Local Root Exploit in Linux 2.4 and 2.6 795
Anonymous Coattails writes "Summary from the advisory: 'Locally exploitable flaws have been found in the Linux binary format loaders' uselib() functions that allow local users to gain root privileges.'"
Failed on RHEL (Score:3, Informative)
%
[+] SLAB cleanup
child 1 VMAs 65525
child 2 VMAs 65392
[+] moved stack bfff8000, task_size=0xc0000000, map_base=0xbf800000
[+] vmalloc area 0xdf400000 - 0xfe5f2000
Wait... -
[-] FAILED: try again (Cannot allocate memory)
Killed
Re:*sits back* (Score:1, Informative)
Second, it'll probably be patched rather quickly.
Third, it's one of a few holes, compared to the one of many holes found in windows...
Re:What, no remote exploit?!? (Score:3, Informative)
Re:What, no remote exploit?!? (Score:2, Informative)
Long story short, while it may be shoddy, MS Windows is a LOT bigger than Linux, and thus theres more to exploit. If you look at something like Redhat, which is a distribution, you have more of a comparison, and you will find remote exploits.
Re:dude (Score:2, Informative)
Re:Local vs. Remote (Score:5, Informative)
A "remote" exploit is one that can be used by someone who has a network connection to the machine, but no account on it.
Re:Copyright Poo Poo (Score:1, Informative)
Not copyright. Because you copied a mere part of the work, and you did so for the purposes of criticism, and you aren't making any money off it. Almost anybody would classify that as "fair use". Copyright has limits. It does not give the author absolute control in all circumstances and forms.
Re:Failed on RHEL (Score:1, Informative)
exploit.c: In function `scan_mm_start':
exploit.c:425: error: storage size of 'l' isn't known
exploit.c:425: error: storage size of `l' isn't known
exploit.c: In function `check_vma_flags':
exploit.c:545: error: label at end of compound statement
gcc version 3.4.1 (Mandrakelinux 10.1 3.4.1-4mdk)
Re: bugs in code (Score:4, Informative)
And when some third-party developers write buggy code, they really write buggy code. Remember "Return to the Pool of Radience: Ruins of Myth Drannor". Now that was a buggy game!
Fix is merged in mainline already (Score:5, Informative)
raw diffs to for those brave souls who want them
Re:Copyright Poo Poo (Score:5, Informative)
What's interesting is the preface that shows up on several lists:
Followed by:
Re:what's that sound I hear? (Score:3, Informative)
Maybe. (Score:3, Informative)
Atmel, amongst others, produce encrypted RAM. If you don't have the key, you can't read the memory. That's pretty secure, if you ask me.
Any OS with B1 (or better) security has comprehensive mandatory access controls, so that if you DO find an exploit somewhere, it is still not possible to access other parts of the system. (B-class and A-class OS' do not "need" a system admin account, since you can define specialised pseudo users that can do exactly what is needed for a given task and no more.)
Then, there are systems like OpenBSD which have been audited to hell and back. OpenBSD has had one provably-usable exploit in living memory.
Then, you've various security software that's out there. eg: Using OTPs w/ S/Key or OPIE for passwords, enforcement of strong passwords, IPSec w/ strong host authentication on all network connections, etc.
In theory, there is nothing to prevent someone from combining all of these elements to produce a hardened OS that is impervious to both physical and logical attacks, both locally and remotely.
In practice, nobody would spend the time and/or money on that level of security for normal use. Ok, the NSA might, but that's not strictly "normal use". It's also unlikely they'd make such an OS readily available. (They've done wonders with SE-Linux, and the declassifying of Skipjack and SHA has made a world of difference in cryptography, but that's not quite the same as Open Sourcing a bullet-proof system.)
Re:making APIs secure takes time (Score:5, Informative)
Its fixed by 2.6.10-ac6 along with the setsid crash and some other corner case bugs Coverity found.
Re:*sits back* (Score:3, Informative)
* It all depends what copy_from_user does. Does it check to make sure that len is sane? Is it an unsigned int, or a signed int. If it's signed, then a negative value is obviously not sane and should be rejected.
Where did this code come from? What file please?
Re:What, no remote exploit?!? (Score:5, Informative)
It's a problem with Win32 messaging if windows aren't secured properly. It's possible for a process to send windows messages (the ones inherited from Windows 1.0) to another process, regardless of what account the processes are running as. There are a few messages (WM_TIMER esp.) that, as a parameter, take an address for the owning thread to jump to. You can also fill the contents of a text box with a message.
Process A is a privilieged service running as SYSTEM. Process B is a malicious program running as a restricted user.
A creates a window on the interactive desktop (a big no-no) with a textbox in it.
B fills the textbox with exploit code with a message and then sends a WM_TIMER or similar to A with the exploit's address. A is now executing the exploit code.
First, there are ways to divide the window handle space into seperate parts, each securable with desktop [microsoft.com] and window station [microsoft.com] objects. Both of these are kernel object types with ACLs: you can't send a message to a window unless you have access to the conaining desktop.
Also, the JOB_OBJECT_UILIMIT_HANDLES flag for Job objects [microsoft.com] will prevent messages from leaving the job.
MS guidelines specifically forbid [microsoft.com] the use of windows from a priveleged process from appearing on the interactive desktop, since NT 3.51, for this reason. This doesn't stop many third-party app developers from creating insecure apps (virus scanners esp.) that do just that.
Winlogon's windows (press ctrl+alt+delete) are safe because they are on a seperate desktop that normal users can't send messages to.
Unfortunately not the only one... (Score:5, Informative)
I'd really like to know what's being done about this pitiful trend of Linux security, where it's 10x as easy to find a vulnerability in the kernel than it is in any app on the system, where isec releases at least one critical vulnerability for each kernel version.
And given his description of how he found these problems, plus his frustration about getting Linus and akpm to reply, his tone is even somewhat understandable.
Re:Here's the exploit (-; (Score:4, Informative)
getuid() and geteuid() get the "user ID" and "effective User ID". This scripts makes a library that makes these functions return 0 -- signifying that you are the superuser. It doesn't actually make you the superuser, but it implements functions that pretend you are.
Anyway, then it compiles these functions into a library and tells the loader to link that library first. So when you start up a shell, it will call getuid() to figure out your userid, and your new library will tell it that you are userid 0. The shell prints out the root prompt instead of the regular one.
But this in no way actually gives you root privs, if you go to edit /etc/passwd you will not be able to.
Pretty funny joke, though, kind of like telling everyone that they can ftp to 127.0.0.1 using their own regular userid and password and find all the porn they could ever want...
your wait is over. (Score:3, Informative)
While I can't justify the difference, I'll tell you that there is one if we don't see any regularly recurring network born auto-root that's so bad it threatens the top level domain servers. It's not like someone cracked kernel.org and owned it for three months [slashdot.org] injecting whatever they pleased into the codebase. One good explanation of the difference is that Marketing dorks who do little more than buy other's code can't maintain it properly.
Re:Local Access is always a trump card (Score:2, Informative)
> an attacker with physical access?
In the phrase "local root exploit", the word "local" doesn't mean local in
the sense of physically present, but in the sense of needing to already have
user-level access. If you combine it with a non-root remote exploit, the
two together add up to the equivalent of a remote root exploit.
In other words, this is definitely something we want to fix.
As far as securing a system against physical access, that's a whole nother
kind of hard. At bare minimum you need an encrypted filesystem with a key
that isn't stored and so has to be entered by an authorized user every time
the filesystem is mounted, and then on top of that if you make sure that the
machine, if left unattended, suspends running processes to disk and then
unmounts the filesystem, and if you're both paranoid, obsessive, and tireless
when it comes to bughunting, you potentially could develop a system that has
a reasonable degree of security against an attacker with physical access --
but "a reasonable degree" does not mean "impenetrable" -- there are still
hidden cameras, keyboard logging devices, and the like, to say nothing of
rubber hose cryptanalysis.
Re:Local vs. Remote (Score:3, Informative)
To be limited to a physical access exploit, it would need to be a bug in the keyboard driver, the input layer, or possibly a user-space program that uses raw keyboard entry. I don't think screwdriver level access counts, since you can lock your machine up. Filesystem bugs could be exploitable via usb drives, floppy disks, cf drives, etc... Those are physical exploits rather than local.
Re:Failed on Debian (Score:3, Informative)
I got it to compile and run on Debian Sarge with gcc version 3.3.5, kernel 2.4.25-1-386, and it says it succeeded, but I'm still my normal UID, just drops me into a bourne shell:
Patch available (testing) (Score:3, Informative)
There is a preliminary patch in testing for the 2.4 series.
Look here. [kernel.org]
The file is patch-2.4.29-rc1.bz2
Note that it's in TESTING, because it probably needs testing yet. But if you're desperate to patch it up quickly at your own risk, then there you go.
Re:your wait is over. (Score:3, Informative)
No, just GNU.org http://uk.builder.com/manage/work/0,39026594,20277 728,00.htm [builder.com]
Re:What, no remote exploit?!? (Score:3, Informative)
Exploit uses deprecated GCC extension (Score:1, Informative)