Slashdot Mirror

← Back to Stories (view on slashdot.org)

The Linux Backdoor Attempt of 2003

Posted by Unknown on from the alright-which-one-of-you-did-it dept.

Hugh Pickens DOT Com writes "Ed Felton writes about an incident, in 2003, in which someone tried to backdoor the Linux kernel. Back in 2003 Linux used BitKeeper to store the master copy of the Linux source code. If a developer wanted to propose a modification to the Linux code, they would submit their proposed change, and it would go through an organized approval process to decide whether the change would be accepted into the master code. But some people didn't like BitKeeper, so a second copy of the source code was kept in CVS. On November 5, 2003, Larry McAvoy noticed that there was a code change in the CVS copy that did not have a pointer to a record of approval. Investigation showed that the change had never been approved and, stranger yet, that this change did not appear in the primary BitKeeper repository at all. Further investigation determined that someone had apparently broken in electronically to the CVS server and inserted a small change to wait4: 'if ((options == (__WCLONE|__WALL)) && (current->uid = 0)) ...' A casual reading makes it look like innocuous error-checking code, but a careful reader would notice that, near the end of the first line, it said '= 0' rather than '== 0' so the effect of this code is to give root privileges to any piece of software that called wait4 in a particular way that is supposed to be invalid. In other words it's a classic backdoor. We don't know who it was that made the attempt—and we probably never will. But the attempt didn't work, because the Linux team was careful enough to notice that that this code was in the CVS repository without having gone through the normal approval process. 'Could this have been an NSA attack? Maybe. But there were many others who had the skill and motivation to carry out this attack,' writes Felton. 'Unless somebody confesses, or a smoking-gun document turns up, we'll never know.'"

11 of 360 comments (clear)

  1. OMG enough by Virtucon · · Score: 5, Insightful

    Unless somebody has proof that somebody was trying to create a back door then stop with all of the "X-Files" shit. It could have been a hacker trying to put that code in. How was the system that hosted the CVS repository managed? Was it hacked? Was there any investigation or was it possibly somebody that did something stupid and now everybody thinks it's somehow tied to the NSA?!?!?

    Let's just go forward with what we know and stop the speculation, that is unless somebody has some hard facts like an IP address that belongs to the government or a chain of evidence.

    --
    Harrison's Postulate - "For every action there is an equal and opposite criticism"
    1. Re:OMG enough by sqorbit · · Score: 5, Interesting

      It's just like the "We can't explain this, so it must have been aliens" philosophy. If someone tried to create a backdoor, it must be the NSA. Not some bored hacker or some other explanation.

      --
      Sent from my TARDIS
    2. Re:OMG enough by djmurdoch · · Score: 5, Informative

      Unless somebody has proof that somebody was trying to create a back door then stop with all of the "X-Files" shit. It could have been a hacker trying to put that code in. How was the system that hosted the CVS repository managed? Was it hacked? Was there any investigation or was it possibly somebody that did something stupid and now everybody thinks it's somehow tied to the NSA?!?!?

      Yes, there was an investigation. The name attached to the log entries belonged to someone who said he didn't make the changes.

    3. Re:OMG enough by Russ1642 · · Score: 5, Funny

      There's a 50% chance it was aliens. Either it was aliens, or it wasn't aliens.

    4. Re:OMG enough by jcochran · · Score: 5, Informative

      Obviously you're unaware of how GCC works. Yes, it would have issued a warning message if the line was:
      wait4: if ((options == (__WCLONE|__WALL)) && current->uid = 0) ...

      But the author of that little backdoor attempt added the extra 'superfluous' parenthesis around the assignment. Like this:
      wait4: if ((options == (__WCLONE|__WALL)) && (current->uid = 0)) ...

      And GCC uses those extra parenthesis as an indication that 'The assignment is deliberate and desired. Don't warn me about it. I know what I'm doing'
      In fact, GCC still uses those extra parenthesis as an indication that the warning message should be suppressed.

    5. Re:OMG enough by LanceUppercut · · Score: 5, Interesting

      That is actually misguided reasoning. If you remove this parenthesis and write it like that
      if ((options == (__WCLONE|__WALL)) && current->uid = 0)
      the code will fail to compile for a completely different reason. In C (as well as in C++) the assignment operator has very low priority, lower than `&&` operator. That means that the above code would be interpreted as
      if (((options == (__WCLONE|__WALL)) && current->uid) = 0)
      A code like that would not compile at all, since it attempts to assign 0 to something that is not lvalue. For this reason (and not some "warning"), you actually absolutely need that extra parenthesis.
      Also, note that the first condition is also wrapped in parenthesis, which is formally excessive ('==' has higher priority than `&&`, but some users prefer to add that extra parenthesis since they believe it improves readability). For this reason, it is fairly safe to conclude that both parentheses where there from the very beginning. They were not added by that malicious coder.

  2. C/C++ operator = by Jamu · · Score: 5, Interesting

    It's why placing constants on the left of the equality operator is a good idea in C/C++. The whole line then looks suspicious because its constants are on the right, and the first thing you'll think about is bugs involving operator = instead of operator ==. Unfortunately there's a lot of old code that doesn't do this, but it's easy enough for a compiler to issue warnings about operator = in if-statements.

    --
    Who ordered that?
  3. Re:Repost by squiggleslash · · Score: 5, Funny

    You're forgetting that the NSA is in the news right now, which creates an entirely new angle on it.

    I was able to get a copy of the original submission:

    Ed Felton writes about an incident, in 2003, in which someone tried to backdoor the Linux kernel, a key component of the GNU/Linux operating system. As you know, Apple just released a new operating system called iOS 6. Is it possible that an NSA contractor, paid in Bitcoins raised through an anonymous Kickstarter project to avoid detection, placed an exploit in the new iPhone 5S? And if so, should the government immediately investigate Google who might have used the feature to implement some sort of tracking bug for people using their iPhones in their Teslas?

    --
    You are not alone. This is not normal. None of this is normal.
  4. Repost by jovius · · Score: 5, Insightful

    http://linux.slashdot.org/story/03/11/06/058249/linux-kernel-back-door-hack-attempt-discovered

  5. Re:Type safety by ultrasawblade · · Score: 5, Insightful

    Here's why the UID is 0 and should stay 0.

    In most assembly languages, when you compare against a value, you have use a "compare" instruction that effectively does a subtraction, but throws away the result.
    In most CPUs, there is a flags register with a zero (Z) bit, which is flipped whenever a value is loaded that is zero.
    When you want to see if something like your accumulator or another register is an arbitrary value like 100, you need to do a "compare 100" and then "branch if equal to whatever..."
    If it's zero, you can just load the value and skip the compare step. You get a "free compare" when the value you want to compare against is zero.
    So if the superuser is not zero, there will be a performance penalty.

    Besides, this dumb shit is C's fault for using = and == as operators. Pascal had it right with := being the assignment operator.

  6. Underhanded C Contest by KingofSpades · · Score: 5, Interesting

    I'm suprised that no one mentioned the Underhanded C Contest
    http://underhanded.xcott.com/

    Quoting their web site:
    "The goal of the contest is to write code that is as readable, clear, innocent and straightforward as possible, and yet it must fail to perform at its apparent function. To be more specific, it should do something subtly evil. "