Linux: Beep Command Can Be Used to Probe for the Presence of Sensitive Files (bleepingcomputer.com) 109
Catalin Cimpanu, writing for BleepingComputer: A vulnerability in the "beep" package that comes pre-installed with Debian and Ubuntu distros allows an attacker to probe for the presence of files on a computer, even those owned by root users, which are supposed to be secret and inaccessible. The vulnerability, tracked as CVE-2018-0492, has been fixed in recent versions of Debian and Ubuntu (Debian-based OS). At its core, the bug is a race condition in the beep utility that allows the OS to emit a "beep" sound whenever it is deemed necessary. Security researchers have discovered a race condition in the beep package that allows an attacker to elevate his code to root-level access.
bleep (Score:5, Funny)
Re: (Score:2)
Re: (Score:2)
Re: bleep (Score:1)
The second one there seems to fit ...
Re: bleep (Score:1)
Re: (Score:2)
By your standards, the Attorney general must be a tinfoil fucknut too then.
https://www.politico.com/story... [politico.com]
> Jesus fucking Christ you're fucking dumb. It's well known he hates her.
It's also well-known that he hates Trump and in fact anything American, but you Liberal morons just can't handle that because the truth undermines your whole rabid conspiracy rant.
Re: (Score:1)
Re: bleep (Score:1)
Re: (Score:1)
This is the age of unsubstantiated bullshit. Indirect accusations are now more powerful than fact.
Re: (Score:2)
>> Republican lead Congress
Like this, you mean? https://www.politico.com/story/2017/11/13/sessions-special-counsel-clinton-uranium-244867
Re: (Score:1)
> Dude, Hillary lost.
Not according to Hillary and the left, who keep reminding those of us who didn't vote for her that she "won the popular vote", as if that is some sort of consolation prize.
Re: (Score:2)
> Treason doesn't pay.
Unless you're Hillary. The whole Clinton Foundation thing while SoS was a criminal endeavor pay to play, legalized bribery. Funny how the Clinton Foundation donations have all but disappeared now that she and Bill have no chance at power.
And no, I didn't vote for Donald. It is amazing how people are still excusing their candidate because someone else won. Two Criminals, by Two Criminal Organization called political parties. Pretending it would be better under "Not Trump" Hillary is why the country is going
Re: (Score:1)
as if that is some sort of actual thing
FTFY. There ain't no "popular vote" for President in the US.
Re: bleep (Score:1)
Re: (Score:2)
It is perfectly well documented that Hillary has in fact broken the law and has thus far at least, gotten away scot-free with it.
If someone simply pointing out facts equates in your mind to that person having personal failings and insecurities, then it's 100% clear that you only need to look in the mirror to see where the real and significant mental issues actually lie.
beep boop root (Score:1)
Urg... this'll get some flak from the Windows fanboys.
"Linux can be rooted by a command that makes your computer beep? That's fucking idiotic, man..."
Re: (Score:3)
Right? About the only thing worse would be a kernel vulnerability in something silly like fonts [blogspot.com]...
The beep vulnerability makes a lot of sense, actually. Related to this update, I recently learned that the ubiquitous beep used to be driven by reprogramming the system clock [microsoft.com]. Naturally, that kind of hardware access is something that should be a system administrator function, restricted to root on *nix systems. It would make sense, then, that any vulnerability there would likely be a privilege escalation.
Re:beep boop root (Score:4, Informative)
> Right? About the only thing worse would be a kernel vulnerability in something silly like fonts
Windows and Linux have both had font handling vulnerabilities. The difference is that in Windows they were in the kernel, whereas in Linux they were in X11, which ran with root privilege and could open /dev/kmem and directly modify kernel memory.
> The beep vulnerability makes a lot of sense, actually.
No it doesn't. All *NIX operating systems provide standard UNIX file permissions on device nodes and accessing /dev/dsp or the device for the internal speaker to a group is trivial. Most modern *NIX systems provide ACLs, so you can provide finer-grained access. Most modern *NIX systems even provide access control frameworks that let you grant access on a {program, file} pair, rather than, a {user, file} pair, so you could grant access to the device to the beep program running at any user, but not grant any other rights to the program or the user. These vulnerabilities are in no way intrinsic to the beep program, they are related to how the beep program is installed.
Fonts on UNIX (Score:5, Informative)
> The difference is that in Windows they were in the kernel, whereas in Linux they were in X11, which ran with root privilege and could open /dev/kmem and directly modify kernel memory.
Maybe a couple of decades ago.
Since then:
- in some distant past, font rendering on Unix was offloaded to a separate X Font Server [wikipedia.org] that communicates over a socket, and didn't need itself to be root to write to the framebuffer.
- in a more recent past, font rendering was moved out of the X server, and into the client.
> No it doesn't. All *NIX operating systems provide standard UNIX file permissions on device nodes and accessing /dev/dsp or the device for the internal speaker to a group is trivial.
It doesn't use any audio device (no /dev/dsp).
In this case, that's the console/VT or event device (basically beep is good old "\a" bell, but on steroids, i.e.: with ioctl/writes to precisely tune the beep).
That's indeed stupid as there are methods to give access of those to the currently logged-in user (If I'm not mistaken, basically the same work that has been done to run X11 on any non-dinosaur distros)
That's exactly what is abused by some exploits [github.com] (source [sigint.sh]):
- have a symlink point to an event device (the kind that is controlled by writing instead of ioctl)
- start a "beep" command (which will open the symlink for writing as root on each played sound),
- then at the perfect time reroute the symlink
- send a kill signal - the signal handler will try to mute the speaker (by again opening the symlink for writing), but is now writing the parameters in the target file instead of the event device.
Re: (Score:2)
Font h
Re: (Score:2)
Both points there are exactly what I was alluding to... Modern computing is a lot more complicated than it seems. It's amazing how much of technology is hacked together with duct tape and baling wire to make it work, and it's silly for anyone to throw stones in a city full of glass houses.
And rooted from the patch, too (Score:5, Informative)
> "Linux can be rooted by a command that makes your computer beep? That's fucking idiotic, man..."
And the patch [holeybeep.ninja] that supposedly fixes the bug contains this gem :
/dev/null 2018-13-37 13:37:37.000000000 +0100
---
+++ b/beep.c 2018-13-37 13:38:38.000000000 +0100
1337a
1,112d
!id>~/pwn.lol;beep # 13-21 12:53:21.000000000 +0100
.
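Review bot: the body under the "+++ b/beep.c" header is not a unified-diff hunk, since it has no @@ header and no +/- lines. "1337a" and "1,112d" are ed-script commands, the line "!id>~/pwn.lol;beep" that follows them is an ed shell escape, and the closing "." ends the script, so a patch program that accepts ed-style input would run that command instead of changing beep.c. Reject this as submitted and ask for a plain unified diff of beep.c; apply third-party patches only as an unprivileged user in a throwaway build environment. The "2018-13-37" timestamps are not valid dates either, which is a further sign the header was not produced by diff.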
Which is supposed to be an exploit of patch [seclists.org]:
according to that source, patch supports diff written in ed [die.net] scripts (you know, the one editor that is supposed to be the punch line of every "VI vs EMACS" flamewar)
and ed in turn has "! command" to execute commands.
So yes, even the patch fixing the "beep" exploit can be exploited in turn and root the system too (... of any admin careless enough to run the build of the patched package on the bare system instead of inside some container and as a non-root user).
---
Back to beep itself :
- https://sigint.sh/#/holeybeep [sigint.sh] - a good source which analyzes how beep is exploitable (basically signal handler called at the exact wrong time, while performing a switcharoo on symlink target, between the console that gets opened on each beep, and the target file that gets opened when the signal kills the audio)
- https://github.com/johnath/bee... [github.com] upstream audio.
Article is not correct (Score:4, Informative)
Beep is not pre-installed on Debian GNU/Linux.
Re: (Score:3)
It's not pre-installed on Mint either
Re: (Score:2)
Nor on Ubuntu. I can't imagine anybody going out and just getting this package. Is there anything that gets it as a pre-req?
Re: (Score:3)
It's not installed on Debian by default
beep does what you'd expect: it beeps. But unlike printf "\a" beep allows
you to control pitch, duration, and repetitions. Its job is to live inside
shell/perl scripts and allow more granularity than one has otherwise. It is
controlled completely through command
I suppose somebody needs that, not us.
Re: (Score:2)
When I was young the programs were play and rec.
Re: (Score:1)
Or fucking echo Ctrl-V Ctrl-A
Re: (Score:2)
So only those who have ever used computers just to generate music are supposed to be on Slashdot? You might want to go back to eating Tide Pods and snorting condoms back in your basement, kid.
Re: (Score:3)
If you have never written a script to generate music using beep you don't belong on slashdot.
Coding music with beep is like programming BASIC, real men echo to /dev/dsp.
Re: (Score:2)
> real men echo to /dev/dsp
Except for those who noticed that /dev/dsp was deprecated five ages and two aeons ago, and today its emulation is not even functional anymore.
Re: (Score:2)
>> real men echo to /dev/dsp
> Except for those who noticed that /dev/dsp was deprecated five ages and two aeons ago, and today its emulation is not even functional anymore.
You could say the same about beep, deprecated and now only works through emulation. Emulation so complex it has security holes.
Re: (Score:2)
That's not emulation of beeps: you can do that unprivileged as long as you can play regular sound: here's a function named sin, output its results as 16-bit integers and there you go. That beep tool uses real PC honker, needing root to access it without being at console.
Re: (Score:2)
Re: setuid strikes again (Score:2)
Beeping on IBM clones is done by playing with the PIC chip which was quite literally connected to a pin on the processor. It requires rather low level access to program. You could obviously write a shim in modern kernels to user space but there are a lot of things that have direct access to hardware.
So (Score:3)
Forget this comes from Bleeping Computer (Score:2)
The real pun to this vulnerability is the fact it is a race condition in the "beep" package [thelicenseplatesite.com].
Beep! Beep!
I find it ironic... (Score:5, Insightful)
... that a command that probably started life as putchar('\007'); could morph into some monster needing to spawn threads and have race conditions.
Re: (Score:3)
Re:I find it ironic... (Score:5, Informative)
Your comment tells me that you probably don't understand the "putchar('\007')" reference.
The "bell" command is so primitive that it's a BIOS function. There's no code to write. It's already in there. Even from the DOS 1.0 command line you can type "echo ^G" and it works. (That's the control key plus the letter G, for the younger kids in the crowd)
It should be so simple that regardless of how many layers of code you pile on top, security issues of ANY form should be impossible. But, alas, code bloat and overly complex implementations have brought us to this place. You can't even trust a beep.
Re: (Score:1)
> The "bell" command is so primitive that it's a BIOS function. There's no code to write. It's already in there. Even from the DOS 1.0 command line you can type "echo ^G" and it works.
Actually it is much older than that. The BEL code was in teletype Murray code from 1901, some 80 years before MS-DOS. It requested that the teletype machine ring a bell to alert the operator.
See http://en.wikipedia.org/wiki/Baudot_code
Re: (Score:1)
| oo
| oo
| ooo
| o . |
| oo o.ooo|
| oo
| oo
| o . |
| oo o.o o|
| oooo. o|
| o . |
| oo o.o |
| oo . o|
| ooo
| oo o.oo |
| o o.oo |
| o. o |
___________
Re: (Score:2)
Most modern computers don't even have a BIOS any more. In fact most don't even have a beeper.
Some people were using beep to create delays in scripts. The mind boggles.
Debian Beeping (Score:2)
The one thing that's been driving me nuts since switching to Debian testing (from Fedora) is X using system beeps to alert, even though Pulse is running. I'll have to see if something dragged in 'beep' as a dependency when I get home.
Re: (Score:1)
rmmod pcspkr
FFS (Score:1)
Is this really where we are now? How many decades of computer science and security research and there's a vulnerability in beep?
Pack it up. We're done. Computers were good while they lasted, but maybe our pending cockroach overlords will get this whole computer thing straightened out better than we did.
Missing information (Score:2)
So, when the attacker does this, does it now beep or not?
Re: (Score:3, Funny)
no they would use beep --silent
Re: (Score:1)
Oh, nice (Score:2)
Now you can beep your way to success.
Why setuid root?? (Score:2)
Why the heck would beep need root? I'm guessing in order to access the hardware, but that's what we are supposed to have HALs for?
Millions "affected" (Score:2)
From their website:
"How many people are affected?
Millions! Everyone, almost.
According to the Debian popularity contest, beep is installed on 1.86% of all machines. Extrapolating that by the earth population, we estimate roughly 130 million affected users."
130 million is probably an order of magnitude bigger than all Debian users. That extrapolation is ridiculous. Is this supposed to be a tongue in cheek number?