
RDS Protocol Bug Creates a Linux Kernel Hole, Now Fixed 89

Posted by timothy
from the what-does-the-sky-think-as-it-falls dept.
Trailrunner7 writes "The open-source Linux operating system contains a serious security flaw that can be exploited to gain superuser rights on a target system. The vulnerability, in the Linux implementation of the Reliable Datagram Sockets (RDS) protocol, affects unpatched versions of the Linux kernel, starting from 2.6.30, where the RDS protocol was first included." The article goes on to say, though, that "Linux installations are only vulnerable if the CONFIG_RDS kernel configuration option is set, and if there are no restrictions on unprivileged users loading packet family modules, as is the case on most stock distributions," and that Linus Torvalds has committed a fix.
  • A local exploit only (Score:5, Informative)

    by h4rr4r (612664) on Thursday October 21, 2010 @02:25PM (#33977158)

    They should mention in the summary this is a local privilege escalation exploit only.

    • Re: (Score:3, Insightful)

      by jgrahn (181062)
      And they should say who actually has this code /installed/. RDS surely falls in the same category as SCTP -- might be useful in the lab at CERN, but not on any normal server, and certainly not on some random Ubuntu user's desktop.
      • Re: (Score:3, Insightful)

        Hm. By default? I don't know, but the article mentions testing the exploit on Ubuntu 10.04 x64.
      • by tom17 (659054) on Thursday October 21, 2010 @02:57PM (#33977694) Homepage
        It's everywhere. I just tested it on a random newish Ubuntu install (Well, 10.04) and the exploit works. It *does* say in the article that it's set up this way as default.

        I'd expect this is a pretty common vulnerability out there.
        • Re: (Score:3, Informative)

          by drumbug1 (1140947)
          If the system is completely up to date it's already patched in Ubuntu. Details on the kernel package needed for each currently supported release is here: http://www.ubuntu.com/usn/usn-1000-1 [ubuntu.com]
        • Re: (Score:2, Insightful)

          by miknix (1047580)

          That's why I like and appreciate user personalization in GNU/Linux. At the expense of being modded down, imagine Gentoo Linux for example. The kernel and userspace are built mostly by the user and so there is a lot of user-generated entropy in it. That is good for security since we can't really say for sure if Gentoo is vulnerable to this attack or another attack. The kernel option is there; it depends on whether the user enabled it or not.

          • by Kjella (173770)

            Seriously, get a grip. Most people will compile it using the default flags unless they got a reason to change it. That it doesn't involve everyone is roughly equivalent to other people on other distros hardening their machine by disabling stuff they don't use.

            • by miknix (1047580)

              Seriously, get a grip. Most people will compile it using the default flags unless they got a reason to change it

              Well.. If everything is to be left defaulted, what is the point of installing Gentoo in the first place? ;)
              People installing Gentoo know exactly what they want and want not. Otherwise it is just pointless to go all over the work that is required to install it..
              Of course there is always the people initiating in Gentoo, but that happens to be a small and volatile userbase.

              That it doesn't involve everyone is roughly equivalent to other people on other distros hardening their machine by disabling stuff they don't use.

              Notice that I never said that. However I think you might agree that people changing the system *a lot* are the exception. For the sake of t

              • - that is my point. Still in Gentoo the percentage doesn't arrive anywhere near 100% because we have genkernel (to generate config and build the kernel automatically).

                I like genkernel, place your custom kernel config for the right version in /etc/kernels (just cp any old one), run genkernel --menuconfig for a quick look if there is anything new if you want and done. I use git-sources on my desktop and change kernel frequently and genkernel saves time when (ab)using a _custom_ kernel. And apparently "# CONFIG_RDS is not set"..

    • by synthesizerpatel (1210598) on Thursday October 21, 2010 @02:38PM (#33977392)

      Listen, not a year goes by, not a year, that I don't hear about some escalator accident involving some bastard kid which could have easily been avoided had some parent - I don't care which one - but some parent conditioned him to fear and respect that escalator.

    • by Aquina (1923974)
      Yes, because that's what makes a huge difference!
    • by tlhIngan (30335) <slashdot@worfMOSCOW.net minus city> on Thursday October 21, 2010 @04:14PM (#33978902)

      They should mention in the summary this is a local privilege escalation exploit only.

      Local exploits become remote exploits through a vulnerable service or bad passwords. Just because something can only be done locally means nothing. It just means all I need to do is gain any sort of access then use the exploit. Instant root. And all I needed was just the ability to run a bit of my code. Or if I've previously gotten access in but not used it because running things as "nobody" isn't terribly useful, now with the ability to get root makes it very useful.

      It's the same sort of thing that let that jailbreakme.com thing work - Safari downloads a PDF, the PDF display code tries to display it and fails, and runs the exploit code. Exploit code runs as Safari, uses a privilege escalation hole to get root access, then does all the jailbreak stuff as root.

      • Browser based exploits are generally considered remotely exploitable for user devices. They can be placed anywhere on the net.

        Good luck getting this one to be exploited via the browser automatically.

        • by tepples (727027)

          Good luck getting this one to be exploited via the browser automatically.

          Put it on a web advertisement network.

    • by Oceanplexian (807998) on Thursday October 21, 2010 @04:26PM (#33979084) Homepage
      Only? Only a local root exploit?

      That kind of attitude makes me upset because I endure a lot of it where I work. A local root exploit is the hard part of owning a server. Getting unprivileged access through some vulnerability is comparatively a piece of cake.
    • I guess that means most websites then. Nothing to see folks, move along.
  • by digitaldc (879047) * on Thursday October 21, 2010 @02:33PM (#33977310)
    "Reliable Datagram Sockets (RDS) provide in order, non-duplicating, highly available, low overhead, reliable delivery of datagrams between hundreds of thousands of non-connected endpoints."

    Gives new meaning...

    Recommendation:
    Users should install updates provided by downstream distributions or apply the committed patch [3] and recompile their kernel.
    Preventing the RDS kernel module from loading is an effective workaround. This can be accomplished by executing the following command as root:
    echo "alias net-pf-21 off" > /etc/modprobe.d/disable-rds
    • Re: (Score:3, Insightful)

      by h4rr4r (612664)

      Better question do any distros ship with this on by default?

      They mention 10.04, but do not say if they had to enable it first. I guess I will have to check what modules my desktop has at home to see.

      • Re: (Score:3, Informative)

        by tom17 (659054)
        It's enabled by default. I tested it.
        • by dgatwood (11270)

          You see, this is what I don't like about most Linux distros. There's way too much crap turned on by default. This protocol is basically useful only in a cluster computing environment, which represents maybe one, maybe two percent of the installed base of even a frequently clustered OS like Linux (and only because each admin runs thousands of usually identical boxes). Sure, security may ultimately be the responsibility of the users, but it's downright reckless and irresponsible to have esoteric protocols

      • Re: (Score:2, Interesting)

        by AlphaZeta (1356887)

        Just tried on my home machine (Ubuntu 10.04 64 bit) and it couldn't get the root shell. It's running 2.6.32-25-generic.
        [*] Linux kernel >= 2.6.30 RDS socket exploit
        [*] by Dan Rosenberg
        [*] Resolving kernel addresses...
        [+] Resolved rds_proto_ops to 0xffffffffa0bc4860
        [+] Resolved rds_ioctl to 0xffffffffa0bbd000
        [+] Resolved commit_creds to 0xffffffff8108aee0
        [+] Resolved prepare_kernel_cred to 0xffffffff8108b2c0
        [*] Overwriting function pointer...
        [*] Triggering payload...
        [*] Res

    • by hackus (159037)

      MMMmmm sounds like a perfect transport layer for a botnet...now if I could just break into the server...

      Oh wait.

      Nevermind.

      -Hack

    • Re: (Score:2, Informative)

      by rastos1 (601318)

      Preventing the RDS kernel module from loading is an effective workaround. This can be accomplished by executing the following command as root:
      echo "alias net-pf-21 off" > /etc/modprobe.d/disable-rds

      I hate it when I see advice like that. Linux is an open system. We should understand what we are doing when running a command like that as root. Running that command means that you tell the kernel module loading mechanism that it should not load the module named net-pf-21. My man page for modprobe says th

      • Re: (Score:2, Informative)

        by Anonymous Coward

        "net-pf" is a common prefix that refers to network packet families. You have an alias file at /lib/modules/[kernel version]/modules.alias that contains a number of entries like this. This is actually a format that is hard-coded into the kernel:

        http://lxr.linux.no/#linux+v2.6.36/net/socket.c#L1196

        The workaround is perfectly valid.

      • Re: (Score:3, Informative)

        by JesseMcDonald (536341)
        The module name is "rds"; "net-pf-21" is an alias, and stands for Network Packet Family #21.
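The modprobe workaround quoted above, together with the net-pf-21 explanation in these replies, can be checked and applied from a script. This is an added example, not code from the thread, the advisory, or any distribution; it assumes the running kernel's config is at /boot/config-$(uname -r) and that modprobe reads only files ending in .conf under /etc/modprobe.d.

```shell
#!/bin/sh
# Added example (not from the thread, the advisory, or any distribution): audit
# whether a host can still auto-load the RDS module via its net-pf-21 alias and
# stage the modprobe workaround. Paths are parameters so every check also runs
# against a constructed tree.

# 0 if the kernel config file $1 builds RDS, built-in (=y) or as a module (=m).
rds_configured() {
    grep -Eq '^CONFIG_RDS=(y|m)$' "$1" 2>/dev/null
}

# 0 if rds is currently loaded, judged from a /proc/modules-style file $1.
rds_loaded() {
    grep -q '^rds ' "$1" 2>/dev/null
}

# 0 if some *.conf in modprobe.d directory $1 turns the net-pf-21 alias off or
# overrides the rds install command. modprobe only reads files ending in .conf.
rds_autoload_blocked() {
    [ -d "$1" ] || return 1
    cat "$1"/*.conf 2>/dev/null | grep -Eq \
        '^[[:space:]]*(alias[[:space:]]+net-pf-21[[:space:]]+off|install[[:space:]]+rds[[:space:]])'
}

# Prints files in $1 that mention net-pf-21 or rds but lack the .conf suffix and
# are therefore ignored (the advisory's /etc/modprobe.d/disable-rds is one).
rds_stale_conf() {
    for f in "$1"/*; do
        case "$f" in *.conf) continue ;; esac
        [ -f "$f" ] && grep -Eq 'net-pf-21|(^|[[:space:]])rds([[:space:]]|$)' "$f" && echo "$f"
    done
    return 0
}

# Writes the workaround to $1/disable-rds.conf: the advisory's alias line plus
# an install override so that an explicit 'modprobe rds' is a no-op as well.
write_rds_block() {
    printf 'alias net-pf-21 off\ninstall rds /bin/true\n' > "$1/disable-rds.conf"
}

# Audit of the running machine; one finding per line.
rds_audit() {
    rds_configured "/boot/config-$(uname -r)" && echo "CONFIG_RDS is enabled in the running kernel's config"
    rds_loaded /proc/modules && echo "rds module is currently loaded"
    rds_autoload_blocked /etc/modprobe.d || echo "no *.conf under /etc/modprobe.d blocks RDS autoload"
    rds_stale_conf /etc/modprobe.d | sed 's/^/ignored by modprobe (missing .conf suffix): /'
}

if [ "${RDS_AUDIT:-0}" = 1 ]; then rds_audit; fi
```

Run it with RDS_AUDIT=1 to audit the live machine, or source it and call write_rds_block /etc/modprobe.d as root to stage the block.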
  • by Anonymous Coward

    2.2.26 is still working great for me, thanks!

  • Was this vulnerability fixed in yesterday's massive security update?
  • by Anonymous Coward on Thursday October 21, 2010 @04:14PM (#33978900)

    Sorry for the Anonymous Coward reply, I don't have an account in my name. I'm the researcher who discovered the vulnerability and published it. Just thought I'd clear up a few issues:

    1. Stock installations of Ubuntu, Debian, Fedora, Red Hat, Arch, Slackware, and SuSE (and probably more) >= 2.6.30 are (or were) all vulnerable to the issue. Ubuntu has already issued an update, which is why some people can't get the exploit working on their Ubuntu machines. Even if the proof-of-concept doesn't work on your machine, if you have an unpatched machine that compiles RDS as a module, you are vulnerable and should patch.

    2. Just because something is "compiled as a module" doesn't mean you have to explicitly have an administrator load it in order for it to be used. Networking protocols can be loaded at runtime by unprivileged users on nearly every distribution, including RDS. This is part of a broader security problem in the Linux world that should be improved.

    3. No one should be complaining about the week-long period after reporting before disclosure. The Linux security folks upstream would have published the fix the day I reported the issue, except I specifically requested an embargo period of one week, during which downstream distributions could prepare updates. If I hadn't requested this embargo, then the fix would have been published immediately, but distribution users would have had to wait for their respective distributions to put together updates.

  • goto fallback;
    goto repeat;

    See? If gotos are outlawed, only outlaws will have gotos.
  • Would SELinux not protect against this?

  • "The open-source Linux operating system"

    LINUX IS A FUCKING KERNEL. The distros comprise the operating system.

    Until /. can make this distinction and keep it consistent (and totally disavow any article containing the phrase 'Linux Operating System') this site should not be operating as any sort of distribution site.

    It's just as bad as Fox with the spouted nonsense in the actual story.

    Sorry, Tako (octopus,) you need to lose your geek-cred license for this site until your brain-dead editors can get their shit r
