Bug Software Security Linux

New Linux Kernel Vulnerability

Stop Or I'll Noop writes "Paul Starzetz writes, "A critical security vulnerability has been found in the Linux kernel memory management code inside the mremap(2) system call due to missing function return value check. This bug is completely unrelated to the mremap bug disclosed on 05-01-2003 except concerning the same internal kernel function code." Full scoop here." Update: 03/07 20:53 GMT by T : This vulnerability (and fixes) were mentioned briefly in an update to this earlier posting.
  • Re:2.6.3? (Score:5, Interesting)

    by say ( 191220 ) <<on.hadiarflow> <ta> <evgis>> on Sunday March 07, 2004 @12:30PM (#8491018) Homepage
    Oops. That HTML posting problem. This was what I was trying to say:

    Apparently, only <= 2.6.2 is affected. How could this be fixed in 2.6.3 without anyone noticing that it might be a problem in earlier kernels?
  • by Anonymous Coward on Sunday March 07, 2004 @12:35PM (#8491063)
    Hmmm... seems the much-hyped linux too has its share of bugs and holes.
    And with a 25 year history of UNIX behind it, it is "surprising" to say the least.
    And how do you avid Windows-baiters react to it? How come you hypocrites just blow Windows bugs out of proportion while attempting to cover up Linux kernel holes?
    With just a 6 year history behind it I think Windows has come a far way from Linux (what it was when a 6 year old).

    Moral: People in glass houses should not throw stones: So you UNIX/Linux guys just suck up and keep quiet instead of baiting Windows hereafter.

  • Oh well... (Score:0, Interesting)

    by Anonymous Coward on Sunday March 07, 2004 @12:35PM (#8491069)
    The date in the original threw me - I'm not from the US, and the month/day/year order just makes them damned hard to grok. It looks very much like this *was* the the same problem as a few weeks back...

    Simon.
    [Posted no-karma etc. yadda yadda...]
  • by rudy_wayne ( 414635 ) on Sunday March 07, 2004 @12:36PM (#8491078)
    When a Windows vulnerability is patched, it is proof that closed source software is evil.

    When a Linux vulnerability is patched, it is proof that open source software is wonderful.

  • by chrysalis ( 50680 ) on Sunday March 07, 2004 @12:41PM (#8491116) Homepage
    Another kernel vulnerability was recently found in all FreeBSD (4.X and 5.x) versions.

    The TCP/IP stack can be stopped by sending unordered TCP fragments.

    This is a serious remote vulnerability, and any FreeBSD with an open TCP port should be patched ASAP.

    Here's a link to the official advisory :

    ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-04:04.tcp.asc

    Regardless of the operating system you are running, always keep everything up to date.

  • by Padrino121 ( 320846 ) on Sunday March 07, 2004 @12:45PM (#8491144)
    Neither have I, but that wasn't the point of my post.

    The goal a lot of people have is to make Linux mainstream, that means that less and less knowledgeable users will be using it. If Linux continues to suffer from kernel exploits from time to time just like Windows then those same users will be running executable mail viruses built for Linux just like they do for Windows now.

    A lot of people I've seen using Linux have a false sense of security and therefore aren't as careful as they are on Windows (which is a scary thing because we all know how insecure Windows is).
  • by stock ( 129999 ) <stock@stokkie.net> on Sunday March 07, 2004 @12:49PM (#8491166) Homepage
    This guy investigating mremap is saving a new vulnerability for every week. He's working only to get his name printed everywhere. I cannot take this seriously. If he's a genuine security analyst, he'd fix _all_ mremap related bugs within 1 patch.

    My biggest grief, is him not releasing source code patches for genuine kernel.org kernels. If he's so good to release sploits, he's good enough to submit source code patches.

    Robert
  • by multipart ( 732754 ) on Sunday March 07, 2004 @01:05PM (#8491257)

    I can't exploit this on my SUSE kernel. All I get (after many attempts) is:

    [+] kernel 2.4.21-192-athlon vulnerable: YES exploitable YES
    MMAP #65530 0x50bfa000 - 0x50bfb000 [-] Failed

    Perhaps this hasn't gone completely unnoticed...

  • by CoreDump01 ( 558675 ) * on Sunday March 07, 2004 @01:06PM (#8491268)
    Local as in an 0wn3d apache / sendmail / whatever server?
  • Does not compute. (Score:4, Interesting)

    by Raven42rac ( 448205 ) on Sunday March 07, 2004 @01:09PM (#8491281)
    Let me get this straight, it has nothing to do with the bug from a year ago, except that it affects the same code in the same system call? Call me unenlightened, but, that sounds pretty similar to me.
  • Re:2.6.3? (Score:1, Interesting)

    by Anonymous Coward on Sunday March 07, 2004 @01:19PM (#8491331)
    Perhaps because someone actually bothered to check the return value of low-level kernel functions? This is vital to do throughout your source code, but many developers ignore return values to make their code easier to write and slightly smaller and faster to run. In the kernel, this can matter a *lot* because a little bit of extra return handling code passed around thousands of times a second in a low-level function can take a heck of a lot of extra CPU and RAM. So it can also be a performance trade-off by developers not realizing how easy it is to exceed that limit and require the return handling.

    In theory, you can write functions to never require such return checking. In *practice*, though, it's hard to avoid this kind of buffer overflow. And make no mistake: exceeding the 65,535 16-bit limit hard-coded into various functions and source code is not unusual and is a source of endless confusion.
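As an added worked example of the pattern the comment above describes (this is not code from the page, from the kernel, or from the iSEC advisory), here is a toy user-space model in C of a move-to-fixed-address operation. The mapping table, the MAX_MAPS limit standing in for the kernel's per-process map count, and every function name are constructed for illustration. unmap_range() fails with -ENOMEM when clearing the destination would need a table slot it cannot get; remap_unchecked() ignores that and moves the mapping anyway, remap_checked() propagates it and moves nothing:

```c
/* Toy model of the bug class discussed above: a caller drops the error return of
 * an unmap helper and carries on as if the destination were free. Added example,
 * not kernel code; the table, its limit and every name are constructed. */
#include <errno.h>
#include <stdio.h>

#define MAX_MAPS 4   /* stand-in for the per-process mapping limit (assumption) */

struct mapping { unsigned long start, end; };             /* half-open [start, end) */
struct mm { struct mapping map[MAX_MAPS]; int count; };

/* 1 if any two mappings overlap: the inconsistent state the bug produces. */
int has_overlap(const struct mm *mm)
{
    for (int i = 0; i < mm->count; i++)
        for (int j = i + 1; j < mm->count; j++)
            if (mm->map[i].start < mm->map[j].end && mm->map[j].start < mm->map[i].end)
                return 1;
    return 0;
}

static struct mapping *find_mapping(struct mm *mm, unsigned long start)
{
    for (int i = 0; i < mm->count; i++)
        if (mm->map[i].start == start)
            return &mm->map[i];
    return NULL;
}

/* Remove [start, end). Punching a hole in the middle of a mapping splits it in two
 * and needs a free slot, so this can fail with -ENOMEM once the table is full. */
int unmap_range(struct mm *mm, unsigned long start, unsigned long end)
{
    for (int i = 0; i < mm->count; i++) {
        struct mapping *m = &mm->map[i];
        if (end <= m->start || start >= m->end)
            continue;                                  /* disjoint */
        if (start <= m->start && end >= m->end)
            mm->map[i--] = mm->map[--mm->count];       /* covered: drop it entirely */
        else if (start <= m->start)
            m->start = end;                            /* trim the head */
        else if (end >= m->end)
            m->end = start;                            /* trim the tail */
        else {
            if (mm->count >= MAX_MAPS)
                return -ENOMEM;                        /* no slot for the split */
            mm->map[mm->count].start = end;            /* second half takes a new slot */
            mm->map[mm->count++].end = m->end;
            m->end = start;                            /* first half stays in place */
        }
    }
    return 0;
}

/* Length of the mapping at old_start; 0 if absent or if the destination would overlap it. */
static unsigned long source_len(struct mm *mm, unsigned long old_start, unsigned long new_start)
{
    struct mapping *m = find_mapping(mm, old_start);
    unsigned long len = m ? m->end - m->start : 0;
    return (m && new_start < m->end && m->start < new_start + len) ? 0 : len;
}

/* Move the mapping at old_start to new_start; the unmap result is dropped (the defect). */
int remap_unchecked(struct mm *mm, unsigned long old_start, unsigned long new_start)
{
    unsigned long len = source_len(mm, old_start, new_start);
    if (!len)
        return -EINVAL;
    unmap_range(mm, new_start, new_start + len);      /* BUG: return value ignored */
    struct mapping *m = find_mapping(mm, old_start);  /* re-find: unmap may reorder slots */
    m->start = new_start;                             /* now overlaps whatever was left there */
    m->end = new_start + len;
    return 0;
}

/* Same move with the check in place: -ENOMEM propagates and nothing is moved. */
int remap_checked(struct mm *mm, unsigned long old_start, unsigned long new_start)
{
    unsigned long len = source_len(mm, old_start, new_start);
    if (!len)
        return -EINVAL;
    int err = unmap_range(mm, new_start, new_start + len);
    if (err)
        return err;
    struct mapping *m = find_mapping(mm, old_start);
    m->start = new_start;
    m->end = new_start + len;
    return 0;
}

int main(void)
{   /* constructed sample layout: four disjoint mappings, table full */
    struct mm a = { { {0x1000, 0x2000}, {0x10000, 0x20000}, {0x30000, 0x31000}, {0x40000, 0x41000} }, 4 };
    struct mm b = a;
    remap_unchecked(&a, 0x1000, 0x14000);             /* move into the middle of the 2nd mapping */
    int err = remap_checked(&b, 0x1000, 0x14000);
    printf("unchecked: overlap=%d\nchecked: err=%d overlap=%d\n", has_overlap(&a), err, has_overlap(&b));
    return 0;
}
```

Built with `cc -std=c99`, the unchecked path ends with two mappings claiming the same range, while the checked path returns -ENOMEM and leaves the table as it was. The shape is what the advisory describes: a helper that can legitimately fail at a resource limit, and a caller written as if it could not.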
  • grsecurity (Score:2, Interesting)

    by mslinux ( 570958 ) on Sunday March 07, 2004 @01:21PM (#8491345)
    Wouldn't grsecurity provide protection for this?
  • by AKnightCowboy ( 608632 ) on Sunday March 07, 2004 @01:29PM (#8491367)
    Yeh, but if you read the security report, this problem exists in *all* 2.2, 2.4, and 2.6 Linux kernels - so this local exploit has been sitting there for ~5 years before The Good Guys spotted it.

    So basically this proves that Linux is just as insecure as Windows is. There have been lots of major kernel vulnerabilities floating around in the past 6 months. I guess it's time to switch to OpenBSD.

  • Are we sure? (Score:3, Interesting)

    by tomstdenis ( 446163 ) <tomstdenis AT gmail DOT com> on Sunday March 07, 2004 @01:36PM (#8491391) Homepage
    I ran the test code in the advisory on a stock 2.4.25 build and it printed out NO and NO for both questions [vulnerable and exploitable].

    Is this really a bug? [tinfoilhatmode] Is the advisory code correct? Or is this just so old that both 2.4 and 2.6 lines have it fixed already?

    Tom
  • by Anonymous Coward on Sunday March 07, 2004 @01:46PM (#8491430)
    Just what the subject says.
  • by eean ( 177028 ) <slashdot@monrTIGERoe.nu minus cat> on Sunday March 07, 2004 @01:57PM (#8491490) Homepage
    A typical user experience.
    1) Buy computer with Windows XP Home Edition pre-installed.
    2) They get a virus, perhaps even a trojan. Or maybe a worm, since the computer wasn't up-to-date. Or they were stupid and opened MyDoom. Regardless, it cripples the computer.
    3) They buy or download an antivirus software. Perhaps their computer works well enough to install it, and reinstall Windows if it does not.
    4) Ok, finally a working computer again. But since they browse the internet as administrator (as it works by default) they get spyware. Lots of spyware. It builds up on each other and Internet Explorer has trouble starting. Pop-ups occur on every website, even Google or when IE isn't open. Perhaps their credit card info is stolen.
    5) If they're lucky, they would have heard of Ad-Aware or Spybot Search and Destroy and they somehow get it on their computer to install it (no IE remember?). It deals with most of the pop-ups. But nothing really works right. Reinstall Windows.
    6) Go to step 2.

    I work at the campus helpdesk, so I see students with these sorts of problems all the time. I have a problem respecting an OS that will get a worm before the user has a chance to do Windows Update, an occurrence I've seen a few times.
  • by SiChemist ( 575005 ) on Sunday March 07, 2004 @02:01PM (#8491517) Homepage

    There is a patched kernel at least for RedHat:

    https://rhn.redhat.com/errata/RHSA-2004-065.html [redhat.com]

    Note in the third paragraph:

    "Paul Starzetz discovered a flaw in return value checking in mremap() in the Linux kernel versions 2.4.24 and previous that may allow a local attacker to gain root privileges. No exploit is currently available; however this issue is exploitable. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0077 to this issue."

    This is the same CVE as the article. The patch was issued 2004-02-18.

    This issue was patched in Fedora on 19 Feb with 2.4.22-1.2174. See the Fedora announce list here:

    http://www.redhat.com/archives/fedora-announce-list/2004-February/thread.html [redhat.com]
  • by sloanster ( 213766 ) <ringfan@mainphBOYSENrame.com minus berry> on Sunday March 07, 2004 @02:09PM (#8491585) Journal
    Just to add my .02, I've tested this exploit code on a representative sample of my boxes here, some running stock fedora kernels, some running 2.6 kernels, and NONE of the systems is exploitable, though the reports vary depending on kernel.

    So, before the fud machine starts churning out all these opinions on how insecure linux is, let's check our facts OK?

    neo: /home/jjs
    (tty/dev/pts/1): bash: 1016 > ./a.out

    [+] kernel 2.6.3-ck1 vulnerable: NO exploitable NO

    gibson: /home/jjs
    (tty/dev/pts/1): bash: 126 > ./a.out

    [+] kernel 2.4.22-1.2174.nptlsmp vulnerable: YES exploitable YES

    MMAP #65525 0x50bf5000 - 0x50bf6000
    [-] Failed

  • by lintux ( 125434 ) <slashdot AT wilmer DOT gaast DOT net> on Sunday March 07, 2004 @02:21PM (#8491678) Homepage
    How did you compile the exploit? It didn't work on my machine either, initially, but when I compiled it correctly (-fomit-frame-pointer seems to be important), it did work.
  • Double standard? (Score:1, Interesting)

    by steve_stern ( 686745 ) on Sunday March 07, 2004 @02:36PM (#8491764) Homepage
    When a Linux bug is found, it's a triumph of the open-source community. "Look, we had access to the source code, we found a bug, and we fixed it".

    When Windows has a bug [slashdot.org] a comment saying "The bugs aren't in the software. THEY'RE IN THE CORPORATE CULTURE OF THIS PARTICULAR VENDOR" get modded to +5 Insightful.

    Another +5 Insightful comment says "I still wouldn't say Microsoft is getting 'better' though. They'd be getting 'better' if the vulnerabilities didn't exist in the first place!"

    I wonder what he has to say about this vulnerability existing in the first place.

    This patch requires a reboot, right? Kinda funny that nobody complains about it, but in this article [slashdot.org], someone says "Of course I like to reboot all the time. Otherwise I would be running Linux" in response to his newly-patched computer asking him if he'd like to reboot.

  • by 0xB00F ( 655017 ) on Sunday March 07, 2004 @02:38PM (#8491785) Homepage Journal
    I tried the "Proof-of-Concept" code. Nice thing about it is that it tells you two things. 1) If your kernel is vulnerable 2) If your vulnerability is exploitable.

    I have one kernel that is vulnerable but not exploitable according to the Proof-of-Concept code. Saves me some time to not patch, recompile and reboot a new kernel.

    I wish future vulnerability announcements would be like this one, i.e. contain Proof-of-Concept exploit code that can tell me whether or not the kernel/software I am running is vulnerable and/or exploitable.
  • Re:eyes wide stupid? (Score:2, Interesting)

    by Endive4Ever ( 742304 ) on Sunday March 07, 2004 @03:51PM (#8492157)
    A perfect snapshot example of the kind of admin arrogance that Personal Computer users revile.

    The days of 'fill out form 11-B and wait two weeks and maybe we'll install that app for you' are gone.

    That model of administration is dead, except in the largest most reptilian corporations.
  • by bigberk ( 547360 ) <bigberk@users.pc9.org> on Sunday March 07, 2004 @03:55PM (#8492177)

    The advisory [www.isec.pl] was released Feb. 18, so this has all been public knowledge for over two weeks. This USENET post [google.com] shows the vulnerability and upcoming exploit was known about, and slashdot is just plain late on this one.

    You have had two weeks to patch your systems. I know slackware's advisory [slackware.com] was sent right after the vulnerability became public knowledge.

  • Way Too Idealistic (Score:4, Interesting)

    by EventHorizon ( 41772 ) on Sunday March 07, 2004 @04:08PM (#8492250)
    That's a very naive, idealistic argument. American business often maximizes shareholder value by being as dishonest as possible, short of clearly breaking commonly enforced laws. Under your argument, Darl McBride is a "good guy" because he's a) rich from the SCOX pump-n-dump and b) not in jail (yet).

    Anyway, go read "The Art Of War" or watch "The Godfather". It is a serious error to assume your enemy is weak, and I would recommend against that philosophy when securing critical assets.
  • by mangu ( 126918 ) on Sunday March 07, 2004 @05:35PM (#8492750)
    And when something breaks, you'll have no idea what caused it,

    No, not at all. IMHO, this is one of the greatest advantages of Linux over Windows: there's a /var/log/messages file which tells you what went wrong. One of the most frustrating tasks in Windows sysadmin is when you are trying to install something and it fails. Often, you have only one choice: reinstall.
