Slashdot Mirror


5-Year-Old Critical Linux Vulnerability Patched (threatpost.com)

msm1267 quotes Kaspersky Lab's ThreatPost: A critical, local code-execution vulnerability in the Linux kernel was patched more than a week ago, continuing a run of serious security issues in the operating system, most of which have been hiding in the code for years. Details on the vulnerability were published Tuesday by researcher Philip Pettersson, who said the vulnerable code was introduced in August 2011.

A patch was pushed to the mainline Linux kernel December 2, four days after it was privately disclosed. Pettersson has developed a proof-of-concept exploit specifically for Ubuntu distributions, but told Threatpost his attack could be ported to other distros with some changes. The vulnerability is a race condition that was discovered in the af_packet implementation in the Linux kernel, and Pettersson said that a local attacker could exploit the bug to gain kernel code execution from unprivileged processes. He said the bug cannot be exploited remotely.

"Basically it's a bait-and-switch," the researcher told Threatpost. "The bug allows you to trick the kernel into thinking it is working with one kind of object, while you actually switched it to another kind of object before it could react."

7 of 68 comments

  1. Bug discovered, 4 days later, patch released. by Anonymous Coward · Score: 5, Insightful

    The real story here is that 4 days after the vulnerability was made known to the devs, a patch was released.

    1. Re:Bug discovered, 4 days later, patch released. by Abu+of+unruley+kids · Score: 2

      ^ This

  2. Re:Not surprising by godrik · Score: 2, Informative

    The amazing thing to me is that the Linux kernel doesn't even have a test suite like GCC or binutils (correct me if I'm wrong).

    There is a test suite here.

  3. Re:bug cannot be exploited remotely by bill_mcgonigle · Score: 3, Insightful

    If an attacker is in the same room as your system, you're already pwnd.

    This bug can't be exploited remotely. Other bugs can, to get a local user shell, then you stack this one on top.

    They're all problems.

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)

  4. Re:Not surprising by Anonymous Coward · Score: 5, Interesting

    In my OS class during my UG CS degree we were writing a small OS. By the time we got to threading we were bitching about how hard it was in *nix so our prof cracked the hood on the Windows threading APIs... We collectively shut the hell up when we saw how hideous and needlessly complicated it was compared to what we were working with.

    It turns out that Linux has WAY fewer bugs than Windows or Mac despite being dreams and wishes...and this is with a completely open code base. https://www.cvedetails.com/

    Windows is a colostomy bag of code in comparison, and if you think you've found a way to improve some part of Linux, you should write it up and submit a patch.

  5. Classic TOCTTOU by naasking · Score: 3, Informative

    So basically, a classic, well known TOCTTOU vulnerability.

  6. Did Microsoft pay to write the article in such a way? by NuclearCat · Score: 2

    This bug needs CAP_NET_ADMIN privileges, which are VERY rarely enabled for a typical user, because they let you screw up network configuration and sniff traffic (which is almost equal to root privileges in our networked days).
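A defender reading the comment above would want to know which processes on a box actually hold CAP_NET_ADMIN. The script below is an added example, not code from the article or the thread: it decodes the Cap* hex masks that the kernel prints in /proc/<pid>/status and reports whether each set grants CAP_NET_ADMIN. The bit numbers come from linux/capability.h; the two status texts are constructed samples, not captured from a real system.

```python
"""Decode capability masks from /proc/<pid>/status and look for CAP_NET_ADMIN."""
import os
import sys

# Capability bit numbers from include/uapi/linux/capability.h (subset).
CAP_BITS = {
    "CAP_NET_BIND_SERVICE": 10,
    "CAP_NET_BROADCAST": 11,
    "CAP_NET_ADMIN": 12,
    "CAP_NET_RAW": 13,
    "CAP_SYS_ADMIN": 21,
}

# The capability sets the kernel reports, one "Name:\t<hex>" line each.
CAP_SETS = ("CapInh", "CapPrm", "CapEff", "CapBnd", "CapAmb")


def parse_cap_masks(status_text):
    """Return {set_name: int_mask} for the Cap* lines of a status file."""
    masks = {}
    for line in status_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key in CAP_SETS:
            masks[key] = int(value.strip(), 16)  # masks are printed as hex
    return masks


def has_cap(mask, cap_name):
    """True if the named capability bit is set in the mask."""
    return bool((mask >> CAP_BITS[cap_name]) & 1)


def net_admin_report(status_text):
    """Map each capability set to whether it contains CAP_NET_ADMIN."""
    return {name: has_cap(mask, "CAP_NET_ADMIN")
            for name, mask in parse_cap_masks(status_text).items()}


# Constructed samples: an unprivileged login shell (empty effective set, full
# bounding set) and a root shell (full permitted and effective sets).
SAMPLE_USER = ("Name:\tbash\nCapInh:\t0000000000000000\nCapPrm:\t0000000000000000\n"
               "CapEff:\t0000000000000000\nCapBnd:\t0000003fffffffff\nCapAmb:\t0000000000000000\n")
SAMPLE_ROOT = ("Name:\tbash\nCapInh:\t0000000000000000\nCapPrm:\t0000003fffffffff\n"
               "CapEff:\t0000003fffffffff\nCapBnd:\t0000003fffffffff\nCapAmb:\t0000000000000000\n")

if __name__ == "__main__":
    # With a PID argument, inspect a live process; otherwise use the samples.
    if len(sys.argv) > 1:
        with open(os.path.join("/proc", sys.argv[1], "status")) as f:
            print(net_admin_report(f.read()))
    else:
        print("user:", net_admin_report(SAMPLE_USER))
        print("root:", net_admin_report(SAMPLE_ROOT))
```

Only CapEff decides what a process can do right now; a CAP_NET_ADMIN bit in CapBnd alone (as in the unprivileged sample) means the capability is merely not blocked for descendants.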