Slashdot Mirror
'Most Serious' Linux Privilege-Escalation Bug Ever Is Under Active Exploit (arstechnica.com)
Reader operator_error shares an ArsTechnica report: A serious vulnerability that has been present for nine years in virtually all versions of the Linux operating system is under active exploit, according to researchers who are advising users to install a patch as soon as possible. While CVE-2016-5195, as the bug is cataloged, amounts to a mere privilege-escalation vulnerability rather than a more serious code-execution vulnerability, there are several reasons many researchers are taking it extremely seriously. For one thing, it's not hard to develop exploits that work reliably. For another, the flaw is located in a section of the Linux kernel that's a part of virtually every distribution of the open-source OS released for almost a decade. What's more, researchers have discovered attack code that indicates the vulnerability is being actively and maliciously exploited in the wild.
"It's probably the most serious Linux local privilege escalation ever," Dan Rosenberg, a senior researcher at Azimuth Security, told Ars. "The nature of the vulnerability lends itself to extremely reliable exploitation. This vulnerability has been present for nine years, which is an extremely long period of time." The underlying bug was patched this week by the maintainers of the official Linux kernel. Downstream distributors are in the process of releasing updates that incorporate the fix. Red Hat has classified the vulnerability as "important."
"It's probably the most serious Linux local privilege escalation ever," Dan Rosenberg, a senior researcher at Azimuth Security, told Ars. "The nature of the vulnerability lends itself to extremely reliable exploitation. This vulnerability has been present for nine years, which is an extremely long period of time." The underlying bug was patched this week by the maintainers of the official Linux kernel. Downstream distributors are in the process of releasing updates that incorporate the fix. Red Hat has classified the vulnerability as "important."
OMGUbuntu why use linux answered in 3 short words
Why use Linux? Because of security!
Hmm .. something just doesn't sound right here.
I am Slashdot. Are you Slashdot as well?
so no wonder MS has the worst privilege escalation ever and it has lasted nine years and is under active exploit. this would never happen with open source software!!
The existing known exploit does not work on stock RHEL5/6 systems because /proc/self/mem is read-only by default. But, there may be other exploit vectors.
Can I use this to root my Android phone? I just want to install an ad-blocking /etc/hosts file, so I don't need a permanent root. This sounds like just the sort of exploit to do the trick, but I haven't looked at the technical details. I just want to do this before the next security update patches it.
Dirty Cows are for cows mooooooooooooooooooooo
Can someone explain this bug in English?
Anyone here know how this thing works?
I'm getting babble about race conditions and user privileges from websites, but nothing concrete. Not even sure if servers can be attacked over http, or if this needs shell access.
Can somebody please clarify what's going on?
Sure. The mm subsystem is overly complex, its design is poorly documented, and it's understood by only a couple of people who are largely responsible for the overcomplexity and poor documentation in the first place.
Oh, and it also is responsible for managing almost all of the memory on the system.
What could possibly go wrong?
Yup, for some reason this is XML's fault.
"Sorrow is better than laughter, for by sadness of face the heart is made glad." [Ecclesiastes 7:3]
Among the more serious exploits ive encountered, i must protest that "dirty cow" is not a sufficiently spooky enough name for this one. We all know Halloween approaches, so why not call it haunted cow? or zombie cow?
in addition, this exploit is far less severe than the shoulder surfing exploit of 2005 which resulted in direct root privilege access and a broken friendship, Margaret, that led me to conclude I could no longer trust you to use either the mini fridge or my Sriracha sauce anymore because friends dont just log in to anyones workstation Margaret, i trusted you and you deceived me.
Good people go to bed earlier.
This is a bug in the Linux kernel, affecting most operating systems that use this kernel.
Modern app appers know that ONLY apps can app apps, NOT LUDDITE software like LUDDITE Linux, so appy app apps can't be apped by LUDDITE hackers!
You know, you gotta admire his persistence.
He could re-invent the smurfs, except everyone wears hipster clothing and says "apps" instead of "smurf"
How about version numbers of patches (or vulnerabilities) to see if the latest kernel patch covers this.
I found one of these "exploits in the wild":
https://github.com/dirtycow/dirtycow.github.io/blob/master/dirtyc0w.c
It works on the three Linux machines I first tested it on. /etc/secretfile.txt abcde
$ dirtyc0w
simply (over)writes abcde to the beginning of the file.
Fix seems to be available for none of the systems right now.
At least it requires a local account.... I mean, after all, it must be considered a security problem to allow web users to upload binaries or run arbitrary commands via a web server anyway. But if I was responsible for a students lab with hundreds of Linux computers I would be a little nervous.
Calm down. This is a local exploit, so you have to control a local program to take advantage of it. Bad enough, but insignificant in the IoT context, where devices are known to have an open Telnet port with default passwords. Why go to the pain of exploiting dirty cow when you can get by by password guessing?
If you just want to block ads to your browser, then Firefox has the best tool. uBlock Origin can be configured for adblock, malware, and many sundry lists. Opera also advertises adblock as well as VPN, but Opera is now Chinese-owned and will be able to keybridge you, so caveat emptor.
You only need to touch /etc/hosts if you want to adblock Chrome and/or something OTHER than a browser. In that case, I am using AdAway from F-Droid, and that needs root every time it applies updates to /etc/hosts, so you will likely need persistent root.
Serious question, what does luddite actually mean?
two definitions. one is a disparaging term for folks who hate technology. a more historically accurate definition is a person who objects to detrimental social conditions spurred by technological advances. the original Luddites were workers who protested the deterioration of their living conditions due to the industrial revolution.
Can someone explain this bug in English?
There is a thing called COW (copy on write). There is a bug where worker code can ride the cow over the fence and gain access to the farmer's private yard.
Moral of the story: Don't let people ride your cows, let them find their own darn *nix shell.
Or more literal version: People with user access can get administrator access without permission.
Yep. Processes have memory. Memory is divided into pages. Some pages are shared by multiple processes. Initially some pages are marked read only. If the child writes to the page you get a page fault. The fault causes the kernel to make a copy of the page and maps the copy into to the original virtual address space.
Multiple processes may share that original readonly page, so if exploit the bug and write to it then you actually are writing to a page shared by multiple processes.
A follower of Ned Ludd.
Some of Ned's mates smashed up automated weaving looms because they made a lot of weavers redundant. The plot was not very effective.
Eventually, the drop in price of cloth made by automated looms enabled the export of cloth to make England so rich it could afford an Empire*, and even the poor could afford to wear clothes. However, that was after two or three generations of abject poverty.
*Empires cost a lot of money. Sure they make a lot for a few, but in general, they eat money cos of the cost of the military.
Sent from my ASR33 using ASCII
Calm down. This is a local exploit, so you have to control a local program to take advantage of it. Bad enough, but insignificant in the IoT context, where devices are known to have an open Telnet port with default passwords. Why go to the pain of exploiting dirty cow when you can get by by password guessing?
I did see that this was a local exploit after I wrote my initial diatribe. But as you say, this is "bad enough" as it is; so I don't really apologize.
Wikipedia is your friend.
I won't spoil it for you, but early in the industrial revolution a man with the lad name "Ludd" started a movement to try and halt the spread of mechanization via acts of sabotage. The basic feature was fear of new methods and technologies.
People who subscribed to his ideology were called "Luddites". In more modern parlance, the term refers to anyone who is resistant to adopting new tech.
It's probably the most serious Linux local privilege escalation ever
The evil twin of Mr. Torvalds has been known to use Please and Thank you, and actively, as well, to wit:
"Now please, pretty please, with cherry on top, will you take your patch and take it out of my m*****ing kernel??"
He is working on the anti-kernel, as well, but that has been kept under wraps, until a proper EULA has been prepared.
WARNING: Smartphones have side effects--most of them undocumented.
Ok, they have a proper shop. But where is the theme-song / jingle ?
I can not take these guys seriously unless they immediately create a theme-song too.
The eyeballs quote from Eric S Raymond is about *fixing* bugs. It doesn't say anything like "there will never be a bug". The end of the sentence is the words "the fix obvious to someone" and a few lines down he says it "can be rephrased as "Debugging is parallelizable''. Linus clarified "Somebody finds the problem and somebody else understands it".
Would he include all of that discussion of how bugs are fixed if he even believed there were no bugs? Of course not. The claim is that no one person has to spend a long time trying to figure out what's causing the problem and then how to fix it without screwing up something else, "the fix will be obvious to someone".
In this case, a solid fix was released within a few days. Compare the IE content-negotiation bug, listed on MSDN for eight years before it was fixed.
The eyeballs quote from Eric S Raymond is about *fixing* bugs. It doesn't say anything like "there will never be a bug". There most definitely WILL be bugs in all software (except the space shuttle software). The end of the sentence is the words "the fix obvious to someone" and a few lines down he says it "can be rephrased as "Debugging is parallelizable''. Linus clarified "Somebody finds the problem and somebody else understands it".
Would he include all of that discussion of how bugs are fixed if he even believed there were no bugs? Of course not. The claim is that no one person has to spend a long time trying to figure out what's causing the problem and then how to fix it without screwing up something else, "the fix will be obvious to someone".
In this case, a solid fix was released within a few days. Compare the IE content-negotiation bug, listed on MSDN for eight years before it was fixed.
"A million eyes makes all bugs shallow."
Yet again, we see that is total BS. THis exploit has been there for at least nine years, and we see the apologists saying, "When an article like this comes out, it's already patched!!" What about those that have been screwed over by this design flaw for nine years?
tl;dr? It only became a serious flaw recently. It's been fixed. Install the fix.
apt-get update&&apt-get -y upgrade&&reboot
I'm not surprised that a published vulnerability is being exploited. Nor am I surprised that problem has been fixed, (and the fix was available immediately instead of on Patch Tuesday), or that some people are running systems that haven't been updated with the fix.
I won't spoil it for you, but early in the industrial revolution a man with the lad name "Ludd" started a movement to try and halt the spread of mechanization via acts of sabotage.
The Luddites actually started as a mostly peaceful group demanding decent wages and safe working conditions. There is some dispute as to whether or not Ludd and the story of him smashing the knitting machine after a supervisor criticised his work are real. The group eventually did start sabotaging machines, but contrary to popular belief, they were not, and never were, anti-technology. It was just an industrial dispute that got nasty.
sub f{($f)=@_;print"$f(q{$f});";}f(q{sub f{($f)=@_;print"$f(q{$f});";}f});
In this case, a solid fix was released within a few days. Compare the IE content-negotiation bug, listed on MSDN for eight years before it was fixed.
Part of the problem was that the bug was hidden and was exploited since 9 years ago.
Quick release of patch was useless when the bug was being exploited since 9 years ago.
How many more are currently hidden bugs and being used by nation state? Which will be only disclosed 10 years from now?
It is unfortunate that it wasn't caught sooner. Do you have *any* reason to believe it was exploited years ago, or that anyone even thought it *could* be exploitable? To my knowledge, it was a crash bug, never considered a security issue until a few days agob
And I'm saying, what about when a bug shows up on Oracle's or Microsoft's systems, that has been there for 9 years, and they still take a couple months to fix it after it becomes public knowledge?
Your move, Sparky.
Unity? Screw that: XFCE. Slashdot Beta? Screw that: SoylentNews. Australis? Screw that: Pale Moon. UX developers DIAF