Hole In Linux Kernel Provides Root Rights
oztiks writes with this excerpt from The H:
"A vulnerability in the 32-bit compatibility mode of the current Linux kernel (and previous versions) for 64-bit systems can be exploited to escalate privileges. For instance, attackers can break into a system and exploit a hole in the web server to get complete root (also known as superuser) rights or permissions for a victim's system. According to a report, the problem occurs because the 32-bit call emulation layer does not check whether the call is truly in the Syscall table. Ben Hawkes, who discovered the problem, says the vulnerability can be exploited to execute arbitrary code with kernel rights. ... Hawkes says the vulnerability was discovered and remedied back in 2007, but at some point in 2008 kernel developers apparently removed the patch, reintroducing the vulnerability. The older exploit apparently only needed slight modifications to work with the new hole."
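The "does not check whether the call is truly in the syscall table" wording in the summary hides the actual mechanism, so here is a user-space model of it. This is an added example, not code from the story, from The H, or from the Linux kernel: at ia32 syscall entry the kernel zero-extends %eax, a ptrace tracer may then rewrite the full 64-bit %rax, and the pre-fix entry path compared the 32-bit %eax against the table size but indexed the table with all 64 bits of %rax. The two fixes modelled in `ia32_entry_fixed` match the commit titles quoted later in the thread ("Retruncate rax after ia32 syscall entry tracing", "Test %rax for the syscall number, not %eax"). The table size, handler names, return values and the hostile tracer are constructed for the demonstration, and the out-of-table case is reported with a sentinel instead of the indirect call through garbage that the real kernel would make.

```c
/*
 * Added example, not kernel code: user-space model of the ia32 compat
 * syscall entry path, before and after the fix.  Everything below
 * (table size, handlers, tracer) is constructed for the demonstration.
 */
#include <stdint.h>
#include <stdio.h>

#define NR_IA32_SYSCALLS 4u     /* hypothetical table size */
#define RET_ENOSYS       (-38L) /* -ENOSYS: what the entry path returns for a bad number */
#define RET_OOB_INDEX    (-1L)  /* reported here instead of calling through memory past the table */

typedef long (*ia32_handler)(void);
static long sys_restart_syscall(void) { return 0; }
static long sys_exit(void)            { return 1; }
static long sys_fork(void)            { return 2; }
static long sys_read(void)            { return 3; }

static const ia32_handler ia32_sys_call_table[NR_IA32_SYSCALLS] = {
    sys_restart_syscall, sys_exit, sys_fork, sys_read,
};

/* Entry-tracing hook: like ptrace(PTRACE_SETREGS), it may rewrite the whole register. */
typedef void (*entry_tracer)(uint64_t *rax);

static uint64_t last_index;            /* table index the entry path tried to use */
uint64_t ia32_last_index(void) { return last_index; }

/* Pre-fix behaviour: compare %eax (low 32 bits), call through table(,%rax,8). */
long ia32_entry_buggy(uint32_t eax_from_user, entry_tracer tracer)
{
    uint64_t rax = eax_from_user;          /* movl %eax,%eax: zero-extended on entry */
    if (tracer)
        tracer(&rax);                      /* syscall_trace_enter(): tracer rewrites rax */
    if ((uint32_t)rax >= NR_IA32_SYSCALLS) /* cmpl: looks only at the low 32 bits */
        return RET_ENOSYS;
    last_index = rax;                      /* but the index is built from all 64 bits */
    if (rax >= NR_IA32_SYSCALLS)
        return RET_OOB_INDEX;              /* real kernel: indirect call past the table */
    return ia32_sys_call_table[rax]();
}

/* Fixed behaviour: retruncate after tracing and compare the full register. */
long ia32_entry_fixed(uint32_t eax_from_user, entry_tracer tracer)
{
    uint64_t rax = eax_from_user;
    if (tracer)
        tracer(&rax);
    rax = (uint32_t)rax;                   /* retruncate rax after entry tracing */
    if (rax >= NR_IA32_SYSCALLS)           /* test %rax, not %eax */
        return RET_ENOSYS;
    last_index = rax;
    return ia32_sys_call_table[rax]();
}

/* Constructed hostile tracer: the low 32 bits name a valid syscall (1),
 * the high bits push the 64-bit index far past the end of the table. */
void hostile_tracer(uint64_t *rax)
{
    *rax = (1ull << 32) | 1u;              /* %eax == 1, %rax == 0x100000001 */
}

int main(void)
{
    long r;

    r = ia32_entry_buggy(1, hostile_tracer);
    printf("buggy entry: result %ld, index used 0x%llx\n",
           r, (unsigned long long)ia32_last_index());

    r = ia32_entry_fixed(1, hostile_tracer);
    printf("fixed entry: result %ld, index used 0x%llx\n",
           r, (unsigned long long)ia32_last_index());
    return 0;
}
```

Without a tracer both entry paths behave identically, which is why the bug survived: the untraced fast path never sees a 64-bit syscall number. A regression test for this only needs to assert that the traced path with a high-bit number is rejected, not that the resulting jump is exploitable.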
Serve them right (Score:5, Funny)
Re:Serve them right (Score:5, Funny)
I thought that was because you were a pretentious wanker?
Re:Serve them right (Score:5, Informative)
It's quite possible to have two independent reasons for doing something.
Re: (Score:3, Informative)
Unfortunately the Burroughs refused to run mainframe software with such bugs. Burroughs died.
IBMs ran such software without complaint. IBM survived.
Since the programs certainly had some design errors, it really becomes a question of which erroneous behaviors are silliest. Often the "most correct" are the silliest.
Re:Serve them right (Score:4, Insightful)
Linux is often the better choice for desktop usage when security is not an issue.
Security is *always* an issue. Especially on the desktop. One merely needs to look at the large botnets comprised entirely of zombie Windows machines to understand why.
Re:Serve them right (Score:4, Interesting)
While OpenBSD doesn't have a perfect record for security
OpenBSD has got a *terrible* record for security. The illusion of security is only maintained because every time someone discovers a gaping exploit in OpenBSD, Theo moves the goalposts on what he considers a security hole. Just look at all the descriptions of "errata" for OpenBSD - bugfixes for security holes!
Theo is like that kid who, no matter what game you were playing, would always start making up bullshit rules whenever he started losing. Like, "Tag! You're it!" "No I'm not it, that tag didn't count because I'm uh... I'm near this rock".
Don't be that kid. That kid is a dick.
Re: (Score:2)
http://en.wikipedia.org/wiki/UniFLEX [wikipedia.org]
Re: (Score:2)
Ah, Cromemco. All us hobbyist types drooled over their industrial offerings.
Re:Serve them right (Score:5, Funny)
Thank you Adobe! you saved my machine!
Re:Serve them right (Score:5, Funny)
And those even more in the know use a two-bit operating system like Windows :)
Re:Serve them right (Score:5, Funny)
1 bit operating systems are totally impossible to infect though.
That's true!
... Or false...
Perhaps the kernel's size is becoming too unwieldy (Score:3, Interesting)
I mean this is what, the third 'reverted' security patch we've heard about in the recent past that needed replacement?
Maybe it's time to separate out core kernel code and the arch-specific stuff into separate modules with separate administration. Git would make this easy, so why aren't we seeing it done?
Re:Perhap the kernel's size is becoming too unweil (Score:5, Informative)
You're talking about git submodules and I'm gonna go ahead and guess that the answer you'll receive from the kernel folks about that is a big fat "no". Maybe if Git had usable project hierarchies, things might be different.
Also to note: even Git can't fix stupid policy or stupid programming decisions.
Re: (Score:2, Insightful)
Also, since the kernel is fairly 'well documented', we should be able to tell WHO is responsible for removing the patch, and reintroducing the vulnerability.
Perhaps we could ask them why such a thing happened, and whether the Linux community needs to backtrack this specific dev's kernel patching to date.
You want to talk about 'quality control' in the open source world, here it is right in front of us. Will it be done properly and thoroughly?
Re: (Score:2)
You want to talk about 'quality control' in the open source world, here it is right in front of us. Will it be done properly and thoroughly?
You mean by ridiculing the person who made a mistake in front of the whole world? Patch your own fucking kernel if you're so damn smart.
Re: (Score:3, Informative)
I don't believe ridicule was mentioned.
Anyway, no matter how painful it might be for the person who reverted the patch, the issue does need to be investigated in order to find out how to detect other instances and how to stop it from happening again.
Re:Perhap the kernel's size is becoming too unweil (Score:4, Insightful)
You're talking about git submodules and I'm gonna go ahead and guess that the answer you'll receive from the kernel folks about that is a big fat "no". Maybe if Git had usable project hierarchies, things might be different.
Also to note: even Git can't fix stupid policy or stupid programming decisions.
If ever there was a case of missing the forest for the trees, it's this right here.
It's a bug tracking issue, not a version control issue.
Re: (Score:2)
It's a bug tracking issue, not a version control issue.
No, it's a software complexity issue. The problem is, with the size of the kernel, it would be prohibitively expensive to write and run tests even just for the major bugs fixed.
Re: (Score:2)
User IDs in a decentralised version control system are under the control of the committer. Linus pulls patches from a team of patch maintainers who should always be able to account for the veracity of the metadata in their repos.
Re: (Score:2, Insightful)
Yeah... at this point I'm wondering if there are some kernel developers who like there to be security bugs in the kernel?
Why else would they revert the security patch? Political reasons? They don't like the fix?
Or perhaps some of the kernel developers are black hats working covertly, and the 'fixes' cause them problems exploiting their secret bugs.......
Re: (Score:2)
> Why else would they revert the security patch?
Because they made a mistake. People do that.
Re: (Score:2)
Do they have code reviews in Open Source land? We sure as hell do in boring business software world. Tends to catch shit like this.
Re:Unit Tests (Score:3, Insightful)
In theory, you can write a unit test to cover anything and everything you want. In practice, the amount of code needed to perform expansive unit tests quickly dwarfs the amount of code in the product you are testing.
Like the summary said, the old attack didn't work exactly, it had to be tweaked slightly. Even if you had a unit test for this situation, it most likely would have passed (meaning the test exploit would fail).
Re:Unit Tests (Score:5, Insightful)
The test doesn't have to detect exploitability, only that the bug is still present (or not).
Re: (Score:3, Insightful)
1 reverted security patch is a mistake.
2 reverted security patches is a major mistake
3 unintentionally reverted critical patches in 6 months is a pattern of major fuck-ups.
I'm not saying people don't make mistakes. Part of the purpose of version control is to prevent such accidental reversions.
A pattern of reverting security changes, and not detecting those reversions before the software goes to world-wide release is pretty inexcusable, in most reputable development firms... people would get fired o
Re: (Score:3, Informative)
The offending patch was authored and committed by a Redhat developer. Since this guy made his own company's product insecure for their clients, I'd say that Redhat could very well fire him. Whether they will or not depends on the company. Besides, do you know of a Microsoft (or any closed source software company) employee being fired based on their coding vulnerable software? How about a CEO being fired for selling vulnerable software to the public? Where's the accountability there?
Errare Humanum est (Score:3, Insightful)
The claim that, because we can't fire developers, there is an incentive for bad coding practices is not an argument:
for some people (esp. Linux developers, where pride is an important fuel for their creativity), being called out in public for such bad behavior is much worse than being fired at the equivalent closed-software company.
Moreover, you will never know how many developers in a closed model had turned a simple patch into a remote exploit and if the culprit was really fired afterward esp. if it's a core de
Re: (Score:3, Insightful)
And what does that have to do with Linux?... Oh, that's right, nothing.
Pointing at what other people are doing wrong so you can look better makes you look like an ass in the long run. People notice it. Stop doing it and worry about what you are doing...
Root escalation is a serious issue but instead of figuring out 'hey how can we stop this from happening again' you are busy saying 'look see teh windowz sux'.
uh ok...
Re: (Score:2)
Yea, because one bitch on slashdot spending 2 minutes writing such a post is really detracting from figuring out "hey how can we stop this from happening again"
I'm pretty sure the people that actually matter won't be found on slashdot poking fun at everyone else.
Re: (Score:3, Informative)
Yeah, but none of those exploits is in the Windows 7 kernel itself (which is rarely ever patched). They'll all be related to other components distributed with the operating system. This could be many things, including Windows Media Player and IIS. If you want to compare the number of Linux patches with Windows Updates, you would need to compare the Windows patches to the patches of a Linux distro, not just the Linux kernel itself.
Re: (Score:3, Informative)
> So if you can't find any real reason why Linux is better, you just lie about the competition?
Lying simply isn't necessary.
Windows is in the habit of running untrusted binaries often without knowledge or permission of the user.
THIS aspect of WinDOS makes it far more vulnerable than anything else to any sort of problem that starts out as a local root exploit.
Re: (Score:3, Informative)
He is probably referring to the bout of security fixes for Windows 7 with the same wording... there have been quite a few of them lately.
And that's relevant to this thread how again?
Might as well start posting stuff about Chewbacca.
Maybe Linux' kernel is too big?
Chewbacca lives on Endor without any Linux or Windows computers ....
Re: (Score:2)
Chewbacca lives on Endor without any Linux or Windows computers ....
They use Force computers.
Re: (Score:2)
Chewbacca lives on Endor without any Linux or Windows computers ....
Lies, deceit! Wookies come from Kashyyyk [wikia.com]. :)
Re: (Score:2)
I will not have you talking about C3PO that way!
Re:Perhap the kernel's size is becoming too unweil (Score:4, Informative)
I've seen far too many rooted servers to agree with you about the deployment issue.
Re:Perhap the kernel's size is becoming too unweil (Score:4, Informative)
A LOT of hosts still get rooted because of weak passwords. A LOT of valuable hosts get rooted through social engineering. Just because you've seen rooted hosts, doesn't mean that there is any wide-scale deployment of anything.
Re: (Score:3, Insightful)
> Well, vast majority of pwned Windows boxes end up that way due to
> operator error, not some code exploit - you know, users clicking
> on boobies!.jpg.exe links in mails and such. It's not something
> you can truly fix, short of making an iPad.
Nonsense. You can make it a little harder for end users to do stupid things when prompted by a website.
Talk about "moving goalposts".
NO ONE using ANY OS should ever have to worry about the act of loading data causing malware to run instead.
This is just reta
Re: (Score:2)
Meh. Do you make your living from convincing people to switch from Windows to Linux? Does it really matter to you what other people use? As far as I'm concerned, Linux just needs to suck less than Windows, which it does. As long as that remains true, I won't have to worry about the hassle of considering migrating everything I do to Windows.
Re: (Score:3, Funny)
Not interesting enough. Rewriting something that already works is where it's at.
Patch (Score:5, Funny)
For those who compile from source, here is the patch:
---kernel.c
+++kernel.c
@@ -1,1 +1,1 @@
- void goatse(long cx) {
+ void goatse(int cx) {
The change from long to int closes the massive hole.
Re: (Score:2)
No, it should be a boolean, inscribed to false in stone - or at least ROM, and none of the rewritable kind.
Re: (Score:2)
Let's just settle on a boolean value (open|closed).
Re: (Score:2, Interesting)
The C standard doesn't specify sizes but requires that
sizeof(long) >= sizeof(int) >= sizeof(short) >= sizeof(char)
so if a char is 32-bit, a short must be 32-bit (or more) as well. C99's <stdint.h> requires typedefs (e.g., uint8_t, int8_t) for 8-, 16-, and 32-bit signed and unsigned integers.
Re: (Score:2)
How did the TI 340x0 series deal with it? It was a *bit-addressable* machine, but char was 8 bits. They shipped an (allegedly) ISO compliant C89 compiler for it.
Re: (Score:2)
I might be wrong, but it's probably because the only character code you can fit into a single bit of memory is SOH. ASCII characters use 8 bits of memory for a single character, which is what char was originally designated for (storing a character).
Error in title (Score:5, Funny)
Patch (Score:4, Funny)
You can get a patch here [microsoft.com].
Patches are available (Score:3, Informative)
If you know how to drive git you could try applying these:
x86-64, compat: Retruncate rax after ia32 syscall entry tracing
x86-64, compat: Test %rax for the syscall number, not %eax
there is a workaround of disabling 32bit binaries (I'd paste a link if Google Chrome dev channel would let me... for some reason I can only paste into /.'s comment box before I've typed anything else, I'll follow-up with it), but of course you may need them depending on what your machine does.
There's also a separate issue that also gives local root, fixed by:
compat: Make compat_alloc_user_space() incorporate the access_ok()
I'm running a kernel based on 2.6.35.4 but with all 3 of those commits applied (note the last one tries to modify an arch/tile/ file which doesn't exist in 2.6.35.4; just ignore that) and can confirm that neither exploit works.
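The third commit in the list above ("compat: Make compat_alloc_user_space() incorporate the access_ok()") fixes a different local-root bug from the syscall-number one, and the reason it matters is easy to miss. The following is an added example, not code from the thread or from the Linux kernel: a model of the helper that hands compat syscalls "current user stack pointer minus len" as scratch space, with and without the access_ok() check the fix folded into it. The user-space limit is the x86-64 TASK_SIZE_MAX value; the stack pointer, the attacker-controlled length and the `in_kernel_half` helper are constructed for the demonstration.

```c
/*
 * Added example, not kernel code: model of compat_alloc_user_space()
 * before and after the access_ok() check.  Addresses and lengths are
 * constructed; TASK_SIZE_MAX is the x86-64 user-space limit.
 */
#include <stdint.h>
#include <stdio.h>

#define TASK_SIZE_MAX 0x00007ffffffff000ull   /* top of user space on x86-64 */

/* Model of access_ok(VERIFY_WRITE, addr, len): no wrap-around, range inside user space. */
int model_access_ok(uint64_t addr, uint64_t len)
{
    uint64_t end = addr + len;
    if (end < addr)                  /* addr + len wrapped past 2^64 */
        return 0;
    return end <= TASK_SIZE_MAX;
}

/* Pre-fix arch helper: carve len bytes below the user stack, unchecked.
 * A 32-bit process keeps its stack below 4 GiB, so a 32-bit len larger
 * than sp wraps modulo 2^64 and lands in the kernel half of the address space. */
uint64_t arch_compat_alloc_user_space(uint64_t user_sp, uint64_t len)
{
    return user_sp - len;
}

/* Fixed wrapper: reject any carve-out that is not writable user memory. */
uint64_t compat_alloc_user_space_fixed(uint64_t user_sp, uint64_t len)
{
    uint64_t ptr = arch_compat_alloc_user_space(user_sp, len);
    if (!model_access_ok(ptr, len))
        return 0;                    /* NULL: the compat caller must bail out */
    return ptr;
}

/* Constructed helper: kernel-half address on x86-64 (sign-extended from bit 47). */
int in_kernel_half(uint64_t addr)
{
    return addr >= 0xffff800000000000ull;
}

int main(void)
{
    uint64_t sp  = 0xffffd000ull;    /* constructed 32-bit process stack pointer */
    uint64_t big = 0xffffe000ull;    /* constructed attacker-supplied length, larger than sp */

    uint64_t p = arch_compat_alloc_user_space(sp, big);
    printf("unchecked: 0x%llx (%s)\n", (unsigned long long)p,
           in_kernel_half(p) ? "kernel half" : "user half");
    printf("with access_ok: 0x%llx\n",
           (unsigned long long)compat_alloc_user_space_fixed(sp, big));
    printf("legit 0x100-byte carve-out: 0x%llx\n",
           (unsigned long long)compat_alloc_user_space_fixed(sp, 0x100));
    return 0;
}
```

The point of putting the check inside the allocator rather than at each caller is that every compat syscall that passes a user-supplied length through this helper is fixed at once, which is the shape of the upstream commit named above.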
Re: (Score:2)
resort represent!
Why is there anything 32 bit on a 64 bit server? (Score:2)
Okay, I get that when system calls are made to 32 bit whatever, bad things could happen. But why would there be anything 32 bit there at all? Shouldn't everything that is running on a server be compiled for 64 bit? I gotta say, this is a good reason to hate 32 bit binary blobs being distributed by vendors who don't want to release the source for their drivers and what-not... well more than I already do.
Perhaps I am misunderstanding something and that 32 bit calls are still an inherent part of 64 bit Linu
Re: (Score:2)
Okay, I get that when system calls are made to 32 bit whatever, bad things could happen. But why would there be anything 32 bit there at all? Shouldn't everything that is running on a server be compiled for 64 bit?
Flash. Ubuntu handles 32-bit Flash integration automatically with 64-bit Firefox, but on some other distros it's easier just to install 32-bit Firefox instead.
Re: (Score:2)
If you're using your Linux server to browse Flash apps on the web, you might be doing it wrong...
Re: (Score:2)
If you're using your Linux server to browse Flash apps on the web, you might be doing it wrong...
Yeah, I missed the 'server' part :).
Re: (Score:2)
Java may be, but flash?
Re: (Score:2)
When I worked at a web hosting company, we once had a customer call in to complain that javascript and flash weren't running on our servers. Of course, they aren't supposed to....
Re: (Score:3, Informative)
Everything else on there was compiled for 64 bit.
Re: (Score:2)
makes one wonder what the money gets used for.
Re: (Score:2)
Marketing and Sales.
Re: (Score:3, Interesting)
Around 15% to 25% of revenues going to customer acquisition and retention (marketing, sales calls, rebates, incentives, whatever) is a pretty common budgetary decision in US businesses. So yeah, after payroll, facilities, and other operating costs marketing and sales are a major expense. The most common advice I get as a small-business owner both online and in person from other business owners is 20%.
I've heard as low as 10%, but that's still a big chunk of the budget. I've also heard of people spending as
Re:Why is there anything 32 bit on a 64 bit server (Score:4, Informative)
The vulnerability affects kernels compiled with 32-bit compatibility support. Enabling this option seems to be the default, even on x64 systems that do not have 32-bit libraries and cannot execute 32-bit binaries. You can run
zcat /proc/config.gz | grep CONFIG_IA32_EMULATION
to see if you have it on. More info [linuxquestions.org], and the original hack [sota.gen.nz].
Re: (Score:2)
Unless you need the big address space and MOST apps don't - 32 bit code runs faster.
Since when?
64-bit code gives you twice as many registers at the cost of doubling the size of pointers, and on older Intel CPUs losing some of the microop fusion optimisations. Every time I've seen people post comparative benchmarks of their 32-bit code recompiled to 64-bit, they've shown significant speedups.
Re: (Score:2)
You and I have been looking at vastly different sets of benchmarks.
Some go better at 64 bit. Many others do worse.
Bit late to be news (Score:5, Informative)
Ubuntu, at least, has already released the patch as a kernel upgrade; it was fixed early in the week so I presume most other distros have too.
Re: (Score:3, Informative)
Slackware forum [linuxquestions.org] has a link to the white hat's page [sota.gen.nz]. Here [sota.gen.nz] you can get a very neat proggy that will root you in less than 200 if you are still unpatched.
Re: (Score:3, Informative)
RHEL was never affected. Red Hat BugID 630551 [redhat.com] states:
"This issue did not affect the version of Linux kernel as shipped with Red Hat
Enterprise Linux 3, 4, and 5 as it did not include upstream commit 7034632d
that introduced the problem. It did not affect Red Hat Enterprise MRG as the
/dev/sequencer device file is restricted to root access only."
Further, Red Hat states for CVE-2010-3080 [redhat.com] that the commit upstream that brought the bug back was never allowed into Red Hat kernels:
"This issue did not affect the ver
code comments? (Score:5, Insightful)
Hawkes says the vulnerability was discovered and remedied back in 2007, but at some point in 2008 kernel developers apparently removed the patch, reintroducing the vulnerability
and this, my friends, is why we add comments to our code
Re: (Score:3, Insightful)
> and this, my friends, is why we add comments to our code
It's also a good argument for regression testing.
Re: (Score:2)
The old exploit didn't work as-is, but required slight changes. So I don't know if regression testing would have caught it here.
But of course, the kernel does need more unit tests.
Tell me more about this "superuser" (Score:2)
is Ric Romero writing about security now?
Gentoo Hardened nomultilib (Score:3, Informative)
News like this makes me smile that I decided to use Gentoo Hardened 64-bit nomultilib whenever I built servers. Makes it harder if the software needed to run is only available as 32-bit binaries, but I haven't run into any yet that I've needed.
Since it has no 32-bit emulation layer, this is probably one of the few 64-bit linux not affected (without a patch).
It must be done.... (Score:2)
Re: (Score:2)
Indeed.
Who the fuck calls that superuser?
Re: (Score:3, Informative)
Who the fuck calls that superuser?
All I had to do was turn around and reach at the bookshelf behind me:
"But we must warn you: there is a special user on every UNIX system, called the super-user, who can read or modify any file on the system. The special login name root carries super-user privileges...."
from page 52, "The UNIX Programming Environment", Brian W. Kernighan & Rob Pike, Prentice Hall, 1984.
Re:Doesn't work (Score:5, Informative)
cd /usr/src/linux &&
grep -ilE 'super.?user' `find . -iname '*.[ch]'`
arch/avr32/mm/cache.c
arch/h8300/include/asm/cachectl.h
arch/ia64/kernel/unaligned.c
arch/m68k/include/asm/cachectl.h
arch/m68k/kernel/sys_m68k.c
arch/parisc/hpux/sys_hpux.c
arch/x86/kernel/apm_32.c
arch/x86/kernel/ioport.c
drivers/char/apm-emulation.c
drivers/char/rio/errors.h
drivers/char/rio/rioctrl.c
drivers/net/wireless/airo.c
drivers/scsi/megaraid.c
drivers/scsi/megaraid/megaraid_mm.c
drivers/staging/vt6655/iwctl.c
drivers/staging/vt6656/iwctl.c
fs/cachefiles/daemon.c
fs/ext4/mballoc.c
fs/fcntl.c
fs/namei.c
fs/ntfs/super.c
fs/smbfs/file.c
fs/ubifs/budget.c
fs/ufs/ufs_fs.h
fs/unionfs/sioq.c
fs/utimes.c
fs/xfs/quota/xfs_qm.c
fs/xfs/quota/xfs_qm_syscalls.c
fs/xfs/xfs_quota.h
include/linux/acct.h
include/linux/dqblk_xfs.h
include/linux/fd.h
include/linux/keyboard.h
include/linux/random.h
include/linux/sched.h
include/linux/shm.h
include/net/sock.h
kernel/kexec.c
kernel/sys.c
kernel/sysctl.c
kernel/time/ntp.c
mm/mempolicy.c
mm/migrate.c
mm/oom_kill.c
net/core/dev.c
net/core/sock.c
net/netlink/af_netlink.c
net/netrom/af_netrom.c
(full disclosure: I also piped it through |sed -e 's/^\.\///g' for formatting purposes (Slashdot puts it all on one line if they begin with ./ for some reason) and |sort because I'm just like that)
Re: (Score:3, Informative)
try for example "man su":
NAME
su - change user ID or become superuser
or sudo, but you'll have to go all the way down to the description:
DESCRIPTION
sudo allows a permitted user to execute a command as the superuser or another user
Outside geek circles "root" doesn't mean anything, but superuser is at least somewhat meaningful. Though most don't actually deal with it at all anymore, they're in a sudo group so they o
Re: (Score:3, Funny)
You are too stupid to live....
I guess for people like you, next time I need to add...
*** BEGIN JOKE ***
and
*** END JOKE ***
If that's still not enough - I can incorporate the blink tag and some colored fonts.
Re:But...but... (Score:4, Insightful)
Linux is better than Windows.
better != perfect
Re:But...but... (Score:4, Informative)
It's also part of the reason behind the slow turnaround time on patches coming out of Redmond. They do regression testing.
Re: (Score:2)
That's what you get for using Ubuntu on a server!
Re: (Score:2, Informative)
That's what you get for using Ubuntu on a server!
Immediate community action and timely patches?
If that's what we get, then thank you, Ubuntu.
Re: (Score:2)
Fucking idiots.
What's the point of rooting a server and making it obvious? These are the ones that get noticed and cleaned. It's the ones who did it quietly that sit around for years!
Re:exploited (Score:4, Funny)
Classy.
Re: (Score:3, Funny)
You should have included the next two as well:
A Windows-specific character set and a looping nonexistent background sound. Heh.
Re: (Score:2)
Here's a better fix:
dd if=/dev/zero of=/dev/?d? bs=512 count=1
Re: (Score:2)
welcome to the world of ubuntu?