Slashdot Mirror
'Most Serious' Linux Privilege-Escalation Bug Ever Is Under Active Exploit (arstechnica.com)
Reader operator_error shares an ArsTechnica report: A serious vulnerability that has been present for nine years in virtually all versions of the Linux operating system is under active exploit, according to researchers who are advising users to install a patch as soon as possible. While CVE-2016-5195, as the bug is cataloged, amounts to a mere privilege-escalation vulnerability rather than a more serious code-execution vulnerability, there are several reasons many researchers are taking it extremely seriously. For one thing, it's not hard to develop exploits that work reliably. For another, the flaw is located in a section of the Linux kernel that's a part of virtually every distribution of the open-source OS released for almost a decade. What's more, researchers have discovered attack code that indicates the vulnerability is being actively and maliciously exploited in the wild.
"It's probably the most serious Linux local privilege escalation ever," Dan Rosenberg, a senior researcher at Azimuth Security, told Ars. "The nature of the vulnerability lends itself to extremely reliable exploitation. This vulnerability has been present for nine years, which is an extremely long period of time." The underlying bug was patched this week by the maintainers of the official Linux kernel. Downstream distributors are in the process of releasing updates that incorporate the fix. Red Hat has classified the vulnerability as "important."
"It's probably the most serious Linux local privilege escalation ever," Dan Rosenberg, a senior researcher at Azimuth Security, told Ars. "The nature of the vulnerability lends itself to extremely reliable exploitation. This vulnerability has been present for nine years, which is an extremely long period of time." The underlying bug was patched this week by the maintainers of the official Linux kernel. Downstream distributors are in the process of releasing updates that incorporate the fix. Red Hat has classified the vulnerability as "important."
The existing known exploit does not work on stock RHEL5/6 systems because /proc/self/mem is read-only by default. But, there may be other exploit vectors.
Can I use this to root my Android phone? I just want to install an ad-blocking /etc/hosts file, so I don't need a permanent root. This sounds like just the sort of exploit to do the trick, but I haven't looked at the technical details. I just want to do this before the next security update patches it.
Hmm .. something just doesn't sound right here.
True. The thing that doesn't sound right is the belief that security is binary. Security is a continuum and sometimes a series of tradeoffs. It's not, never has been, and never will be 100%.
So no, finding a security bug in the linux kernel doesn't mean that linux is any less secure. We know these things happen. The idea is that it happens LESS often, and with less severity, and with fewer downsides than with Windows.
Why use Linux? Because as much as I love FreeBSD as a hardware barebones headless server for this and that, dealing with hardware driver issues for a fully featured desktop ranges between a pain in the ass and impossible. Otherwise I would be using the PC-BSD variant as a desktop productivity OS over Linux.
Brought to you by Carl's Junior.
Dirty Cows are for cows mooooooooooooooooooooo
It does happen with open source software, as with any software, and open source advocates don't need to apologize for it. What they need to do is fix it when it's brought to their attention --- oh, wait, they already did that.
Why ? I mean, as a 99% Linux user for the past 16 years, I've never tried any BSD. I'm not religious about it, I just don't know what would be better on it.
Non-Linux Penguins ?
So, how many security holes just as bad as this one has been silently plugged in Windows the last 15 years? How many equally serious security holes are being exploited in Windows right now? How many worse security holes are being exploited, or waiting to be found in Windows, right now?
I don't now. But I'm willing to guess the answer isn't "zero" to any of those questions. Nobody ever claimed Linux was bulletproof, the point is that it's better than the alternative.
Linux is less complex than Windows, bugs tend to be more public (no silent fixing of things while fixing other breakage), and get fixed faster than Windows. That's how it's more secure. Not because it's bulletproof.
It's also not a massive piece of spyware in itself.
Spam the mm from 2 threads. Wait for a read only page to be writeable before cow occurs.
Among the more serious exploits ive encountered, i must protest that "dirty cow" is not a sufficiently spooky enough name for this one. We all know Halloween approaches, so why not call it haunted cow? or zombie cow?
in addition, this exploit is far less severe than the shoulder surfing exploit of 2005 which resulted in direct root privilege access and a broken friendship, Margaret, that led me to conclude I could no longer trust you to use either the mini fridge or my Sriracha sauce anymore because friends dont just log in to anyones workstation Margaret, i trusted you and you deceived me.
Good people go to bed earlier.
This is a bug in the Linux kernel, affecting most operating systems that use this kernel.
The ports tree is miraculous. It eliminates a lot of admin work you have to deal with in Linux land. It also has a very solid implementation of ZFS, which can be life saving. Also, the layout of the file system is both sane and statically consistent over time. I could carry on for awhile about why I feel it is a superior server OS. Honestly if you don't get it then do your own research on it, contemplate you favorite services and give it a whirl. You will be doing yourself a favor. I assure it is not a religious thing.
Brought to you by Carl's Junior.
For Linux, it's the most serious local privilege escalation ever.
For Windows, it's Friday.
And whenever an article like this comes out, it's almost always already patched on Linux. How often is that the case with the proprietary sphere?
Unity? Screw that: XFCE. Slashdot Beta? Screw that: SoylentNews. Australis? Screw that: Pale Moon. UX developers DIAF
Modern app appers know that ONLY apps can app apps, NOT LUDDITE software like LUDDITE Linux, so appy app apps can't be apped by LUDDITE hackers!
You know, you gotta admire his persistence.
He could re-invent the smurfs, except everyone wears hipster clothing and says "apps" instead of "smurf"
... 9 years after the fact.
Actually the bug was fixed 11 years ago, but was regressed in a later patch that fixed a different issue for one architecture linux supports.
I found one of these "exploits in the wild":
https://github.com/dirtycow/dirtycow.github.io/blob/master/dirtyc0w.c
It works on the three Linux machines I first tested it on. /etc/secretfile.txt abcde
$ dirtyc0w
simply (over)writes abcde to the beginning of the file.
Fix seems to be available for none of the systems right now.
At least it requires a local account.... I mean, after all, it must be considered a security problem to allow web users to upload binaries or run arbitrary commands via a web server anyway. But if I was responsible for a students lab with hundreds of Linux computers I would be a little nervous.
... 9 years after the fact.
Yes, but that misses the point. It was fixed as soon as it was pointed out. No denial, no delay, just fixed. And, at least it was found and reported, even if it did take a very long time.
Of course, with closed source we'll never know what's been lurking for many years, but I suspect there will be things there too, as there are in all complex systems.
If you just want to block ads to your browser, then Firefox has the best tool. uBlock Origin can be configured for adblock, malware, and many sundry lists. Opera also advertises adblock as well as VPN, but Opera is now Chinese-owned and will be able to keybridge you, so caveat emptor.
You only need to touch /etc/hosts if you want to adblock Chrome and/or something OTHER than a browser. In that case, I am using AdAway from F-Droid, and that needs root every time it applies updates to /etc/hosts, so you will likely need persistent root.
And often it depends on the person behind the keyboard. If you have two computers with the same level of security, the computer with the insecure user will get hacked before (and more frequently than) the computer with the more secure user. Unfortunately, user education can only take you so far.
My sci-fi novel, Ghost Thief, is now available from Amazon.com.
OMGUbuntu why use linux answered in 3 short words
Why use Linux? Because of security!
Hmm .. something just doesn't sound right here.
Replying to my own post because I'm defeated by all that whooshing noise from all those other replies.
Some people just can't take a joke.
I am Slashdot. Are you Slashdot as well?
Can someone explain this bug in English?
There is a thing called COW (copy on write). There is a bug where worker code can ride the cow over the fence and gain access to the farmer's private yard.
Moral of the story: Don't let people ride your cows, let them find their own darn *nix shell.
Or more literal version: People with user access can get administrator access without permission.
Yep. Processes have memory. Memory is divided into pages. Some pages are shared by multiple processes. Initially some pages are marked read only. If the child writes to the page you get a page fault. The fault causes the kernel to make a copy of the page and maps the copy into to the original virtual address space.
Multiple processes may share that original readonly page, so if exploit the bug and write to it then you actually are writing to a page shared by multiple processes.
By your reasoning, security is a fixed steady state of false. Is that safe secure? No, given only 6 months and a modest $100 million investment, it can be drilled through.
A follower of Ned Ludd.
Some of Ned's mates smashed up automated weaving looms because they made a lot of weavers redundant. The plot was not very effective.
Eventually, the drop in price of cloth made by automated looms enabled the export of cloth to make England so rich it could afford an Empire*, and even the poor could afford to wear clothes. However, that was after two or three generations of abject poverty.
*Empires cost a lot of money. Sure they make a lot for a few, but in general, they eat money cos of the cost of the military.
Sent from my ASR33 using ASCII
Wikipedia is your friend.
I won't spoil it for you, but early in the industrial revolution a man with the lad name "Ludd" started a movement to try and halt the spread of mechanization via acts of sabotage. The basic feature was fear of new methods and technologies.
People who subscribed to his ideology were called "Luddites". In more modern parlance, the term refers to anyone who is resistant to adopting new tech.
It's probably the most serious Linux local privilege escalation ever
The evil twin of Mr. Torvalds has been known to use Please and Thank you, and actively, as well, to wit:
"Now please, pretty please, with cherry on top, will you take your patch and take it out of my m*****ing kernel??"
He is working on the anti-kernel, as well, but that has been kept under wraps, until a proper EULA has been prepared.
WARNING: Smartphones have side effects--most of them undocumented.
I'm not 100% sure, either, but based on what I'm reading, this exploit requires some type of local access to use directly. While it's not as bad as all the hype, it's still not great, and can still be exploited remotely; it just takes an extra step.
Say you're running a web server, and Apache has a buffer overflow vulnerability. A hacker can break in and, normally, only has access to whatever the "apache" user has access to. If the hacker knows about dirty cow, he can now give himself root access.
Sit, Ubuntu, sit. Good dog.
Another retarded post farted-out without a moment's thought: you're nothing if not consistent. ;)
The eyeballs quote from Eric S Raymond is about *fixing* bugs. It doesn't say anything like "there will never be a bug". The end of the sentence is the words "the fix obvious to someone" and a few lines down he says it "can be rephrased as "Debugging is parallelizable''. Linus clarified "Somebody finds the problem and somebody else understands it".
Would he include all of that discussion of how bugs are fixed if he even believed there were no bugs? Of course not. The claim is that no one person has to spend a long time trying to figure out what's causing the problem and then how to fix it without screwing up something else, "the fix will be obvious to someone".
In this case, a solid fix was released within a few days. Compare the IE content-negotiation bug, listed on MSDN for eight years before it was fixed.
The eyeballs quote from Eric S Raymond is about *fixing* bugs. It doesn't say anything like "there will never be a bug". There most definitely WILL be bugs in all software (except the space shuttle software). The end of the sentence is the words "the fix obvious to someone" and a few lines down he says it "can be rephrased as "Debugging is parallelizable''. Linus clarified "Somebody finds the problem and somebody else understands it".
Would he include all of that discussion of how bugs are fixed if he even believed there were no bugs? Of course not. The claim is that no one person has to spend a long time trying to figure out what's causing the problem and then how to fix it without screwing up something else, "the fix will be obvious to someone".
In this case, a solid fix was released within a few days. Compare the IE content-negotiation bug, listed on MSDN for eight years before it was fixed.
"A million eyes makes all bugs shallow."
Yet again, we see that is total BS. THis exploit has been there for at least nine years, and we see the apologists saying, "When an article like this comes out, it's already patched!!" What about those that have been screwed over by this design flaw for nine years?
tl;dr? It only became a serious flaw recently. It's been fixed. Install the fix.
apt-get update&&apt-get -y upgrade&&reboot
I'm not surprised that a published vulnerability is being exploited. Nor am I surprised that problem has been fixed, (and the fix was available immediately instead of on Patch Tuesday), or that some people are running systems that haven't been updated with the fix.
If you install BSD on some random desktop and get VESA only graphics or CLI only and the network card or wifi doesn't work, that's pretty secure.
One of the old Roman authors wrote that at any one time, e.g. your slave might slit your throat while in the middle of shaving you.
I think the message was something like "Deal with it" (in the internet memes sense)
I won't spoil it for you, but early in the industrial revolution a man with the lad name "Ludd" started a movement to try and halt the spread of mechanization via acts of sabotage.
The Luddites actually started as a mostly peaceful group demanding decent wages and safe working conditions. There is some dispute as to whether or not Ludd and the story of him smashing the knitting machine after a supervisor criticised his work are real. The group eventually did start sabotaging machines, but contrary to popular belief, they were not, and never were, anti-technology. It was just an industrial dispute that got nasty.
sub f{($f)=@_;print"$f(q{$f});";}f(q{sub f{($f)=@_;print"$f(q{$f});";}f});
Go on, then. Differ already.
It is unfortunate that it wasn't caught sooner. Do you have *any* reason to believe it was exploited years ago, or that anyone even thought it *could* be exploitable? To my knowledge, it was a crash bug, never considered a security issue until a few days agob
They're for different purposes. OpenBSD for example has a very advanced firewall, just not as advanced as Linux in other areas, such as desktop.
Why UNIX?
The whole point is that someone noticed the exploit in the wild.
Why UNIX?
... and reinvents tried and tested code, thus bringing more exploits to the party.
Why UNIX?
What's wrong with GNU Coreutils and glibc ?!? I use those hundreds of times a day and never knew there was something wrong with them...
Non-Linux Penguins ?
And I'm saying, what about when a bug shows up on Oracle's or Microsoft's systems, that has been there for 9 years, and they still take a couple months to fix it after it becomes public knowledge?
Your move, Sparky.
Unity? Screw that: XFCE. Slashdot Beta? Screw that: SoylentNews. Australis? Screw that: Pale Moon. UX developers DIAF