
The Linux Backdoor Attempt of 2003

Posted by Unknown Lamer
from the alright-which-one-of-you-did-it dept.
Hugh Pickens DOT Com writes "Ed Felten writes about an incident, in 2003, in which someone tried to backdoor the Linux kernel. Back in 2003 Linux used BitKeeper to store the master copy of the Linux source code. If a developer wanted to propose a modification to the Linux code, they would submit their proposed change, and it would go through an organized approval process to decide whether the change would be accepted into the master code. But some people didn't like BitKeeper, so a second copy of the source code was kept in CVS. On November 5, 2003, Larry McVoy noticed that there was a code change in the CVS copy that did not have a pointer to a record of approval. Investigation showed that the change had never been approved and, stranger yet, that this change did not appear in the primary BitKeeper repository at all. Further investigation determined that someone had apparently broken in electronically to the CVS server and inserted a small change to wait4: 'if ((options == (__WCLONE|__WALL)) && (current->uid = 0)) ...' A casual reading makes it look like innocuous error-checking code, but a careful reader would notice that, near the end of the first line, it said '= 0' rather than '== 0', so the effect of this code is to give root privileges to any piece of software that called wait4 in a particular way that is supposed to be invalid. In other words it's a classic backdoor. We don't know who it was that made the attempt—and we probably never will. But the attempt didn't work, because the Linux team was careful enough to notice that this code was in the CVS repository without having gone through the normal approval process. 'Could this have been an NSA attack? Maybe. But there were many others who had the skill and motivation to carry out this attack,' writes Felten. 'Unless somebody confesses, or a smoking-gun document turns up, we'll never know.'"
  • Repost (Score:2, Informative)

    by Anonymous Coward on Wednesday October 09, 2013 @12:13PM (#45082251)

    This has been posted plenty of times on here, and this article has no new information on the backdoor attempt. About the only thing is the spurious claim the NSA was behind it. Geez.

  • by Anonymous Coward on Wednesday October 09, 2013 @12:17PM (#45082311)

    The difference between linux and closed source OSs is that on linux you may be able to identify malicious code in the kernel and remedy this situation. For closed source solutions you're truly fucked through and through. You seriously think Microsoft and Apple haven't backdoored their OS? Just one more reason to stop using closed source software if you value your privacy, your secrets etc...

  • Re:OMG enough (Score:5, Informative)

    by djmurdoch (306849) on Wednesday October 09, 2013 @12:26PM (#45082419)

    Unless somebody has proof that somebody was trying to create a back door then stop with all of the "X-Files" shit. It could have been a hacker trying to put that code in. How was the system that hosted the CVS repository managed? Was it hacked? Was there any investigation or was it possibly somebody that did something stupid and now everybody thinks it's somehow tied to the NSA?!?!?

    Yes, there was an investigation [indiana.edu]. The name attached to the log entries belonged to someone who said he didn't make the changes.

  • Re:OMG enough (Score:5, Informative)

    by Virtucon (127420) on Wednesday October 09, 2013 @12:37PM (#45082541)

    L. McVoy...

    It's not a big deal, we catch stuff like this, but it's annoying to the
    CVS users.

    My Favorite from A. Walrond..

    Somebody getting access to and inserting exploits directly into the linux
    source is not something we should take lightly. Whilst we understand the
    limits of the problem, the fact that it happened at all could get /.'d out of
    all proportion and be used to seriously undermine linux's reputation

    Note, back in 2003, "/.'d out of all proportion..." which is exactly what this article is all about.

  • Re:Repost (Score:5, Informative)

    by i kan reed (749298) on Wednesday October 09, 2013 @12:54PM (#45082733) Homepage Journal

    Not just in the news, but documented as having worked with software companies to inject backdoors into software, and hints that they may have specifically solicited Linus to do that with Linux.

  • Re:OMG enough (Score:5, Informative)

    by gstoddart (321705) on Wednesday October 09, 2013 @01:09PM (#45082929) Homepage

    I do listen to the news, so prove to me that it was the NSA rather than some bored college student looking to inject some mayhem?

    And why would I seek to prove something to you that it says right in the damned article that nobody knows who did it, or why, or how? I certainly never claimed it was the NSA, and even TFS suggest that, while it could have been the NSA, they don't know.

    There is direct proof someone tried to insert a back door, but as far as who did it, nobody fucking knows, and TFS even says that.

    Given what the NSA is doing lately, they're a plausible guess, but, there is no proof to suggest what entity did that ... NSA, bored college student, the Chinese, aliens, your mom. It says right in the summary they don't know, and unless someone admits to it, they never will -- but nonetheless, code did magically end up in the code repository they couldn't account for and which they caught. So someone did attempt to insert a back door, that much is fact -- the rest of it is speculation, and that's pretty much evident that it is speculation.

    You're asking for proof of something that people are only suggesting as a possibility, not claiming as fact. Which means you're not even debating the article, you're debating something the article didn't say but you're acting as if it did.

    You're tilting at windmills there dude.

  • Re:C/C++ operator = (Score:2, Informative)

    by Anonymous Coward on Wednesday October 09, 2013 @01:51PM (#45083397)

    The language is FORTRAN and they fixed it before FORTRAN 77.

  • Re:OMG enough (Score:5, Informative)

    by gstoddart (321705) on Wednesday October 09, 2013 @02:03PM (#45083483) Homepage

    Or there was a coding error.

    A coding error, which got into CVS and bypassed BitKeeper, for which there's no commit logs to account for it? And which by sheer fluke would also have been an exploit?

    Sure, it could have been a coding error, but the description of how they found it and what they couldn't subsequently find would strongly suggest that this got in there by some really, er, 'unusual' mechanism.

    It sounds like they did the forensics at the time, and that it didn't come in through any mechanism any of them could account for.

    If I understood correctly, this didn't get into CVS from a commit, it just ended up in there. And in many years of working with CVS, I'm pretty sure I've never seen that happen.

  • Re:OMG enough (Score:4, Informative)

    by tlhIngan (30335) on Wednesday October 09, 2013 @04:06PM (#45084795)

    The name attached to the log entries belonged to someone who said he didn't make the changes.

    Well, it also had the fact that CVS was just a read-only clone. If you wanted to make a change, you can't submit it to CVS - you had to submit the change up the chain and eventually it would hit the BitKeeper repo first, then propagate to CVS.

    So oddball entries like that mean it not only is a change that doesn't end up back in the BK tree (because there's no pointer back to the BK changeset), so something strange is going on.

    Of course, this only affected CVS users - it would not affect BK users (as the CVS was a one-way clone of the BK tree that was autogenerated), so the change not only was only in CVS, but there is no corresponding change in the BK tree to be linked with anyone.

  • Re:OMG enough (Score:5, Informative)

    by jcochran (309950) on Wednesday October 09, 2013 @07:07PM (#45086721)

    Obviously you're unaware of how GCC works. Yes, it would have issued a warning message if the line was:
    wait4: if ((options == (__WCLONE|__WALL)) && current->uid = 0) ...

    But the author of that little backdoor attempt added the extra 'superfluous' parenthesis around the assignment. Like this:
    wait4: if ((options == (__WCLONE|__WALL)) && (current->uid = 0)) ...

    And GCC uses those extra parentheses as an indication that 'The assignment is deliberate and desired. Don't warn me about it. I know what I'm doing'
    In fact, GCC still uses those extra parentheses as an indication that the warning message should be suppressed.
