'Stack Clash' Linux Flaw Enables Root Access. Patch Now (threatpost.com) 126
msm1267 writes: Linux, BSD, Solaris and other open source systems are vulnerable to a local privilege escalation vulnerability known as Stack Clash that allows an attacker to execute code at root. Major Linux and open source distributors made patches available Monday, and systems running Linux, OpenBSD, NetBSD, FreeBSD or Solaris on i386 or amd64 hardware should be updated soon.
The risk presented by this flaw, CVE-2017-1000364, becomes elevated especially if attackers are already present on a vulnerable system. They would now be able to chain this vulnerability with other critical issues, including the recently addressed Sudo vulnerability, and then run arbitrary code with the highest privileges, said researchers at Qualys who discovered the vulnerability.
The risk presented by this flaw, CVE-2017-1000364, becomes elevated especially if attackers are already present on a vulnerable system. They would now be able to chain this vulnerability with other critical issues, including the recently addressed Sudo vulnerability, and then run arbitrary code with the highest privileges, said researchers at Qualys who discovered the vulnerability.
Re: (Score:2)
The stack clash - that's something that I have experienced when I coded in C on MS-DOS.
Re: (Score:3)
It makes a *lot* less than Windows...
Likely not. The Windows kernel is quite hardened these days, from being the largest target for so long. That's why almost all of the Windows security problems you read about have nothing to do with a kernel flaw, and tend to be "trick the user into running this thing as admin". Well, almost all flaws are browser attacks anyhow, but I was talking about the remainder.
Re: (Score:1)
Windows is just about the smallest target you mean. Who uses it anymore? From phones, tablets, set top boxes, autos, satellites, routers, switches, san... well you get the picture. I could keep on going. It does have a hold of some business desktops, however even there it's going away. I'm seeing local businesses and even chains that use Linux.
So no, it's not the largest target. It's the smallest. There's a good chance that in 10 years people will say Microsoft windows - what's that?
Re: (Score:2)
Neither Windows nor Linux runs stuff as admin/root by default. Both require the user to escalate, in principle. Both have plenty of exploits, in practice. But Linux escalation exploits are more common than Windows these days.
Re:SSDD (Score:5, Funny)
Re: (Score:2)
A lot. There was a massive Linux source code leak (all the source code going back to the early 90s) over the winter and hackers have been using it to find exploits.
How do people not get this joke?
Re: (Score:2)
It occurs to me that the people who crap on and on about any story that doesn't fit their personal definition of "tech" are mostly the same ones who aren't getting the tech joke.
It doesn't surprise me much, either.
Re: (Score:2)
Or, they gave the benefit of the doubt, "he wouldn't make a non-joke that stupid and intend it as a joke... right?"
Which gives the speaker more benefit of doubt; that they might actually be so ignorant that there is a surprise in there that would create a funny irony, or that they might have left out some words and they meant to say something better?
If they say they don't get it, it means they're trying really hard to find an interpretation other than that you're an idiot, and they're failing. And they tell
Re: (Score:2)
A lot. There was a massive Linux source code leak (all the source code going back to the early 90s) over the winter and hackers have been using it to find exploits.
By god! A leak of this scale could go all the way to the top, does Linus know about this?
Re: SSDD (Score:1)
Re: SSDD (Score:1)
Re: (Score:2)
The preceding message brought to you by the Slashdot Preview button.
Re: (Score:2)
Remote exploits are the real problem though. This is not a remote exploit.
Re: (Score:2)
Don't run code helps.
Another is: don't allow users. A privilege escalation relies on there being privileges to escalate. Services require privileges in order to start, but why should they keep them?
Actually, if you have systemd it might not be true that services have to have privileges to start, you might be able to give them sanitized I/O pipes and they never even open a filehandle. At least, in the future.
How do I actually "upgrade" my Linux. (Score:2)
Sorry if this is a dumb question but I'm pretty sure there's a lot of people with the same question.
I'm comfortable with apt-get but that's just upgrading all the softwares other than the operating system. How do I actually upgrade my OS?
My usage pattern tends to be, do a clean install of linux, install all the packages I need, edit the configuration files as I need them. Then use it till I buy a new computer only upgrading the installed packages. Then I start over. I never have actually pathced my Linu
Re:How do I actually "upgrade" my Linux. (Score:5, Informative)
I'm comfortable with apt-get but that's just upgrading all the softwares other than the operating system. How do I actually upgrade my OS?
My usage pattern tends to be, do a clean install of linux, install all the packages I need, edit the configuration files as I need them. Then use it till I buy a new computer only upgrading the installed packages. Then I start over. I never have actually pathced my Linux or installed an "upgrade". I'm terrified it would break all my packages.
Actually "apt-get upgrade" will also get the latest kernel as well.
The only real difference is that you need to reboot into the new kernel, a step never needed for just upgrading software packages.
That's all you need to do to patch your system against this specific vulnerability.
But if by "OS" you mean "distribution version" instead of "kernel" (IE going from Debian 7 to Debian 8), you first do an "apt-get upgrade" like normal, and afterwards do an "apt-get dist-upgrade"
However you are correct that a dist-upgrade may break software packages, or specifically your custom configuration files.
The reason they call it the "stable" distribution is because any and all upgrades to software will guarantee config file compatibility.
But between two stable major versions, this is not guaranteed. /etc configs, your copy of the "old versions" config will be kept, and may be missing required new lines or have deprecated old lines that will throw an error, thus the program won't run.
The new stable version may come with a significantly newer version of some program, not just the same version as shipped with all security fixes back-ported into it.
Because of that, if you've made any significant changes to a programs
The dist-upgrade process WILL give you an opportunity to deal with it on a manual basis, but it sucks to have to do.
Your options are basically "Keep the old possibly missing things config", or "wipe away my config and install the new versions defaults", or "show me the difference and give me an editor"
As it sounds, none of those are "fun"
BUT there is good news!
If you installed Debian 7, and Debian 8 comes out, you don't need to dist-upgrade at all.
Security fixes and updates will continue to be released for 7 for some time, and you can just keep your working system as is.
So your process of waiting until you get new hardware and doing a new install from scratch is perfectly workable for quite some time after new distro versions come out.
Re: (Score:3)
Yikes, "dist-upgrade" certainly does *not* upgrade you to latest release of a debian based system. As per the apt-get man page:
upgrade
upgrade is used to install the newest versions of all packages
currently installed on the system from the sources enumerated in
Re: (Score:2)
Yikes, "dist-upgrade" certainly does *not* upgrade you to latest release of a debian based system.
Yes and no. No, dist-upgrade will not change your sources.list. Yes, it's needed for release upgrades, and those are why it exists.
Normal updates do not involve package refactoring, but release upgrades often do. The thing that "apt-get upgrade" does not do is remove packages or install new packages. This is normally a good thing, because it reduces the chance that your system may actually lose functionality. But releases change a lot more, and so dist-upgrade is required. The chance of breaking something
Re: (Score:2)
I always use "dist-upgrade" because it actually does what most people would expect "upgrade" to do.
Not really. Most people don't expect upgrade to remove packages or install new packages, which dist-upgrade can do. Most of the time it doesn't (except on rolling release systems), but by using dist-upgrade you are increasing the probability that you'll break something on your system. It's safer to use upgrade. If upgrade reports that changes are being held back, you should investigate why, and then take appropriate action (which may be dist-upgrade).
When I tell the system to upgrade, I expect it to install kernel updates. If you do an "upgrade", you may or may not get kernel updates because they may be considered a new package (for example, 3.16.0-4 vs 3.16.0-5). That's definitely not the functionality I want. The kernel, specifically, was what got me into the habit of using "dist-upgrade" instead of "upgrade". On debian proper, this is less of an issue since the kernel versions don't change often but, on Ubuntu, if you don't use dist-upgrade, you'
Re: How do I actually "upgrade" my Linux. (Score:2)
This being a kernel issue, the kernel package is what gets updated. You use the same apt upgrade command to update linux-image as everything else. You've probably already done so several times without even noticing - aside from the need to reboot afterwards.
Here's the Ubuntu page on the defect, along with instructions if you need them.
https://www.ubuntu.com/usn/usn... [ubuntu.com]
Re: (Score:2)
What you do is install a new version to a new hard drive, then attach the old hard drive and copy over all of your files, then spend the next few days configuring the system as you slowly figure out what packages you were using and install them...
The people who maintain the distro I use suggest the provided Export tool in the package manager for writing a list of all installed packages to a text or XML file, but what do they know?
Re: (Score:2)
That's an extraordinarily bizarre, and totally false, perspective.
I've been upgrading the system I'm typing this message on right now since 1994. First with dselect and/or 'dpkg -iGROEB' and later with apt-get. The ability to do this is a large part of the reason for running an upgradable OS like debian.
In all that time, with hundreds of upgrades performed (thousands if you include al
Re: (Score:2)
Real men use tape. (So do real and virtual women, AFAICT).
Re: (Score:2)
Simple instructions for Slackware can be found here on Paranoid Penguin [paranoidpenguin.net].
Basically:
Re: (Score:2, Informative)
It's not a kernel exploit at all. It's an exploit against distributions vulnerable enough to ship suid binaries compiled without -fstack-check.
Now, there is a kernel patch to partially mitigate the effect of bugs in suid binaries, much like the kernel implements address space layout randomization to mitigate shellcode attacks, but the vulnerability exists in the application binary, not the kernel.
Re: (Score:2)
Yikes, another moron without a clue.
Interesting, makes me wonder (Score:2, Interesting)
Re: Interesting, makes me wonder (Score:2, Interesting)
It's only on specific processor types, which indicates the flaw is in the chips' instruction set and the OS patch is a mitigation.
Re: (Score:2, Interesting)
It's an ABI flaw, not a instruction set flaw.
The real fix would be in the compiler and recompiling all libraries and binaries.
So yes, the kernel fix is "mitigation", because doing the real thing will take much longer.
Re: (Score:1)
The compiler already is fixed, use -fstack-check
It's an option because it costs some performance and therefore you may want to use it only on applications subject to untrusted input.
Re: (Score:2, Informative)
Very interesting that the major flavors (Sys V, BSD, and Linux [which I consider a rewrite of Sys V]) are vulnerable. Sounds like a deep seated logic flaw there. Wonder if other vendor specific ones (IRIX, SunOS, Ultrix, AIX, etc) are vulnerable.
I'm actually still wondering if any of the above except Linux actually are vulnerable.
Only the "threatpost.com" article claims so, and of course the copy/pasted slashdot summary.
But the security researchers quoted in that very article explicitly say they discovered this in Linux, and nothing else.
The CVE issued explicitly says Linux kernels from 3.0 to 4.11.5 as well, no CVEs for other kernels or OSes.
Also the vulnerability in Linux only applies to Intel x86 and amd64 architectures, and it has been proven n
Re: (Score:2)
"The Stack Clash is a vulnerability in the memory management of several operating systems. It affects Linux, OpenBSD, NetBSD, FreeBSD and Solaris, on i386 and amd64. It can be exploited by attackers to corrupt memory and execute arbitrary code."
https://blog.qualys.com/securi... [qualys.com]
Re:Interesting, makes me wonder (Score:5, Informative)
Wonder no more, here's the actual technical description of the problem that includes attacks on non-Linux OSes: https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt [qualys.com].
Slashdot editors: this link should have been in the summary. It's the relevant one to technical users interested in what the attack actually is.
Re: (Score:2)
Re: (Score:2)
I see this as a rehash of the attacks often used in the late 1980s.
It is exactly like scanning IPv6 addresses, the problem is hard but computers can do billions of operations a second now. Throw in human issues and then the search space is much lower. Just like scanning systems trying ..:1::MAC or ..:1::ipv4 or probing the infinite space of SNMP starting with 1.3.6.1.4.1...
This is much harder to do on systems that have hardware stacks (sparc, some mips and others but not x86) since they can never ever run
Re: (Score:2)
requires local access (Score:3)
This exploit still requires local access to a machine, so it's not as bad as people claim. Unless you're giving random people shell access to your server.
Re:requires local access (Score:4, Informative)
You might not be giving random people shell access to your server, but if they've managed to acquire it through some other means (e.g. a compromised acccount or some other form of compromise) this means that they can pretty much be assured of being able to go from there to root until you install the patch. Not as bad as a remote root exploit, but still very nasty and worth the "Patch Now".
Re: (Score:2)
To me privilege separation seems like an area where formal verification could be useful, but so far no one cares enough to really work on it.
Re: (Score:3)
You'd need to start with a very simple permission system. For example, Android has so many complex, overlapping, and confusing permissions that holes are easy to find without any thought at all [acolyer.org]. Basic Unix has a very simple permission system so you could probably work with that, Windows is probably too c
Re: (Score:2)
Two words: "priviledge" and "escalation".
One word: "privilege". A comment: Glaring spelling mistakes make one look stupid and ignorant.
Re: (Score:3)
I think the important thing is that effectively as soon as it was reported, it was fixed and a patch rolled out.
Linux certainly has flaws and vulnerabilities, just like any major OS.
But by and large, they don't get "solved" by hoping no one exploits them. They actually get fixed, more often than not in a timely manner.
Re: (Score:2)
so it's not as bad as people claim
Yes if your computer is your own and you don't do something like provide services for others.
First of all (Score:1)
Re: (Score:2)
It is called Stack Smashing and OpenBSD is NOT vulnerable to it!
CVE-2017-1000372 and CVE-2017-1000373 are mentioned in the advisory? Broad statements without facts are not helpful. Try again.
Re: (Score:2)
I thought stack and heap were mapped to different memory spaces and you could not hop from one to the other - the "same" address would map to different physical memory regions (randomised and non-contiguous in the case of OpenBSD). Logical addresses might appear contiguous, so, theoretically, you could increment (or decrement) a number which is a pointer to Heap and end up in Stack or V
Re: (Score:2)
All I could read seemed to imply this was for Intel and AMD architectures. Do you know if Sparc64 or ARM are susceptible?
The attacks done by Qualys are near to the top of the stack. That is very hard to do on sparc64 as it has a hardware stack. I expect it can be done but it would be a real pain since you would have to attack a deeper level of the stack.
The sparc (and a few other non-x86 cpus) have "Register Windows" for their stack. What happens is the real stack is in static L0 ram just about like the
Re: First of all (Score:2)
If OpenBSD wasn't vulnerable, why did they issue a patch:
https://ftp.openbsd.org/pub/Op... [openbsd.org]
?
This may be a very old bug (Score:1)
What's odd is that I think it got fixed a very long time ago, as in v7 or maybe 4.2BSD. How did it come back and end up in Linux?
It's been a long time, maybe I am remembering incorrectly, but it seems awfully familiar.
Re: (Score:2)
What's odd is that I think it got fixed a very long time ago, as in v7 or maybe 4.2BSD. How did it come back and end up in Linux?
Warning: Asking this question may re-ignite the SCO case.
Red Hat Linux... (Score:3)
Red Hat sent out a notification on Monday. Nice to see the Slashdot editors catching up on the news this weekend.
https://access.redhat.com/security/cve/cve-2017-1000364 [redhat.com]
Re: (Score:3)
They were busy practicing with goop stones all week, just check the headlines. They even threw their backs out trying!
Requires poorly-designed software, basically (Score:5, Informative)
Sifting through the CVE and the write-up:
The kernel places an unmappable guard page just below the process's maximum-alloted stack space. Normally a process gets allocated only as much stack space as it needs. When the process's stack usage grows, the kernel maps additional pages to grow the process's stack space, but will not grow it beyond the maximum alloted stack size. If the process enters an infinite recursion loop, it'll hit the end of the alloted stack space, and the unmappable guard page segfaults the process out of its misery.
The problem appears to be if the process's heap is right next to the stack, with only the guard page separating it from the stack, and a single function call creates a stack frame that exceeds the size of the guard page. This effectively places the stack pointer into the heap. The function call thinks it has allocated its usual, large stack frame, but the stack pointer is in the heap.
At this point, usual code execution will typically make further use of the stack, so it ends up crapping all over the heap.
That's not good, of course. But I would expect the process in question to attempt to access its alleged stack frame before much happens. At this point the process will try to access the guard page, and gets segfaulted. That, at least, is my understanding of the vulnerability.
The overall design involving a guard page to limit the size of the process's stack is a traditional OS design, which is why the general approach affects both Linux and BSDs, here.
For this to be remotely exploitable, the attacker has to arrange for a process to execute a function call that creates a large stack frame so that the stack pointer jumps over the guard page. I would expect common, battle-tested free software that powers the intertubes to be well designed and written by experienced greybeards who fully understand how an operating system works, and the fact that the stack is not an endless resource, that it is quite a limited resource actually; with the resulting code minimizing automatically-scoped object usage on the stack, which should eliminate the vulnerability completely.
I find Red Hat's write-up [redhat.com] somewhat puzzling. They appeared to have taken the tack of addressing the exploit by increasing the size of the guard area to a megabyte, rather than a single page.
That seems to be somewhat inadequate to me, in the brave-new 64-bit world of ours. It seems to me that the permanent fix would be to map the stack into virtual address space that's a terabyte, or two, away from the heap and everything else. Seems to be a no-brainer solution to me, dunno why they didn't do it.
Re: (Score:2)
Re: (Score:2)
I would expect common, battle-tested free software that powers the intertubes to be well designed and written by experienced greybeards who fully understand how an operating system works, and the fact that the stack is not an endless resource, that it is quite a limited resource actually; with the resulting code minimizing automatically-scoped object usage on the stack, which should eliminate the vulnerability completely.
That's the most optimistic thing I've read today.
Re: (Score:1)
I understand this stack mechanism, but where is the privilege escalation?
Re: (Score:2)
Based on our research, we recommend that the affected operating systems:
- Increase the size of the stack guard-page to at least 1MB, and allow system administrators to easily modify this value (for example, grsecurity/PaX introduced /proc/sys/vm/heap_stack_gap in 2010).
This first, short-term solution is cheap, but it can be defeated by a
very large stack-based buffer.
- Recompile all userland code (ld.so, libraries, binaries) with GCC's "-fstack-check" option, which prevents the stack-pointer from moving into another memory region without accessing the stack guard-page (it writes one word to every 4KB page allocated on the stack). This second, long-term solution is expensive, but it cannot be defeated (even if the stack guard-page is only 4KB, one page) -- unless a vulnerability is discovered in the implementation of the stack guard-page or the "-fstack-check" option.
That was one of the recommendations. Finding large stack allocations, in setuid binaries, that don't write to the allocated memory is hard.
Damn (Score:1)
Explination (Score:2)
Re: (Score:2)
Most of the time user space programs will be running on a processor. Each user space program has its own memory space to work from. The processor switches back to the kernel when an interrupt occurs. An interrupt is a signal to the processor that causes it to save some information about the current running program and then jump to an instruction or function based on the interrupt. An interrupt could be an serial device dem
Re: (Score:2)
However the page-fault interrupt doesn't reliably go off in the way the kernel programmers would like. It is possible to access memory that you were not supposed to be able to access with out the interrupt occurring. This unfortunate difference in expectation is what leads to this vulnerability and why it affects multiple OS on i86..
I was on the bus until I got to this paragraph. What do you mean, "page-fault interrupt doesn't reliably go off" in a way that "It is possible to access memory that you were not supposed to be able to access"?
If this were really true, this would exploited every day and no computer would be even a little bit secure.
As I understand it, the "problem", which the guard page tries to mitigate, is that the stack pointer can be made to point to heap space that the process absolutely is supposed to have access to.
If
Re: (Score:2)
That is the point I was trying to make earlier on, but put more elegantly.
This affects Linux Kernels 4.11.5 and Later (Score:1)
this affects Linux Kernel versions 4.11.5 and earlier (the stackguard page was introduced in 2010).
https://nvd.nist.gov/vuln/detail/CVE-2017-1000364/ [nist.gov]
-- kjh
Wait... Build with selinux, and... (Score:3)
it becomes vulnerable?! WTF!
The NSA made selinux. Automatic backdoor!
Does anyone really think that was an accident?
Re: (Score:1)
Does your doctor know you're off your meds?
Android? (Score:2)
Does it affect Android too?
Re: (Score:2)
Re: (Score:1)
That's good news then, we can gain root on our Android devices and remove all those crappy apps bundled with our phones and tablets. Then install and ad-blocker.
What about Darwin? (Score:2)
Are Darwin-based OSes, such as macOS and iOS, affected by this?
And if so, any information as to whether it is being, if has been, patched in those OSes?
Re: (Score:2)
Try coming in her pussy, then going for doggy-style anal. That way you've got plenty of fresh lubricant immediately to, ummm, hand in a convenient container.