Linux Kernel Exploit Busily Rooting 64-Bit Machines

An anonymous reader writes "Running 64-bit Linux? Haven't updated yet? You're probably being rooted as I type this. CVE-2010-3081, this week's second high-profile local root exploit in the Linux kernel, is compromising machines left and right. Almost all 64-bit machines are affected, and 'Ac1db1tch3z' (classy) published code to let any local user get a root shell. Ac1db1tch3z's exploit is more malicious than usual because it leaves a backdoor behind for itself to exploit later even if the hole is patched. Luckily, there's a tool you can run to see if you've already been exploited, courtesy of security company Ksplice, which beat most of the Linux vendors with a 'rebootless' version of the patch."

But wait

[drinking12many]

I thought only windows got exploited this way.... oh thats right All OS's do.

Is Slashdot advertising now?

[fluffy99]

Why does the summary and articles read like a paid advertisement for Ksplice?

Oh Noes

[symbolset]

Yes, there's an available rights escalation vulnerability in recent Linux Kernels that's best patched by updating your system with the latest updates. The breathless nature of the fine summary betrays an eagerness to get Linux admins to click the links before they've done so. I'd rather not. Social engineering is such a powerful exploit mechanism after all.

The Windows geeks obviously will want to paint this as a native Linux vulnerability that they don't have - and it is marginally true. That's fine - but it's an escalation bug, not a remote root, and they've several dozen remote root bugs to close before they point fingers.

EH

[Anonymous Coward]

This is a local exploit so I'm not horribly concerned and here is why.

You should always treat your systems as if an exploit already exists for both remote and local connections.

The systems I maintain are part of a bit of an elaborate network. There is a huge investment in controlling incoming and outgoing traffic as well as managing who actually has access to systems. While a local exploit a big deal it's not like there are a great number of places for users to inject this code. If someone could compromise an input vector and piggyback the exploit that still wouldn't get them very far. In fact, without knowing key details regarding the network infrastructure they would simply nab a host that could not reach the outside world.

With that said we do have a bit of reliance on lbs, traffic inspection, firewalls and a good bit of monitoring equipment. However, there is a solid investment in specific purpose network and security protocols to accomplish these goals. In a bit of a cheaper shop I'm wondering what others do to maintain security and get some of the same tools. (I'm being very vague about our setup intentionally, but there have to be some decent foss network tools as well).

*Yawn* Local Root Exploit

[Greyfox]

If hostile users have local access, you're pretty much boned anyway.

Re:*Yawn* Local Root Exploit

[Anonymous Coward]

This doesn't require being physically close to the computer. For example, a web hosting company might give people limited permission ssh accounts on a web server, and the people could then use this exploit to get root.

slashdvertisement ... and full of crap.

[GNUALMAFUERTE]

Now Ksplice is really starting to piss me off. This is at least the fifth time we've get this kind of crap on slashdot.

Besides that, this is an escalation vuln ... it's local, ok? Not a remote exploit. And, regardless of all that, there's already a fix, which was promptly released before this got out of hand.

So, between the ksplice assholes that abuse each vulnerability that is published to blow it out of proportion and somehow imply that if you require ksplice to patch this without loosing your job (I mean, come on, If your service is critical enough that it can't accept 2 minutes of downtime for a reboot, then you have redundancy and can update machines one by one without any real downtime) ; and the winslow assholes that don't understand shit about security and somehow think that this means that GNU/Linux is insecure and as bad as their shitty system, I'm going nuts every time there is a new vuln in the kernel.

Re:*Yawn* Local Root Exploit

[mlts]

Pretty much Greyfox sums it up right there. The days of having hundreds to thousands of users with shell access on a university or public access machine are long gone. Instead, the focus of security has moved from keeping users out of root [1] to keeping people from getting to the machine in the first place, and if they get to the machine via a networking protocol, not being able to execute code in any meaningful context on the machine.

The only time I'd worry about this is if someone could get a shell or execute code in an application's context (say they manage to do a buffer overrun and are able to stick a user shell on a port, for example.) However, this is what AppArmor and SELinux are designed to stop anyway, so even with root context, and attacker is limited to what they can do.

[1]: This isn't to say that user to root priv exploits are something to be completely neglected, of course.

Not running it...

[Dragoniz3r]

Am I the only person who says "hell no" to running that "diagnosis" program? After looking through the code real quick, I have no interest whatsoever in running a program that performs the very exploit I'm supposed to be scared of, cuz I don't have time to make sure ksplite neutralized it properly. Also, since it's only a local exploit, I'm not concerned enough about it to run a diagnosis tool that implements it.

And good lord god almighty, what 12 year old wrote this code, that they think having function names like put_your_hands_up_hooker() makes them cool?

Re:Bad Publicity...

[simcop2387]

There is something to be said though about going to a 64bit operating system. The fact that there are a little more than twice as many general purpose registers in the CPU available means that code can be compiled to not need to do memory fetches anywhere near as often which means that the code will run faster. the extra addressing space has always been a red herring argument (e.g. i only need it if i have more than 4gb of ram).

Re:EH

[GNUALMAFUERTE]

THIS ^^^^^^

I understand why you are posting as AC and being vague about it, I'm fucking paranoid about revealing details of the entrails of my network too.

People don't understand how security works. If I told you the alarm in my office will fail to detect movement in zone 7 if you do X and Y, would you say that my office is absolutely compromised? No. I still have a security guy, bars, security doors, CCTV, and most things of real value inside is doubly secured (source code is encrypted, money is in the safe). A simple glitch doesn't mean I'm getting robbed.

The problem is that there are many admins out there that do it by the book, and just think that patching systems is enough. You have to work with the OS to keep it secure, not just rely on it. Of course, securing a platform like windows is fucking impossible, that's why we don't use it (not even in the desktops). But if you have a reasonably secure OS, you have to use the rest of your architecture plus some level of monitoring and log-watching to keep things safe.

Re:virus scanner

[socceroos]

A virus scanner isn't going to do much against a rootkit.

FUD

[proxima]

Running 64-bit Linux? Haven't updated yet? You're probably being rooted as I type this.

C'mon now. As others have pointed out, and has been mentioned earlier on /., this is a local root exploit. It's bad, it affects a lot of users (in theory), but to write this is to simply spread fear for most of those using Linux.

Why? Because the systems that inexperienced users run also happen to be those with a few, generally trusted users. Think netbooks. Sure, all local root exploits are bad and should be patched asap. But that doesn't mean "you're probably being rooted as I type this". It means that a remote attacker needs user-level privileges (say, with a browser or plugin vulnerability) first. Since Ubuntu and probably other major distros have already patched this, and the default settings for updates on these systems is to check fairly frequently, most end users will have the patched kernel quickly.

That leaves multi-user systems. The admins of these servers certainly benefit from finding out about the vulnerability asap, and they did (including through previous stories here). By now, though, most admins should have something in place if they don't have full trust in their users. If they don't, they should definitely be looking at whether this was exploited.

The bottom line is that there are many local root exploits which come out every year. This is the latest one, with a patch already available. Responsible admins of multi-user systems are used to dealing with this, and home users are almost certainly going to be patched before it causes any issues. For them, the latest Flash vulnerability is more worrisome. Even the extremely rare remote exploit of a service isn't usually an issue, since most modern distros don't start much of anything by default (including ssh, IIRC).

Re:Oh Noes

[Anonymous Coward]

The Windows geeks ... they've several dozen remote root bugs to close before they point fingers.

Care to point them out?

Re:Is Slashdot advertising now?

[Anonymous Coward]

More to the point, why does the summary suggest its being exploited 'left and right'. Its still a local exploit right? That means they're getting to your machine either through visiting a website, reading an email or via another remote exploit. Seems a might sensationalist.

Having said that, way to stuff up - kernel devs. Whoever reverted that patch needs a swift kick in the go-nads.

Re:But wait

[similar_name]

Ah if that is true then it only means Linux is more popular that Apple. Zing.

Re:Is Slashdot advertising now?

[tomhudson]

iWeb caught it running on ONE shared-hosting server. Are you running a publicly-facing shared-host serveer? No? Then don't worry about it, and when your distro comes out with a new kernel, just update.

Ksplice are attention whores.

Re:slashdvertisement ... and full of crap.

[sdasher]

Actually, RHEL and CentOS have still yet to release a fix. So for your average Linux sysadmin out there, there still isn't an easy-to-use fix. Well, besides Ksplice anyway.

Then perhaps do as the GP asks

[Sycraft-fu]

Point out a current remote root exploit in Windows. To the best of my knowledge, there are none. Which means that the original poster is just fluffing his feathers trying to divert attention from the Linux issue.

While this isn't something that means Linux is majorly insecure or anything, it is a Linux issue. However fanboys don't like that, they can't just say "Yep, there's a problem." Instead they want to try and deflect it, make it about something else. So he deflects the issue by claiming there are some nebulous "remote root bugs," without any specifics.

Ya

[Sycraft-fu]

Our UNIX admin has the philosophy that anyone with local access can get root if they want it bad enough. Security isn't done by presuming you've made that impossible. Rather security is done by making sure you don't give access to just anyone, and to monitoring what people do. Local escalation exploits are things to be fixed, since they can always make a remote exploit worse (someone exploits something remotely, gets unprivileged access, exploits the local exploit to get root) they aren't a critical threat usually.

However I will say you don't make things much better when you start with name calling with regards to Windows and the people that run it. That smacks of being the sort of asshole that knows little about the other platform that you are painting them to be. That you have a preferred platform is great. One would hope it is based on good reasons. However name calling on another platform indicates it is more likely based on zealotry than anything else.

Re:Not running it...

[Anonymous Coward]

I don't know, glancing at the code it looks fairly clean.

The naming convention, on the other hand, reverses all attempts to make the code tolerable.

Maybe I am just getting old, but WTF is stuff like this about?

__yyy_tegdtfsrer("!!! Un4bl3 t0 g3t r3l3as3 wh4t th3 fuq!\n");

Really? Writing, "!!! Unable to get release, what the fuck?\n" was too hard?

Re:OSS Strikes Again

[picoboy]

Tell us how great OSS is.

Tell us how much better Linux is.

Tell us how badly Microsoft sucks.

I'm a PC, and using Windows instead of Linux was my idea.

I knew it was just a matter of time before Ballmer showed up as an AC on Slashdot.

Re:But wait

[Anonymous Coward]

I'm surprised you can type so well with Steve's cock in your mouth.

Re:Then perhaps do as the GP asks

[shutdown -p now]

The attack you mention is not ASP.NET-specific (the initial paper describing it actually used JSF to demo the vulnerability, and Rails is also affected), and it does not lead one to getting "remote root" at all.

Slashvertisement

[Cruciform]

As a long time user I get the option to disable advertising. I don't. I even whitelist Slashdot in Adblock because I support the site and the banner ads are rarely obnoxious.
These poorly disguised articles-as-ads are quite annoying though. Just make KSplice pay for a banner like everyone else.

Re:But wait

[man_of_mr_e]

Uhh.. dude. Seriously. Did you even think about this?

Your web browser runs as a local user. If there is a flaw in your web browser (and all of them have had plenty), then they can use that flaw, just by looking at a web site, to gain root access to your machine using this vulnerability.

So yes. This *IS* the kind of flaw that just looking at someones web site can exploit, if they can also attack your web browser (which is typically pretty easy to do as most people aren't always up to date).

Re:Oh Noes

[symbolset]

>Care to point them out?

No.

I don't want them fixed. I am aware of several dozen remote root exploits for Windows and am sure there are hundreds I'm not aware of. But I don't have to prove it. I can say it, and Microsoft could sue me. Between the time they sued me and the time we got to court they would have to span two years of updates, in which they would have to admit several dozen remote root exploits and concede their case. They are there, and if you trawl the darker corners of the Internet you can find them. It's been twenty years and I see no evidence that Microsoft is even interested in pursuing this level of discovery - and that says a lot.

I want these faults to be exploited over and over. I want business and government to suffer until they see that this is crazy. I want them to find the answer by themselves because obviously they won't listen to me, though we've all tried to tell them many times. I want these IIS .NET websites to divulge the financial details of their members, and make them suffer, because that is the only way they will learn. Yes, some bad guys will turn a profit in the interim, which is a bad thing, but there's some pain involved in educating the fool.

If you want a secure desktop you don't consider Windows first, second, third or ever. You dismiss it out of the gate. Your proper choices are OS-X, Linux and BSD. OS-X is fine for general use, especially now that you can get Photoshop and AutoCad for it. Linux is cool for office staff - it includes office software. BSD is for the finance department and other paranoid people because the feature that can't be implemented securely in BSD won't be implemented in any serious distribution. If the question is utility versus security, the BSD community would rather have security.

But no, your question is "do you care to point these vulnerabilities out". No. No I don't. They're as plain as day for anyone who honestly looks. You can find them if you want to. If you don't see them I have to ask why? Why do you not see them? The only possible answer is that you don't want to.

Re:But wait

[man_of_mr_e]

What part of Web *BROWSER* did you not understand?

I said nothing about a server. Even so, you don't need a shell to execute arbitrary code. You just need to be able overflow a buffer or some other kind of attack. A shell is meaningless.

Re:*Yawn* Local Root Exploit

[microbee]

Mod the parent up. It's funny how certain folks try to down play a security hole like this just because it happens on Linux.

Re:FUD

[Anonymous Coward]

GIven a known flash vulnerability in the wild, that Adobe can't be bothered to fix promptly, that could be combined with the kernel hole to yield a remote root.

Although there may not be enough 64 bit linux users who have jumped through all the hoops needed to get flash working, since its 64 bit support is so lame. Every cloud a silver lining.

Moderation abuse

[symbolset]

Y'know, sometimes there are posts that are poignant, interesting, on-topic, and yet are modded down as a troll for no better reason than people who have mod points are more interested in squelching challenging ideas. That's fine, and slashdot has a mechanism to deal with that, called Karma.

Because I have good /. Karma I can call your attention to the parent post even though I believe it's been badly moderated. Because I'm a Slashdot subscriber, I get an extra point to add to this post, which calls attention to the parent. I have enough good Karma that even if this post is moderated a troll I will have lost nothing.

I'm making this amplifying post because the parent post was moderated down in one second. It was born silenced. Obviously there were moderators prepared to prevent you from hearing my response to the question asked. Some of you might for this reason alone find my words above meaningful or intriguing.

Re:Then perhaps do as the GP asks

[symbolset]

>Point out a current remote root exploit in Windows. To the best of my knowledge, there are none.

You're kidding right? They're enumerated the second Tuesday of each month. We even have a word for it now: "Patch Tuesday". It's an IT anti-holiday. How do you not know about this?

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Moderation abuse

[symbolset]

>With your penchant for vague, unsupported assertions and callous lack of empathy, you'd be excellent upper management - possibly even C-level - material. That, or a RIAA lawyer.

OK, that hurt.

I do care. I would prefer that we went with persuasion. Unfortunately I've tried persuasion and it doesn't work. We now have to deal in pain.

Re:Is Slashdot advertising now?

[inflex]

Because sensationalism sells and best of all, people on the other side of the fence (eg, MS) can then link to the article as way of providing "proof" of how insecure Linux really is. Facts be damned, let's just spray some more fear-mongering around and scare the dillys out of every person. It's just not a /. story anymore unless it's an advert or traffic-whore.

Re:Then perhaps do as the GP asks

[Yaur]

What the exploit actually allows you to do is to read arbitrary files inside of the virtual root directory that the IIS application. Every thing else you see is from a third party CMS (DotNetNuke) and a shitty configuration. No doubt this is bad but its a far cry from remote root.

Re:Scriptkiddies these days

[dlb]

Would you kids get off my lawn?

Re:Is Slashdot advertising now?

[X0563511]

Yea, and guess what? When someone breaks into $LAME_PHP_CODE and runs something, that something is running locally, no?

Re:But wait

[Edzilla2000]

How exactly do you know it was never exploited?

Re:Patch on its way...

[Anonymous Coward]

Me too. Let's see Microsoft get a patch out that fast. ;)

Yeah really fast 2+ years!

In-band checksums with downloadable files

[CarpetShark]

You are a dummy for downloading from a http website without a checksum. No thank you.

What exactly is the point of supplying a checksum by the same route/download method as the file in question? Surely if the file can be modified, so can the checksum. Maybe it would be useful if people got the checksum and verified it was the same checksum everyone else saw, then verified the file with it, but that just doesn't happen.

Re:But wait

[owlstead]

As a home user, I'm always a bit aghast when people determine that preventing access to root is my biggest priority.

If they've got access to my browser, this means that they now have access to all of my documentation, and have the ability to run programs (e.g. through my .bin and .profile files) including full access to the internet.

I mean, they've got my data, they've got the power to run applications and they've got full internet access. I'm personally not that worried about root access - if they break through the browser barrier I'm basically f*cked already.

(yes, yes, I know, SELinux and such could protect me if I configure them correctly. Not even I can easily do that however, and nobody that I know would go that far).

Re:But wait

[ultranova]

Even so, you don't need a shell to execute arbitrary code. You just need to be able overflow a buffer or some other kind of attack.

Yeah. If only we had some way to prevent that - some kind of programming language feature where all buffer accesses were automatically checked by the machine. But Real Men Manually Manage Memory, and usually badly.

Re:My own Computer - Dude!

[DJRumpy]

For a home user, not a big deal. For an business environment, much more so. Dismissing it as 'nothing to see' is shortsighted at best, especially when considering the backdoor left by the hack.

Re:Is Slashdot advertising now?

[bill_mcgonigle]

Why does the summary and articles read like a paid advertisement for Ksplice?

Probably because the Ksplice guys offer a solution to a problem for admins who have standalone servers that can't be rebooted and nobody else does.

I don't understand the Ksplice hate here - they're filling a niche. I'd advise my clients (should I slashvertize too?) to instead go with a redundant clustered solution, preferably with automatic failover and/or live migrations of vm's so reboots don't hurt. But, that's more expensive than Ksplice, if really all you need is a single server (there being other benefits to clusters, naturally, but they do cost more) so it's not the best solution for everybody.

Either is better than staying unpatched if you have folks using your machines who don't deeply understand security. One buggy cgi and a local root exploit makes your day pretty rotten.

Re:But wait

[bonch]

Yeah, let's ignore public market share figures saying otherwise.

Re:But wait

[owlstead]

Yeah, super-easy. Just learn YET ANOTHER fucking configuration file setup, figure out why usr.bin.firefox is in the /etc/apparmor.d/disable folder, figure out that you have to use the "enforce" command line utility, figure out why that does not change any status for firefox and figure out why the fuck I am bothering in the first place. And that for something for which I wonder if it is still maintained at all. Reading the FAQ was interesting, but do you really want users to care if the system uses inodes or paths? More to the point: *should* users know that kind of crap?

Common guys, when are you going to learn that this way of handling systems is something for sysadmins that care to know what the system does? I don't have the time to go into this, let alone prove that it actually works for my setup.

Thanks for pointing out the app, but I'll pass.