Local Root Hole in Linux Kernels

xepsilon writes "A local Linux security hole using ptrace has been discovered that allows a potential attacker to gain root privileges. Linux 2.2.25 has been released to correct this security hole, along with a patch for 2.4.20-pre kernels. 2.4.21 ought to contain this fix, once it is released. 2.5 is not believed to be vulnerable to this security hole. See this email from Alan Cox for details, and a patch."
  • Eek! (Score:2, Interesting)

    by Jouster ( 144775 ) <slashdot@angel[ ].com ['faq' in gap]> on Tuesday March 18, 2003 @04:12PM (#5538904) Homepage Journal
    And please, allow me to be the first to say:

    Holy shit, this could be a problem.

    Excuse me while I go patch my servers, which all of my developers have user-level access to, albeit very limited access.

    New marketing ploy for TMF: get your security news before the 13-year-old 5<R1p7 <1|)|)135, since they don't have credit cards with which to subscribe.

    Jouster
  • patched it already (Score:5, Interesting)

    by Lxy ( 80823 ) on Tuesday March 18, 2003 @04:15PM (#5538927) Journal
    Got an e-mail this morning from Redhat Network that a new kernel was available to solve this vulnerability. up2date got my machine patched hours before the /. post.

    If you're running Redhat, RHN is a valuable tool that no admin should be without.
  • Kernel Patches (Score:0, Interesting)

    by dave at hostwerks ( 466530 ) on Tuesday March 18, 2003 @04:16PM (#5538943) Homepage
    Hmmm....

    A Windows vulnerability is discovered and it takes a week or more to get it taken care of.

    The Linux kernel has a vulnerability and the patch is available immediately.

    Who's a sysadmin to trust?
  • by Richard_at_work ( 517087 ) on Tuesday March 18, 2003 @04:20PM (#5538975)
    Soooo, I wonder how many posts will appear here along the lines of those in the WebDav exploit story earlier. Not many, I'm willing to bet.

    Those people willing to shout and holler at every serious issue, screaming bloody murder because someone got it wrong, really piss me off. Yes, people get it wrong; they write insecure code from time to time. This issue and a number of those before it show that Linux has as many opportunities for exploitation as any other OS.
  • by N3WBI3 ( 595976 ) on Tuesday March 18, 2003 @04:24PM (#5539011) Homepage
    1) umm, I got a mail from redhat about this same as I get something from MS.
    2) I think you worry about crackers knowing, not hackers; hackers fix problems like this. Also, as anyone in a production environment knows, just because MS does not publish it does not mean that people don't know before they have a fix. Also, the time to deploy an MS patch in production is much longer due to shutdowns and testing.
    3) As opposed to almost *ALL* MS updates, which require a restart of every server in your company. Woo Hoo!
    4) ??? 5) Profit
  • by Anonymous Coward on Tuesday March 18, 2003 @04:24PM (#5539016)
    However, quoting some guy further down the page:

    A Windows vulnerability is discovered and it takes a week or more to get it taken care of.

    The Linux kernel has a vulnerability and the patch is available immediately.
  • by EZmagz ( 538905 ) on Tuesday March 18, 2003 @04:29PM (#5539062) Homepage
    Nobody's safe.

    I hate to say it, but this is kind of refreshing. This isn't a troll, so don't get me wrong...I'm a linux user myself. But after seeing the masses rip into MS yesterday when the thread about the IIS 5.0 hole was posted, I got a tad frustrated. Granted, I hate Microsoft as much as the next guy, but this just goes to show you that it's NOT just Microsoft that falls prey to holes and exploits. If it runs an OS, there's a chance it'll be cracked. Simple as that.

    Hell, the linux kernel is without a doubt one of the most audited open source projects out there, and this bug STILL didn't surface until 2.4.20. Of course, I applaud the speed and availability of patches and workarounds to the bug. Just remember, it happens to everyone.

  • Exploitable? (Score:5, Interesting)

    by Rain ( 5189 ) <slashdot@t. t h e m u ffin.net> on Tuesday March 18, 2003 @05:04PM (#5539364) Homepage
    Geez, only took /. 27-odd hours. Anyway.

    I tried writing an exploit for this flaw, but I couldn't get far enough to inject any code. I managed to ptrace(PTRACE_ATTACH, ...) a uid 0 modprobe (easy enough way to call kernel_thread()), but for some reason, the traced process isn't properly reparented, so all subsequent ptrace() calls fail. (Whenever you PTRACE_ATTACH to a process, it's supposed to become the child process of the tracer, and ptrace_check_attach (linux/kernel/ptrace.c) will return -ESRCH if this condition isn't met.)

    I'm not positive this is actually exploitable, but I'm not positive I took the correct approach, either. In any case, the most I've been able to do is spawn a slew of suspended root-owned processes. Not good, but not the end of the world, either. If someone has actually managed to exploit this flaw, I'd love to see some code so that I could see what I did wrong. Conversely, I'm willing to share the code I have upon request. I've only written code up to the current impasse, but once past this problem, the rest should be pretty trivial.
  • Where's Debian?? (Score:2, Interesting)

    by drwho ( 4190 ) on Tuesday March 18, 2003 @05:20PM (#5539522) Homepage Journal
    Where the hell are the debian people with a patched kernel? The patch alan cox provided doesn't apply cleanly to the debian modified kernel, so I am trying to hack it up now. But shouldn't someone in charge of security patches at debian have done this and had an update out?

    COME ON WAKE UP!
  • by DrXym ( 126579 ) on Tuesday March 18, 2003 @06:02PM (#5539825)
    It would be even more invaluable if Red Hat et al made RPM and their updates incremental. It is rather silly to expect people on 56k modems (of which there are still many) to download 30-50mb of patches to fix what probably amounts to 1mb at most of code changes. Kernel changes are particularly horrible - a one line patch means 35Mb download! How many users will bother with that? Now perhaps that's their own fault when they're rooted, but it's bad for everyone else too - a rooted box is a springboard for further attacks, not to mention dragging the reputation of Linux through the mud.


    Why isn't it possible to produce incremental binary patches containing just the diffs? Not only would it vastly increase the chances of people downloading them (which is good for everyone), it is good for Red Hat too since their bandwidth for up2date is slashed.


    Now obviously there are times when incremental diffs are not useful, but with the proper safeguards (e.g. checksums and backing up originals etc.) I don't see what the problem is. If anyone from Red Hat or RPM land is listening, please consider implementing this feature. Pretty please with a cherry on top.

  • Re:I don't think so (Score:4, Interesting)

    by mmontour ( 2208 ) <mail@mmontour.net> on Tuesday March 18, 2003 @06:03PM (#5539830)
    At least in Debian, even with "linux single" you have to type the root password to get root.

    How about with "linux init=/bin/sh"?
  • by TheRaven64 ( 641858 ) on Tuesday March 18, 2003 @06:07PM (#5539855) Journal
    Welsh has the most glaring deficit of vowels and proper spelling.

    Actually, Welsh has more vowels than English, and is spelt almost entirely phonetically. It's hard for English speakers to read since it uses the same characters to represent different sounds (Yes, I have had to listen to Alan rave about how wonderful Welsh is...). The most confusing thing I find about welsh is the way words 'mutate', that is to say their pronunciation changes depending on the syllable preceding or following them to make the sentence flow more easily.

    It is sometimes useful to know a language that no-one else in the room speaks, and I think that this is one of Alan's reasons for learning, but I prefer Latin for this purpose. The structure is more logical.

  • by DrXym ( 126579 ) on Tuesday March 18, 2003 @07:35PM (#5540487)
    I didn't mean that way. I mean if up2date says there is a new version e.g. 1.2.1 and you have 1.2.0, and there is an incremental diff available (i.e. 1.2.0-1.2.1) then it should fetch and apply that rather than fetching the whole 1.2.1 package which could be massive. After patching you now have 1.2.1 as if you had done rpm -Uvh on it.


    There is no 'hotfixing' or piece patching here. The result of the incremental diff is the same as installing the whole new version, just considerably easier to download. As I mentioned, a kernel update is 35mb of patches. I would be surprised if an equivalent incremental patch were more than a megabyte.
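    The incremental-diff scheme described above (fetch only the 1.2.0-1.2.1 delta, apply it, end up with exactly what the full package would have installed) together with the safeguards asked for earlier (checksums and a backed-up original), as an added illustration that is not code from the post, from RPM or from up2date. The delta format, the package contents and the checksum handling are all constructed for the example.

```python
import hashlib

# Constructed sample packages (not real RPM contents): one version string
# differs and the bulk is identical, the "one-line patch, 35 MB download" case.
PADDING = b"unchanged module bytes\n" * 40
OLD_PKG = b"version=2.4.20\n" + PADDING
NEW_PKG = b"version=2.4.21\n" + PADDING

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def make_delta(old: bytes, new: bytes) -> list:
    """Cheap delta: keep the common prefix and suffix, ship only the middle.
    Ops are ("copy", offset, length) from the base or ("insert", bytes)."""
    limit = min(len(old), len(new))
    prefix = 0
    while prefix < limit and old[prefix] == new[prefix]:
        prefix += 1
    suffix = 0
    while suffix < limit - prefix and old[-1 - suffix] == new[-1 - suffix]:
        suffix += 1
    ops = []
    if prefix:
        ops.append(("copy", 0, prefix))
    if new[prefix:len(new) - suffix]:
        ops.append(("insert", new[prefix:len(new) - suffix]))
    if suffix:
        ops.append(("copy", len(old) - suffix, suffix))
    return ops

def apply_delta(base: bytes, ops: list) -> bytes:
    """Rebuild the new package; reject any copy range outside the base."""
    out = bytearray()
    for op in ops:
        if op[0] == "copy" and op[1] >= 0 and op[2] >= 0 and op[1] + op[2] <= len(base):
            out += base[op[1]:op[1] + op[2]]
        elif op[0] == "insert":
            out += op[1]
        else:
            raise ValueError("malformed delta op")
    return bytes(out)

def upgrade(installed: bytes, ops: list, base_sha: str, result_sha: str) -> bytes:
    """Apply a delta only to the exact base it was built for, and accept the
    result only if it hashes to the published full package (what rpm -Uvh gives)."""
    if sha256_hex(installed) != base_sha:
        raise ValueError("installed package is not the delta's base; fetch the full package")
    result = apply_delta(installed, ops)
    if sha256_hex(result) != result_sha:
        raise ValueError("patched result does not match the published checksum; keep the backup")
    return result
```

    Here the delta carries a single inserted byte plus two copy ranges, while a mismatched base or a corrupted result is refused before anything replaces the installed copy.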

  • This and IIS exploit (Score:3, Interesting)

    by OoSync ( 444928 ) <wellsed.gmail@com> on Tuesday March 18, 2003 @07:37PM (#5540501)
    While it's not really kosher to bash an OS because of a single flaw, there is a fundamental difference in the case of this flaw and the previously announced IIS exploit: this one's not yet exploited. One thing that hurts FS/OSS on bug lists is that all *potential* exploits in open code will be listed as bugs, while many proprietary products only disclose known, possibly exploited, bugs. Case in point, the IIS problem was exploited almost a week ago. The kernel problem was noticed, fixed, and no exploit exists. In fact, a previous poster on this board has posted his inability to trigger the *potential* exploit and asked for help.
  • by humphrm ( 18130 ) on Tuesday March 18, 2003 @07:48PM (#5540568) Homepage
    How about "Security-By-Not-Having-Anything-Of-Any-Real-Interest-To-Crack" on my system?
  • Rule of Thumb (Score:2, Interesting)

    by Anonymous Coward on Tuesday March 18, 2003 @08:32PM (#5540809)
    When setting up security, I always assume any local user can get root privileges and make sure I don't care that much. It makes life much easier and less worrisome.
  • by aggieben ( 620937 ) <aggieben&gmail,com> on Tuesday March 18, 2003 @08:37PM (#5540832) Homepage Journal
    uhh.....I don't think so. SunOS has had its share....
    but that's beside the point. The OS has little to do with privilege escalation, anyway; it has everything to do with the programmers who write programs that will be suid.
  • by palfreman ( 164768 ) on Tuesday March 18, 2003 @08:38PM (#5540837) Homepage
    "If Microsoft didn't exist it would be necessary to invent them."
    So you are equating Microsoft to God. Interesting...

    Although Voltaire may have said "If God didn't exist it would be necessary to invent him," it is another matter as to whether Microsoft resembles Him. I would have said that Microsoft was just another popular-for-now company with nothing to fall back on. Nothing special in the long run.

    However, if you want to be really picky, they have the advantage of existing and actually being pointable-to, unlike God.
