RDS Protocol Bug Creates a Linux Kernel Hole, Now Fixed

Trailrunner7 writes "The open-source Linux operating system contains a serious security flaw that can be exploited to gain superuser rights on a target system. The vulnerability, in the Linux implementation of the Reliable Datagram Sockets (RDS) protocol, affects unpatched versions of the Linux kernel, starting from 2.6.30, where the RDS protocol was first included." The article goes on to say, though, that "Linux installations are only vulnerable if the CONFIG_RDS kernel configuration option is set, and if there are no restrictions on unprivileged users loading packet family modules, as is the case on most stock distributions," and that Linus Torvalds has committed a fix.

8 of 89 comments

  1. A local exploit only by h4rr4r · Score: 4, Informative

    They should mention in the summary this is a local privilege escalation exploit only.

    1. Re:A local exploit only by synthesizerpatel · Score: 4, Funny

      Listen, not a year goes by, not a year, that I don't hear about some escalator accident involving some bastard kid which could have easily been avoided had some parent - I don't care which one - but some parent conditioned him to fear and respect that escalator.

    2. Re:A local exploit only by tom17 · Score: 5, Informative

      It's everywhere. I just tested it on a random newish Ubuntu install (Well, 10.04) and the exploit works. It *does* say in the article that it's set up this way as default.

      I'd expect this is a pretty common vulnerability out there.

    3. Re:A local exploit only by tlhIngan · Score: 4, Insightful

      They should mention in the summary this is a local privilege escalation exploit only.

      Local exploits become remote exploits through a vulnerable service or bad passwords. Just because something can only be done locally means nothing. It just means all I need to do is gain any sort of access then use the exploit. Instant root. And all I needed was just the ability to run a bit of my code. Or if I've previously gotten access in but not used it because running things as "nobody" isn't terribly useful, now with the ability to get root makes it very useful.

      It's the same sort of thing that let that jailbreakme.com thing work - Safari downloads a PDF, the PDF display code tries to display it and fails, and runs the exploit code. Exploit code runs as Safari, uses a privilege escalation hole to get root access, then does all the jailbreak stuff as root.

    4. Re:A local exploit only by Oceanplexian · Score: 4, Interesting

      Only? Only a local root exploit?

      That kind of attitude makes me upset because I endure a lot of it where I work. A local root exploit is the hard part of owning a server. Getting unprivileged access through some vulnerability is comparatively a piece of cake.

  2. Fixing a hole where the rain gets in... by digitaldc · Score: 5, Informative

    "Reliable Datagram Sockets (RDS) provide in order, non-duplicating, highly available, low overhead, reliable delivery of datagrams between hundreds of thousands of non-connected endpoints."

    Gives new meaning...

    Recommendation:
    Users should install updates provided by downstream distributions or apply the committed patch [3] and recompile their kernel.
    Preventing the RDS kernel module from loading is an effective workaround. This can be accomplished by executing the following command as root:
    echo "alias net-pf-21 off" > /etc/modprobe.d/disable-rds

    --
    He who knows best knows how little he knows. - Thomas Jefferson
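An added audit script (not from the article, the advisory, or the commenter) that checks whether the modprobe workaround quoted in the comment above is actually in place on a host, and whether the rds module is already loaded (in which case the alias no longer helps). Both paths are parameters so the check can be run against constructed files; the real inputs are /etc/modprobe.d and /proc/modules. Recognising the "install rds /bin/true" form as an equivalent mitigation is an assumption about what an administrator might have written instead of the advisory's alias line.

```shell
#!/bin/sh
# Added example: audit the "alias net-pf-21 off" workaround.

# Returns 0 if any file in DIR carries a directive that stops RDS from being
# autoloaded: the advisory's "alias net-pf-21 off", or (assumed equivalent)
# "install rds /bin/true" / "install rds /bin/false". Comments are ignored.
rds_autoload_disabled() {
    dir="$1"
    [ -d "$dir" ] || return 1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # drop '#' comments, squeeze whitespace, then match whole lines
        if sed 's/#.*//' "$f" | tr -s ' \t' ' ' \
            | grep -Eq '^ *(alias net-pf-21 off|install rds /bin/(true|false)) *$'; then
            return 0
        fi
    done
    return 1
}

# Returns 0 if a /proc/modules style file (path in $1) lists the rds module.
rds_loaded() {
    grep -Eq '^rds ' "$1"
}

# Prints one verdict: "loaded" (module already in the kernel, alias is moot),
# "mitigated" (autoload disabled), or "exposed" (no workaround found).
# $1 = modprobe.d directory, $2 = /proc/modules style file.
rds_status() {
    if rds_loaded "$2"; then
        echo loaded
    elif rds_autoload_disabled "$1"; then
        echo mitigated
    else
        echo exposed
    fi
}

# Stand-alone run against the live system.
rds_status /etc/modprobe.d /proc/modules
```

A "loaded" verdict means the host needs the kernel update rather than the modprobe alias, since the alias only prevents future autoloads.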
  3. Re:Note to linux devs by Meshach · Score: 4, Insightful

    If you release early and you release often, you will release a big piece of sh^H^H code with a lot of bugs.

    Funny how Microsoft releases late and releases seldom and has the same problem...

    --
    "Maybe this world is another planet's hell"
    Aldous Huxley
  4. Clearing up some questions... by Anonymous Coward · Score: 5, Informative

    Sorry for the Anonymous Coward reply, I don't have an account in my name. I'm the researcher who discovered the vulnerability and published it. Just thought I'd clear up a few issues:

    1. Stock installations of Ubuntu, Debian, Fedora, Red Hat, Arch, Slackware, and SuSE (and probably more) >= 2.6.30 are (or were) all vulnerable to the issue. Ubuntu has already issued an update, which is why some people can't get the exploit working on their Ubuntu machines. Even if the proof-of-concept doesn't work on your machine, if you have an unpatched machine that compiles RDS as a module, you are vulnerable and should patch.

    2. Just because something is "compiled as a module" doesn't mean you have to explicitly have an administrator load it in order for it to be used. Networking protocols can be loaded at runtime by unprivileged users on nearly every distribution, including RDS. This is part of a broader security problem in the Linux world that should be improved.

    3. No one should be complaining about the week-long period after reporting before disclosure. The Linux security folks upstream would have published the fix the day I reported the issue, except I specifically requested an embargo period of one week, during which downstream distributions could prepare updates. If I hadn't requested this embargo, then the fix would have been published immediately, but distribution users would have had to wait for their respective distributions to put together updates.