
Linux Kernel Exploit Busily Rooting 64-Bit Machines

Posted by timothy
from the get-your-patch-on dept.
An anonymous reader writes "Running 64-bit Linux? Haven't updated yet? You're probably being rooted as I type this. CVE-2010-3081, this week's second high-profile local root exploit in the Linux kernel, is compromising machines left and right. Almost all 64-bit machines are affected, and 'Ac1db1tch3z' (classy) published code to let any local user get a root shell. Ac1db1tch3z's exploit is more malicious than usual because it leaves a backdoor behind for itself to exploit later even if the hole is patched. Luckily, there's a tool you can run to see if you've already been exploited, courtesy of security company Ksplice, which beat most of the Linux vendors with a 'rebootless' version of the patch."

  • by Pseudonym Authority (1591027) <SammyKakeNO@SPAMgmail.com> on Sunday September 19, 2010 @10:18PM (#33632030)
    Acidbitches..... In my day, naming your ubeR l3e7 h4xX0r 6r00p MEANT something.
  • Re:Bad Publicity... (Score:3, Interesting)

    by cybrthng (22291) on Sunday September 19, 2010 @10:26PM (#33632092) Journal

    1. MS & Windows shills may laugh about this, but only because they feel your pain. Beyond that, what does making this statement even mean?
    2. 64bit hardware is cheap. You can buy an AMD64 X2 5000 Dual Core CPU for 38 bucks shipped. Add a mobo for another 45 and if you need ram, another 50. eBay for more savings.

  • Re:But wait (Score:1, Interesting)

    by sirrunsalot (1575073) on Sunday September 19, 2010 @10:36PM (#33632158)

    oh that's right All non-Apple OS's do.

    FTFY.

  • by tomhudson (43916) <barbara.hudson@NOSpAM.barbara-hudson.com> on Sunday September 19, 2010 @10:43PM (#33632212) Journal
    Because the article is alarmist bs? You are probably NOT being rooted even as you read this. Every ksplice story slashdot has carried has turned out to be no big deal. I'm going to ignore it, based on their previous performance.
  • Re:Bad Publicity... (Score:3, Interesting)

    by HTMLSpinnr (531389) on Sunday September 19, 2010 @10:43PM (#33632214) Homepage

    ... until you get closer to 16GB of RAM and you start running out of lowmem (especially on older 2.4 kernel systems).

  • Re:Bad Publicity... (Score:5, Interesting)

    by marcansoft (727665) <[moc.tfosnacram] [ta] [rotceh]> on Sunday September 19, 2010 @10:59PM (#33632318) Homepage

    Microsoft already felt the pain, because the Xbox 360 hypervisor got owned by the same exact hole. It would almost be the same instruction-by-instruction identical bug were it not for the fact that the 360 is a PowerPC system and this is an x86_64 hole. Yes, they, too, used a 32-bit compare to check the system call number, then indexed into the array using the full 64 bits, exactly the same bug that caused this Linux hole.
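
The bug pattern marcansoft describes, shown as an added illustration that is not part of the original thread and not code from either the Linux or the Xbox 360 kernel: a bounds check performed on the truncated 32-bit value while the table index uses the full 64-bit register. The four-entry handler table, the handler names and the probe value are constructed for the demo; `dispatch_safe` is the corrected form that checks the full width before indexing, and `index_offset_bytes` only computes the offset the unchecked index would add, it never dereferences it.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed toy table standing in for a syscall table (not the kernel's). */
typedef long (*handler_t)(void);
static long h_read(void)  { return 1; }
static long h_write(void) { return 2; }
static long h_open(void)  { return 3; }
static long h_close(void) { return 4; }
static handler_t table[] = { h_read, h_write, h_open, h_close };
#define NR_ENTRIES (sizeof table / sizeof table[0])

/* Vulnerable pattern: the range check looks only at the low 32 bits of the
 * number, so any value whose low half is small passes, whatever the high
 * half holds. Returns 1 if the check would accept the number. */
int truncated_check_accepts(uint64_t nr)
{
    uint32_t low = (uint32_t)nr;          /* 32-bit compare, as described */
    return low < NR_ENTRIES;
}

/* Corrected pattern: compare the same full-width value that is later used
 * as the index. */
int full_width_check_accepts(uint64_t nr)
{
    return nr < NR_ENTRIES;
}

/* Byte offset the full 64-bit index would add to the table base. Computed
 * only; the demo never reads from that address. */
uint64_t index_offset_bytes(uint64_t nr)
{
    return nr * sizeof(handler_t);
}

/* Safe dispatcher: reject out-of-range numbers before indexing. Returns
 * the handler's result, or -1 for a rejected number. */
long dispatch_safe(uint64_t nr)
{
    if (!full_width_check_accepts(nr))
        return -1;
    return table[nr]();
}

int main(void)
{
    /* Constructed probe: low 32 bits are 1, a high bit is set. */
    uint64_t probe = 0x100000001ULL;
    printf("truncated check accepts 0x%llx: %d\n",
           (unsigned long long)probe, truncated_check_accepts(probe));
    printf("full-width check accepts it: %d\n", full_width_check_accepts(probe));
    printf("offset the unchecked index would add: %llu bytes\n",
           (unsigned long long)index_offset_bytes(probe));
    printf("dispatch_safe(2) -> %ld, dispatch_safe(probe) -> %ld\n",
           dispatch_safe(2), dispatch_safe(probe));
    return 0;
}
```

The defensive rule the example encodes is that the value validated and the value used for indexing must be the same width; the compiler will not catch a compare on a truncated copy, so this is something to look for in review wherever a register-sized number selects a table entry.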

  • Re:virus scanner (Score:3, Interesting)

    by dougmc (70836) <dougmc+slashdot@frenzied.us> on Sunday September 19, 2010 @11:02PM (#33632340) Homepage

    this is an exploit to gain "root" (administrator) access not a rootkit which is a malicious program built to hide itself from the operating system.

    But the exploit leaves a backdoor (hell, it's right there in the summary) which *is* what a rootkit does.

    Rootkits do typically hide themselves -- but only so they aren't removed, so they can provide root access at a later date. Their primary function is to provide root access at a later date -- which this exploit does, according to the summary.

  • poorly described (Score:3, Interesting)

    by MikeFM (12491) on Sunday September 19, 2010 @11:47PM (#33632594) Homepage Journal

    What is annoying me about these issues is that they are described so poorly that I'm not certain if I have a problem. I run 64-bit Linux but no 32-bit code and there are no local users other than for the services I'm running (http and ssh). So do I need to take the time to do something or can I wait for a normal update?

  • Re:poorly described (Score:3, Interesting)

    by fluffy99 (870997) on Monday September 20, 2010 @12:20AM (#33632698)

    What is annoying me about these issues is that they are described so poorly that I'm not certain if I have a problem. I run 64-bit Linux but no 32-bit code and there are no local users other than for the services I'm running (http and ssh). So do I need to take the time to do something or can I wait for a normal update?

    Short answer - it depends on whether your kernel has the vulnerability. Seriously, Slashdot is the worst place to find out more info about vulnerabilities. At least it did give the CVE which you can use to get more details and determine if you're affected.

  • by RAMMS+EIN (578166) on Monday September 20, 2010 @02:00AM (#33633034) Homepage Journal

    ``assholes that don't understand shit about security and somehow think that this means that GNU/Linux is insecure''

    It _is_ insecure. There are plenty of vulnerabilities being found and reported, and there are several things that many distributions could do to improve security. To name a few examples, many distros ship with stack smashing protection and address space layout randomization disabled, and allow pages to be writable and executable by default. Also, usually, many operations are reserved to the root user, and the root user can do everything which means that more programs than necessary run as root, and root has more power than necessary. These are not the properties of secure systems; it's not even close to state of the art security.

    ``as bad as their shitty system''

    I am not sure that such derogatory language makes the world a better place. I'm not even sure comparing the security of Linux with that of Windows is useful. If you do compare them, you will find that, at the very least, Microsoft has improved the security picture on Windows a great deal. In some cases, such as running with reduced privileges by default and only elevating privileges for programs that need it, they have merely caught up with Linux systems. But since Windows Vista, Windows ships with address space layout randomization and non-executable pages (Microsoft calls it DEP) enabled for many libraries and executables. Newer versions of Internet Explorer (certainly 8, but also newer versions of 7 if I'm not mistaken) are among those applications, and also include a "protected mode" where most of the program can't do very much at all, and all potentially harmful operations are concentrated in a small, trusted kernel running in a separate process. These are the sort of security measures taken by a vendor who takes security seriously. On the *nix side, you will find this kind of stuff in OpenBSD and a few specialty hardened Linux distros, and that's about it. Ubuntu has AppArmor, but hardly uses it.

    If you look at vulnerabilities, like the privilege escalation vulnerability in the story, I would not be surprised to find that more of these are being found and reported in Linux than in Windows these days. What that means about the relative security of Linux and Windows, I don't know. But clearly, serious security flaws are being found in Linux. As far as I am concerned, Linux's security track record is far from stellar, and there certainly isn't a strong security culture that will make this better in the near future. Easily applied security measures (see first part of my post) are being left on the table, and we have far too much code running in all-powerful kernel mode for me to be comfortable with (just one data point: I have over 100 MB of kernel modules on my system, and on the order of tens of megabytes in the running kernel image).

    Considering all the above, I would certainly refrain from calling names or making derogatory remarks against users of non-Linux systems. I don't profess to know which system is the most secure, all things considered, but I'm a firm believer in not needlessly stepping on people's toes.

    Kind regards,

    Your friendly neighborhood Linux guy

  • by LinuxAndLube (1526389) on Monday September 20, 2010 @02:55AM (#33633164)
    Are you ready to put your money where your mouth is? I set up a Windows machine. You have 24 hours to remotely root it. If you succeed, I give you 1000 USD, if not you give me 1000 USD. Deal?
  • by ToasterMonkey (467067) on Monday September 20, 2010 @03:19AM (#33633258) Homepage

    and the winslow assholes that don't understand shit about security and somehow think that this means that GNU/Linux is insecure and as bad as their shitty system, I'm going nuts every time there is a new vuln in the kernel.

    Well at least Windows admins don't lash out at YOUR OS every time THEY have a vulnerability to deal with. Why is it every time Linux has a vulnerability you lash out like it's their fault? Who is attacking whom each time a flash, adobe, or core Windows vulnerability is announced? Why the anger?

    (I mean, come on, If your service is critical enough that it can't accept 2 minutes of downtime for a reboot, then you have redundancy and can update machines one by one without any real downtime)

    Hey theory, come meet practice.

    and the winslow assholes that don't understand shit about security

    This is funny because there is a 99% chance the Windows admins where you work (you have a job?) already have the infrastructure in place to report & patch & reboot on greater numbers of systems than you have due to the frequency of their critical patches and volume of corporate desktops. Meanwhile, have fun double checking your fstab, init scripts, and 3rd party drivers, and scraping together a complete list of affected servers. Go brutalize a hundred servers with cat semiuptodatelist | while read s; do ssh -n $s yum -y update; done

    If it sounds like I'm bitter, it's because I've been there.

  • Re:Bad Publicity... (Score:2, Interesting)

    by janisozaur (1465907) on Monday September 20, 2010 @05:37AM (#33633814)
    I'm all in favor of x86_64, but as proven by one of the dev blogs (no longer available) for a facebook-ish website using custom python code, it doesn't necessarily bring speedups/advantages everywhere. Their point was that python uses *a lot* of pointers. Tests showed that even though switching to 64 bits brought some really minor improvements, it also brought much more memory usage to their servers, effectively worsening their performance. They've stayed with x86. They conducted tests some 2 or 3 years ago, I wonder what would be the result today?
