Linux: Beep Command Can Be Used to Probe for the Presence of Sensitive Files (bleepingcomputer.com)

← Back to Stories (view on slashdot.org)

Linux: Beep Command Can Be Used to Probe for the Presence of Sensitive Files (bleepingcomputer.com)

Posted by msmash on Tuesday April 10, 2018 @03:20AM from the a-quiet-place dept.

Catalin Cimpanu, writing for BleepingComputer: A vulnerability in the "beep" package that comes pre-installed with Debian and Ubuntu distros allows an attacker to probe for the presence of files on a computer, even those owned by root users, which are supposed to be secret and inaccessible. The vulnerability, tracked as CVE-2018-0492, has been fixed in recent versions of Debian and Ubuntu (Debian-based OS). At its core, the bug is a race condition in the beep utility that allows the OS to emit a "beep" sound whenever it is deemed necessary. Security researchers have discovered a race condition in the beep package that allows an attacker to elevate his code to root-level access.

44 of 109 comments (clear)

Min score:

Reason:

Sort:

bleep by Chaldean42 · 2018-04-10 03:23 · Score: 5, Funny

Anyone else find it ironic that this comes from bleepingcomputer.com?
1. Re:bleep by fluffernutter · 2018-04-10 03:40 · Score: 1
  
  From your comment I expected to see a link to a definition that differed from Alanis Morissette's but it is the same; leaving me very confused.
  
  --
  Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
2. Re: bleep by aliquis · 2018-04-10 03:46 · Score: 1
  
  The second one there seem to fit ...
3. Re:bleep by Archangel+Michael · 2018-04-11 03:48 · Score: 1
  
  Treason doesn't pay.
  
  Unless you're Hillary. The whole Clinton Foundation thing while SoS was a criminal endeavor pay to play, legalized bribery. Funny how the Clinton Foundation donations have all but disappeared now that she and Bill have no chance at power.
  And no, I didn't vote for Donald. It is amazing how people are still excusing their candidate because someone else won. Two Criminals, by Two Criminal Organization called political parties. Pretending it would be better under "Not Trump" Hillary is why the country is going to shit.
  And Bernie isn't trustworthy, he and his wife are under criminal investigation for fraud. But he's a good socialist so lets ignore that.
  
  --
  Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
4. Re:bleep by JustNiz · 2018-04-11 11:30 · Score: 1
  
  >> Republican lead Congress
  Like this you mean? :https://www.politico.com/story/2017/11/13/sessions-special-counsel-clinton-uranium-244867
5. Re: bleep by JustNiz · 2018-04-11 11:35 · Score: 1
  
  By your standards, the Attorney general must be a tinfoil fucknut too then.
  https://www.politico.com/story...
  > Jesus fucking Christ you're fucking dumb. It's well known he hates her.
  Its also well-known that he hates Trump and in fact anything American, but you Liberal morons just can't handle that because the truth undermines your whole rabid conspiracy rant.
6. Re:bleep by JustNiz · 2018-04-12 14:18 · Score: 1
  
  It is perfectly well documented that Hillary has in fact broken the law and has thus far at least, gotten away scott free with it.
  If someone simply pointing out facts equates in your mind to that person having personal failings and insecurities, then it's 100% clear that you only need to look in the mirror to see where the real and significant mental issues actually lie.
beep boop root by Anonymous Coward · 2018-04-10 03:24 · Score: 1

Urg... this'll get some flack from the Windows fanboys.
"Linux can be rooted by a command that makes your computer beep? That's fucking idiotic, man..."
1. Re:beep boop root by Sarten-X · 2018-04-10 03:41 · Score: 2
  
  Right? About the only thing worse would be a kernel vulnerability in something silly like fonts...
  The beep vulnerability makes a lot of sense, actually. Related to this update, I recently learned that the ubiquitous beep used to be driven by reprogramming the system clock. Naturally, that kind of hardware access is something that should be a system administrator function, restricted to root on *nix systems. It would make sense, then, that any vulnerability there would likely be a privilege escalation.
  
  --
  You do not have a moral or legal right to do absolutely anything you want.
2. Re:beep boop root by TheRaven64 · 2018-04-10 04:10 · Score: 3, Informative
  
  Right? About the only thing worse would be a kernel vulnerability in something silly like fonts
  
  Windows and Linux have both had font handling vulnerabilities. The difference is that in Windows they were in the kernel, whereas in Linux they were in X11, which ran with root privilege and could open /dev/kmem and directly modify kernel memory.
  
  The beep vulnerability makes a lot of sense, actually.
  No it doesn't. All *NIX operating systems provide standard UNIX file permissions on device nodes and accessing /dev/dsp or the device for the internal speaker to a group is trivial. Most modern *NIX systems provide ACLs, so you can provide finer-grained access. Most modern *NIX systems even provide access control frameworks that let you grant access on a {program, file} pair, rather than, a {user, file} pair, so you could grant access to the device to the beep program running at any user, but not grant any other rights to the program or the user. These vulnerabilities are in no way intrinsic to the beep program, they are related to how the beep program is installed.
  
  --
  I am TheRaven on Soylent News
3. Re:beep boop root by tlhIngan · 2018-04-10 05:13 · Score: 1
  
  Right? About the only thing worse would be a kernel vulnerability in something silly like fonts...
  The beep vulnerability makes a lot of sense, actually. Related to this update, I recently learned that the ubiquitous beep used to be driven by reprogramming the system clock. Naturally, that kind of hardware access is something that should be a system administrator function, restricted to root on *nix systems. It would make sense, then, that any vulnerability there would likely be a privilege escalation.
  Font handling is not easy, especially in modern days. It might seem easy (after all, TeX works by pushing around fixed-sized boxes, but that doesn't work in a modern i18n world). Take for example, letter decorations. Beyond the Euro languages which generally just have accents and such, some languages have a lot more they can put on letters. And then the order of the decorations can be important as well as where the character appears in the string (e.g., Arabic is bad for this - add a character and the "word" can enlarge in size, shrink in size, etc. It's one of the ways iOS was compromised - if you attempt to replace a long word with a split one (e.g., instead of showing "This is a really long message to fit on the message box of the screen", it will want to cut it and show "This is a really long message..." or "This is a really long mess..."), the string can actually take more space to display than if you added more characters.
  Rendering fonts is no longer easy - some languages seem poised to make it especially difficult because the shape you use depends on so many variables (decorations, preceding words, location of character in the word, etc) so it is no surprise that there are vulnerabilities. Depending on where your font rendering code is, this could be a serious one or a minor one.
  As for the beep package, on the PC, the system speaker is connected to the timer chip. In order to control the pitch and duration you have to reprogram the timer chip (which can be the main timer chip as well) in order to cause it to make noise (you have to have access to a couple other registers as well - there's an enable line and an "amplifier" enable line used to connect the timer output to the speaker itself).
  This inflexibility of the PC speaker is what makes PCM output using the speaker impressive.
4. Re:beep boop root by Sarten-X · 2018-04-10 06:16 · Score: 1
  
  Both points there are exactly what I was alluding to... Modern computing is a lot more complicated than it seems. It's amazing how much of technology is hacked together with duct tape and baling wire to make it work, and it's silly for anyone to throw stones in a city full of glass houses.
  
  --
  You do not have a moral or legal right to do absolutely anything you want.
Article ist not correct by messju · 2018-04-10 03:30 · Score: 4, Informative

Beep is not pre-installed on Debian GNU/Linux.
1. Re:Article ist not correct by andrewbaldwin · 2018-04-10 03:38 · Score: 2
  
  It's not pre - installed on Mint either
2. Re:Article ist not correct by sjwest · 2018-04-10 03:39 · Score: 2
  
  Its not debian installed by default
  beep does what you'd expect: it beeps. But unlike printf "\a" beep allows
  you to control pitch, duration, and repetitions. Its job is to live inside
  shell/perl scripts and allow more granularity than one has otherwise. It is
  controlled completely through command
  I suppose somebody needs that, not us.
3. Re:Article ist not correct by FormOfActionBanana · 2018-04-10 04:40 · Score: 1
  
  When I was young the programs were play and rec.
  
  --
  Take off every 'sig' !!
4. Re:Article ist not correct by Scarletdown · 2018-04-10 04:51 · Score: 1
  
  So only those who have ever used computers just to generate music are supposed to be on Slashdot? You might want to go back to eating Tide Pods and snorting condoms back in your basement, kid.
  
  --
  This space unintentionally left blank.
5. Re:Article ist not correct by Chris+Mattern · 2018-04-10 05:00 · Score: 1
  
  Nor on Ubuntu. I can't imagine anybody going out and just getting this package. Is there anything that gets it as a pre-req?
6. Re:Article ist not correct by Carewolf · 2018-04-10 05:21 · Score: 2
  
  If you have never written a script to generate music using beep you don't belong on slashdot.
  Coding music with beep is like programming BASIC, real men echo to /dev/dsp.
7. Re:Article ist not correct by tomxor · 2018-04-10 06:24 · Score: 1
  
  Yup, I just tried it.
8. Re:Article ist not correct by KiloByte · 2018-04-10 06:52 · Score: 1
  
  real men echo to /dev/dsp
  Except for those who noticed that /dev/dsp was deprecated five ages and two aeons ago, and today its emulation is not even functional anymore.
  
  --
  The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
9. Re:Article ist not correct by Carewolf · 2018-04-11 05:34 · Score: 1
  
  real men echo to /dev/dsp
  Except for those who noticed that /dev/dsp was deprecated five ages and two aeons ago, and today its emulation is not even functional anymore.
  You could say the same about beep, deprecated and now only works through emulation.. Emulation so complex it has security holes.
10. Re:Article ist not correct by KiloByte · 2018-04-11 06:34 · Score: 1
  
  That's not emulation of beeps: you can do that unprivileged as long as you can play regular sound: here's a function named sin, output its results as 16-bit integers and there you go. That beep tool uses real PC honker, needing root to access it without being at console.
  
  --
  The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
So by Greyfox · 2018-04-10 03:53 · Score: 2

Another setuid vulnerability in this day and age? You'd think it was difficult to find all the setuid programs on a system and audit the shit out of each and every one of them.

--
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
Forget this comes from Bleeping Computer by cloud.pt · 2018-04-10 03:57 · Score: 1

The real pun to this vulnerability is the fact it is a race condition in the "beep" package.
Beep! Beep!
I find it ironic... by frank_adrian314159 · 2018-04-10 03:57 · Score: 4, Insightful

... that a command that probably started life as putchar('\007'); could morph into some monster needing to spawn threads and have race conditions.

--
That is all.
1. Re:I find it ironic... by Anonymous Coward · 2018-04-10 04:54 · Score: 5, Informative
  
  Your comment tells me that you probably don't understand the "putchar('\007')" reference.
  The "bell" command is so primitive that it's a BIOS function. There's no code to write. It's already in there. Even from the DOS 1.0 command line you can type "echo ^G" and it works. (That's the control key plus the letter G, for the younger kids in the crowd)
  It should be so simple that regardless of how many layers of code you pile on top, security issues of ANY form should be impossible, But, alas, code bloat and overly complex implementations have brought us to this place. You can't even trust a beep.
2. Re:I find it ironic... by edtice1559 · 2018-04-10 05:15 · Score: 2
  
  The command is a bit more complicated than that. It allows you to specify the tone and duration. And the race condition comes because (a) multiple processes can call it simultaneously and (b) there is signal handling code present so that the speaker isn't left beeping in perpetuity should the process somehow get killed in the middle of a beep! If you look at the proposed patch, things make a bit more sense. And the FAQ is hysterical https://holeybeep.ninja/
3. Re:I find it ironic... by Anonymous Coward · 2018-04-10 05:37 · Score: 1
  
  The "bell" command is so primitive that it's a BIOS function. There's no code to write. It's already in there. Even from the DOS 1.0 command line you can type "echo ^G" and it works.
  Actually it is much older than that. The BEL code was in teletype Murray code from 1901, some 80 years before MS-DOS. It requested that the teletype machine rang a bell to alert the operator.
  See http://en.wikipedia.org/wiki/Baudot_code
4. Re:I find it ironic... by slashdice · 2018-04-10 06:58 · Score: 1
  
  ___________ | oo .ooo| | oo .o o| | ooo .o | | o . | | oo o.ooo| | oo .oo | | oo .oo | | o . | | oo o.o o| | oooo. o| | o . | | oo o.o | | oo . o| | ooo .ooo| | oo o.oo | | o o.oo | | o. o | ___________
  
  --
  Copyright (c) 1990 - 2014 Dice. All rights reserved. Use of this comment is subject to certain Terms and Conditions.
5. Re:I find it ironic... by AmiMoJo · 2018-04-10 23:35 · Score: 1
  
  Most modern computers don't even have a BIOS any more. In fact most don't even have a beeper.
  Some people were using beep to create delays in scripts. The mind boggles.
  
  --
  const int one = 65536; (Silvermoon, Texture.cs)
  SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
Debian Beeping by bill_mcgonigle · 2018-04-10 04:01 · Score: 1

The one thing that's been driving me nuts since switching to Debian testing (from Fedora) is X using system beeps to alert, even though Pulse is running. I'll have to see if something dragged in 'beep' as a dependency when I get home.

--
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
1. Re:Debian Beeping by Anonymous Coward · 2018-04-10 05:22 · Score: 1
  
  rmmod pcspkr
FFS by Anonymous Coward · 2018-04-10 04:08 · Score: 1

Is this really where we are now? How many decades of computer science and security research and there's a vulnerability in beep?
Pack it up. We're done. Computers were good while they lasted, but maybe our pending cockroach overlords will get this whole computer thing straightened out better than we did.
Missing information by nospam007 · 2018-04-10 04:23 · Score: 1

So, when the attacker do this, does it now beep or not?
1. Re:Missing information by Anonymous Coward · 2018-04-10 04:33 · Score: 3, Funny
  
  no they would use beep --silent
And rooted from the patch, too by DrYak · 2018-04-10 04:49 · Score: 4, Informative

"Linux can be rooted by a command that makes your computer beep? That's fucking idiotic, man..."
And the patch that supposedly fixes the bug contains this gem :
--- /dev/null 2018-13-37 13:37:37.000000000 +0100 +++ b/beep.c 2018-13-37 13:38:38.000000000 +0100 1337a 1,112d !id>~/pwn.lol;beep # 13-21 12:53:21.000000000 +0100 .
Which is supposed to be an exploit of patch:
according to that source, patch supports diff written in ed scripts (you, know the one editor that is supposed to be the punch line of every "VI vs EMACS" flamewar)
and ed in turn has "! command" to execute commands.
So yes, even the patch fixing the "beep" exploit can be exploited in turn and root the system too (... of any admin careless enough to run the build of the patched package on the bare system instead of inside some container and as a non-root user).
---
Back to beep itself :
- https://sigint.sh/#/holeybeep - a good source which analyzes how beep is exploitable (basically signal handler called at the exact wrong time, while performing a switcharoo on symlink target, between the console that gets opened on each beep, and the target file that gets opened when the signal kills the audio)
- https://github.com/johnath/bee... upstream audio.

--
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
Fonts on UNIX by DrYak · 2018-04-10 05:18 · Score: 5, Informative

The difference is that in Windows they were in the kernel, whereas in Linux they were in X11, which ran with root privilege and could open /dev/kmem and directly modify kernel memory.
Maybe a couple of decades ago.
Since then:
- in some distant past, font rendering on Unix was offloaded to a separate X Font Server that communicate over a socket, and didn't need it self to be root to write to the framebuffer.
- in a more recent past , font rendering was moved out of the X server, and into the client.

No it doesn't. All *NIX operating systems provide standard UNIX file permissions on device nodes and accessing /dev/dsp or the device for the internal speaker to a group is trivial.
In this case, that's the console/VT or event device (basically beep is good old "\a" bell, but on steroids, i.e.: with ioctl/writes to precisely tune the beep).
It doesn't use any audio device (no /dev/dsp).
That's indeed stupid as there are methods to give access of those to the currently loged-in user (If I'm not mistaken, basically the same work that has been done to run X11 on any non-dinosaur distros)
That's exactly what is abused by some exploits (source) :
have a symlink point to an event device (the king that is controlled by writing instead of ioctl) start a "beep" command (which will open the symlink for writing as root on each played sound), then at the perfect time reroute the symlink send a kill signal - the signal handle will try to mute the speaker (by again opening the symlink for writing), but is now writing the parameters in the target file instead of the event device.

--
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
Oh, nice by ChoGGi · 2018-04-10 05:39 · Score: 1

Now you can beep your way to success.
Re: setuid strikes again by guruevi · 2018-04-10 05:47 · Score: 1

Beeping on IBM clones is done by playing with the PIC chip which was quite literally connected to a pin on the processor. It requires rather low level access to program. You could obviously write a shim in modern kernels to user space but there are a lot of things that have direct access to hardware.

--
Custom electronics and digital signage for your business: www.evcircuits.com
Re:Kids by slashdice · 2018-04-10 07:00 · Score: 1

Kids these days code a helloworld.c using node.js and electron, And yes, it has a cross-domain vulnerability. and 7 copies of Never Gonna Give you Up (apparently, included with is-thirteen.js)

--
Copyright (c) 1990 - 2014 Dice. All rights reserved. Use of this comment is subject to certain Terms and Conditions.
Why setuid root?? by schweini · 2018-04-10 07:10 · Score: 1

According to the FAQ, beep has to be installed as setuid root for this to work.
Why the heck would beep need root? I'm guessing in order to access the hardware, but that's what we are supposed to have HALs for?
Millions "affected" by paulpach · 2018-04-10 08:23 · Score: 1

From their website:
"How many people are affected?
Millions! Everyone, almost.
According to the Debian popularity contest, beep is installed on 1.86% of all machines. Extrapolating that by the earth population, we estimate roughly 130 million affected users."
130 millions is probably an order of magnitude bigger than all debian users. That extrapolation is ridiculous. Is this supposed to be a tongue in cheek number?
Re:Unfortunate by fluffernutter · 2018-04-10 08:38 · Score: 1

She's talking about ironic coincidences.. which both definitions mention.

--
Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.