Slashdot Mirror

← Back to Stories (view on slashdot.org)

'Most Serious' Linux Privilege-Escalation Bug Ever Is Under Active Exploit (arstechnica.com)

Posted by msmash on from the linux-security-flaws dept.

Reader operator_error shares an ArsTechnica report: A serious vulnerability that has been present for nine years in virtually all versions of the Linux operating system is under active exploit, according to researchers who are advising users to install a patch as soon as possible. While CVE-2016-5195, as the bug is cataloged, amounts to a mere privilege-escalation vulnerability rather than a more serious code-execution vulnerability, there are several reasons many researchers are taking it extremely seriously. For one thing, it's not hard to develop exploits that work reliably. For another, the flaw is located in a section of the Linux kernel that's a part of virtually every distribution of the open-source OS released for almost a decade. What's more, researchers have discovered attack code that indicates the vulnerability is being actively and maliciously exploited in the wild.

"It's probably the most serious Linux local privilege escalation ever," Dan Rosenberg, a senior researcher at Azimuth Security, told Ars. "The nature of the vulnerability lends itself to extremely reliable exploitation. This vulnerability has been present for nine years, which is an extremely long period of time." The underlying bug was patched this week by the maintainers of the official Linux kernel. Downstream distributors are in the process of releasing updates that incorporate the fix. Red Hat has classified the vulnerability as "important."

109 comments

  1. Should have used APPS! by Anonymous Coward · · Score: -1

    Modern app appers know that ONLY apps can app apps, NOT LUDDITE software like LUDDITE Linux, so appy app apps can't be apped by LUDDITE hackers!

    Apps!

    1. Re:Should have used APPS! by Anonymous Coward · · Score: 0

      Can someone explain this bug in English?

    2. Re: Should have used APPS! by Anonymous Coward · · Score: 0

      Sure. The mm subsystem is overly complex, its design is poorly documented, and it's understood by only a couple of people who are largely responsible for the overcomplexity and poor documentation in the first place.

      Oh, and it also is responsible for managing almost all of the memory on the system.

      What could possibly go wrong?

    3. Re:Should have used APPS! by ilsaloving · · Score: 1

      Modern app appers know that ONLY apps can app apps, NOT LUDDITE software like LUDDITE Linux, so appy app apps can't be apped by LUDDITE hackers!

      You know, you gotta admire his persistence.

      He could re-invent the smurfs, except everyone wears hipster clothing and says "apps" instead of "smurf"

    4. Re: Should have used APPS! by Anonymous Coward · · Score: 0

      How about version numbers of patches (or vulnerabilities) to see if the latest kernel patch covers this.

    5. Re:Should have used APPS! by Anonymous Coward · · Score: 0

      Serious question, what does luddite actually mean?

    6. Re: Should have used APPS! by Anonymous Coward · · Score: 0

      two definitions. one is a disparaging term for folks who hate technology. a more historically accurate definition is a person who objects to detrimental social conditions spurred by technological advances. the original Luddites were workers who protested the deterioration of their living conditions due to the industrial revolution.

    7. Re:Should have used APPS! by Aighearach · · Score: 1, Interesting

      Can someone explain this bug in English?

      There is a thing called COW (copy on write). There is a bug where worker code can ride the cow over the fence and gain access to the farmer's private yard.

      Moral of the story: Don't let people ride your cows, let them find their own darn *nix shell.

      Or more literal version: People with user access can get administrator access without permission.

    8. Re:Should have used APPS! by Anonymous Coward · · Score: -1

      It means anyone who refuses to use Appdows 10 because they're too stupid to use apps and only want to use LUDDITE software!

      Apps!

    9. Re: Should have used APPS! by WarJolt · · Score: 3, Informative

      Yep. Processes have memory. Memory is divided into pages. Some pages are shared by multiple processes. Initially some pages are marked read only. If the child writes to the page you get a page fault. The fault causes the kernel to make a copy of the page and maps the copy into to the original virtual address space.

      Multiple processes may share that original readonly page, so if exploit the bug and write to it then you actually are writing to a page shared by multiple processes.

    10. Re:Should have used APPS! by Anne+Thwacks · · Score: 1
      what does luddite actually mean?

      A follower of Ned Ludd.

      Some of Ned's mates smashed up automated weaving looms because they made a lot of weavers redundant. The plot was not very effective.

      Eventually, the drop in price of cloth made by automated looms enabled the export of cloth to make England so rich it could afford an Empire*, and even the poor could afford to wear clothes. However, that was after two or three generations of abject poverty.

      *Empires cost a lot of money. Sure they make a lot for a few, but in general, they eat money cos of the cost of the military.

      --
      Sent from my ASR33 using ASCII
    11. Re:Should have used APPS! by wierd_w · · Score: 1

      Wikipedia is your friend.

      I won't spoil it for you, but early in the industrial revolution a man with the lad name "Ludd" started a movement to try and halt the spread of mechanization via acts of sabotage. The basic feature was fear of new methods and technologies.

      People who subscribed to his ideology were called "Luddites". In more modern parlance, the term refers to anyone who is resistant to adopting new tech.

    12. Re:Should have used APPS! by Pseudonym · · Score: 1

      I won't spoil it for you, but early in the industrial revolution a man with the lad name "Ludd" started a movement to try and halt the spread of mechanization via acts of sabotage.

      The Luddites actually started as a mostly peaceful group demanding decent wages and safe working conditions. There is some dispute as to whether or not Ludd and the story of him smashing the knitting machine after a supervisor criticised his work are real. The group eventually did start sabotaging machines, but contrary to popular belief, they were not, and never were, anti-technology. It was just an industrial dispute that got nasty.

      --
      sub f{($f)=@_;print"$f(q{$f});";}f(q{sub f{($f)=@_;print"$f(q{$f});";}f});
  2. Why Use Linux? by OzPeter · · Score: 0, Troll

    OMGUbuntu why use linux answered in 3 short words

    Why use Linux? Because of security!

    Hmm .. something just doesn't sound right here.

    --
    I am Slashdot. Are you Slashdot as well?
    1. Re: Why Use Linux? by Anonymous Coward · · Score: 0

      Still better than the alternatives

    2. Re:Why Use Linux? by Anonymous Coward · · Score: 5, Insightful

      Why use Linux? Because of security!

      Hmm .. something just doesn't sound right here.
      True. The thing that doesn't sound right is the belief that security is binary. Security is a continuum and sometimes a series of tradeoffs. It's not, never has been, and never will be 100%.

      So no, finding a security bug in the linux kernel doesn't mean that linux is any less secure. We know these things happen. The idea is that it happens LESS often, and with less severity, and with fewer downsides than with Windows.

    3. Re: Why Use Linux? by Anonymous Coward · · Score: -1

      Is Linux Privilege like White Privilege?

    4. Re:Why Use Linux? by wjcofkc · · Score: 3, Insightful

      Why use Linux? Because as much as I love FreeBSD as a hardware barebones headless server for this and that, dealing with hardware driver issues for a fully featured desktop ranges between a pain in the ass and impossible. Otherwise I would be using the PC-BSD variant as a desktop productivity OS over Linux.

      --
      Brought to you by Carl's Junior.
    5. Re:Why Use Linux? by dargaud · · Score: 2

      Why ? I mean, as a 99% Linux user for the past 16 years, I've never tried any BSD. I'm not religious about it, I just don't know what would be better on it.

      --
      Non-Linux Penguins ?
    6. Re: Why Use Linux? by Anonymous Coward · · Score: 0

      Any of the BSDs?

      Not hardly.

    7. Re:Why Use Linux? by Anonymous Coward · · Score: 3, Insightful

      So, how many security holes just as bad as this one has been silently plugged in Windows the last 15 years? How many equally serious security holes are being exploited in Windows right now? How many worse security holes are being exploited, or waiting to be found in Windows, right now?

      I don't now. But I'm willing to guess the answer isn't "zero" to any of those questions. Nobody ever claimed Linux was bulletproof, the point is that it's better than the alternative.

      Linux is less complex than Windows, bugs tend to be more public (no silent fixing of things while fixing other breakage), and get fixed faster than Windows. That's how it's more secure. Not because it's bulletproof.

      It's also not a massive piece of spyware in itself.

    8. Re:Why Use Linux? by wjcofkc · · Score: 2

      The ports tree is miraculous. It eliminates a lot of admin work you have to deal with in Linux land. It also has a very solid implementation of ZFS, which can be life saving. Also, the layout of the file system is both sane and statically consistent over time. I could carry on for awhile about why I feel it is a superior server OS. Honestly if you don't get it then do your own research on it, contemplate you favorite services and give it a whirl. You will be doing yourself a favor. I assure it is not a religious thing.

      --
      Brought to you by Carl's Junior.
    9. Re:Why Use Linux? by Anonymous Coward · · Score: 5, Funny

      For Linux, it's the most serious local privilege escalation ever.

      For Windows, it's Friday.

    10. Re: Why Use Linux? by macs4all · · Score: 0

      Still better than the alternatives

      Um, I beg to differ...

    11. Re:Why Use Linux? by Anonymous Coward · · Score: 0

      Why use Linux? Because of security!

      Hmm .. something just doesn't sound right here.
      True. The thing that doesn't sound right is the belief that security is binary. Security is a continuum and sometimes a series of tradeoffs. It's not, never has been, and never will be 100%.

      So no, finding a security bug in the linux kernel doesn't mean that linux is any less secure. We know these things happen. The idea is that it happens LESS often, and with less severity, and with fewer downsides than with Windows.

      More observational selection bias by the parent. How many patches and fixes are released for each version of Windows to fix 'code execution' and 'privilege escalation' issues every period, and how many times has a Linux privilege bug been announced/fixed? That's almost the same thing as saying "See! See! It happens all the time! How can you have missed this? It's so insecure!!!!"

      Yeah, well, no one found/exploited it for 9 years. Someone pwn3d your Win 8.1 box 15 seconds ago. Ah, and again just now.

      This is like the global warming crap - when one point is found people use it as a motto constantly until the next is found. The more you reinforce your points, the more insecure you are of their validity; seeking others' backup and approval. Animal humans. Think we're so far above everything. LOL!

    12. Re:Why Use Linux? by TangoMargarine · · Score: 1

      And whenever an article like this comes out, it's almost always already patched on Linux. How often is that the case with the proprietary sphere?

      --
      Unity? Screw that: XFCE. Slashdot Beta? Screw that: SoylentNews. Australis? Screw that: Pale Moon. UX developers DIAF
    13. Re:Why Use Linux? by Anonymous Coward · · Score: 0

      What an idiotic statement. Glad someone smarter than you came around and already showed you the error of your ways. Too bad you aren't familiar with concepts like severity, and the difference between a trickle and a flood.

    14. Re:Why Use Linux? by sexconker · · Score: 0

      Security is binary.
      You're either secure or you're not.
      There's no "less secure" or "more secure".

      The scope/impact of specific vulnerabilities may differ, but the fact that you have vulnerabilities means you're not secure.

      So no, finding a security bug in the linux kernel doesn't mean that linux is any less secure.

      Even if you believe security is a spectrum, you're wrong here. Discovering a previously unknown vulnerability means you know the system to be less secure than you thought it to be.

    15. Re:Why Use Linux? by Jason+Levine · · Score: 1

      And often it depends on the person behind the keyboard. If you have two computers with the same level of security, the computer with the insecure user will get hacked before (and more frequently than) the computer with the more secure user. Unfortunately, user education can only take you so far.

      --
      My sci-fi novel, Ghost Thief, is now available from Amazon.com.
    16. Re:Why Use Linux? by OzPeter · · Score: 1

      OMGUbuntu why use linux answered in 3 short words

      Why use Linux? Because of security!

      Hmm .. something just doesn't sound right here.

      Replying to my own post because I'm defeated by all that whooshing noise from all those other replies.

      Some people just can't take a joke.

      --
      I am Slashdot. Are you Slashdot as well?
    17. Re:Why Use Linux? by sjames · · Score: 1

      By your reasoning, security is a fixed steady state of false. Is that safe secure? No, given only 6 months and a modest $100 million investment, it can be drilled through.

    18. Re:Why Use Linux? by Anonymous Coward · · Score: 0

      Yeah, well, no one found/exploited it for 9 years.

      You most definitely do not know that, and it's exceedingly foolish to assume it.

    19. Re: Why Use Linux? by Anonymous Coward · · Score: 0

      except systemd

    20. Re:Why Use Linux? by Type44Q · · Score: 1

      Another retarded post farted-out without a moment's thought: you're nothing if not consistent. ;)

    21. Re: Why Use Linux? by Anonymous Coward · · Score: 1

      If you install BSD on some random desktop and get VESA only graphics or CLI only and the network card or wifi doesn't work, that's pretty secure.

    22. Re:Why Use Linux? by Blaskowicz · · Score: 1

      One of the old Roman authors wrote that at any one time, e.g. your slave might slit your throat while in the middle of shaving you.
      I think the message was something like "Deal with it" (in the internet memes sense)

    23. Re:Why Use Linux? by Anonymous Coward · · Score: 0

      >(no silent fixing of things while fixing other breakage)

      This is absolutely, indisputably false. Anyone who has followed LKML and linux updates over the years knows that the kernel devs often sneak "silent" security patches in with other updates.

    24. Re:Why Use Linux? by Anonymous Coward · · Score: 0

      OMGUbuntu why use linux answered in 3 short words

      Why use Linux? Because of security!

      Hmm .. something just doesn't sound right here.

      That's why you use OpenBSD, not Linux.

    25. Re: Why Use Linux? by Anonymous Coward · · Score: 1

      Go on, then. Differ already.

    26. Re: Why Use Linux? by Anonymous Coward · · Score: 0

      I really doubt systemd is more complex than Windows stuff.

    27. Re:Why Use Linux? by Anonymous Coward · · Score: 0

      How many have been silently plugged in Linux?

    28. Re:Why Use Linux? by Anonymous Coward · · Score: 0

      The more time and effort it takes to find and exploit something the more secure you are..
      The less time and effort it takes to find and exploit something the less secure you are..

    29. Re: Why Use Linux? by Anonymous Coward · · Score: 0

      Maybe not more complex, but using a crap design and crap code.

    30. Re:Why Use Linux? by Anonymous Coward · · Score: -1

      No GNU Coreutils. No glibc.

      Those are very good reasons to prefer a BSD.

    31. Re:Why Use Linux? by Anonymous Coward · · Score: 0

      Do you know what's false? Your statement. And I'll prove it, right here: In open source you can't make silent changes. Are you fucking stupid? Do you think I am? The code is right there! Worst case it's not announced with fanfares or explained but it's right there.

      If Microsoft releases a patch that purports to fix X and silently does Y too, or a whole bunch of other things, all you get is a binary patch and in practice there's no way in hell you'd ever know. That's not even close to being the same thing.

    32. Re:Why Use Linux? by Anonymous Coward · · Score: 0

      None, since it's impossible. It's distributed as source, it's all there. All you have to do is diff the sources and you'll find everything that has been changed, ever.

      Whether you'll understand it and all it's implications is another question all together.

    33. Re: Why Use Linux? by eneville · · Score: 1

      They're for different purposes. OpenBSD for example has a very advanced firewall, just not as advanced as Linux in other areas, such as desktop.

      --
      Why UNIX?
    34. Re:Why Use Linux? by eneville · · Score: 1

      The whole point is that someone noticed the exploit in the wild.

      --
      Why UNIX?
    35. Re: Why Use Linux? by eneville · · Score: 1

      ... and reinvents tried and tested code, thus bringing more exploits to the party.

      --
      Why UNIX?
    36. Re:Why Use Linux? by dargaud · · Score: 1

      What's wrong with GNU Coreutils and glibc ?!? I use those hundreds of times a day and never knew there was something wrong with them...

      --
      Non-Linux Penguins ?
  3. given enough eyeballs, all bugs are shallow by Anonymous Coward · · Score: 0

    so no wonder MS has the worst privilege escalation ever and it has lasted nine years and is under active exploit. this would never happen with open source software!!

    1. Re:given enough eyeballs, all bugs are shallow by chipschap · · Score: 1

      It does happen with open source software, as with any software, and open source advocates don't need to apologize for it. What they need to do is fix it when it's brought to their attention --- oh, wait, they already did that.

    2. Re:given enough eyeballs, all bugs are shallow by Anonymous Coward · · Score: 0

      so no wonder MS has the worst privilege escalation ever and it has lasted nine years

      Like the one that affected every version of IE ever and was bad enough that Microsoft released an update for Windows XP after support ended?

      That's not to say this is bad. It's bad, and Linus should roast whoever did this.

      But your trolling is kind of like your team being three goals down in football and finally getting one goal and declaring that your team is awesome. Yeah, our defense fucked up, but you're still losing.

    3. Re:given enough eyeballs, all bugs are shallow by Anonymous Coward · · Score: 0

      ... 9 years after the fact.

    4. Re:given enough eyeballs, all bugs are shallow by Anonymous Coward · · Score: 1

      ... 9 years after the fact.

      Actually the bug was fixed 11 years ago, but was regressed in a later patch that fixed a different issue for one architecture linux supports.

    5. Re:given enough eyeballs, all bugs are shallow by chipschap · · Score: 1

      ... 9 years after the fact.

      Yes, but that misses the point. It was fixed as soon as it was pointed out. No denial, no delay, just fixed. And, at least it was found and reported, even if it did take a very long time.

      Of course, with closed source we'll never know what's been lurking for many years, but I suspect there will be things there too, as there are in all complex systems.

  4. Mitigations by Anonymous Coward · · Score: 1

    The existing known exploit does not work on stock RHEL5/6 systems because /proc/self/mem is read-only by default. But, there may be other exploit vectors.

    1. Re:Mitigations by Anonymous Coward · · Score: 1

      Not sure what rhel5/6 systems you are looking at. All of the ones I checked have it rw.

    2. Re:Mitigations by Anonymous Coward · · Score: 0

      The mitigation is to disable ptrace. Which is going to cause a lot of utterly not-nice surprises because nowadays you have instrumented profiling everywhere, including deeply inside some libraries... and all of those will suddenly break.

      So, it is actually far safer *in the general case* to just install the updated kernels, and reboot.

    3. Re:Mitigations by Anonymous Coward · · Score: 0

      Did you actually try writing to it? My understanding is it is not a permissions check.

    4. Re:Mitigations by Anonymous Coward · · Score: 3, Informative

      "The in the wild exploit we are aware of doesn't work on Red Hat Enterprise Linux 5 and 6 out of the box because on one side of the race it writes to /proc/self/mem, but /proc/self/mem is not writable on Red Hat Enterprise Linux 5 and 6."
      -- https://bugzilla.redhat.com/show_bug.cgi?id=1384344#c13

    5. Re:Mitigations by bluefoxlucid · · Score: 1

      The simple mitigation is to not have local users who will hack your machine.

      If you run a server, an exploit of the server software (nginx, PHP scripts, Ruby on Rails, etc.) will provide local non-root access, which you can then root.

      If you run your server software in Docker, then the host system's binaries aren't exposed. That means an attacker can't modify the disk cache for /bin/su and then su to root; he can only modify the disk cache for /bin/su or glibc from e.g. the debian:jessie image that the Docker image the container used is based on. Elevation in the same container is useless: anything mounted read-write is likely already writable by the software the attacker exploited in the first place, so they have that access; and modifying the system is pointless, since you can just destroy and recreate the container in 10 seconds.

      A container exploit might give a cross-container exploit to all containers eventually descended from the same version of the same base image (e.g. everything ultimately built from that release of debian:jessie), but it's tricky. You can modify e.g. /usr/sbin/nginx and send a reverse-shell to all nginx containers; or you can modify glibc and get it into everything using the same base image (because it's from the same disk blocks, thus the same disk cache). Either of those has to use the existing memory space (can't add empty memory pages or use anything outside the file), replace code in an existing function, and not outright crash (or the container terminates and all processes end immediately); and a glibc modification would make your reverse shell kind of useless (bash would just re-exploit and call a new reverse shell).

      Escape to the host system is as impossible as it is without this exploit, so there's that.

      So, for some server software configurations, this is diminished to the point of uselessness. For others, they get the www-data user and then su straight to root.

      --
      Support my political activism on Patreon.
    6. Re: Mitigations by Anonymous Coward · · Score: 0

      You think escaping the container is impossible?

      I have some land and a bridge to sell you. Just try a Google search before you talk.

    7. Re:Mitigations by Anonymous Coward · · Score: 0

      Is there a way to make /proc/self/mem read-only on a unpatched kernel ?

    8. Re: Mitigations by Anonymous Coward · · Score: 0

      That depends on how your container is configured.... To start with, nothing in the container should have setuid.. Second nothing in the container should execute as root.

  5. Root my Android phone? by crow · · Score: 5, Interesting

    Can I use this to root my Android phone? I just want to install an ad-blocking /etc/hosts file, so I don't need a permanent root. This sounds like just the sort of exploit to do the trick, but I haven't looked at the technical details. I just want to do this before the next security update patches it.

    1. Re:Root my Android phone? by Anonymous Coward · · Score: 2, Informative

      Fuck, you did it. Now APK is going to show up.

    2. Re:Root my Android phone? by Anonymous Coward · · Score: 1

      Why don't you use a VPN and do the fingering on the remote end of the VPN, you can even compress the stuff so it loads faster on your end

    3. Re:Root my Android phone? by Anonymous Coward · · Score: 5, Funny

      > just want to do this before the next security update patches it

      On your *Android phone*? I don't think you have to worry about that.

    4. Re:Root my Android phone? by ArchieBunker · · Score: 1

      You could always install the AdblockPlus Browser.

      --
      Only the State obtains its revenue by coercion. - Murray Rothbard
    5. Re:Root my Android phone? by sirber · · Score: 1

      VPN on android with the compression and encryption is a cpu and battery drain. The best way to block most ads is via /etc/hosts. You still get unity video ads though... then you use lucky patcher :)

      --
      Be or ben't
    6. Re:Root my Android phone? by Anonymous Coward · · Score: 0

      NO! Just install firefox, and install the extension yourself. Many of those custom browsers are just firefox with a few extensions preinstalled, as well as some sort of adware or trackware built in.

      I personally use firefox with ublock-origin.

    7. Re:Root my Android phone? by Anonymous Coward · · Score: 0

      Yes you can. But in Android, that's actually the rule rather than the exception (unless you're talking about whatever Google devices are still being supported), so you don't have to worry much because you are no worse today than you were yesterday. As in: there were 200 root exploits available yesterday, there are 201 now (just an example).

  6. Don't forget the stupid name! by Anonymous Coward · · Score: 2, Informative

    Dirty Cows are for cows mooooooooooooooooooooo

  7. How does it work? by Anonymous Coward · · Score: 0

    Anyone here know how this thing works?
    I'm getting babble about race conditions and user privileges from websites, but nothing concrete. Not even sure if servers can be attacked over http, or if this needs shell access.

    Can somebody please clarify what's going on?

    1. Re: How does it work? by Anonymous Coward · · Score: 3, Informative

      Spam the mm from 2 threads. Wait for a read only page to be writeable before cow occurs.

    2. Re:How does it work? by Dadoo · · Score: 1

      I'm not 100% sure, either, but based on what I'm reading, this exploit requires some type of local access to use directly. While it's not as bad as all the hype, it's still not great, and can still be exploited remotely; it just takes an extra step.

      Say you're running a web server, and Apache has a buffer overflow vulnerability. A hacker can break in and, normally, only has access to whatever the "apache" user has access to. If the hacker knows about dirty cow, he can now give himself root access.

      --
      Sit, Ubuntu, sit. Good dog.
  8. Q' Linus whining about XML in 3... 2... 1... by BlueKitties · · Score: 0

    Yup, for some reason this is XML's fault.

    --
    "Sorrow is better than laughter, for by sadness of face the heart is made glad." [Ecclesiastes 7:3]
  9. overreaction abounds. by nimbius · · Score: 4, Funny

    Among the more serious exploits ive encountered, i must protest that "dirty cow" is not a sufficiently spooky enough name for this one. We all know Halloween approaches, so why not call it haunted cow? or zombie cow?

    in addition, this exploit is far less severe than the shoulder surfing exploit of 2005 which resulted in direct root privilege access and a broken friendship, Margaret, that led me to conclude I could no longer trust you to use either the mini fridge or my Sriracha sauce anymore because friends dont just log in to anyones workstation Margaret, i trusted you and you deceived me.

    --
    Good people go to bed earlier.
  10. Linux "operating system"? by l2718 · · Score: 1

    This is a bug in the Linux kernel, affecting most operating systems that use this kernel.

    1. Re:Linux "operating system"? by ender8282 · · Score: 1

      This is a bug in the Linux kernel, affecting most operating systems that use this kernel.

      Sorry Richard...

  11. So Much For The "Many Eyes" Theory... by macs4all · · Score: -1, Troll

    What I worry about is not the 10 Linux Desktops on the Planet; but the gazillion of devices running Embedded Linux. NONE of them will receive an update that will resolve this, and if it happens to be in some IoT or Networking device (let's say, a Router...), you are pwned, or most certainly can be.

    So, with the "Many Eyes" theory, how does a bug like this exist for NINE YEARS? I don't CARE how "obscure" the code is; surely SOMEONE can spot a logic flaw or buffer-overrun error in that time, even in code they don't fully understand!

    This is much like the long-lurking SSL vulnerability a couple of years back. Did that ever get fully resolved?

    1. Re:So Much For The "Many Eyes" Theory... by Anonymous Coward · · Score: 0

      Calm down. This is a local exploit, so you have to control a local program to take advantage of it. Bad enough, but insignificant in the IoT context, where devices are known to have an open Telnet port with default passwords. Why go to the pain of exploiting dirty cow when you can get by by password guessing?

    2. Re:So Much For The "Many Eyes" Theory... by macs4all · · Score: 0

      Calm down. This is a local exploit, so you have to control a local program to take advantage of it. Bad enough, but insignificant in the IoT context, where devices are known to have an open Telnet port with default passwords. Why go to the pain of exploiting dirty cow when you can get by by password guessing?

      I did see that this was a local exploit after I wrote my initial diatribe. But as you say, this is "bad enough" as it is; so I don't really apologize.

  12. Truly easy to exploit by Zo0ok · · Score: 4, Informative

    I found one of these "exploits in the wild":
    https://github.com/dirtycow/dirtycow.github.io/blob/master/dirtyc0w.c

    It works on the three Linux machines I first tested it on.
    $ dirtyc0w /etc/secretfile.txt abcde
    simply (over)writes abcde to the beginning of the file.

    Fix seems to be available for none of the systems right now.

    At least it requires a local account.... I mean, after all, it must be considered a security problem to allow web users to upload binaries or run arbitrary commands via a web server anyway. But if I was responsible for a students lab with hundreds of Linux computers I would be a little nervous.

    1. Re:Truly easy to exploit by Anonymous Coward · · Score: 0

      Red Hat has a kpatch, which isn't a "fix" per se, but a bandaid.

    2. Re: Truly easy to exploit by BlackLotus89 · · Score: 1

      > Fix seems to be available for none of the systems right now Yeah sure except for ArchLinux, Gentoo and all if I can trust the "News":"Most major Linux distros" And I don't know why nobody mentioned that people running grsec were secure all along, because damn this is the nth major Kernel Exploit that didn't affect them.

    3. Re:Truly easy to exploit by Zo0ok · · Score: 1

      On Ubuntu, 4.4.0-43-generic was clearly vulnerable.
      I now have 4.4.0-45-generic which seems to safe.

    4. Re: Truly easy to exploit by Zo0ok · · Score: 1

      For some reason ubuntu installed 4.4.0-45 but insisted on still booting 4.4.0.43. So after a full upgrade and a reboot it was still vulnerable. After I I discovered the problem and booted 4.4.0-45 I confirmed that fixed the problem.

      Raspbian seems not to be fixed (please correct me if I am wrong).

    5. Re: Truly easy to exploit by anarcobra · · Score: 1

      Why isn't grsecurity part of the mainline?

    6. Re: Truly easy to exploit by Anonymous Coward · · Score: 0

      How does grsec protect against this specific bug?

    7. Re:Truly easy to exploit by Anonymous Coward · · Score: 0

      That is why my Linux students (comm. college intro course) the students install Linux to external hard drives and write the boot loader there as well. This way, they can boot on any PC capable of booting from USB. I give the option of using portable virtualbox, but only one or two students in the past 2 years (80 total) have gone that direction.

    8. Re: Truly easy to exploit by Anonymous Coward · · Score: 0

      grsec denies write access to /proc/self/mem is the first line of defense that stops this particular exploit. It's the same reason that RHEL 5/6 aren't having the issue currently.

      $ strace -eopen -ff ./dirtyc0w /tmp/foo cowsgomoo
      open("/etc/ld.so.cache", O_RDONLY) = 3
      open("/lib/x86_64-linux-gnu/libpthread.so.0", O_RDONLY) = 3
      open("/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY) = 3
      open("/tmp/foo", O_RDONLY) = 3
      mmap 18828000
       
      Process 4332 attached
      Process 4333 attached
      [pid 4333] open("/proc/self/mem", O_RDWR) = -1 EACCES (Permission denied)

      All of that said, I do wonder if there is an alternate way to exploit this without needing RW access to /proc/self/mem

  13. Firefox has uBlock Origin by emil · · Score: 2

    If you just want to block ads to your browser, then Firefox has the best tool. uBlock Origin can be configured for adblock, malware, and many sundry lists. Opera also advertises adblock as well as VPN, but Opera is now Chinese-owned and will be able to keybridge you, so caveat emptor.

    You only need to touch /etc/hosts if you want to adblock Chrome and/or something OTHER than a browser. In that case, I am using AdAway from F-Droid, and that needs root every time it applies updates to /etc/hosts, so you will likely need persistent root.

  14. Most Popular Comment @ Ars by CrashNBrn · · Score: 3, Interesting
    S2pidiT Ars Centurion said:

    Linus explained on the GitHub link:

    This is an ancient bug that was actually attempted to be fixed once (badly) by me eleven years ago in commit 4ceb5db9757a ("Fix get_user_pages() race for write access") but that was then undone due to problems on s390 by commit f33ea7f404e5 ("fix get_user_pages bug").

    In the meantime, the s390 situation has long been fixed, and we can now fix it by checking the pte_dirty() bit properly (and do it better). The s390 dirty bit was implemented in abf09bed3cce ("s390/mm: implement software dirty bits") which made it into v3.9. Earlier kernels will have to look at the page state itself.

    Also, the VM has become more scalable, and what used a purely theoretical race back then has become easier to trigger.

    To fix it, we introduce a new internal FOLL_COW flag to mark the "yes, we already did a COW" rather than play racy games with FOLL_WRITE that is very fundamental, and then use the pte dirty flag to validate that the FOLL_COW flag is still valid.

    So there was an attempt to fix the race condition over a decade ago, but it got undone.

    1. Re:Most Popular Comment @ Ars by Anonymous Coward · · Score: 0

      Now let's hope that this will teach Linus some humility. (Spoiler: Vg jba'g.)

    2. Re:Most Popular Comment @ Ars by Anonymous Coward · · Score: 0

      So I have a hypothesis that git (and especially the way the Linux kernel development process is structured) is a huge cause for bugs. Git allows programmers to loose history, encourages lots of branches (where merges can introduce unintended consequences). While I haven't studied any statistics yet I suspect projects managed with SVN-style processes (e.g. FreeBSD, OpenBSD) will be inherently more secure and stable than software managed by Git.

      Will there be exceptions? Yes. But overall I think git is a huge step backwards. Sometimes tools should focus on safety over power. A circular saw without a blade guard may be slightly more useful but I don't think I want one.

  15. there is an *Evil* Torvaldis! by Provocateur · · Score: 1

    It's probably the most serious Linux local privilege escalation ever

    The evil twin of Mr. Torvalds has been known to use Please and Thank you, and actively, as well, to wit:

    "Now please, pretty please, with cherry on top, will you take your patch and take it out of my m*****ing kernel??"

    He is working on the anti-kernel, as well, but that has been kept under wraps, until a proper EULA has been prepared.

    --
    WARNING: Smartphones have side effects--most of them undocumented.
  16. Where is the theme-song? by Anonymous Coward · · Score: 0

    Ok, they have a proper shop. But where is the theme-song / jingle ?

    I can not take these guys seriously unless they immediately create a theme-song too.

  17. Read the rest of the sentence. It's about the fix by raymorris · · Score: 1

    The eyeballs quote from Eric S Raymond is about *fixing* bugs. It doesn't say anything like "there will never be a bug". The end of the sentence is the words "the fix obvious to someone" and a few lines down he says it "can be rephrased as "Debugging is parallelizable''. Linus clarified "Somebody finds the problem and somebody else understands it".

    Would he include all of that discussion of how bugs are fixed if he even believed there were no bugs? Of course not. The claim is that no one person has to spend a long time trying to figure out what's causing the problem and then how to fix it without screwing up something else, "the fix will be obvious to someone".

    In this case, a solid fix was released within a few days. Compare the IE content-negotiation bug, listed on MSDN for eight years before it was fixed.

  18. Read the whole sentence. "The fix will be obvious by raymorris · · Score: 1

    The eyeballs quote from Eric S Raymond is about *fixing* bugs. It doesn't say anything like "there will never be a bug". There most definitely WILL be bugs in all software (except the space shuttle software). The end of the sentence is the words "the fix obvious to someone" and a few lines down he says it "can be rephrased as "Debugging is parallelizable''. Linus clarified "Somebody finds the problem and somebody else understands it".

    Would he include all of that discussion of how bugs are fixed if he even believed there were no bugs? Of course not. The claim is that no one person has to spend a long time trying to figure out what's causing the problem and then how to fix it without screwing up something else, "the fix will be obvious to someone".

    In this case, a solid fix was released within a few days. Compare the IE content-negotiation bug, listed on MSDN for eight years before it was fixed.

  19. Nine year old bug? What about "a million eyes"? by Anonymous Coward · · Score: 1

    "A million eyes makes all bugs shallow."
    Yet again, we see that is total BS. THis exploit has been there for at least nine years, and we see the apologists saying, "When an article like this comes out, it's already patched!!" What about those that have been screwed over by this design flaw for nine years?

  20. In a nutshell by Demonoid-Penguin · · Score: 1

    This is an ancient bug that was actually attempted to be fixed once (badly) by me [Phil "not Paul" Oester] eleven years ago in commit 4ceb5db9757a ("Fix get_user_pages() race for write access") but that was then undone due to problems on s390 by commit f33ea7f404e5 ("fix get_user_pages bug").
    In the meantime, the s390 situation has long been fixed, and we can now fix it by checking the pte_dirty() bit properly (and do it better).
    The s390 dirty bit was implemented in abf09bed3cce ("s390/mm: implement software dirty bits") which made it into v3.9. Earlier kernels will have to look at the page state itself.
    Also, the VM has become more scalable, and what used a purely theoretical race back then has become easier to trigger. To fix it, we introduce a new internal FOLL_COW flag to mark the "yes, we already did a COW" rather than play racy games with FOLL_WRITE that is very fundamental, and then use the pte dirty flag to validate that the FOLL_COW flag is still valid.

    tl;dr? It only became a serious flaw recently. It's been fixed. Install the fix.
    apt-get update&&apt-get -y upgrade&&reboot

    I'm not surprised that a published vulnerability is being exploited. Nor am I surprised that problem has been fixed, (and the fix was available immediately instead of on Patch Tuesday), or that some people are running systems that haven't been updated with the fix.

    1. Re:In a nutshell by hankwang · · Score: 1

      Where did you get "It only became a serious flaw recently"? It happened somewhere between 11 years ago and present, but no date is given for commit f33ea7f404e5 (I did try Google).

      --
      Avantslash: low-bandwidth mobile slashdot.
    2. Re:In a nutshell by Anonymous Coward · · Score: 0

      It was a novel flaw. It only became a serious flaw when somebody started exploting it.

    3. Re:In a nutshell by Anonymous Coward · · Score: 0

      It was a novel flaw. It only became a serious flaw when somebody started exploting it.

      It was a novel flaw. It only became a serious flaw when somebody noticed that somebody started exploting it.

  21. Re:Read the whole sentence. "The fix will be obvio by Anonymous Coward · · Score: 0

    In this case, a solid fix was released within a few days. Compare the IE content-negotiation bug, listed on MSDN for eight years before it was fixed.

    Part of the problem was that the bug was hidden and was exploited since 9 years ago.
    Quick release of patch was useless when the bug was being exploited since 9 years ago.
    How many more are currently hidden bugs and being used by nation state? Which will be only disclosed 10 years from now?

  22. Citation needed by raymorris · · Score: 1

    It is unfortunate that it wasn't caught sooner. Do you have *any* reason to believe it was exploited years ago, or that anyone even thought it *could* be exploitable? To my knowledge, it was a crash bug, never considered a security issue until a few days agob

  23. Re:Nine year old bug? What about "a million eyes"? by TangoMargarine · · Score: 1

    And I'm saying, what about when a bug shows up on Oracle's or Microsoft's systems, that has been there for 9 years, and they still take a couple months to fix it after it becomes public knowledge?

    Your move, Sparky.

    --
    Unity? Screw that: XFCE. Slashdot Beta? Screw that: SoylentNews. Australis? Screw that: Pale Moon. UX developers DIAF