Linux Kernel Back-Door Hack Attempt Discovered

An anonymous reader writes "The BitKeeper to CVS gateway was apparently hacked in an attempt to add a root exploit back door to the Linux kernel, according to the linux-kernel archive. The change was in the file kernel/exit.c and changed the user ID of a process to root under the guise of checking the validity of some flags. The core Linux BitKeeper kernel repository was not at risk, and in fact it was the BitKeeper CVS export scripts that detected the unauthorized modifications to CVS. The changes were falsely attributed in CVS to long-time Linux developer davem (David Miller). Users of the BKCVS repository should resync their trees to remove the offending code if they had replicated it since yesterday."

Daaaammmmmnnnn..

[NegativeK]

Someone has some damned big balls to do something like that...

Let's hope they're cut off.

Microsoft

[mr100percent]

Anybody point fingers at Microsoft yet? SCO?

!!! rag

[VAXGeek]

Imagine if this had sneaked into some Longhorn code right before shipping. Many eyes make few mistakes.

hmm

[Anonymous Coward]

Sounds like a plan to get the dirty GNU/hippies to upgrade to the real BitKeeper instead of using the communist CVS gateway.

That McVoy is a smart one!

Did you know his programmers need to feed their families and pay their mortgages? Very sad situation, I hope everybody buys 10-15 licenses ASAP.

Re:Microsoft

[Cobralisk]

No, but I'd like to see them claim copyright infringement on back-door code.

Re:Well well

[Anonymous Coward]

You would wonder what would happen if said hacker was working for a company on a similar closed source program. Would it have been detected?

Well the 12 backdoors I put into the Windows XP kernel haven't been detected yet.

Alright....

[aws4y]

I'll call ESR, he's got the guns.
You guys get Linus and make sure he brings Tove, since she could probly kick all our asses.

Once thats done we'll Larry McVoy, by this time hopefully he will have the IP of the slimeball.

The Pose rides at Dawn, we can kill some Trolls along the way.

Re:3 cheers for monolithic kernals

[_Sprocket_]

When you troll like that, I think you're supposed to have some throw-away account so you can collect karma in some misguided intent to abuse the moderation system. I hear that's what all the kids are doing these days.

(wait - am I supposed to say "here goes my karma" at this point?) :)

Re:3 cheers for monolithic kernals

[Geek of Tech]

You honestly have no idea what a "monolithic kernel" is, do you.

My God! It's full of stars!

1 x 4 x 9

That monolith... oh... kernel.... right...

Re:!!! rag

[LordLucless]

No, you don't understand. This exploit was disguised as error checking code. It'd stick out in Longhorn like a sore thumb.

Re:Well well

[Johnno74]

Maybe it was someone from SCO, inserting code from UnixWare to give them the 'evidence' they need...

Has anyone tried sys_wait4(__WCLONE|__WALL) on Unixware? ;)

Re:My boss is gonna read this..

[kasperd]

No more Linux for us

Yeah, because he'd rather like a closed source product where such attempts suceed unnoticed.

Re:Well well

[Anonymous Coward]

I work for Linus and am therefore posting anonymously. While this was not done on purpose, it was by a sole hacker, and not a decision by Linus. That hacker has since been let go.

In other news..

[RichardX]

Microsoft insists the timing of their bounty (pay deal) on (for) virus writers (hackers) [slashdot.org] "entirely coincidental" (damned convenient)

You mean, "what's really gonna bake your noodle...

[AvantLegion]

... is would the code be exploited if nobody had said anything?"

Re:more reason to sign patches?

[Anonymous Coward]

"This is a passphrase that is long but easy to remember. I would just like to tell you, Mister Password Prompt, that nobody will guess this!"

Hey man... That's my password. Why do you have to go and tell everyone?

Re:!!! rag

[Ripplet]

That's right, if it was just something like:

/* need to be administrator here for temporary */
/* hack, must remember to change it back again */
/* later */
set userLevel = administrator;

Nobody from MS would have batted an eyelid.

Re:Well well

[Khazunga]

RMS *must* be a low level hacker. He shows all the signs: long beard, long hair, smells, can't behave in front of people, yawns at conferences. Heck, he even farted at a conference at my Uni.

If he isn't a lowest level hacker, my world foundations are crumbling...

Does that mean the trojan is GPL'd?

[Danathar]

So, if source code for a trojan is inserted into a GPL's project and assuming the author of the Trojan knows the trojaned program is a GPL project, does that mean that the Trojan is technically GPL'ed

Re:Well well

[balloonhead]

Leprechauns.

Leprechauns live on my hard drive controller, and spin it with all their tiny might.

They're like little green DJs when I use my RAID.

Re:Well well

[The Evil Muppet]

If you do that, one of two things will happen:

1. UnixWare will crash
2. UnixWare will tell you that no such call exists

Either way, you could completely and totally use it as an excuse to make whichever person you installed UnixWare look like a complete dick, and then shoot them in the groin with a nailgun.

Re:Well well [Thompson: Reflections on Trust]

[revery]

I wonder if there is not a way to defeat such a method?

For those who didn't read the article by Ken Thompson ( read it here [acm.org]) a compiler is corrupted so that it inserts a bug into all compilers that it compiles, and the purpose of that bug is to insert a bug into another program (such as login) when it compiles it (such as accepting a certain password as the root password)

Both bugs have to be a pattern based search method. They look for some string or some sequence of characters that the original hacker believes will be consistent in future code, and then make their modifications.

Running the code through a obfuscating precompiler that both randomized variable names and added random white space would potentially remove any pattern that the trojan was looking for.

Can anyone think of things that I missed (or ways to make the trojan continue to work in the face of obfuscation)

the obfuscator would, of course, be written in an interpreted language... ( [raises pink to corner of mouth and channels Dr. Evil] whose interpreter has of course been corrupted so that it inserts naughty limericks into every application it "obfuscates".... MUWAHAHAHA... MUWAHAHAH....)

--

Was it the sheep climbing onto the altar, or the cattle lowing to be slain,
or the Son of God hanging dead and bloodied on a cross that told me this was a world condemned, but loved and bought with blood.

Re:Well well

[Greedo]

When you want to make a cattle herd cross a piranha-infested river, you probably will lose many cows (or oxen) -- the trick is get a first ox inside the river for sacrifice; while the piranhas devour it, the rest can pass unharmed.


Well, in theory.

Of course, you send in the first ox, and the pirannhas attack it. Then you try and get the other oxen to cross, and they are all like "Fuck this man, I ain't going in that freakin' river! Look at what's happenin' to Bob!!!"

Re:Well well

[Anonymous Coward]

Thats why I compile everything by hand.