New Linux Kernel Vulnerability
Stop Or I'll Noop writes "Paul Starzetz writes, 'A critical security vulnerability has been found in the Linux kernel memory management code inside the mremap(2) system call due to a missing function return value check. This bug is completely unrelated to the mremap bug disclosed on 05-01-2003 except concerning the same internal kernel function code.' Full scoop here."
Update: 03/07 20:53 GMT by T : This vulnerability (and fixes) were mentioned briefly in an update to this earlier posting.
Re:2.6.3? (Score:5, Interesting)
Apparently, only <= 2.6.2 is affected. How could this be fixed in 2.6.3 without anyone noticing that it might be a problem in earlier kernels?
And why do you guys blame just windows... (Score:0, Interesting)
And with a 25 year history of UNIX behind it, it is "surprising" to say the least.
And how do you avid windows-baiters react to it? How come you hypocrites just blow Windows bugs out of proportion while attempting to cover up Linux kernel holes?
With just a 6-year history behind it I think Windows has come a far way from Linux (what it was when a 6 year old).
Moral: People in glass houses should not throw stones: So you UNIX/Linux guys just suck up and keep quiet instead of baiting Windows hereafter.
Oh well... (Score:0, Interesting)
Simon.
[Posted no-karma etc. yadda yadda...]
Important to Remember (Score:3, Interesting)
When a Linux vulnerability is patched, it is proof that open source software is wonderful.
More critical vulnerability in FreeBSD (Score:4, Interesting)
The TCP/IP stack can be stopped by sending unordered TCP fragments.
This is a serious remote vulnerability, and any FreeBSD with an open TCP port should be patched ASAP.
Here's a link to the official advisory
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisori
Regardless of the operating system you are running, always keep everything up to date.
Re:"Windows users: want Security, install linux"?? (Score:2, Interesting)
The goal a lot of people have is to make Linux mainstream, that means that less and less knowledgeable users will be using it. If Linux continues to suffer from kernel exploits from time to time just like Windows then those same users will be running executable mail viruses built for Linux just like they do for Windows now.
A lot of people I've seen using Linux have a false sense of security and therefore aren't as careful as they are on Windows (which is a scary thing because we all know how insecure Windows is).
Not the way to make friends. (Score:2, Interesting)
My biggest grief is him not releasing source code patches for genuine kernel.org kernels. If he's so good to release sploits, he's good enough to submit source code patches.
Robert
Fixed on SUSE kernels??? (Score:3, Interesting)
I can't exploit this on my SUSE kernel. All I get (after many attempts) is:
[+] kernel 2.4.21-192-athlon vulnerable: YES exploitable YES
MMAP #65530 0x50bfa000 - 0x50bfb000 [-] Failed
Perhaps this hasn't gone completely unnoticed...
Re:Many eyes, but wide open or tight shut ? (Score:1, Interesting)
Does not compute. (Score:4, Interesting)
Re:2.6.3? (Score:1, Interesting)
In theory, you can write functions to never require such return checking. In *practice*, though, it's hard to avoid this kind of buffer overflow. And make no mistake: exceeding the 65,535 16-bit limit hard-coded into various functions and source code is not unusual and is a source of endless confusion.
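The story summary and the comment above both turn on one bug class: a memory-management call whose result is never checked, so the caller carries on as if it had succeeded. The following is an added example, not the advisory's proof-of-concept and not kernel source; it shows the same pattern in user space, where mremap(2) can fail and return MAP_FAILED. The function names (checked_grow, grow_and_verify, failing_remap_errno) and the 4096-byte page constant are this example's own assumptions, and it is Linux-specific (mremap, MAP_ANONYMOUS).

```c
/* Added example: checked handling of mremap(2) results in user space.
 * Illustrates the bug class in the story (an unchecked return value from a
 * memory-management call); not kernel code and not the advisory's exploit.
 * Linux-specific: mremap and MAP_ANONYMOUS. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

#define PAGE 4096UL   /* assumed page size for this example */

/* Grow an anonymous mapping from old_len to new_len, moving it if needed.
 * Every call's result is checked; on failure the original mapping is
 * released and -1 is returned (errno preserved), so the caller never
 * receives MAP_FAILED as if it were a valid address. */
int checked_grow(size_t old_len, size_t new_len, unsigned char **out)
{
    unsigned char *p = mmap(NULL, old_len, PROT_READ | PROT_WRITE,
                            MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return -1;
    memset(p, 0xAB, old_len);   /* marker: proves the data survives a move */

    void *q = mremap(p, old_len, new_len, MREMAP_MAYMOVE);
    if (q == MAP_FAILED) {      /* the check whose absence is the bug class */
        int saved = errno;
        munmap(p, old_len);
        errno = saved;
        return -1;
    }
    *out = q;
    return 0;
}

/* Success path: grow one page to four, confirm the marker survived and the
 * newly added pages read as zero. Returns 1 on success, 0 otherwise. */
int grow_and_verify(void)
{
    unsigned char *buf = NULL;
    if (checked_grow(PAGE, 4 * PAGE, &buf) != 0)
        return 0;
    int ok = (buf[0] == 0xAB && buf[PAGE - 1] == 0xAB && buf[PAGE] == 0);
    munmap(buf, 4 * PAGE);
    return ok;
}

/* Failure path: an unaligned old address makes mremap fail with EINVAL.
 * Returns the errno of the failed call (0 if it unexpectedly succeeded). */
int failing_remap_errno(void)
{
    unsigned char *p = mmap(NULL, PAGE, PROT_READ | PROT_WRITE,
                            MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return -1;
    void *q = mremap(p + 1, PAGE, 2 * PAGE, MREMAP_MAYMOVE); /* deliberately unaligned */
    int err = (q == MAP_FAILED) ? errno : 0;
    if (q != MAP_FAILED)
        munmap(q, 2 * PAGE);
    else
        munmap(p, PAGE);
    return err;
}

int main(void)
{
    printf("checked grow keeps data: %s\n", grow_and_verify() ? "yes" : "no");
    printf("unaligned remap errno: %d (EINVAL=%d)\n", failing_remap_errno(), EINVAL);
    return 0;
}
```

The point of the failure path is that a remap can fail for reasons the caller did not anticipate; code that ignores the result would go on to dereference MAP_FAILED or, in the kernel case the story describes, continue with inconsistent bookkeeping. Treating every such result as fallible is the cheap mitigation.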
grsecurity (Score:2, Interesting)
Re:Many eyes, but wide open or tight shut ? (Score:3, Interesting)
So basically this proves that Linux is just as insecure as Windows is. There have been lots of major kernel vulnerabilities floating around in the past 6 months. I guess it's time to switch to OpenBSD.
Are we sure? (Score:3, Interesting)
Is this really a bug? [tinfoilhatmode] Is the advisory code correct? Or is this just so old that both 2.4 and 2.6 lines have it fixed already?
Tom
-AC kernels not affected. (Score:3, Interesting)
Typical user experience. (Score:3, Interesting)
1) Buy computer with Windows XP Home Edition pre-installed.
2) They get a virus, perhaps even a trojan. Or maybe a worm, since the computer wasn't up-to-date. Or they were stupid and opened MyDoom. Regardless, it cripples the computer.
3) They buy or download an antivirus software. Perhaps their computer works well enough to install it, and reinstall Windows if it does not.
4) Ok, finally a working computer again. But since they browse the internet as administrator (as it works by default) they get spyware. Lots of spyware. It builds up on each other and Internet Explorer has trouble starting. Pop-ups occur on every website, even Google or when IE isn't open. Perhaps their credit card info is stolen.
5) If they're lucky, they would have heard of Ad-Aware or Spybot Search and Destroy and they somehow get it on their computer to install it (no IE remember?). It deals with most of the pop-ups. But nothing really works right. Reinstall Windows.
6) Go to step 2.
I work at the campus helpdesk, so I see students with these sorts of problems all the time. I have a problem respecting an OS that will get a worm before the user has a chance to do Windows Update, an occurrence I've seen a few times.
Re:Damn (all your base are belong to us) (Score:3, Interesting)
There is a patched kernel at least for RedHat:
https://rhn.redhat.com/errata/RHSA-2004-065.html [redhat.com]
Note in the third paragraph:
"Paul Starzetz discovered a flaw in return value checking in mremap() in the Linux kernel versions 2.4.24 and previous that may allow a local attacker to gain root privileges. No exploit is currently available; however this issue is exploitable. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0077 to this issue."
This is the same CVE as the article. The patch was issued 2004-02-18.
This issue was patched in Fedora on 19 Feb with 2.4.22-1.2174. See the Fedora announce list here:
http://www.redhat.com/archives/fedora-announce-li
Supposed vulnerability (Score:2, Interesting)
So, before the FUD machine starts churning out all these opinions on how insecure Linux is, let's check our facts, OK?
neo:
(tty/dev/pts/1): bash: 1016 >
[+] kernel 2.6.3-ck1 vulnerable: NO exploitable NO
gibson:
(tty/dev/pts/1): bash: 126 >
[+] kernel 2.4.22-1.2174.nptlsmp vulnerable: YES exploitable YES
MMAP #65525 0x50bf5000 - 0x50bf6000
[-] Failed
Re:Supposed vulnerability (Score:2, Interesting)
Double standard? (Score:1, Interesting)
When Windows has a bug [slashdot.org] a comment saying "The bugs aren't in the software. THEY'RE IN THE CORPORATE CULTURE OF THIS PARTICULAR VENDOR" gets modded to +5 Insightful.
Another +5 Insightful comment says "I still wouldn't say Microsoft is getting 'better' though. They'd be getting 'better' if the vulnerabilities didn't exist in the first place!"
I wonder what he has to say about this vulnerability existing in the first place.
This patch requires a reboot, right? Kinda funny that nobody complains about it, but in this article [slashdot.org], someone says "Of course I like to reboot all the time. Otherwise I would be running Linux" in response to his newly-patched computer asking him if he'd like to reboot.
Proof-of-Concept Code (Score:5, Interesting)
I have one kernel that is vulnerable but not exploitable according to the Proof-of-Concept code. Saves me some time to not patch, recompile and reboot a new kernel.
I wish future vulnerability announcements would be like this one, e.g. contain Proof-of-Concept exploit code that can tell me whether or not the kernel/software I am running is vulnerable and/or exploitable.
Re:eyes wide stupid? (Score:2, Interesting)
The days of 'fill out form 11-B and wait two weeks and maybe we'll install that app for you' are gone.
That model of administration is dead, except in the largest most reptilian corporations.
Public knowledge for over two weeks (Score:5, Interesting)
The advisory [www.isec.pl] was released Feb. 18, so this has all been public knowledge for over two weeks. This USENET post [google.com] shows the vulnerability and upcoming exploit were known about, and Slashdot is just plain late on this one.
You have had two weeks to patch your systems. I know Slackware's advisory [slackware.com] was sent right after the vulnerability became public knowledge.
Way Too Idealistic (Score:4, Interesting)
Anyway, go read "The Art Of War" or watch "The Godfather". It is a serious error to assume your enemy is weak, and I would recommend against that philosophy when securing critical assets.
Re:Many eyes, but wide open or tight shut ? (Score:2, Interesting)
No, not at all. IMHO, this is one of the greatest advantages of Linux over Windows: there's a