Root Privileges Through Linux Kernel Bug 131
Lars T. writes "The H has a story about a Linux kernel bug that allows root level access. 'According to a report written by Rafal Wojtczuk (PDF), a conceptual problem in the memory management area of Linux allows local attackers to execute code at root level. The Linux issue is caused by potential overlaps between the memory areas of the stack and shared memory segments.' SUSE maintainer Andrea Arcangeli provided a fix for the problem in September 2004, but for unknown reasons this fix was not included in the Linux kernel. The bug is not related to the X Server bug found by Brad Spengler."
As the linked article notes: "SUSE itself has the fix and SUSE Linux Enterprise 9, 10 and 11 as well as openSUSE 11.1 through 11.3 do not exhibit this vulnerability."
Re:Unrelated? The PDFs are the same! (Score:5, Insightful)
The memory management issue is the thing that enables using a flaw in the X server to escalate privilege. If you fix the X server to not allow that kind of manipulation, you still have the kernel memory management issue that could be used by some other application to escalate privilege.
I think that fixing the X server - one mitigation is to disable the MIT-SHM extension as discussed in the pdf - really reduces the exposure but since the real problem is in the kernel, it doesn't completely remove the threat.
At least that is how I understand it...
Re:Nothing to see here.... (Score:5, Insightful)
I don't agree that it's "nothing to see here" - something has gone wrong if it took 6 years for this to happen.
Re:Nothing to see here.... (Score:5, Insightful)
Nothing to see here? Will you say the same thing when Microsoft waits 6 years to apply a fix to WinXP? :)
Yes, these things are less likely to happen with Linux. That doesn't mean Linux kernel processes are above reproach, and can't be made more responsive & accountable in cases like this where somebody obviously dropped the ball on merging a patch somewhere. I hope they spend a little time reviewing how this got missed, to make sure it's not a flaw in their process that could allow it to happen again.
Re:Ummmmm, a local exploit. (Score:2, Insightful)
No, normally access to the machine at user level should not imply access to the machine at root level.
Re:Linux! "It just works!" (Score:3, Insightful)
I wonder how many bugs like this are lurking in closed source products, just waiting to be discovered and exploited?
I wonder how many bugs like this are lurking in open source projects, just waiting to be discovered and used against people that assume that the software they use is secure because they read Slashdot comments.
Re:ZOMG!!! (Score:4, Insightful)
What part of "local attackers" do you fail to understand?
Re:Nothing to see here.... (Score:4, Insightful)
Agreed it would be good to know where the breakdown in communication happened. Did it get ignored because the submitter didn't realise it was a security issue and report it as such? Did someone just miss an email somewhere? (and if so why wasn't there a system in place to keep track of current security bugs and make it bloody obvious which ones still needed fixing along with someone responsible for looking at that list and fixing them). Was the breakdown on the SUSE side or the upstream side?
Re:ZOMG!!! (Score:3, Insightful)
He's a troll, but that doesn't mean that there isn't a grain of truth to what he implies. Most Windows exploits are also technically local attacks, as are Trojans (by definition). Somebody thinking that they're safe (because the software runs with limited permissions) would be in for a nasty surprise if an attacker exploited this.
Re:Linux! "It just works!" (Score:5, Insightful)
Indeed, 5 years old and no exploit.
How do you know?
Re:Wow! Linux is really Secure. (Score:5, Insightful)
Look at this graph: http://linuxinsecurity.blogspot.com/ [blogspot.com]
Please do. Notice how the graphs show Windows with 10-12% of the issues unpatched?
That's the problem. Well that and the missing graph showing "time to patch"...
Re:you didn't do it right (Score:3, Insightful)
But the problem is that often if you know about it, it's not really a big issue to you. If I know about an ugly pothole in the road, I can with little effort drive past it. So why then should I spend my valuable time pestering the road maintainers about it? Granted, maybe not in this specific case as you can't avoid the security hole but bugs in general you can often avoid the condition triggering the bug.
The first time you tell them, then maybe the only reason it's not fixed is because nobody told them about it. It's only other people who, having run into the pothole and wrecked their car and learning that the maintainers were in fact notified about it that get pissed. Like in this case, SUSE has been fixed for a long time so why should SUSE maintainers work their butts off getting it upstream?
At times, upstream seem to think it's their god given right that downstream should feed them with everything they do. They don't, the only reason they do is if the benefit of getting it in the upstream tree outweighs the cost of doing it. If you need to pester upstream then that balance may tip in the favor of "Whatever, we'll just keep this in our own branch. Have a nice day." It's a loss for the community but you can't expect everyone to constantly work for the "greater good" and not their own itches.