Linux Kernel 2.6 Local Root Exploit 586
aquatix writes "This local root exploit (Debian, Ubuntu) seems to work everywhere I try it, as long as it's a Linux kernel version 2.6.17 to 2.6.24.1. If you don't trust your users (which you shouldn't), better compile a new kernel without vmsplice." Here is millw0rm's proof-of-concept code.
Beauty of OSS (Score:5, Insightful)
On the other hand though this is the beauty of open source. The problem is now known so I'm sure a fix is already on the way.
Before the inevitable occurs: (Score:5, Insightful)
The difference is that we know about this hole, and can now fix it - I'm just going to bed, and it will no doubt be fixed by the time I wake up. How many Windows security issues are known that haven't been fixed?
"Oh man, this is why Linux is great! We can find holes, and fix them, like, immediately!"
Yes, that's a strength of Linux. What I want to know is, what steps will be taken to ensure that bugs of this type - whatever they might be - don't crop up again? One advantage that a large paid organization can have is strict testing requirements - I'm honestly not sure if I believe the Linux kernel is held to the strong standards that a commercial kernel theoretically could be.
The existence of this bug is a failure on Linux's part. There's no way to get around that. Many mistakes were made, from the original code or design decision that caused this bug all the way up to it not being found until now. The bug will be fixed rapidly - but the process that let this bug be released needs to be looked at, casually at the very least, to figure out if there's a way to stop this class of error from ever happening again. (Whatever class of error it ends up being - I don't pretend to know.)
Works for me too (Score:3, Insightful)
Linux opteron 2.6.22.16-0.2-default #1 SMP 2008/02/01 19:36:55 UTC x86_64 x86_64 x86_64 GNU/Linux
Re:For those that would rather write than read. (Score:2, Insightful)
Re:Misleading (Score:5, Insightful)
Re:Beauty of OSS (Score:5, Insightful)
Re:Before the inevitable occurs: (Score:5, Insightful)
This is quite old code and I had to rewrite it to even compile.
Re:Misleading (Score:5, Insightful)
If the only people that have accounts on the machine have physical access to it, this exploit is a lot more work than just opening the box...
Re:For those that would rather write than read. (Score:4, Insightful)
A 'local root exploit' only means that you have to have a shell of some kind first. This can include an SSH shell account. This can also include any kind of non-root shell exploit.
Say that you can exploit some webapp to get a shell as wwwrun/apache/www. That combined with a local root exploit to get root. It doesn't even need to be a DIRECT shell exploit. Perhaps your hack/program opens up a port with telnet listening.
Thus all 'local root exploits' are potential remote exploits, if we allow for chaining. Chaining can be used by anyone who isn't just a script kiddie. Hell, you could probably make an auto-rooter that will chain the exploits.
Re:Beauty of OSS (Score:0, Insightful)
Pretty good. That's 2 more posts than I expected when I read the headline...
Re:Misleading (Score:5, Insightful)
Re:ssh (Score:4, Insightful)
Re:Before the inevitable occurs: (Score:3, Insightful)
Re:Misleading (Score:5, Insightful)
You know, I haven't built my own kernel since 'make menuconfig' was the most advanced method around.
I got rather tired of picking and choosing what I need, just to get faster boot times.
That, and any time you need (professional) support for a third-party application, the first thing they ask you is wether you are running a stock kernel.
I -want- to be able to tell MySQL and RedHat to fight it out amongst themselves if my database does not live up to expectations.
I have better things to do with my time than to set-up and analyse endless system profiles, straces and stack dumps.
Grow up, get a real job and see what the real world is like.
You'll find that you no longer have the time to check SANS and packetstorm every day, just to see if your system is secure, spend days just to get that library to compile and then see the entire system go out the window, because it cannot be maintained (because you have be re-assigned to another project).
Re:But this can't be real! (Score:4, Insightful)
NTFS has had that for a while now.
Suggest you check out Windows System Resource Manager
The real problem here seems to be not Windows, but your ignorance about Windows.
Re:Misleading (Score:5, Insightful)
So the right answer is not 'It's not really a problem, honest!' The right answer is 'Yes, I fixed the problem on all our servers first thing this morning, with no downtime.'
Re:Beauty of OSS (Score:2, Insightful)
yea but how do we disable it till its fixed? (Score:3, Insightful)
Re:Misleading (Score:3, Insightful)
I notice that there are people who think otherwise, and I also notice (with some glee, I may add) that it's usually them who gets called at 5 AM on a Sunday morning because their server has been hacked or is at high risk from a zero day exploit.
'Sploit needs fixing on x86-64 (Score:3, Insightful)
Every instance of "0x%lx" needs to be replaced by "%p".
The moral of this story is: Always use gcc -Wall and fraggin' pay attention to the warnings.
Re:Whatever... (Score:3, Insightful)
Far more sensible in a corporate environment is to stick to the published stuff, so when it goes tits up you can call support and say "Fix it", or when your sysadmin leaves the incoming guy doesn't have to work out why the server is configured to behave in a way which "will be really great" but actually means everybody's mail is delivered in Swahili.
slashdot not filtering well enough (Score:4, Insightful)
It seems to me that slashdot's system for filtering submissions is doing a very poor job these days with stories about security bugs.
Within the last day or two, we've had the following:
This is really getting to be a Boy Who Cried Wolf thing.
Re:Whatever... (Score:5, Insightful)
Out there in the real world you use RHEL because it has paid support. You then use hardware certified by Redhat and use their packages (btw. RHEL doesn't appear to be vulnerable - you get an mmap failure trying to run the exploit).
If your oracle server goes titsup and oracle refuse to support you because although you're running on the supported RHEL your cowboy IT guy recompiled the kernel and broke it.. that costs money (potentially millions if the downtime is extended). And time. And stress. And the IT guy's job, and his job reference, and, we would hope, his career.
Re:Misleading (Score:4, Insightful)
Suppose there is a bug in Windows (stretch your imagination to include that possibility) that is part of one of the unpopular services on by default. No one on /. would excuse it because the user (or their sysadmin) should have disabled that service.
Also, options should never, as a principle, cause security holes.
Re:Misleading (Score:3, Insightful)
Re:Misleading (Score:2, Insightful)
I thought it still was...
Re:Beauty of OSS (Score:2, Insightful)
The truth is that you can't. The thing is that you don't have that guarantee with closed source either. The difference is that open source gives a lot more options to those who can and even those who can't (by virtue that someone who can can supply a pre-compiled fix). Open source isn't perfect. It just has some serious advantages in this particular type of situation.
Re:Misleading (Score:5, Insightful)
Dunno about you, but it's my job to (among other things) keep abreast of emerging security issues, then decide on their severity and priority. A quickie scan of SANS ISC is just as much a morning habit to me as log reviews and sucking down the morning caffeinated liquid.
Shit, man... a sysadmin who doesn't check at least some source of leading-edge security news daily is IMHO either incompetent or lazy, and tend to be the ones who look really stupid once they get blindsided by a compromise.
I'd much rather be chided for pushing something off by a few minutes, than to have to explain to my boss and his peers why I didn't know about XYZ exploit, and more importantly, why I didn't do anything to prevent it from chowing down on the production servers...
(and no, I don't run Gentoo, and I avoid recompiling any kernel unless absolutely necessary).
Re:Beauty of OSS (Score:3, Insightful)
See, we don't download binaries from websites and click "yes" until the installer shuts up. (Though I hate to say it but there are some utilities and install scripts coming out of the Ubuntu community that are dangerously close to that kind of installation paradigm.)
Re:Before the inevitable occurs: (Score:2, Insightful)
As opposed to Linux, which is backed up by several large paid organizations, notably including IBM.
Re:This is incorrect (Score:1, Insightful)
Re:Beauty of OSS (Score:2, Insightful)
Did you forget about assignment versus equality, perhaps? http://kerneltrap.org/node/1584 [kerneltrap.org]
Re:fast response (Score:3, Insightful)
unfortunate that the exploit existed for so long, but a patch was available for my gentoo distro within four hours of the article being posted on slashdot.
It sucks, actually. The bug was clearly simple enough to patch within hours, but that didn't stop hundreds if not thousands of programmers from failing to see it for a long, long period of time. "Many eyes make bugs shallow" my ass. One brilliant eye makes a bug shallow (in this case, the exploit author).
Clearly there are not enough brilliant eyes looking.