Slashdot Mirror


Exploits Emerge For Linux Privilege Escalation Flaw

angry tapir writes "Linux vendors are rushing to patch a privilege escalation vulnerability in the Linux kernel that can be exploited by local attackers to gain root access on the system. The vulnerability, which is identified as CVE-2012-0056, was discovered by Jüri Aedla and is caused by a failure of the Linux kernel to properly restrict access to the '/proc//mem' file."

22 of 176 comments

  1. Hrrm by Anonymous Coward · · Score: 5, Insightful

    If someone is in a position to run a local exploit, aren't you pretty much fucked anyways?

    1. Re:Hrrm by JimCanuck · · Score: 3, Insightful

      Yes, that you are.

    2. Re:Hrrm by MichaelSmith · · Score: 4, Insightful

      Web servers are vulnerable because they run server side code, often uploaded with vulnerable content management systems, etc.

    3. Re:Hrrm by Anonymous Coward · · Score: 5, Informative

      I was with you up until Rule #3 which is nonsense.

    4. Re:Hrrm by Mad+Merlin · · Score: 4, Interesting

      Rule #1: There is no such thing as 100% secure. Even 100% bug-free cannot be considered 100% secure.

      There's also no such thing as 100% bug-free.

      Rule #3: All security is ultimately "security through obscurity."

      While in the strictest sense, this may not be untrue, to phrase it that way is extremely dishonest. An encryption algorithm that relies on the secrecy of the algorithm is totally worthless (security by obscurity), whereas an encryption algorithm that relies on the secrecy of the keys used for encryption is quite useful (not security by obscurity in the normal sense).

      In fact, if you want to be pedantic about it, the relevant definition for obscure is...

      not readily understood or clearly expressed; also : mysterious [1]

      Which is about understanding and not so much about knowledge. I may understand that I need a username and password to log into your system, just because I don't know what the username or password is doesn't make it security by obscurity. In fact, say I wanted to break into your house, I may have seen you use a physical key to open the front door and walk in and I may have even memorized the pattern of teeth on the key, but it does me no good if I don't have a key of my own to open the door with. There is certainly no obscurity in that security.

      If you're going to go ahead and say that all security is "security through obscurity", then you may as well make the next logical step of not implementing any of it.

      [1] http://www.merriam-webster.com/dictionary/obscure

    5. Re:Hrrm by anonymov · · Score: 3, Interesting

      "The fact is private encryption keys only work when P and Q are not known. You can also decrypt the cyphertext without the key - just search for $5 wrench"

      You're mistaking "secret", which is necessary part of every encryption scheme, with "obscurity", which is useful only in very specific circumstances.

      Following your analogy, security by obscurity is making key duplication method secret and hiding the lock's inner working. Good security, on the other hand, is when you can't duplicate the key unless you snatch it from the owner and can't pick the lock even if you know how it's built.

      Security by obscurity is useful only as preliminary defense line to stall an attacker until he gathers enough information about your systems to begin targeted attack.

  2. Re:Local exploit? by Lumpio- · · Score: 5, Informative

    A weak SSH user account/PHP script/whatever + local privilege escalation = instant remote root

  3. Link to more info by milbournosphere · · Score: 5, Informative

    It's a geekier breakdown, but is quite informative.

    http://blog.zx2c4.com/749

    Gets into the memory specifics of the bug. I found it to be far better than the actual article.

  4. Re:iOS now has more marketshare than Android by tqk · · Score: 5, Funny

    Pardon me, but I'm going to go watch Firefly now, as it appears none of you make any sense. Bye.

    --
    "Tongue tied and twisted, just an Earth bound misfit ..." -- Pink Floyd.

  5. Debian (mostly) not affected by Trogre · · Score: 5, Informative

    Since this bug was introduced in Linux 2.6.39 Debian Stable (squeeze, Linux 2.6.32) is not affected. Unstable(sid, Linux 3.1) has already been patched, though Testing (wheezy) is still vulnerable.

    More information here

    --
    "Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife

  6. Re:Broken on Android too by Abreu · · Score: 5, Funny

    Wuh, I think so, Brain, but if we didn't have ears, we'd look like weasels

    --
    No sig for the moment.

  7. Re:Local exploit? by BasilBrush · · Score: 5, Funny

    so someone has to be sitting in front of the boxen to exploit the exploit, why not just init 1?

    Or they could use axen to destroy the boxen. Or set some foxen on them to tear them to pieces. Or they could fill the boxen with melted waxen. Or bury them in faxen. This exploit is usable by people of both sexen, so long as they pay their taxen.

  8. Simple explanation by Chemisor · · Score: 5, Informative

    There is /proc/pid/mem, a pseudofile referring to the memory of process pid. It has 0600 permissions so you can't write to the memory of other users' processes. The bug occurs when you exec an suid executable and the kernel does not change open fds for /proc/pid/mem. This way, you can open mem, dup it to stderr, and exec su with a garbage parameter. su will duly print an error, quoting the offending parameter, writing to its process memory. With a properly selected shellcode you can get root.
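
The mechanism Chemisor describes, as an added C example that is not part of the original thread and is not any published exploit for CVE-2012-0056: a process opens its own /proc/self/mem (writing to your own memory through this file is permitted by design, so this runs unprivileged on a current kernel), seeks the file position to the address of a buffer, and dup2()s the descriptor over stderr. An ordinary write to fd 2, the "error message" in the comment's scenario, then lands at that address, because duplicated descriptors share one file position. The names `target` and `stderr_into_own_memory` are this example's own. The 2012 bug was only that such a descriptor kept working after the process exec'd a setuid binary such as su; nothing here crosses a privilege boundary, and no shellcode or offsets are involved.

```c
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Target buffer in this process's own writable data segment (example's own name). */
static char target[32] = "untouched";

/*
 * Route this process's stderr into its own memory through /proc/self/mem.
 * Returns  1 if the bytes written to fd 2 landed in `target`,
 *          0 if the write went through but `target` did not change,
 *         -1 if /proc/self/mem could not be opened or stderr could not be
 *            redirected (no procfs, sandbox, closed stderr).
 */
int stderr_into_own_memory(void)
{
    const char payload[] = "patched";   /* 8 bytes including the terminating NUL */

    int mem = open("/proc/self/mem", O_RDWR);
    if (mem < 0)
        return -1;

    /* The offset of /proc/<pid>/mem is a virtual address in that process, so
       seeking to &target positions the file at the buffer. (Assumes a 64-bit
       off_t, which is the case on x86-64 Linux.) */
    if (lseek(mem, (off_t)(uintptr_t)target, SEEK_SET) == (off_t)-1) {
        close(mem);
        return -1;
    }

    /* Keep the real stderr so it can be restored afterwards. */
    int saved_stderr = dup(STDERR_FILENO);
    if (saved_stderr < 0) {
        close(mem);
        return -1;
    }

    /* From here on, fd 2 *is* the mem file, sharing its file position. */
    if (dup2(mem, STDERR_FILENO) < 0) {
        close(saved_stderr);
        close(mem);
        return -1;
    }

    /* This plays the role of su printing its error message: a plain write to
       fd 2 that the program believes goes to the terminal. */
    ssize_t n = write(STDERR_FILENO, payload, sizeof payload);

    /* Restore stderr and release the descriptors. */
    dup2(saved_stderr, STDERR_FILENO);
    close(saved_stderr);
    if (mem != STDERR_FILENO)
        close(mem);

    if (n != (ssize_t)sizeof payload)
        return 0;
    return strcmp(target, "patched") == 0 ? 1 : 0;
}

int main(void)
{
    int r = stderr_into_own_memory();
    printf("result=%d target=\"%s\"\n", r, target);
    return r == 1 ? 0 : 1;
}
```

Build with gcc on Linux and run it unprivileged: the write to stderr never reaches the terminal, and `target` reads "patched" afterwards. A result of -1 means procfs was unavailable rather than that the write failed, which keeps the two cases distinguishable when the program is run inside a restricted sandbox.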

  9. Beware of ALL blanket statements ;-) by Zero__Kelvin · · Score: 4, Insightful

    All security is ultimately "security through obscurity."

    "I was with you up until Rule #3 which is nonsense."

    Really? Try proving it's "nonsense".

    You either don't know what the word all means, or you don't know what the term security through obscurity means.

    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun

  10. Re:Broken on Android too by bfree · · Score: 3, Informative

    Really? This bug was only present in kernel releases 2.6.39 and newer. Do any Android devices use kernels based on a Linux this current? A quick search says Android 2.3 used 2.6.35 and 3.0 used 2.6.36, so the number of devices this might possibly help you root looks minuscule.

    --
    Never underestimate the dark side of the Source

  11. Proof you are 100% wrong per your request by Zero__Kelvin · · Score: 5, Insightful

    Again, you don't know what security through obscurity means. If the access to the code or other design that implements the security breaks it, then that is security through obscurity. All security relies on a secret known by one party, but unknown to others. This has absolutely nothing to do with security by obscurity.

    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun

    1. Re:Proof you are 100% wrong per your request by Zero__Kelvin · · Score: 4, Insightful

      Do you have a problem reading and understanding the English language? While I appreciate your attempts to credit the definition as my own, it has been an accepted term in security circles for a long time, and I am not the one who came up with it. Nobody worth their salt ever said that 100% security can be achieved, and you are not saying anything that isn't obvious to even a security neophyte like yourself. What is known is that security through obscurity is not an effective method of achieving security, even in deference to the fact that nobody will ever achieve 100% security.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun

  12. Re:Broken on Android too by NeoMorphy · · Score: 5, Funny

    Really? This bug was only present in kernel releases 2.6.39 and newer. Do any Android devices use kernels based on a Linux this current? A quick search says Android 2.3 used 2.6.35 and 3.0 used 2.6.36, so the number of devices this might possibly help you root looks minuscule.

    I am replying with my new Asus Transformer Prime, which is running ICS (Android version 4.03), kernel is 2.6.39.4.

    I'm thinking this bug is God's way of saying "You are loved. Now go forth and exploit your tablet!"

  13. Turtles all the way down by tepples · · Score: 3, Insightful

    Have you vetted your x86 CPU vendor's microcode for correctness? How far down do the proverbial turtles go?

  14. Re:Broken on Android too by slack_justyb · · Score: 3, Informative

    Someone has already beaten everyone else to the punch.

    However, you need Ice Cream Sandwich and you will need access to a disassembler. Also, you cannot use this exploit for "one-click" root access, as the only program in the Android stack that runs setuid root is run-as. That command is statically linked, so you will still need adb access so that you can disassemble the program to find its exit call.

    So there is still a fair amount of work left to be done to make this an exploit that can be used in the "wild" for Android devices. However, as a fair note, a little crowdsourcing to compile a list of offsets for different devices could greatly speed up the process. I'm actually curious if Google will patch this in their kernel.

  15. What'd "//" be ? by aglider · · Score: 4, Informative

    /proc//mem

    is the very wrong quotation!
    The original source quotes instead:

    /proc/<pid>/mem

    which is the memory as seen by a certain process whose PID is <pid>.
    Moreover, there's no "/proc/mem" file and the "//" would be interpreted as "/".
    But maybe that'd be just the Slashdot editor.

    --
    Sent as ripples into the electromagnetic field. No single photon has been harmed in the process.

  16. Re:Better than Windoze by Tim4444 · · Score: 4, Insightful

    You seem to be in a situation where PEBKAC - it's corrupting the text of your post. Of course what you meant to say is that the Open Source model does not guarantee security but simply allows interested parties to audit for and fix security problems independent of any single company or other rights holder restricting access to the source. Generally we find that the Open Source model has worked well for Linux and has been effective at addressing security concerns. The question is sometimes not whether problems exist, but whether or not they are found and corrected.

    Speaking of security on Windows - if that post of yours isn't a case where PEBKAC, you might want to install some anti virus software - looks like someone might have pwnd your machine.