Bug in latest Linux gives untrusted users root access

A software developer has uncovered a bug in most versions of Linux that could allow untrusted users to gain complete control over the open-source operating system. The null pointer dereference flaw was only fixed in the upcoming 2.6.32 release candidate of the Linux kernel, making virtually all production versions in use at the …

COMMENTS

This topic is closed for new posts.


Thumb Down

Blame

I would imagine it's probably Microsoft's fault.

Linux rocks!!!

0
0
Pint

"I picked it out two weeks before the people whose job it is"

Hurrah for weasel words. Have you considered a job in politics?

Obviously there's hundreds of people doing exactly what he does, most find almost nothing, together they find a fraction of the bugs found by "those whose job it is" (as well as not repairing them).

It's like the incredibly improbable numberplate I have, XY-32-TP --- what's the chance, 1 in 45million!!

0
0
Thumb Down

Security schmekurity

So this is why I never could make Wine work on my Fedora. Linux desktop for the masses my foot. Gimme less security, not more.

0
0
J 3
FAIL

Fail

Wine is not a desktop environment, as many other commentards are likely to have pointed out before me.

0
0
Stop

Ehhh?

"A software developer has uncovered a bug in most versions of Linux that could allow untrusted users to gain complete control over the open-source operating system.

The null pointer dereference flaw was only fixed in the upcoming 2.6.32 release candidate of the Linux kernel, making virtually all production versions in use at the moment vulnerable"

Then....

"The latest bug is mitigated by default on most Linux distributions, thanks to their correct implementation of the mmap_min_addr feature"

Make your minds up!

0
0
Bronze badge

And cue Linux bashing...

...in 3... 2... 1...

Honestly folks, the fact that there's a bug in the Linux Kernel does not surprise me - *any* program big enough to be useful is big enough to have bugs. However, the fact that an *independent* developer was able to find the bug by reviewing the source code is something that could not have happened with either Windows or OSX.

Good, bad? The choice is yours. I personally run Windows XP on my desktop and Ubuntu Linux on my web/mail servers at home - use the tool best suited for the job sort of thing.

0
0
Joke

Linux suxx0rs

OMG ANUTHER bug?!!? ycant thees ppl lrn 2 chk there codes b4 releesig it?1/1 Linux just suxxors!! Linuxs got more holes then swis ches now. y does ppl stil use that gabrage U shuld all switch to a BSD they gots waaaaay more seccurrity and more sable too.

</parody>

Just thought I'd try a parody of the usual post found in Windows security issue comment threads.

0
0
WTF?

Not this guy again

This guy popped up with a fairly obscure but quite cute exploit that is basically a local privilege escalation.

If this was a remotely exploitable vuln, then ok, but really the biggest class of issue is the dumb user running some random file from the web and that is all this amounts to in terms of threat.

While I'm glad he raised and disclosed the bug enabling me to patch my kernels, I think this guy is making a lot of fuss over basically a couple of sloppy lines of code.

In fairness the entire net/socket.c file has a couple of examples of "use before check" bugs,

it wouldn't take more than an hour to fix and for the most part they bomb correctly.

The real issue is being allowed to mmap page 0, which if you can't do then his exploit fails miserably.

Most distro kernels come with mmap_min_addr enabled anyway, if they don't frankly it's not hard to add a line to the /etc/sysctl.conf file like vm.mmap_min_addr=4096

or run "sudo sysctl -w vm.mmap_min_addr=4096" on the command line.

Sure if you're using wine or pulse-audio then there are issues as they need to mmap low addresses but for a lot of people stopping a user from downloading and running untrusted code is more difficult than sandboxing the system and more effective in security terms

And as for slating red-hat, they are on the case, see http://kbase.redhat.com/faq/docs/DOC-18042

Sure There are security issues with Linux but why not write a patch, submit to the LKML and be done with it.

0
0
Linux

Easily fixed

What you really need to know:

http://kbase.redhat.com/faq/docs/DOC-18042.

Or a clear description of the setting:

http://wiki.debian.org/mmap_min_add

Pretty trivial really. Mr Spengler is starting to sound a lot like chicken little.

0
0

Bit of an alarmist headline

All my boxen are fine.

0
0

I'm still laughing

Theo de Raadt, the leader of the OpenBSD OS had this to say about Linux and Torvalds:

If anyone wants a choice quote from me about the recent Linux holes, this is what I have to say:

Linus is too busy thinking about masturbating monkeys, he doesn't have time to care about Linux security.

For the record, this particular problem was resolved in OpenBSD a while back, in 2008. We are not super proud of the solution, but it is what seems best faced with a stupid Intel architectural choice.

However, it seems that everyone else is slowly coming around to the same solution.

0
0
Troll

Ewww

Very nasty indeed.

Luckily for most, Windows® doesn't have that 'feature'.

I have a mate who will already be pissing blood over this - hahaha you hippie, that's what you get for going to uni!

Cupcake anyone, while we watch the Trolls and Fanbois over-react?

0
0
Thumb Down

Worst comment ever

"It's interesting to me that I picked it out two weeks before the people whose job it is to find this sort of stuff,"

What is the point of saying this???? This just proves open source is working. Presumably he is about as likely to find a flaw as anyone else (discounting different levels of smarts). If this was Microsoft and he was finding bugs with fuzzing or what not then he would have a point. The purpose of Linux is to rely on users like himself to find these bugs. Open source is working, move along.

0
0
Anonymous Coward

Ha

Some say that *BSD is for those who love Unix and Linux is for those who hate Windows. Might also add to the linux side, "doesn't give a shit about security"

Who has time to worry about root exploits when sodding Word 2007 runs?!?

http://marc.info/?l=openbsd-misc&m=125729287502801&w=2

0
0

Upgrades can be slow on the ground

For many commercial customers, upgrading immediately to the latest bug fix releases of the kernel is not a realistic option. For example if you use OCFS2 you might have to wait a little while for them to update their kernel modules. Or if you're an HP customer and use their Proliant Support Pack with their updated drivers you also have to wait for a version to be released that supports the kernel you want to move to. Typically this happens about every 3 months and they will always lag behind the very latest kernels because kernel releases are a moving target and HP have to stop at some point to QA before they do a release.

I can't speak for IBM or Dell as I don't have any experience with those vendors. Would be interested to hear from anyone who does.

0
0
Linux

OMG!

Linux behaving like Windwoes?

0
0
Grenade

if only

they had written the kernel in ADA instead of that half-arsed 'c' language

0
0
Silver badge

Spengler cries wolf again

As root type "sysctl vm.mmap_min_addr". If the result is 4096, the problem has been dealt with. If it is 0, read the man page for "sysctl.conf".

WINE is for running Windows programs on a Linux box, but it has limitations. Last time I read about it, WINE was unable to install or run Windows malware correctly.

Closed source drivers can cause some hassle (none in this case). If some kit provides so much benefit for you that it is worth the hassle, ask the supplier to provide a minimal open source wrapper around a binary blob like nVidia have for years.

0
0
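The "Not this guy again" post and the "Spengler cries wolf again" post above both describe the same check: read vm.mmap_min_addr and treat 4096 or more as protected (Fedora 10 and CentOS 5.3 are reported later in the thread to ship 65536). The script below is an added example, not code from the thread or from any distribution; it assumes a Linux-style sysctl file at /proc/sys/vm/mmap_min_addr, and the optional path argument, the MMAP_CHECK_LIVE variable and the sample_file helper are my own additions so the check can be exercised against constructed files.

```shell
#!/bin/sh
# Added example: report whether vm.mmap_min_addr stops an unprivileged
# process from mapping page 0, which is the condition the exploit needs.

# Threshold from the thread: one page (4096) is enough; some distributions
# ship 65536.
MIN_SAFE=4096

# check_mmap_min_addr [FILE]
# FILE defaults to the live sysctl file; a path argument lets the check run
# against a constructed sample. Exit status: 0 = low mappings blocked,
# 1 = page 0 can be mapped, 2 = setting unavailable or unreadable.
check_mmap_min_addr() {
    file="${1:-/proc/sys/vm/mmap_min_addr}"
    if [ ! -r "$file" ]; then
        echo "vm.mmap_min_addr: not available ($file)" >&2
        return 2
    fi
    value=$(tr -d '[:space:]' < "$file")
    case "$value" in
        ''|*[!0-9]*)
            echo "vm.mmap_min_addr: unreadable value '$value'" >&2
            return 2 ;;
    esac
    if [ "$value" -ge "$MIN_SAFE" ]; then
        echo "vm.mmap_min_addr=$value: low mappings blocked"
        return 0
    fi
    echo "vm.mmap_min_addr=$value: page 0 can be mapped; add vm.mmap_min_addr=$MIN_SAFE to /etc/sysctl.conf or run 'sysctl -w vm.mmap_min_addr=$MIN_SAFE' as root" >&2
    return 1
}

# sample_file VALUE
# Writes VALUE to a temporary file (a constructed stand-in for the sysctl
# file) and prints the path, so the check can be demonstrated offline.
sample_file() {
    f=$(mktemp) || return 2
    printf '%s\n' "$1" > "$f"
    printf '%s\n' "$f"
}

# Run the live check only when explicitly asked, e.g.
#   MMAP_CHECK_LIVE=1 sh mmap_check.sh
if [ "${MMAP_CHECK_LIVE:-0}" = 1 ]; then
    check_mmap_min_addr
fi
```

The function distinguishes "the setting is 0" from "the file is missing" because the second case (an older kernel, or a non-Linux system) needs a different answer than simply editing sysctl.conf.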
Silver badge
Thumb Down

Latest Linux? Or just old Red Hat?

Your headline is more than misleading: the latest -and not-so-latest- Linux is indeed fully patched, only Red Hat left a hole in there, which is actually not even there anymore in their "latest" (as you put it) release. So "Bug in latest Linux gives untrusted users root access" actually reads "Hack in old RHEL gives users root access". And even so, coming from the guy who discovered that a person running programs as root can get root access (Shock! Horror!), I have my doubts.

0
0
Grenade

@ NOC

indeed, this could not happen to windows and os X.

no source to look at

lmho

rg

0
0

OMG, you Linux boys

Head..................Sand

0
0
Bronze badge
Linux

Really seems to be MS compatibility hitting you

From article: "or desktop environments such as Wine."

Wine is not a desktop environment, but a Windows emulator. It needs a Windows-compatible insecure memory layout. There are also some "ported" programs that use a bundled version of Wine underneath. True Linux programs (including Linux desktop environments like Gnome) don't care about the mmap_min_addr setting. So this is a case of getting insecurity for catering to Windows-originated software.

0
0

Schmekurity economics

Security features do not happy end users make - as nicely demonstrated by AC@22:00, and the comments about redhat breaking the feature on purpose. End users are made happy by more features, which require more development effort, which requires lower barriers to entry.

If you're playing market catchup (as Linux is on the desktop) then this may mean loosening things up to make emulations, wrappers and crude ports work. I must presume that the sco binary wrappers that eased Linux server uptake 10 years ago had some similar requirements.

The other area for lowering barriers for entry is making things easier for developers. This was a major part of how Microsoft won PC/Mac round 1 in the 80s. I'd be surprised if this wasn't also part of the RHEL decision. Easier for developers means allowing them to be a bit sloppier, or making them jump through fewer hoops to achieve a goal that would be hugely painful to reach correctly (pulseaudio seems to fit into this bucket).

I think that the Linux kernel team have made some better tradeoffs in this regard than the Windows team, with de Raadt and company just refusing to play. It's a factor in the fight for desktop marketshare, and unfortunately it's not in Linux's favour.

0
0
Bronze badge
Headmaster

Improbable

@By Marvin the Martian Posted Tuesday 3rd November 2009 21:16 GMT

It's like the incredibly improbable numberplate I have, XY-32-TP --- what's the chance, 1 in 45million!!

=========================

What's the formal name for this logical fallacy ? I've heard it referred to as "The Golf Course Fallacy", as in 'what's so special about the blade of grass my ball landed on', but I don't think that is correct.

The quest to know what I'm talking about has been downsized to an epic scavenger hunt ... could you help me out ?

0
0
Silver badge

@David 141 - URL Typo

The correct URL is http://wiki.debian.org/mmap_min_addr

0
0
Linux

Fedora is OK, apparently

> "As root type "sysctl vm.mmap_min_addr". If the result is 4096, the problem has been dealt with. If it is 0, read the man page for "sysctl.conf"."

On Fedora 10, with no sysctl tweaks at all, I get a result of 65536. Everything works too, including pulseaudio.

0
0
Linux

CentOS is OK, too, apparently

Me again ...

Running "sysctl vm.mmap_min_addr" on a default CentOS 5.3 install gave the same result as Fedora 10 (i.e. 65536).

0
0

local exploit?

Did I read right? This is a local exploit. Therefore the hacker needs to be actually at your computer? In that case not too big an issue.

0
0
Boffin

memmap & root

There's your problems right there, design faults.

0
0
Grenade

Get a life

OMG even when the article is purely Linux related the geeks can't help but bring Windows into it. You people should get a life..........

0
1
Linux

This is a surprise

The Reg seems to be going overboard with its balance of views regarding Windows vs Linux this week.

This is good as it gives more cred to the good stuff.

Also good to note that it seems only RHEL due to the other Distro's correct implementation of the mmap_min_addr feature and that the bug has already been fixed in the latest upcoming 2.6.32 kernel.

I wonder how long it would have taken Apple or MSFT to fix something like this.

0
0
FAIL

Redhat oopsie

oooh, the one with the most enterprise grade solutions in FTSE organisations too...

egg....face...interaction.

As a side note... I thought LINUX was superior in every way, was completely secure and would *never* be victim of the same mistakes/bugs that befall Windows or OS X?

My linux is certainly 100% secure...I can't get the damned thing to run X, so a permanent "power off" state is in effect. Formatting with Win2k8 will be a lot less painful than a descent into CLI hell trying to get display drivers to work in LINUX.

0
0
Anonymous Coward

Re: I'm still laughing

"Theo de Raadt, the leader of the OpenBSD OS had this to say about Linux and Torvalds:"

Ah yes, OpenBSD, the project that gave us OpenSSH and its remotely-exploitable root exploit.

Of course bugs are discovered in software. But when that happened, you might have expected the openssh.com website to have a big red warning saying there was a critical problem and telling people to upgrade urgently. Did they? Nope. The announcement is buried in the smallprint at http://www.openssh.com/security.html in weaselly negative-speak:

"OpenSSH 2.3.0 and newer are not vulnerable to the "Feb 8, 2001: SSH-1 Daemon CRC32 Compensation Attack Detector Vulnerability", RAZOR Bindview Advisory CAN-2001-0144. A buffer overflow in the CRC32 compensation attack detector can lead to remote root access. This problem has been fixed in OpenSSH 2.3.0. However, versions prior to 2.3.0 are vulnerable."

0
0
Flame

Meh

A small issue. Noone is going to bother writing a virus that targets Linux anyway.

0
0

@Anonymous Coward

Most of Mac OS is opensource including the kernel you can download it and look though it all you want.

0
0
Bronze badge

Job?

He spends his free time looking for minor security holes in the Linux kernel does he? Either he's hoping some security firm will give him a job or he's already being paid by somebody to do it.

Whinging about developers not finding the bugs won't help his case much when many of those developers give their time for free and contribute much more than he does, by actually coding. His hobby, it appears, is floccinaucinihilipilification. Finding a couple of minor holes hardly justifies all the crowing he's doing. From the way he's gobbing off you'd think he'd single-handedly fixed several major holes, whereas all he's done is discovered a couple of minor ones.

Time, I think, that he got himself a sense of perspective - a little lesson of "world big, you tiny" is required.

0
0
Boffin

@Neoc - Windows open to black hats

"However, the fact that an *independent* developer was able to find the bug by reviewing the source code is something that could not have happened with either Windows or OSX."

Not the case. OSX is open source except for desktop cosmetics. One of my work colleagues put a Windows source CD on my desk, made available under Microsoft's "Shared Source" program. I haven't read it, because I don't want Microsoft suing me for copyright or patent infringement if I contribute anything they consider similar to an open source program. To sell Windows to government and security sensitive environments, MS wouldn't make these sales without disclosing source. So Windows users are not protected from code review because of Microsoft's inability to keep source code in house.

This gets worse, because black hats who have no intention of contributing to open source have access to Windows source code and white hats, who also technically have access, for reasons given above are unlikely to want to read it unless paid by employers with very large security budgets specifically to do so.

0
0

This post has been deleted by a moderator

Grenade

The Solution

The world needs a new OS.

Not a new version of Windows, MacOS, Linux, Unix, OpenVMS, OS400, zOS, or anything else.

It needs a new OS built from the ground up to be fundamentally secure. Written from scratch, without worrying about end features and groovy interfaces. Start with the very basics and build it up. If everything at lower levels is secure, there's no reason everything added can't be secure

Why not? Expensive.

And I bet it still has bugs and holes!

0
0
Silver badge

Already patched?

I fully expected the issue to be patched by the time I finished reading the article, but it turns out it was patched before I even read the headline.

You'll forgive me if I don't panic.

0
0
Linux

It's been mentioned before, but it's worth re-iterating

What most of the people bouncing up and down and pointing "you're insecure" fingers at Linux fail to realise is the nature of this exploit.

It's a local root exploit: that is you have to be running code on the machine in order to take advantage of the problem.

How do you do that? Well, you persuade someone to download and run some malware on the machine. Good luck with that, it's not impossible but I'm sure you'll find some gullible idiot somewhere on the net. On the other hand, that gullible idiot is likely to fall for more overt trickery (eg don't use two-factor authentication, it's not secure because you don't need a password).

Server admins aren't in any particular hurry to patch local root exploits because the unwashed masses aren't allowed anywhere near the machine ....

0
0
Gold badge
Troll

@Pete 8

"Cupcake anyone, while we watch the Trolls and Fanbois over-react?"

Thank you, don't mind if I do.

Mmmmm. Cake....

0
0
Anonymous Coward

linux fanboys in predictable response shocker

You Linux fanboys make me laugh. Well, you would if you weren't so sad.

You forever moan about windows running in admin mode, yet when it comes to linux you write:

"Did I read right? This is a local exploit. Therefore the hacker needs to be actually at your computer? In that case not too big an issue."

You laugh whenever there is a windows exploit, yet when it comes to Linux, you write:

"Honestly folks, the fact that there's a bug in the Linux Kernel does not surprise me - *any* program big enough to be useful is big enough to have bugs."

This is why people in the real world don't take you seriously.

Anyway, is Linux still alive? I thought everyone moved to BSD a long time ago....

0
0
FAIL

Blinkered.

I love the LINUX fanbois' response to LINUX problems like this. Rational, reasonable, stating sensible facts, and mitigations thereof.

The very same people who scream like little girls about Microsoft doing anything similar, as if the greatest offence in the history of mankind had been committed and is completely unforgivable.

Software development is one of the most complex tasks mankind has ever undertaken, there will always be vulnerabilities in code, stop being arses thinking your precious little hobbyist operating systems are any different.

Blinkered, idiotic losers. You really are.

0
0
Gold badge

@Gannon (J.) Dick

"What's the formal name for this logical fallacy ? I've heard it referred to as "The Golf Course Fallacy", as in 'what's so special about the blade of grass my ball landed on', but I don't think that is correct."

I don't think it is any of the accepted "logical fallacies". I usually call it a "selection effect" (and wikipedia calls it a "selection bias"). I suppose it might be a "post hoc ergo propter hoc" thing, but it really ought to have a name, suitably dripping in ridicule, because it happens far too often IMHO. How about "placing your bet after the end of the race"?

0
0
Pint

@The Solution

Secure OS? Well, it would work with just a secure kernel, really, as long as modules like drivers run in a less-privileged layer and there are sufficient monitoring functions in said secure kernel.

Aussi boffins are already on the way to doing that:

http://www.theregister.co.uk/2009/08/17/secure_kernel/

0
0
Joke

Local user exploit - no longer exploitable

..and now for the weather

A storm that has been brewing for several months has now broken over a small teacup in a shed in finland..................

0
0
Boffin

Why Linux fanbois are right

"You forever moan about windows running in admin mode, yet when it comes to linux you write:

Did I read right? This is a local exploit. Therefore the hacker needs to be actually at your computer? In that case not too big an issue.

The reason they say that is because of the extra difficulty to remotely exploit Linux when compared to Microsoft operating systems. See Metasploit.org for details.

0
0

Attention whore

Of course, Spengler is nothing more than an attention whore.

Why else would someone take an issue with the NSA (you know, the MAKERS of SELinux), to the kernel developers?

0
0
Jobs Horns

When will Reg disable Anonymous comments?

They rarely contribute anything of worth.

0
0
