Slashdot Mirror

← Back to Stories (view on slashdot.org)

Exploits Emerge For Linux Privilege Escalation Flaw

Posted by samzenpus on from the protect-ya-neck dept.

angry tapir writes "Linux vendors are rushing to patch a privilege escalation vulnerability in the Linux kernel that can be exploited by local attackers to gain root access on the system. The vulnerability, which is identified as CVE-2012-0056, was discovered by Jüri Aedla and is caused by a failure of the Linux kernel to properly restrict access to the '/proc//mem' file."

17 of 176 comments (clear)

  1. Hrrm by Anonymous Coward · · Score: 5, Insightful

    If someone is in a position to run a local exploit, aren't you pretty much fucked anyways?

    1. Re:Hrrm by MichaelSmith · · Score: 4, Insightful

      Web servers are vulnerable because they run server side code, often uploaded with vulnerable content management systems, etc.

      --
      http://michaelsmith.id.au
    2. Re:Hrrm by Anonymous Coward · · Score: 5, Informative

      I was with you up until Rule #3 which is nonsense.

    3. Re:Hrrm by Mad+Merlin · · Score: 4, Interesting

      Rule #1: There is no such thing as 100% secure. Even 100% bug-free cannot be considered 100% secure.

      There's also no such thing as 100% bug-free.

      Rule #3: All security is ultimately "security through obscurity."

      While in the strictest sense, this may not be untrue, to phrase it that way is extremely dishonest. An encryption algorithm that relies on the secrecy of the algorithm is totally worthless (security by obscurity), whereas an encryption algorithm that relies on the secrecy of the keys used for encryption is quite useful (not security by obscurity in the normal sense).

      In fact, if you want to be pedantic about it, the relevant definition for obscure is...

      not readily understood or clearly expressed; also : mysterious [1]

      Which is about understanding and not so much about knowledge. I may understand that I need a username and password to log into your system, just because I don't know what the username or password is doesn't make it security by obscurity. In fact, say I wanted to break into your house, I may have seen you use a physical key to open the front door and walk in and I may have even memorized the pattern of teeth on the key, but it does me no good if I don't have a key of my own to open the door with. There is certainly no obscurity in that security.

      If you're going to go ahead and say that all security is "security through obscurity", then you may as well make the next logical step of not implementing any of it.

      [1] http://www.merriam-webster.com/dictionary/obscure

      --
      Game! - Where the stick is mightier than the sword!
  2. Re:Local exploit? by Lumpio- · · Score: 5, Informative

    A weak SSH user account/PHP script/whatever + local privilege escalation = instant remote root

  3. Link to more info by milbournosphere · · Score: 5, Informative
    It's a geekier breakdown, but is quite informative.

    http://blog.zx2c4.com/749

    Gets into the memory specifics of the bug. I found it to be far better than the actual article.

  4. Re:iOS now has more marketshare than Android by tqk · · Score: 5, Funny

    Pardon me, but I'm going to go watch Firefly now, as it appears none of you make any sense. Bye.

    --
    "Tongue tied and twisted, just an Earth bound misfit ..." -- Pink Floyd.
  5. Debian (mostly) not affected by Trogre · · Score: 5, Informative

    Since this bug was introduced in Linux 2.6.39 Debian Stable (squeeze, Linux 2.6.32) is not affected. Unstable(sid, Linux 3.1) has already been patched, though Testing (wheezy) is still vulnerable.

    More information here

    --
    "Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
  6. Re:Broken on Android too by Abreu · · Score: 5, Funny

    Wuh, I think so, Brain, but if we didn't have ears, we'd look like weasels

    --
    No sig for the moment.
  7. Re:Local exploit? by BasilBrush · · Score: 5, Funny

    so someone has to be sitting in front of the boxen to exploit the exploit, why not just init 1?

    Or they could use axen to destroy the boxen. Or set some foxen on them to tear them to pieces. Or they could fill the boxen with melted waxen. Or bury them in faxen. This exploit is usable by people of both sexen, so long as they pay their taxen.

  8. Simple explanation by Chemisor · · Score: 5, Informative

    There is /proc/pid/mem, a pseudofile referring to the memory of process pid. It has 0600 permissions so you can't write to the memory of other users' processes. The bug occurs when you exec an suid executable and the kernel does not change open fds for /proc/pid/mem. This way, you can open mem, dup it to stderr, and exec su with a garbage parameter. su will duly print an error, quoting the offending parameter, writing to its process memory. With a properly selected shellcode you can get root.

  9. Beware of ALL blanket statements ;-) by Zero__Kelvin · · Score: 4, Insightful

    All security is ultimately "security through obscurity."

    "I was with you up until Rule #3 which is nonsense."

    Really? Try proving it's "nonsense". .

    You either don't know what the word all means, or you don't know what the term security through obscurity means.

    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  10. Proof you are 100% wrong per your request by Zero__Kelvin · · Score: 5, Insightful

    Again, you don't know what security through obscurity means. If the access to the code or other design that implements the security breaks it, then that is security through obscurity. All security relies on a secret known by one party, but unknown to others. This has absolutely nothing to do with security by obscurity.

    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    1. Re:Proof you are 100% wrong per your request by Zero__Kelvin · · Score: 4, Insightful

      Do you have a problem reading and understanding the English language? While I appreciate your attempts to credit the definition as my own, it has been an accepted term in security circles for a long time, and I am not the one who came up with it. Nobody worth their salt ever said that 100% security can be achieved, and you are not saying anything that isn't obvious to even a security neophyte like yourself. What is known is that security through obscurity is not an effective method of achieving security, even in deference to the fact that nobody will ever achieve 100% security.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  11. Re:Broken on Android too by NeoMorphy · · Score: 5, Funny

    Really? This bug was only present in kernel releases 2.6.39 and newer. Do any Android devices use kernel's based on a Linux this current? A quick search says Android 2.3. used 2.6.35 and 3.0 used 2.6.36 so the number of devices this might possibly help you root looks miniscule.

    I am replying with my new Asus Transformer Prime, which is running ICS(Android version 4.03), kernel is 2.6.39.4.

    I'm thinking this bug is God's way of saying "You are loved. Now go forth and exploit your tablet!"

  12. What'd "//" be ? by aglider · · Score: 4, Informative

    /proc//mem

    is the very wrong quotation!
    The original source quotes instead:

    /proc/<pid>/mem

    which is the memory as seen by a certain process whose PID is <pid>.
    Moreover, there's no "/proc/mem" file and the "//" whould be interpreted as "/".
    But maybe that'd be just the Slashdot editor.

    --
    Sent as ripples into the electromagnetic field. No single photon has been harmed in the process.
  13. Re:Better than Windoze by Tim4444 · · Score: 4, Insightful

    You seem to be in a situation where PEBKAC - it's corrupting the text of your post. Of course what you meant to say is that the Open Source model does not guarantee security but simply allows interested parties to audit for and fix security problems independent of any single company or other rights holding restricting access to the source. Generally we find that the Open Source model has worked well for Linux and has been effective at addressing security concerns. The question is sometimes not whether problems exist, but whether or not they are found and corrected.

    Speaking of security on Windows - if that post of yours isn't a case where PEBKAC, you might want to install some anti virus software - looks like someone might have pwnd your machine.