Local Root Exploit in Linux 2.4 and 2.6 795
Anonymous Coattails writes "Summary from the advisory: 'Locally exploitable flaws have been found in the Linux binary format loaders' uselib() functions that allow local users to gain root privileges.'"
*sits back* (Score:3, Funny)
Re:*sits back* (Score:5, Funny)
Because in this case Linus Torvalds is our new overlord, and I for one, welcome him.
Re:*sits back* (Score:3, Funny)
"You can download the fix
- here
..." - Any Linux website within a days (perhaps hours) of the report.Re:*sits back* (Score:4, Insightful)
Then run a different distribution. On Debian a new kernel is just an apt-get away, no compiling required (unless you need something special of course). I'm sure other distros are similar.
Re:*sits back* (Score:5, Funny)
Hmm. Wait, I think I just described Debian Stable.
*is hit by a gigantic potato from the debian crowd*
(Yes, I am aware that stable is called Woody, and the last version was called Potato. But if I said "is hit by a gigantic woody..." i'd probably get murdered. Oops.)
Re:*sits back* (Score:5, Funny)
So, I would like to remind Linus that I will be very useful in rounding up workers to toil in the underground Perl mines.
Re:*sits back* (Score:4, Funny)
Dude, he was our new overlord like 10 years ago, get with the program...
Re:*sits back* (Score:5, Insightful)
The uselib() system call is quite old. It was introduced in Linux 0.12 as a quick way to support dynamically loaded, statically linked libraries.
The way shared libraries worked was like this:
libc was compiled and linked like a normal program would be, except that its start address was set to (say) 0x400b0000. printf() would be at (say) 0x400cb110.
Main programs were linked down at 0x08048000 or so, and knew where in memory printf was. The kernel knew how to load your main program and jump to its start. However, there was nothing but a segfault waiting for you at 0x400cb110 initially. So how did the kernel know what shared libraries to load?
Well, one possibility was to put a list of library paths into the executable and teach the kernel to load 'em. Ugh. Didn't SCO do that?
Instead, the linker would add a little assembly language stub to start your main program. It looked a little like:
uselib("/lib/libc.2.so")
uselib("/lib/libm.2.so")
and the uselib syscall would graft the contents of those files directly into memory, in the same fashion the kernel knew how to load the main program. Voila, calling printf at 0x400cb110 will now work.
Eventually, this switched to a single uselib("/lib/ld.so") so we could have search paths and dynamic linking. But it was a pretty good start.
After we all switched to ELF, uselib wasn't such a good idea, as ELF allows some more clever things than just direct-mapping the whole executable at a fixed address.
As part of the a.out->ELF transition, the uselib() syscall was preserved. It allowed old-style fixed location libraries to be dressed up in new ELF clothing. A few years ago I tried uselib() on MIPS, and had a miserable time trying to get GNU ld to make a library the kernel didn't reject. I gave up.
So how is this bug like Microsoft? The bug is in a mechanism that is a holdover from an older, simpler time. Nobody saw a good reason to take it out. And it didn't get much security scrutiny until somebody said, "hey, what's THAT still doing in my OS? I bet it's got bugs!"
your wait is over. (Score:3, Informative)
While I can't justify the difference, I'll tell you that there is one if we don't see any regularly recurring network born auto-root that's so bad it threatens the top level domain servers. It's not like someone cracked kernel.org and owned it for three months [slashdot.org] injecting whatever they pleased into the codebase. One good explanation of the difference is that Marketing dorks who do little more than buy other's code can't maintain
Re:your wait is over. (Score:3, Informative)
No, just GNU.org http://uk.builder.com/manage/work/0,39026594,20277 728,00.htm [builder.com]
Re:*sits back* (Score:3, Interesting)
The concept of local security is usually ignored in the MS side, that someone already using the machine could access/modify things that he should not.
Most Microsoft related advisories/reports are centered in remote vulnerabilities, things that only have a meaning for a network connected machine accessing services or being accessed from outside.
Of course, a local vulnerability could be exploited if some piece of software (i.e. a web app) have an entry point, and what should be running
*raises hand* (Score:3)
SElinux?
(don't even get started on the easyness of setting policies for selinux, you get offtopic: post the link of a MS equivalent else you lose the argument
Re:*sits back* (Score:3, Insightful)
Oh yeah. I've never yet seen a local exploit on Windows. This is true. The number one exploit from Console on Windows is usually turning on the box. Once I do that I really don't care what you've done. I own you and I'm root (Yes even with WinXP SP2 and the supposed user password protection.)
Note too to be fair. ANY box where I am at the console I don't need fancy exploits and code to grab root etc. Once I
Re:*sits back* (Score:3, Insightful)
This is a local exploit. These are so common in Windows that nobody talks about them anymore. Most reported Windows exploits are remote exploits (exploitable over the net) or application exploits, e.g. in the bundledbrowser or Email apps.
Really no comparison at all
Re:*sits back* (Score:4, Interesting)
I can only laugh out loud. Read this story [lwn.net] for example.
Re:*sits back* (Score:3, Informative)
* It all depends what copy_from_user does. Does it check to make sure that len is sane? Is it an unsigned int, or a signed int. If it's signed, then a negative value is obviously not sane and should be rejected.
Where did this code come from? What file please?
Combined with another flaw, it could be bad. (Score:3, Insightful)
All flaws need to be fixed. Even ones you don't think are very important because they could be exploited together.
It doesn't matter how many holes Windows has compared to Linux. The exploits are usually scripted and tied to a port scanner. If you're vulnerable, you will be cracked.
That's why multiple levels of securi
Re:Combined with another flaw, it could be bad. (Score:5, Insightful)
- and if we had some ham, we could make ham and eggs, if we had some eggs... seriously, we could play "what if" games all day long, but let's not blow this issue all out of proportion. It is what it is and nothing more, and at the end of the day it will have resulted in none of the sort of disasters we see on a regular basis with the microsoft platform...
Re:Combined with another flaw, it could be bad. (Score:3, Insightful)
Dangerously wrong. It is incredibly common for web applications to have holes that allow execution of arbitrary programs. A "local only" vulnerability is the other half of the weakness an attacker needs to turn a simple coding or configuration error into a root exploit.
Re:Combined with another flaw, it could be bad. (Score:5, Insightful)
This sort of thing is not as easy as you suppose - in the windows world one can write a quick vbscript to cause all sorts of nonsense, but on a unixlike platform such as Linux there would be a considerably higher barrier to the success of such shenanigans.
It sounds like you're saying this isn't such a big disaster because there aren't that many Linux users...and that strikes me as a ridiculous point of view.
I see you've failed to understand my statement. I'm at a loss as to how my meaning could have been contorted from "a potential local exploit isn't going to cause the sorts of internet disasters as we see regularly with windows" into the bizzare statement "hardly anybody uses linux" - (strokes beard thoughtfully). We can put the lie to that sort of thinking by simply considering the apache webserver, it's market share, and security record, compared to the microsoft iis web server, it's market share and it's security record. And by "security record", I don't mean "counting the number of advisories from all linux vendors and comparing them to the number of advisories from microsoft", which is a meaningless comparison. No, I mean "compare the frequency, scope and severity of the security incidents associated with the two platforms", which would be much more telling.
Re:Combined with another flaw, it could be bad. (Score:3, Insightful)
I don't think you understand what security through obscurity is, and your reasoning is the same old joe sixpack thinking that we've heard before, that linux has a better security record only because it has a smaller user base than microsoft windows. By that same logic, apa
Re:*sits back* (Score:5, Insightful)
So, as far as the number of vulnerabilities, you can't convince me (as someone in the industry) that Linux "wins". You also can't convince me that the Linux kernel has far fewer holes found than the Windows kernel. The available evidence does not support the claim. However, that doesn't mean that the Open Source development method tends towards greater potential quality than the closed source method.
Also, remember that a local root vuln is only 1 remote non-root vuln away from becoming effectively a root vulnerability. Too many people who think they are responsible admins try to ignore or downplay the seriousness of local root vulnerabilities.
Thats enough rambling for the day...
Re:*sits back* (Score:3, Funny)
Patch available (testing) (Score:3, Informative)
There is a preliminary patch in testing for the 2.4 series.
Look here. [kernel.org]
The file is patch-2.4.29-rc1.bz2
Note that it's in TESTING, because it probably needs testing yet. But if you're desperate to patch it up quickly at your own risk, then there you go.
Re: bugs in code (Score:4, Informative)
And when some third-party developers write buggy code, they really write buggy code. Remember "Return to the Pool of Radience: Ruins of Myth Drannor". Now that was a buggy game!
Re: bugs in code (Score:3, Funny)
That's why you should always put curly braces on their own lines, to increase your total lines of code. Helps achieve a more favorable sigma.
Re:*sits back* (Score:3, Insightful)
Copyright Poo Poo (Score:5, Interesting)
Credits:
========
Paul Starzetz has identified the vulnerability and
performed further research. COPYING, DISTRIBUTION, AND MODIFICATION OF
INFORMATION PRESENTED HERE IS ALLOWED ONLY WITH EXPRESS PERMISSION OF
ONE OF THE AUTHORS.
Did I violate you buy hitting ctrl-c and ctrl-v? Yeah copyrights stink even in free and open source realm. Oh yeah I guess Polly boy has something to put on his resume now as if someone else was going to steal his glory and get away with it.
isec.pl's guys rule (Score:5, Interesting)
Isec.pl has done a lot for the open source world, they've found lots of vulnerabilities (which is good - vulnerabilities ARE like any other bug):
Take a look at the impressive curriculum of those guys:
d_path() truncating excessive long path name vulnerability
Linux kernel do_brk() lacks argument bound checking [www.isec.pl]
Linux kernel do_mremap() local privilege escalation vulnerability [www.isec.pl]
Linux kernel do_mremap VMA limit local privilege escalation vulnerability [www.isec.pl]
Linux kernel setsockopt MCAST_MSFILTER integer overflow [www.isec.pl]
Linux kernel file offset pointer races [www.isec.pl]
Linux ELF loader vulnerabilities [www.isec.pl]
Linux kernel IGMP vulnerabilities [www.isec.pl]
Linux kernel scm_send local DoS [www.isec.pl]
Linux kernel uselib() privilege elevation [www.isec.pl]
Guess what, they're also the guys who discovered the mozilla hole diclosed today: Heap overflow in Mozilla Browser NNTP code [www.isec.pl]
Those guys are impressive. In particular, Paul Starzetz is the author in most of those kernel holes, along with a guy called Wojciech. They always contact the kernel maintainers before discosing the vulnerability, etc. Basically, they're having the same effect than a security audit. Except that they're doing it for free, so they deserve respect, I think. And yes, Linux is having too many kernel-level vulnerabilities. More than XP if I'm counting them right. Perhaps someone should offer a job to those guys so they can audit parts of the kernel better.
(And I can understand that copyright policy - there're people who probably look at those announcements, ctrl+c and ctrl+v and they release their own announcement twisting dates claiming that they're the guys who found it first)
Re:isec.pl's guys rule (Score:3, Funny)
Yeah, lol. Microsoft.
Oh sorry, I though you meant, 'someone should offer these guys a job so they can audit the kernel better to find *more* exploits, allowing MS to publicise all these anti-linux holes'
Re:Copyright Poo Poo (Score:5, Informative)
What's interesting is the preface that shows up on several lists:
Followed by:
No, think about it ... (Score:4, Interesting)
Actually copyrighting the exploit is kinda cool. Say you are a admin, and some kid gets fresh and tries this out. "Hey kid, not only am I nailing you to the wall for this, but I am turning you over to the guy who "owns" it and you get to pay him a nice fine." No, I think that is it pretty hilarious that the code is copyrighted.
Sera
How the hell (Score:3, Funny)
When do I get my kernel update?
Re:How the hell (Score:2)
Oh, wait. This is Linux. You'll have to reply to 5-10 questions before we can offer an answer.
Re:How the hell (Score:2)
Re:How the hell (Score:3, Funny)
When do I get my kernel update?
No worry. I ve already installed it for you.
Failed on RHEL (Score:3, Informative)
%
[+] SLAB cleanup
child 1 VMAs 65525
child 2 VMAs 65392
[+] moved stack bfff8000, task_size=0xc0000000, map_base=0xbf800000
[+] vmalloc area 0xdf400000 - 0xfe5f2000
Wait... -
[-] FAILED: try again (Cannot allocate memory)
Killed
Re:Failed on RHEL (Score:3, Interesting)
Re:Failed on RHEL (Score:5, Interesting)
Re:Failed on Debian (Score:3, Informative)
I got it to compile and run on Debian Sarge with gcc version 3.3.5, kernel 2.4.25-1-386, and it says it succeeded, but I'm still my normal UID, just drops me into a bourne shell:
won't be exploted here! (Score:5, Funny)
Once again... (Score:3, Interesting)
They've got a pretty good record. Unfortunately, kernel-level stuff is nasty -- how do you fix embedded devices?
Re:Once again... (Score:2, Insightful)
how do you fix embedded devices?
Shouldn't be much of an issue, most embedded devices don't have user accounts.
Embedded devices? (Score:3, Insightful)
First of all, for many embedded devices, this isn't an issue. I mean, if you're an attacker, what are you gonna do once you get root? If the owner can't patch the OS, you probably can't install a rootkit either. Sure, you can DOS it, but if you're physically at the device, you can DOS it just by hitting the power button.
However, manufacturers of all embedd
Funny you should mention... (Score:4, Funny)
Re:Funny you should mention... (Score:2)
garcia@shitbox:~$ sudo su
shitbox:/home/garcia#
woot, the hack works like a charm. They should really include the C source for the hack so all the kiddies can use it.
lets hope no-one discovers (Score:2, Funny)
su
This could help (Score:2, Interesting)
Local Access is always a trump card (Score:4, Interesting)
Re:Local Access is always a trump card (Score:5, Insightful)
Re:Local Access is always a trump card (Score:3, Interesting)
Re:Local Access is always a trump card (Score:5, Funny)
Maybe. (Score:3, Informative)
Atmel, amongst others, produce encrypted RAM. If you don't have the key, you can't read the memory. That's pretty secure, if you ask me.
Any OS with B1 (or better) security has comprehensive mandatory access controls, so that if you DO find an exp
Local vs. Remote (Score:3, Interesting)
Re:Local vs. Remote (Score:5, Informative)
A "remote" exploit is one that can be used by someone who has a network connection to the machine, but no account on it.
Re:Local vs. Remote (Score:3, Informative)
To be limited to a physical access e
Only in select modules? (Score:3, Insightful)
I should mention that enabling ELF format is still highly recommended (after the patch for this is released of course) and unless you do special programming work in linux then enabling a.out format is not recommended.
making APIs secure takes time (Score:5, Insightful)
Re:making APIs secure takes time (Score:5, Informative)
Its fixed by 2.6.10-ac6 along with the setsid crash and some other corner case bugs Coverity found.
Distribution restrictions (Score:5, Insightful)
INFORMATION PRESENTED HERE IS ALLOWED ONLY WITH EXPRESS PERMISSION OF
ONE OF THE AUTHORS.
Is it just me, or is this mind-bogglingly stupid? A security advisory which can't be redistributed freely? Imagine if the same approach was taken to important warnings in the real world -- "There's a tsunami heading towards you... but you're not allowed to redistribute this warning to all the people around you without my permission."
Security advisories should be in the public domain.
Re:Distribution restrictions (Score:5, Interesting)
It's irrelevant anyhow. If you didn't sign a contract to keep it secret, they have no grounds to gag you. They can copyright their exact words and can (and probably should*) control the distribution of those words, but copyright does not give them any protection of the facts contained within. And neither does anything else.
For the same reason, when you are accidentally mailed something with one of those "you must delete this immediately if you are not the intended recipient", unless it is actually and literally classified, you have no obligations. It's just to scare people.
The legal system has a ways to go before you can be obligated by an email out of the blue, or a random announcement on a webpage taking rights not granted to them by copyright but implementing no real access control (i.e., attempting to obligate you after you downloaded a page; it might work if you make it a condidion of reading but not just out of the blue, after the fact).
*: Reputation is important. One of the reasons copyright should not be straight-out abolished is its usefulness in making sure that words are correctly attributed and can be quality controlled, a virtue you are so used to you may never even think about until it is gone.
I'm safe! (Score:3, Funny)
It's a good thing I have telnet running on that box so that I could try it remotly though.
/me flips off isec.pl (Score:3, Insightful)
i'm not too impressed with the timing of this announcement, and i have to wonder what their motives were. it doesn't hurt their cause that slashdot is advertising for them.
please, people. there's no reason that a situation like this should ever happen.
Here's the exploit (-; (Score:4, Funny)
Re:Here's the exploit (-; (Score:4, Informative)
getuid() and geteuid() get the "user ID" and "effective User ID". This scripts makes a library that makes these functions return 0 -- signifying that you are the superuser. It doesn't actually make you the superuser, but it implements functions that pretend you are.
Anyway, then it compiles these functions into a library and tells the loader to link that library first. So when you start up a shell, it will call getuid() to figure out your userid, and your new library will tell it that you are userid 0. The shell prints out the root prompt instead of the regular one.
But this in no way actually gives you root privs, if you go to edit /etc/passwd you will not be able to.
Pretty funny joke, though, kind of like telling everyone that they can ftp to 127.0.0.1 using their own regular userid and password and find all the porn they could ever want...
what's that sound I hear? (Score:4, Funny)
Re:what's that sound I hear? (Score:3, Funny)
Re:what's that sound I hear? (Score:3, Informative)
Fix is merged in mainline already (Score:5, Informative)
raw diffs to for those brave souls who want them
Yawn! (Score:3, Insightful)
Newsflash kids! Linux isn't perfect! Certainly not Linux specific API extensions like uselib. Move along, this isn't the kernel vulnerability you are looking for.
Thank God... (Score:4, Funny)
For those who say "just a local exploit..." (Score:5, Insightful)
Yes it's serious but I expect a fix shortly...
Is this real? (Score:4, Interesting)
For all we know, this is a social engineering trick to spread some malicious code. Let's wait until some official folks eg. CERT, or your vendor/distribution responds. Are the people who released this code have some credibility that can be verified independently?
Unfortunately not the only one... (Score:5, Informative)
I'd really like to know what's being done about this pitiful trend of Linux security, where it's 10x as easy to find a vulnerability in the kernel than it is in any app on the system, where isec releases at least one critical vulnerability for each kernel version.
And given his description of how he found these problems, plus his frustration about getting Linus and akpm to reply, his tone is even somewhat understandable.
Re:Unfortunately not the only one... (Score:3, Interesting)
Between December 15th and today, Linus has committed many changes to
the kernel. Between January 2nd and today, Andrew Morton has committed
several changes to the kernel. 3 weeks is a sufficient amount of time
to be able to expect even a reply about a given vulnerability. A patch
for the vulnerability was attached to the mails, and in the PaX team's
mails, a working exploit as well. Private notification of
vulnerabilities is a privilege, and when that privilege is abused by not
responding promptly, i
Doesn't work? (Score:3, Interesting)
That's right! Stick with 2.0.36 (Score:3, Funny)
Dangit... (Score:4, Funny)
Reminds me of a punchline to my favorite Scottish joke:
"Aye, lad...ya screw ONE goat..."
Re:What, no remote exploit?!? (Score:4, Insightful)
For instance, shatter attacks are still a very large threat for multi-user windows systems
Re:What, no remote exploit?!? (Score:5, Informative)
It's a problem with Win32 messaging if windows aren't secured properly. It's possible for a process to send windows messages (the ones inherited from Windows 1.0) to another process, regardless of what account the processes are running as. There are a few messages (WM_TIMER esp.) that, as a parameter, take an address for the owning thread to jump to. You can also fill the contents of a text box with a message.
Process A is a privilieged service running as SYSTEM. Process B is a malicious program running as a restricted user.
A creates a window on the interactive desktop (a big no-no) with a textbox in it.
B fills the textbox with exploit code with a message and then sends a WM_TIMER or similar to A with the exploit's address. A is now executing the exploit code.
First, there are ways to divide the window handle space into seperate parts, each securable with desktop [microsoft.com] and window station [microsoft.com] objects. Both of these are kernel object types with ACLs: you can't send a message to a window unless you have access to the conaining desktop.
Also, the JOB_OBJECT_UILIMIT_HANDLES flag for Job objects [microsoft.com] will prevent messages from leaving the job.
MS guidelines specifically forbid [microsoft.com] the use of windows from a priveleged process from appearing on the interactive desktop, since NT 3.51, for this reason. This doesn't stop many third-party app developers from creating insecure apps (virus scanners esp.) that do just that.
Winlogon's windows (press ctrl+alt+delete) are safe because they are on a seperate desktop that normal users can't send messages to.
Re:What, no remote exploit?!? (Score:3, Informative)
Sending unsolicited WM_TIMER messages to another process has been blocked, but there are still other messages that can cause arbitrary code execution. The messaging model was inherited from versions of Windows way before security was considered. Sending messages (even the unsafe ones) to other processes can't be blocked or it would break way too many things. No security isn't an option in NT, so
Re:What, no remote exploit?!? (Score:3, Insightful)
Consoles apps (not consoles themselves*) are not vulnerable because they are not part of the windowing system, they output to the window via stdout/stdin/stderr.
As for X, I don't kn
Re:What, no remote exploit?!? (Score:3, Informative)
Re:What, no remote exploit?!? (Score:2, Insightful)
Re:What, no remote exploit?!? (Score:3, Funny)
no way - they're perfect open source programs. model programs, so to speak.
next, you'll tell me that x is a crufty, inefficient kludge.
Re:What, no remote exploit?!? (Score:5, Interesting)
It seems that, even though they were written in different times and without security as the first concern, a sufficiently large number of bug fixes will eventually result in code that is almost as secure.
Re:What, no remote exploit?!? (Score:2, Informative)
Long story short, while it may be shoddy, MS Windows is a LOT bigger than Linux, and thus theres
Re:What, no remote exploit?!? (Score:3)
Semantics aside however, your right, comparing apples to apples gives a better comparison.
The minimal windows install versus a minimal redhat install is a better comparison and there aren't many linux distros in which you'll ever find remote exploits in the core minimal install.
It's still not perfect though, pretty well everything can be stripped from a linux box to harden it. A windows box cannot be hardened since most remote exploits are in cor
Re:What, no remote exploit?!? (Score:2)
Re:What, no remote exploit?!? (Score:3, Interesting)
The same flawed engine is used to display your folders (turn on the location bar and type in a url, see what happens), your desktop, and your email in Outlook express and even most 3rd party apps. If you use AOL, it uses IE to render web pages. When you view a help file, guess what it's IE. It is impossible to avoid IE on a windows system.
By choosing a browser which
Re:What, no remote exploit?!? (Score:2)
It's not like the code magically runs on your machine at home...
Re: (Score:2)
Re:What, no remote exploit?!? (Score:4, Funny)
Don't you think it's more convenient for you to be able to hack multiple machines over LAN? Another reason to choose Windows over Linux.
Re:What, no remote exploit?!? (Score:3)
Re:That's why MS will rule the world. (Score:2, Funny)
Typical biased Slashdotter numbers (Score:3, Insightful)
What happened to all the "Linux is just the kernel" stuff? Oh, that's right, we were bashing Microsoft.
Besides, if you mean "past year" as 2005, then this means Linux is first out of the gate.
Re:Typical biased Slashdotter numbers (Score:3, Insightful)
Linux is not invulnerable (Score:3, Insightful)
It is important to know about, in my opinion. But that's just so we know we need to patch our kernels. Simply the fact that a root exploit has been found does not mean we should go about reposting the same types of stuff that has been posted endlessly before in similar articles on slashdot.
I prefer linux because it's free. It's also pretty stable and secure, which is nice. But I just like
Major Difference (Score:3, Interesting)
First and foremost, the terms to which you must agree before you download and install. The MS downloads and patches often come with "interesting" end-user license agreements. Meanwhile, with the Linux kernel download, you can do whatever you like, including (*gasp*) fix it yourself, if you have the ability.
Secondly, when you use Microsoft update, you don't know what is getting installed. With many things, like XP service pack 2,
Re:How do universities, etc. deal? (Score:4, Insightful)
In short, this one is too big (too exploitable, too public) to wait until Monday.
My life would be so much easier if profs didn't have such a hard on for Linux and let us admins install OpenBSD. Good thing I get paid overtime. Oh wait, I don't.