Slashdot Mirror


RDS Protocol Bug Creates a Linux Kernel Hole, Now Fixed

Trailrunner7 writes "The open-source Linux operating system contains a serious security flaw that can be exploited to gain superuser rights on a target system. The vulnerability, in the Linux implementation of the Reliable Datagram Sockets (RDS) protocol, affects unpatched versions of the Linux kernel, starting from 2.6.30, where the RDS protocol was first included." The article goes on to say, though, that "Linux installations are only vulnerable if the CONFIG_RDS kernel configuration option is set, and if there are no restrictions on unprivileged users loading packet family modules, as is the case on most stock distributions," and that Linus Torvalds has committed a fix.


  1. A local exploit only by h4rr4r · · Score: 4, Informative

    They should mention in the summary this is a local privilege escalation exploit only.

    1. Re:A local exploit only by jgrahn · · Score: 2, Insightful

      And they should say who actually has this code /installed/. RDS surely falls in the same category as SCTP -- might be useful in the lab at CERN, but not on any normal server, and certainly not on some random Ubuntu user's desktop.

    2. Re:A local exploit only by CannonballHead · · Score: 2, Insightful

      Hm. By default? I don't know, but the article mentions testing the exploit on Ubuntu 10.04 x64.

    3. Re:A local exploit only by synthesizerpatel · · Score: 4, Funny

      Listen, not a year goes by, not a year, that I don't hear about some escalator accident involving some bastard kid which could have easily been avoided had some parent - I don't care which one - but some parent conditioned him to fear and respect that escalator.

    4. Re:A local exploit only by tom17 · · Score: 5, Informative

      It's everywhere. I just tested it on a random newish Ubuntu install (Well, 10.04) and the exploit works. It *does* say in the article that it's set up this way as default.

      I'd expect this is a pretty common vulnerability out there.

    5. Re:A local exploit only by Athanasius · · Score: 2, Informative

      What? No Auto-load of it on trying to use the protocol it utilises? I ask because the workaround is to turn that particular feature off: echo alias net-pf-21 off > /etc/modprobe.d/disable-rds

    6. Re:A local exploit only by drumbug1 · · Score: 3, Informative

      If the system is completely up to date it's already patched in Ubuntu. Details on the kernel package needed for each currently supported release is here: http://www.ubuntu.com/usn/usn-1000-1

    7. Re:A local exploit only by tlhIngan · · Score: 4, Insightful

      They should mention in the summary this is a local privilege escalation exploit only.

      Local exploits become remote exploits through a vulnerable service or bad passwords. Just because something can only be done locally means nothing. It just means all I need to do is gain any sort of access then use the exploit. Instant root. And all I needed was just the ability to run a bit of my code. Or if I've previously gotten access in but not used it because running things as "nobody" isn't terribly useful, now with the ability to get root makes it very useful.

      It's the same sort of thing that let that jailbreakme.com thing work - Safari downloads a PDF, the PDF display code tries to display it and fails, and runs the exploit code. Exploit code runs as Safari, uses a privilege escalation hole to get root access, then does all the jailbreak stuff as root.

    8. Re:A local exploit only by Oceanplexian · · Score: 4, Interesting

      Only? Only a local root exploit?

      That kind of attitude makes me upset because I endure a lot of it where I work. A local root exploit is the hard part of owning a server. Getting unprivileged access through some vulnerability is comparatively a piece of cake.

  2. Fixing a hole where the rain gets in... by digitaldc · · Score: 5, Informative

    "Reliable Datagram Sockets (RDS) provide in order, non-duplicating, highly available, low overhead, reliable delivery of datagrams between hundreds of thousands of non-connected endpoints."

    Gives new meaning...

    Recommendation:
    Users should install updates provided by downstream distributions or apply the committed patch [3] and recompile their kernel.
    Preventing the RDS kernel module from loading is an effective workaround. This can be accomplished by executing the following command as root:
    echo "alias net-pf-21 off" > /etc/modprobe.d/disable-rds

    --
    He who knows best knows how little he knows. - Thomas Jefferson
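    The workaround quoted above only helps if it is actually in place on every host. The following POSIX shell audit is an added example, not code from the thread or from any distribution: it checks whether a modprobe.d directory already disables RDS (by the thread's `alias net-pf-21 off` line, or by an `install rds /bin/false` line, which is the other common way to stop a module from loading) and whether the `rds` module is currently loaded according to `/proc/modules`. Both functions take an optional path argument so they can be pointed at a copied or constructed file; the `main` at the bottom runs them against the live system paths.

```shell
#!/bin/sh
# Added example (not from the Slashdot thread): audit the RDS (net-pf-21)
# autoload workaround on a Linux host.

# Return 0 if any file in the given modprobe.d directory (default
# /etc/modprobe.d) disables RDS, either via the thread's
# "alias net-pf-21 off" workaround or via an "install rds ..." override.
rds_workaround_present() {
    dir="${1:-/etc/modprobe.d}"
    [ -d "$dir" ] || return 1
    # -s silences errors for an empty directory (the unexpanded "*" glob).
    grep -Eqs \
        '^[[:space:]]*(alias[[:space:]]+net-pf-21[[:space:]]+off|install[[:space:]]+rds[[:space:]])' \
        "$dir"/*
}

# Return 0 if the rds module is currently loaded. The argument is the
# modules listing to inspect (default /proc/modules), whose lines start
# with the module name followed by a space.
rds_loaded() {
    modules="${1:-/proc/modules}"
    grep -qs '^rds ' "$modules"
}

# Print a one-line verdict for the given modprobe.d dir and modules file.
rds_report() {
    dir="${1:-/etc/modprobe.d}"
    modules="${2:-/proc/modules}"
    if rds_loaded "$modules"; then
        echo "rds module is LOADED; the workaround only prevents future loads, unload or reboot after applying it"
    elif rds_workaround_present "$dir"; then
        echo "rds autoload is disabled in $dir"
    else
        echo "rds autoload is NOT disabled; as root: echo 'alias net-pf-21 off' > $dir/disable-rds"
    fi
}

main() {
    rds_report /etc/modprobe.d /proc/modules
}

# Only run the live check when executed directly, not when sourced.
case "$0" in
    *rds*|*.sh) main ;;
esac
```

The script deliberately reports a loaded module separately: a modprobe.d entry stops the next automatic load but does nothing about a module that is already resident, so an unpatched host with `rds` loaded still needs the kernel update (or a reboot after the entry is added).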
    1. Re:Fixing a hole where the rain gets in... by h4rr4r · · Score: 2, Insightful

      Better question do any distros ship with this on by default?

      They mention 10.04, but do not say if they had to enable it first. I guess I will have to check what modules my desktop has at home to see.

    2. Re:Fixing a hole where the rain gets in... by tom17 · · Score: 2, Informative

      It's enabled by default. I tested it.

    3. Re:Fixing a hole where the rain gets in... by AlphaZeta · · Score: 2, Interesting

      Just tried on my home machine (Ubuntu 10.04 64 bit) and it couldn't get the root shell. It's running 2.6.32-25-generic.
      [*] Linux kernel >= 2.6.30 RDS socket exploit
      [*] by Dan Rosenberg
      [*] Resolving kernel addresses...
        [+] Resolved rds_proto_ops to 0xffffffffa0bc4860
        [+] Resolved rds_ioctl to 0xffffffffa0bbd000
        [+] Resolved commit_creds to 0xffffffff8108aee0
        [+] Resolved prepare_kernel_cred to 0xffffffff8108b2c0
      [*] Overwriting function pointer...
      [*] Triggering payload...
      [*] Restoring function pointer...
      [*] Exploit failed to get root.

    4. Re:Fixing a hole where the rain gets in... by drumbug1 · · Score: 2, Informative

      If the system is completely up to date it's already patched in Ubuntu. Details on the kernel package needed for each currently supported release is here: http://www.ubuntu.com/usn/usn-1000-1

    5. Re:Fixing a hole where the rain gets in... by Anonymous Coward · · Score: 2, Informative

      "net-pf" is a common prefix that refers to network packet families. You have an alias file at /lib/modules/[kernel version]/modules.alias that contains a number of entries like this. This is actually a format that is hard-coded into the kernel:

      http://lxr.linux.no/#linux+v2.6.36/net/socket.c#L1196

      The workaround is perfectly valid.

    6. Re:Fixing a hole where the rain gets in... by JesseMcDonald · · Score: 2, Informative

      The module name is "rds"; "net-pf-21" is an alias, and stands for Network Packet Family #21.

      --
      "The state is that great fiction by which everyone tries to live at the expense of everyone else." - Bastiat
  3. Re:Note to linux devs by Meshach · · Score: 4, Insightful

    If you release early and you release often, you will release a big piece of sh^H^H code with a lot of bugs.

    Funny how Microsoft releases late and releases seldom and has the same problem...

    --
    "Maybe this world is another planet's hell"
    Aldous Huxley
  4. Re:Note to linux devs by jedidiah · · Score: 2, Informative

    Nope. The usual Microsoft nonsense is still alive and well in 2010.

    --
    A Pirate and a Puritan look the same on a balance sheet.
  5. Re:Note to linux devs by stagg · · Score: 2, Insightful

    The same article announcing the existence of the exploit announced the existence of the fix. That's pretty good support if you ask me, and it's hard to be too worried under those circumstances.

  6. Re:Note to linux devs by DeadCatX2 · · Score: 2, Informative

    Yeah, it's 2010, and every Tuesday my computer bitches about how I have updates waiting to be installed...

    --
    :(){ :|:& };:
  7. Re:Note to linux devs by man_of_mr_e · · Score: 2, Interesting

    Of course what you don't know is that this issue has been known by the kernel team and unreported for at least 9 days.

    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3904

    Notice the "Assigned" date, 10/12/2010, that's the date the CVE was created for this flaw and it was likely known and reported several days before that.

    What this means is that the kernel team knew of the flaw, it was reported in secret, and they kept it a secret while they researched a fix. So people were vulnerable for almost 2 weeks, even though there was a known workaround that would have prevented them from being vulnerable if they had known.

  8. Clearing up some questions... by Anonymous Coward · · Score: 5, Informative

    Sorry for the Anonymous Coward reply, I don't have an account in my name. I'm the researcher who discovered the vulnerability and published it. Just thought I'd clear up a few issues:

    1. Stock installations of Ubuntu, Debian, Fedora, Red Hat, Arch, Slackware, and SuSE (and probably more) >= 2.6.30 are (or were) all vulnerable to the issue. Ubuntu has already issued an update, which is why some people can't get the exploit working on their Ubuntu machines. Even if the proof-of-concept doesn't work on your machine, if you have an unpatched machine that compiles RDS as a module, you are vulnerable and should patch.

    2. Just because something is "compiled as a module" doesn't mean you have to explicitly have an administrator load it in order for it to be used. Networking protocols can be loaded at runtime by unprivileged users on nearly every distribution, including RDS. This is part of a broader security problem in the Linux world that should be improved.

    3. No one should be complaining about the week-long period after reporting before disclosure. The Linux security folks upstream would have published the fix the day I reported the issue, except I specifically requested an embargo period of one week, during which downstream distributions could prepare updates. If I hadn't requested this embargo, then the fix would have been published immediately, but distribution users would have had to wait for their respective distributions to put together updates.

  9. Re:now fixed? by TeknoHog · · Score: 2, Informative

    The fix mentioned in TFA is also in the 2.6.36 changelog. So if you use the latest vanilla kernel, it is already fixed.

    --
    Escher was the first MC and Giger invented the HR department.
  10. Re:If it were MS, it would be months later by sjames · · Score: 2, Insightful

    And meanwhile, since practically nobody and nothing actually uses that protocol, just disable it unless/until you apply the update.