void put_your_hands_up_hooker(int argc, char *argv[])

    WTF?

  83. Re:Bad Publicity... by daveime · · Score: 1

    And as proof of concept, you are trying to seed the same comment randomly through the Slashdot "page" space ?

  84. In-band checksums with downloadable files by CarpetShark · · Score: 2, Insightful

    You are a dummy for downloading from a http website without a checksum. No thank you.

    What exactly is the point of supplying a checksum by the same route/download method as the file in question? Surely if the file can be modified, so can the checksum. Maybe it would be useful if people got the checksum and verified it was the same checksum everyone else saw, then verified the file with it, but that just doesn't happen.

    1. Re:In-band checksums with downloadable files by buchner.johannes · · Score: 1

      Apparently neither you nor your moderator have heard of public key encryption. You are right, but what you argue against is not what I was suggesting. https is of course a solution.

      --
      NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
  85. Re:Bad Publicity... by TheThiefMaster · · Score: 1

    I posted the comment and it didn't show up. Looks like it did eventually.

  86. Re:Forget the self-advertisement, it's a real issu by Anonymous Coward · · Score: 0

    "I'm not sure how the backdoor could survive"

    Compromised GCC ?

    "I do not see how having the backdoor is riskier than having an unpatched system."

    Everyone on the planet accessing your machine vs local users ?

  87. A little fuckup goes a long way by way2trivial · · Score: 1

    Damn man.. well written, reasoned- no raving-- that was a BEAUTIFUL POST until you ruined it by asserting something I knew flawed....

    See, when I read an opinion piece, I can really get behind the authors point of view unless I see GLARING OBVIOUS MISTAKES... which ruin the emphasis of the entire rest of your post. I think, "if he's wrong about this basic FACT, how much can I trust his premise?"

    What's my problem?
    "OS-X is fine for general use, especially now that you can get Photoshop"

    Photoshop-- is and has been the penultimate MAC app

    Photoshop arguably MADE Macintosh what it is today....

    in the 80's- financial sector used IBM PC compatibles,
    and EVERY design shop/art whatever used macs and photoshop

    --
    every day http://en.wikipedia.org/wiki/Special:Random
    1. Re:A little fuckup goes a long way by Anonymous Coward · · Score: 0

      Photoshop-- is and has been the penultimate MAC app

      I don't think penultimate means what you think it means.

    2. Re:A little fuckup goes a long way by way2trivial · · Score: 1

      Yer right.. I learn something every day.
      this was todays lesson...

      well, if my argument is correct about one mistake, then my rebut is wrong..

      ironic indeed....

      --
      every day http://en.wikipedia.org/wiki/Special:Random
    3. Re:A little fuckup goes a long way by Anonymous Coward · · Score: 0

      Well, his ignorance about photoshop certainly puts the rest of his comment in a poorer light. I was going to write a reply about it, but then I saw yours and instead commented on that word ;-)

  88. Re:It appears to be safe. (was: Re:Not running it. by BruceCage · · Score: 1

    While you do make a valid point (be careful about what you run) and I personally can't actually understand the code provided I have to say that sometimes you have to put a little trust in others. Do you inspect and thoroughly understand every update that your distro suggests? Considering the fact the tool is distributed through Ksplice's website, you have to be seriously paranoid to think Ksplice would even dare to do anything like that.

    --
    Perfect is the enemy of done.
  89. Re:Bad Publicity... by Anonymous Coward · · Score: 0

    And the disadvantage is that pointers take twice as much memory, and require structures to be 64-bit aligned, resulting in additional memory usage. This can result in non-trivial increase of memory usage and throughput, often severely reducing performance both from the extra bus pressure and earlier onset of paging, less IO caching.

  90. Re:Bad Publicity... by owlstead · · Score: 1

    Last time I checked most systems come with 4 GB RAM now. I just looked at a cheap (550 euro) Dell laptop that has 4 GB RAM. Personally I'm running 64 bit Linux because my system has 8 GB RAM (I needed to compile the OpenJDK a few times, and I decided that compiling to RAM disk was worth the additional 120 euros or so - output is some 1.5 GB, excluding intermediate files).

  91. Thanks, Ksplice! by Jahava · · Score: 1

    While I certainly appreciate the effort, in the future please don't semi-obfuscate your publicly-released source code. That really doesn't give me the confidence that I need to run it on my machine.

  92. Re:It appears to be safe. (was: Re:Not running it. by moonbender · · Score: 1

    I think if you're in a position where you apparently own Ksplice's servers, it'd be easy enough and far more damaging to quietly add a security hole to lots of systems using their patch infrastructure. Seems like a better attack vector than spreading an odd source file via a site full of distrustful/inquisitive geeks...

    --
    Switch back to Slashdot's D1 system.
  93. Re:Bad Publicity... by CronoCloud · · Score: 1

    Adobe released a new 64 bit Flash for Linux last week.

  94. Typo? by Anonymous Coward · · Score: 0

    This certainly has to be a highly unlikely series of typos. Let me fix that for you...

    An anonymous reader writes
    "Running 64-bit Windows? Haven't updated yet? You're probably being rooted (or pummeled with UAC requests) as I type this. WhosYourDaddyTrojan, this week's second high-profile local root exploit in the Windows kernel, is compromising machines left and right. Almost all 64-bit machines are affected, and 'Ac1db1tch3z' (classy) published code to let any local user get a root security wizard. Ac1db1tch3z's exploit is more malicious than usual because it leaves a backdoor behind for itself to exploit later even if the hole is patched. Unfortunately, there isn't a tool you can run to see if you've already been exploited. Don't you wish you were running Linux, which has never had a single bug or exploit?"

  95. Back to 32 bit by denshao2 · · Score: 1

    I'm glad that I switched back to 32 bits two weeks ago, after 3 years of using 64 bits. I got tired of the Flash issues and a few other incompatibilities.

  96. that was by alien9 · · Score: 1

    Worth noticing:
    http://info.abril.com.br/noticias/internet/locaweb-sofre-ataque-cracker-17092010-33.shl
    They just defaced every page in many compromised hosts.
    Some said this exploit meant 30% of .br web domains were showing those Ataturk portraits.

  97. Re:Bad Publicity... by Anonymous Coward · · Score: 0

    Why haven't you upgraded to the recently-released 64-bit Flash yet? Is your distro that slow?

  98. Re:Bad Publicity... by TeknoHog · · Score: 1

    32-bit Windows had extra layers to support 16-bit binaries. So this kind of backwards compatibility is not a new idea, but it should not be needed in open source at all. I personally like having a clean system with a single architecture.

    --
    Escher was the first MC and Giger invented the HR department.
  99. Re:Bad Publicity... by TeknoHog · · Score: 1

    Going to 64 bit means your instructions will be 64 bit, which means doubling the cache mem usage.

    Depending on how the os/app uses the cache you may even find a slowdown in performance.

    AFAIK, cache is also used for data, and data is not doubled in size by the architecture change. But I agree that memory/cache usage is somewhat increased when going from 32 to 64 bits.

    However, x86-64 has other improvements over 32-bit x86, so you often get a net speedup. Other posters have already mentioned extra registers and guaranteed SSE2.

    In other architectures, such as PPC, there are none of these extra improvements. Thus many people choose to run a 32-bit userland on 64-bit PPC (usually with a 64-bit kernel).

    --
    Escher was the first MC and Giger invented the HR department.
  100. Looks to be just a conglomeration of other attacks by Anonymous Coward · · Score: 0

    Fairly badly written and mostly full of comments designed to blow smoke up his own arse.
    This isn't a group of leet haxors, it's an undergrad trying to big up a RHEL kernel hole that I'm not sure will reliably work.

    Worried? Moi? Bring it on kiddies.

  101. Re:Bad Publicity... by LWATCDR · · Score: 0

    Yep everything you say is correct.
    But I do agree most people can live with 32 bit for now. For most users CPU performance isn't a bottleneck anymore.
    For scientific users, gamers, video editors, and servers of all kinds 64 bit is the way to go.
    Of course Microsoft in their wisdom decided to do one thing that drives me crazy with their 64bit OS.
    WHY THE HECK DID YOU PUT 32 bit PROGRAMS IN Program Files(x86)!
    You should have put the NEW 64 bit programs in the new directory and kept the older programs where they were for compatibility.

    --
    See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
  102. Re:Bad Publicity... by jedidiah · · Score: 1

    I actually tried to get some Atom/ION hardware from the UK because it hadn't made it to the US yet. Unfortunately, Amazon refused to ship that sort of thing to my location. A little later on, I nearly imported it myself from Japan because I was getting tired of waiting for the stuff to be finally here in America.

    The US doesn't necessarily get the newest stuff first.

    64-bit has been around for a VERY long time.

    --
    A Pirate and a Puritan look the same on a balance sheet.
  103. Re:It appears to be safe. (was: Re:Not running it. by Meriahven · · Score: 1

    Do you inspect and thoroughly understand every update that your distro suggests

    Of course not. This is because it is considerably more difficult to compromise a distro's package distribution system than it is to compromise or spoof a website. Tricking my browser should be even easier.

    Things might have been different had I spotted any kind of digital signature (or even a checksum) anywhere near the download page, or if the download had even originated on a SSL verified server. This is very likely to be because of incompetence of the guys running the site, but on my list of reasons for adding things to the kernel, incompetence is not exactly on the top.
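
What the out-of-band check asked for in this post and in the "In-band checksums" exchange above looks like in practice, as an added example that is not part of the thread and is not Ksplice's tooling. It uses openssl because it is nearly always installed; `gpg --verify` against a vendor key is the usual form for published tools and works the same way in principle. Everything in it is constructed: the key pair plays the publisher, `diagnose.c` plays the download, and the `.sha256` file plays the checksum published next to it.

```shell
#!/bin/sh
# Added example (not from the thread or from Ksplice): detached-signature
# verification of a download versus an in-band checksum, all constructed.

# make_keypair DIR: the publisher's signing key, and the public key a user
# obtains somewhere other than the download page (keyserver, a second site,
# an earlier trusted install). Fetching it from the same page as the file
# would put it in-band again.
make_keypair() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/publisher.key" 2>/dev/null
    openssl pkey -in "$1/publisher.key" -pubout -out "$1/publisher.pub" 2>/dev/null
}

# sign_file KEY FILE SIG: publisher side, detached RSA signature over SHA-256.
sign_file() { openssl dgst -sha256 -sign "$1" -out "$3" "$2"; }

# verify_file PUB FILE SIG: user side. Succeeds only if SIG was made with
# PUB's private key over exactly FILE's bytes.
verify_file() { openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1; }

# checksum FILE: the in-band check the posters discuss; hex digest only.
checksum() { openssl dgst -sha256 "$1" | sed 's/^.*= //'; }

# demo DIR: sign a constructed "diagnose.c" and verify it, then let an
# attacker on the download path replace the file and republish a checksum
# computed over the replacement. Prints three words: signature result on the
# genuine file, whether the in-band checksum still matches after tampering,
# signature result on the tampered file.
demo() {
    d=$1
    make_keypair "$d"
    printf 'int main(void) { return 0; }\n' > "$d/diagnose.c"   # constructed download
    sign_file "$d/publisher.key" "$d/diagnose.c" "$d/diagnose.c.sig"
    verify_file "$d/publisher.pub" "$d/diagnose.c" "$d/diagnose.c.sig" && r1=ok || r1=bad
    # Attacker swaps the file and publishes a checksum that matches the swap.
    printf 'int main(void) { system("id"); return 0; }\n' > "$d/diagnose.c"
    checksum "$d/diagnose.c" > "$d/diagnose.c.sha256"
    [ "$(checksum "$d/diagnose.c")" = "$(cat "$d/diagnose.c.sha256")" ] && r2=matches || r2=differs
    # The detached signature cannot be re-made without publisher.key.
    verify_file "$d/publisher.pub" "$d/diagnose.c" "$d/diagnose.c.sig" && r3=ok || r3=bad
    printf '%s %s %s\n' "$r1" "$r2" "$r3"
}

case ${1:-} in --demo) demo "$(mktemp -d)" ;; esac
```

`./verify.sh --demo` prints `ok matches bad`: the checksum served alongside the file is satisfied by the tampered file, the signature is not. The signature only helps if the public key came through a channel the attacker does not control; a signature and key both fetched from the same unauthenticated page are no better than the checksum. TLS on the download host closes the on-path case but says nothing about a compromised host, which is the distinction the poster above draws.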

  104. Re:Bad Publicity... by QuantumBeep · · Score: 1

    You have to rethink what it means to be "poor". I live in the US, work a full-time job in the IT industry, and I can't afford a hamster.

  105. Re:Bad Publicity... by GameboyRMH · · Score: 1

    Plus you could run the 32-bit version of Flash on 64-bit Linux anyways, it's just more work:

    http://www.linux.com/archive/feature/142075

    And I haven't had any trouble running any other 32-bit binary blobs.

    --
    "When information is power, privacy is freedom" - Jah-Wren Ryel
  106. Re:It appears to be safe. (was: Re:Not running it. by Culture20 · · Score: 1

    I think if you're in a position where you apparently own Ksplice's servers, it'd be easy enough and far more damaging to quietly add a security hole to lots of systems using their patch infrastructure. Seems like a better attack vector than spreading an odd source file via a site full of distrustful/inquisitive geeks...

      Unless they realized you'd think of that, and pulled a double-reverse psychological maneuver?

  107. Re:Bad Publicity... by dougmc · · Score: 1

    It's not a compatibility layer. It's that programs compiled against 32 bit shared libraries need those 32 bit shared libraries to run, and this is going to be difficult to get past, short of making everything a static binary.

    The additional speed and such makes the small amount of additional complexity well worth the trouble.

    And really, under Linux in 2010, you don't need 32 bit programs for anything except some commercial software where they don't offer 64 bit versions. (To be fair, the situation is the same under Windows, except that since you don't get source to everything, you're stuck with what they provide -- and it's usually a 32 bit binary.)

  108. Re:Bad Publicity... by TeknoHog · · Score: 1

    It's not a compatibility layer. It's that programs compiled against 32 bit shared libraries need those 32 bit shared libraries to run, and this is going to be difficult to get past, short of making everything a static binary.

    True, it's not like emulating another architecture, because the CPU can run in different modes. But you still need some level of OS support for this mode switch.

    I thought the case with 16-bit on 32-bit Windows was exactly the same, since the CPU can run in 16-bit mode as well. Or is there a key difference?

    --
    Escher was the first MC and Giger invented the HR department.
  109. Re:Bad Publicity... by wildstoo · · Score: 1

    Try Ramen instead. It's not quite as satisfying, but it's cheap.

  110. crap!! by Anonymous Coward · · Score: 0

    What is this... bullshit?

    Those sorts of shitty 'optimization' progs are for windoze fools..

  111. Re:OSS Strikes Again by Culture20 · · Score: 1

    my Ubuntu machines were already patched a day before the first scare stories about this exploit appeared here on Slashdot.

    That's not a great measure of anything; Duke Nukem Forever was released last year, but /. is still posting stories about how it will never get produced.

    Psych! DNF is still a leprechaun riding a unicorn. But /. is a little slow to pick up news at times.

  112. Deobfuscation by michaelmior · · Score: 1

    Here's a semi-deobfuscated version. My assembly skills aren't really up to snuff, so I doubt I'll go much further. http://gist.github.com/588199

  113. INFORMATIVE PARENT by shaitand · · Score: 1

    Mod parent up

  114. Are you trying to pwn us? by AlgorithMan · · Score: 1

    "You're probably being rooted as I type this"
    don't you know what a LOCAL-root exploit is or are you by any chance trying to scare us into executing malware with root privileges?

    --
    The MAFIAA is a bunch of mindless jerks who will be the first up against the wall when the revolution comes
    1. Re:Are you trying to pwn us? by Harik · · Score: 1

      Good news! You don't need to execute it with root privileges, it gets those for itself.

  115. OMG! by CarpetShark · · Score: 1

    Stop perpetuating this fucking myth.

    OMG, fucking is a myth?!

    1. Re:OMG! by axp_bofh · · Score: 1

      Stop perpetuating this fucking myth.

      OMG, fucking is a myth?!

      This is Slashdot after all.

  116. BEWARE: The tool doesn't check for CVE-2010-3080 by Anonymous Coward · · Score: 0

    The tool isn't good for non-Redhat kernels. It checks for CVE-2010-3081 only, but not for CVE-2010-3080.
    The latter wasn't "backported" to RHEL5, but is still wide open elsewhere:

    $ ./diagnose-2010-3081
    Diagnostic tool for public CVE-2010-3081 exploit -- Ksplice, Inc.
    (see http://www.ksplice.com/uptrack/cve-2010-3081)

    $$$ Kernel release: 2.6.33.3
    !!! Could not find symbol: per_cpu__current_task

    A symbol required by the published exploit for CVE-2010-3081 is not
    provided by your kernel. The exploit would not work on your system.

    $ ./robert_you_suck
    resolved symbol commit_creds to 0xffffffff81071b90
    resolved symbol prepare_kernel_cred to 0xffffffff81071840
    mapping at 3f80000000
    UID 0, EUID:0 GID:0, EGID:0
    sh-3.2#

  117. Re:Forget the self-advertisement, it's a real issu by Anonymous Coward · · Score: 0

    Yes, the initial problem was a real issue. But this one ONLY affects Ksplice users, because "th3 m4giq p0rt4l" left by Ac1db1tch3z's code resided in memory only. If, after updating, one reboots as one is meant to, there is no problem. However, if the kernel is updated in memory while running (not a good idea in any case) as is done by Ksplice, the vulnerability remains. If one uses the "rebootless" patch after running Ac1db1tch3z's code, then you'll still have to reboot to fix the problem.

    tl;dr Ksplice created a problem which only affects its own users and now slashdot is trying to convince us that it affects everyone. Story is moot.

  118. Re:Bad Publicity... by Score+Whore · · Score: 1

    They're only human, no need to call them tools.

  119. Re:Forget the self-advertisement, it's a real issu by Harik · · Score: 1

    Well, for one both the exploit and the detector are broken by default - it's looking for per_cpu__current_task for >=2.6.30 kernels and not every kernel has that - it's just 'current_task' on 2.6.36-rc4. Turn off that check and both the detector and exploit work. Ignoring the l33+, the important bits are the shellcode and any remnants of the exploit when run.

    The exploit itself is trivial to understand - compat_alloc_user_space() didn't check the bounds, and one user didn't properly handle the checking first.

    Here's the actual exploit:
    getsockopt(7, SOL_IP, MCAST_MSFILTER, 0x804b4a0, 0x804b8a8) = -1 EFAULT (Bad address)
    and a quick glance at net/compat.c shows that no check is made on optlen. The rest is just stack-trashing and shellcode,
    your basic exploit.

  120. Exaggerated out of proportion ... by Jerry · · Score: 1

    The patch was announced by Canonical (Ubuntu) the same day that Ben Hawkes announced the exploit and published proof-of-concept code.

    The required kernel update is "2.6.32-24.43" or higher. That kernel was automatically updated on my 64bit Kubuntu 10.04 system with:
    -rw-r--r-- 1 root root 757586 2010-09-17 10:04 /var/cache/apt/archives/linux-headers-2.6.32-24-generic_2.6.32-24.43_amd64.deb
    and, 11 hours later, again:
    -rw-r--r-- 1 root root 770132 2010-09-17 21:05 /var/cache/apt/archives/linux-headers-2.6.32-25-generic_2.6.32-25.44_amd64.deb

    the same day that Hawkes announced it. Most 64bit Linux desktops are single user, and not susceptible if the owner did not hand out local accounts to his or her kids (and even then?), and most corporate Linux users would not advertise that their servers or workstations were exploited, so claims that Linux systems are being "compromised left and right" are specious, to say the least, or FUD or outright lying at worst.

    --

    Running with Linux for over 20 years!
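
A small check, written here as an added example rather than anything from the comment's author, that compares a running Ubuntu kernel against the "2.6.32-24.43" minimum quoted above. It assumes Ubuntu's version scheme (package version "2.6.32-24.43" = upstream 2.6.32, ABI 24, upload 43) and that `uname -v` on such kernels begins with "#43-Ubuntu"; the sample uname strings are constructed.

```python
import re

# Minimum fixed Ubuntu 10.04 kernel package version quoted in the comment above.
FIXED_VERSION = "2.6.32-24.43"

# Package versions look like "2.6.32-24.43": upstream 2.6.32, ABI 24, upload 43.
_PKG_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)\.(\d+)$")
# Assumed formats: `uname -r` gives "2.6.32-24-generic" (no upload number) and
# `uname -v` on Ubuntu kernels starts with "#43-Ubuntu ..." (the upload number).
_UNAME_R_RE = re.compile(r"^(\d+\.\d+\.\d+-\d+)-[\w-]+$")
_UNAME_V_RE = re.compile(r"^#(\d+)-Ubuntu\b")


def parse_pkg_version(version):
    """Turn '2.6.32-24.43' into the comparable tuple (2, 6, 32, 24, 43)."""
    m = _PKG_RE.match(version.strip())
    if not m:
        raise ValueError("unexpected kernel version: %r" % version)
    return tuple(int(x) for x in m.groups())


def is_fixed(pkg_version, minimum=FIXED_VERSION):
    """True when the given package version is at or above the fixed one."""
    return parse_pkg_version(pkg_version) >= parse_pkg_version(minimum)


def running_kernel_version(uname_r, uname_v):
    """Rebuild the package version of the kernel actually in memory.

    A fixed package on disk does not help until that kernel is booted, and
    `uname -r` alone cannot tell 24.42 from 24.43, so the upload number is
    taken from `uname -v`.  Returns None for non-Ubuntu version strings.
    """
    r = _UNAME_R_RE.match(uname_r.strip())
    v = _UNAME_V_RE.match(uname_v.strip())
    if not r or not v:
        return None
    return "%s.%s" % (r.group(1), v.group(1))


def running_kernel_is_fixed(uname_r, uname_v, minimum=FIXED_VERSION):
    version = running_kernel_version(uname_r, uname_v)
    return version is not None and is_fixed(version, minimum)


if __name__ == "__main__":
    import subprocess
    uname_r = subprocess.check_output(["uname", "-r"]).decode()
    uname_v = subprocess.check_output(["uname", "-v"]).decode()
    print(running_kernel_version(uname_r, uname_v),
          "fixed" if running_kernel_is_fixed(uname_r, uname_v) else "NOT fixed")
```

The comparison only covers the Ubuntu version scheme; other distributions' fixed versions (e.g. the RHEL/CentOS errata linked in a later comment) need their own minimums.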

  121. Re:Bad Publicity... by Lokitoth · · Score: 1

    16-bit also had the annoyances involved with stepping out of protected mode on top of the bitness switch, which is why it was so easy to bring down the operating system from inside a poorly behaving program or shim driver.

  122. Fixes released by biohazd · · Score: 1

    CentOS 5 fixes are available - see http://bugs.centos.org/view.php?id=4518
    Redhat 5 also has a new kernel - see https://rhn.redhat.com/errata/RHSA-2010-0704.html
    GO GO GO !!!

  123. SELinux by jdc18 · · Score: 1

    Does anyone know if SELinux prevents this? I thought this was one of those things where SELinux will protect you unless you are using Oracle or some other dumb program that makes it impossible to run SELinux correctly.

  124. Re:OSS Strikes Again by jdc18 · · Score: 1

    I'm a PC, and using Windows instead of Linux was my idea.

    You are a PC??? Nice to meet you PC, I am a human

  125. Re:Bad Publicity... by DarwinSurvivor · · Score: 1

    Yes, but given their recent track record, I'm betting any money they'll do it again for quite a while. Besides, that version of flash completely messes up webkit if you are using qt4.6 (current in most distros) forcing either a non-package-manager upgrade to 4.7 (not easy on some distros) or not using the new flash.

  126. Re:Get it secured from the step first by WebKing279 · · Score: 1

    Compared to Linux, Windows is the most vulnerable, in the experience of most administrators. But from a knowledge point of view it also depends on who is administrating your system. The post is very well written and alarming for those who aren't up to date with administrating their systems. If you are looking for secured servers get them from unichost. For me they are the most reliable so far!

    --
    Regards, Sam I Love My Reliable Service Provider Do you?