Linux Kernel Exploit Busily Rooting 64-Bit Machines
An anonymous reader writes "Running 64-bit Linux? Haven't updated yet? You're probably being rooted as I type this. CVE-2010-3081, this week's second high-profile local root exploit in the Linux kernel, is compromising machines left and right. Almost all 64-bit machines are affected, and 'Ac1db1tch3z' (classy) published code to let any local user get a root shell. Ac1db1tch3z's exploit is more malicious than usual because it leaves a backdoor behind for itself to exploit later even if the hole is patched. Luckily, there's a tool you can run to see if you've already been exploited, courtesy of security company Ksplice, which beat most of the Linux vendors with a 'rebootless' version of the patch."
Scriptkiddies these days (Score:1, Interesting)
Re:Bad Publicity... (Score:3, Interesting)
1. MS & Windows shills may laugh about this, but only because they feel your pain. Beyond that, what does making this statement even mean?
2. 64-bit hardware is cheap. You can buy an AMD64 X2 5000 Dual Core CPU for 38 bucks shipped. Add a mobo for another 45 and, if you need RAM, another 50. eBay for more savings.
Re:But wait (Score:1, Interesting)
Oh, that's right. All non-Apple OSes do.
FTFY.
Re:Is Slashdot advertising now? (Score:5, Interesting)
Re:Bad Publicity... (Score:3, Interesting)
... until you get closer to 16GB of RAM and you start running out of lowmem (especially on older 2.4 kernel systems).
Re:Bad Publicity... (Score:5, Interesting)
Microsoft already felt the pain, because the Xbox 360 hypervisor got owned by the same exact hole. It would almost be the same instruction-by-instruction identical bug were it not for the fact that the 360 is a PowerPC system and this is an x86_64 hole. Yes, they, too, used a 32-bit compare to check the system call number, then indexed into the array using the full 64 bits, exactly the same bug that caused this Linux hole.
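As an added illustration of the bug pattern this comment describes (constructed for this page, not code from the kernel, the hypervisor or the published exploit), the C program below contrasts a range check done on the low 32 bits of a caller-supplied number with one done on the full 64-bit value that is later used as the index; TABLE_SIZE, the function names and the crafted number are all assumptions for the demo.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the size of a syscall table; the real kernel
 * tables are larger, but the truncation pattern is the same. */
#define TABLE_SIZE 8

/* Vulnerable range check as the comment describes it: only the low 32 bits
 * of the caller-supplied number are compared against the table size. */
bool vuln_check_passes(uint64_t nr)
{
    uint32_t low = (uint32_t)nr;   /* truncating compare */
    return low < TABLE_SIZE;
}

/* Fixed range check: compare the same full-width value that is later used
 * as the index, so no high bits can slip past the comparison. */
bool fixed_check_passes(uint64_t nr)
{
    return nr < TABLE_SIZE;
}

/* True when a check accepts a number whose full 64-bit index is outside the
 * table: the condition under which a dispatcher would read past the array. */
bool check_escapes(bool (*check)(uint64_t), uint64_t nr)
{
    return check(nr) && nr >= TABLE_SIZE;
}

/* Constructed demo value: low 32 bits name a valid slot (3), high bits set. */
uint64_t crafted_number(void)
{
    return ((uint64_t)1 << 32) | 3;
}

int main(void)
{
    uint64_t nr = crafted_number();
    printf("number 0x%" PRIx64 ": low 32 bits = %" PRIu32 "\n", nr, (uint32_t)nr);
    printf("32-bit compare lets it past the table: %s\n",
           check_escapes(vuln_check_passes, nr) ? "yes" : "no");
    printf("64-bit compare lets it past the table: %s\n",
           check_escapes(fixed_check_passes, nr) ? "yes" : "no");
    return 0;
}
```

The same mismatch between the width of the check and the width of the index is what a reviewer should look for in any table-driven dispatcher, regardless of architecture.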
Re:virus scanner (Score:3, Interesting)
This is an exploit to gain "root" (administrator) access, not a rootkit, which is a malicious program built to hide itself from the operating system.
But the exploit leaves a backdoor (hell, it's right there in the summary) which *is* what a rootkit does.
Rootkits do typically hide themselves -- but only so they aren't removed, so they can provide root access at a later date. Their primary function is to provide root access at a later date -- which this exploit does, according to the summary.
poorly described (Score:3, Interesting)
What is annoying me about these issues is that they are described so poorly that I'm not certain if I have a problem. I run 64-bit Linux but no 32-bit code and there are no local users other than for the services I'm running (http and ssh). So do I need to take the time to do something or can I wait for a normal update?
Re:poorly described (Score:3, Interesting)
Short answer - it depends on whether your kernel has the vulnerability. Seriously, Slashdot is the worst place to find out more info about vulnerabilities. At least it did give the CVE, which you can use to get more details and determine if you're affected.
Re:slashdvertisement ... and full of crap. (Score:5, Interesting)
``assholes that don't understand shit about security and somehow think that this means that GNU/Linux is insecure''
It _is_ insecure. There are plenty of vulnerabilities being found and reported, and there are several things that many distributions could do to improve security. To name a few examples, many distros ship with stack smashing protection and address space layout randomization disabled, and allow pages to be writable and executable by default. Also, usually, many operations are reserved to the root user, and the root user can do everything which means that more programs than necessary run as root, and root has more power than necessary. These are not the properties of secure systems; it's not even close to state of the art security.
``as bad as their shitty system''
I am not sure that such derogatory language makes the world a better place. I'm not even sure comparing the security of Linux with that of Windows is useful. If you do compare them, you will find that, at the very least, Microsoft has improved the security picture on Windows a great deal. In some cases, such as running with reduced privileges by default and only elevating privileges for programs that need it, they have merely caught up with Linux systems. But since Windows Vista, Windows ships with address space layout randomization and non-executable pages (Microsoft calls it DEP) enabled for many libraries and executables. Newer versions of Internet Explorer (certainly 8, but also newer versions of 7 if I'm not mistaken) are among those applications, and also include a "protected mode" where most of the program can't do very much at all, and all potentially harmful operations are concentrated in a small, trusted kernel running in a separate process. These are the sort of security measures taken by a vendor who takes security seriously. On the *nix side, you will find this kind of stuff in OpenBSD and a few specialty hardened Linux distros, and that's about it. Ubuntu has AppArmor, but hardly uses it.
If you look at vulnerabilities, like the privilege escalation vulnerability in the story, I would not be surprised to find that more of these are being found and reported in Linux than in Windows these days. What that means about the relative security of Linux and Windows, I don't know. But clearly, serious security flaws are being found in Linux. As far as I am concerned, Linux's security track record is far from stellar, and there certainly isn't a strong security culture that will make this better in the near future. Easily applied security measures (see first part of my post) are being left on the table, and we have far too much code running in all-powerful kernel mode for me to be comfortable with (just one data point: I have over 100 MB of kernel modules on my system, and on the order of tens of megabytes in the running kernel image).
Considering all the above, I would certainly refrain from calling names or making derogatory remarks against users of non-Linux systems. I don't profess to know which system is the most secure, all things considered, but I'm a firm believer in not needlessly stepping on people's toes.
Kind regards,
Your friendly neighborhood Linux guy
Re:Then perhaps do as the GP asks (Score:2, Interesting)
Re:slashdvertisement ... and full of crap. (Score:2, Interesting)
and the winslow assholes that don't understand shit about security and somehow think that this means that GNU/Linux is insecure and as bad as their shitty system, I'm going nuts every time there is a new vuln in the kernel.
Well at least Windows admins don't lash out at YOUR OS every time THEY have a vulnerability to deal with. Why is it every time Linux has a vulnerability you lash out like it's their fault? Who is attacking whom each time a flash, adobe, or core Windows vulnerability is announced? Why the anger?
(I mean, come on, If your service is critical enough that it can't accept 2 minutes of downtime for a reboot, then you have redundancy and can update machines one by one without any real downtime)
Hey theory, come meet practice.
and the winslow assholes that don't understand shit about security
This is funny because there is a 99% chance the Windows admins where you work (you have a job?) already have the infrastructure in place to report & patch & reboot on greater numbers of systems than you have, due to the frequency of their critical patches and volume of corporate desktops. Meanwhile, have fun double-checking your fstab, init scripts, and 3rd party drivers, and scraping together a complete list of affected servers. Go brutalize a hundred servers with cat semiuptodatelist | while read s; do ssh -n $s yum -y update; done
If it sounds like I'm bitter, it's because I've been there.
Re:Bad Publicity... (Score:2, Interesting)