Linux kernel purged of five-year-old root access bug

The Linux kernel has finally been purged of a privilege-escalation vulnerability that for at least half a decade allowed untrusted local users to gain unfettered rights to the operating system's most secure locations. Maintainers of the central Linux component issued a patch last week that killed the bug, which allowed …

COMMENTS

This topic is closed for new posts.


  1. Otto von Humpenstumpf
    Troll

    If this had happened to Windows

    the Linux fanbois would've ripped Microsoft a new one by now for letting a bug like this lie for over 5 years. Only thing I can hear so far, though, is the deafening silence.

    Where's the horned penguin icon when you need it?

    1. Daniel 1

      RE: Only thing I can hear so far, though, is the deafening silence.

      This is because you appear to have waited about fifteen nanoseconds before posting your turd-like drivel.

      Thanks for sharing. Now please flush.

    2. JEDIDIAH
      Linux

      Conflating bugs with actual malware.

      > the Linux fanbois would've ripped Microsoft a new one by now...

      The Linux Zealots would never have noticed what with all of the real exploits and trojans and worms out there in the wild causing havoc and bringing the internet down and whatnot.

      With Windows, there's plenty of low hanging fruit.

  2. Anonymous Coward
    Grenade

    Crickets, Are Those Crickets I Hear?

    If this had been a five-year unfixed Windows flaw, the regulars of the Reg crowd would have gone nuts...

    Have there ever been any local privilege escalation vulnerabilities in Windows that have gone unpatched for five years after their disclosure? EVER? I'm not sure what the answer is, but probably not.

    1. K. Adams
      Boffin

      Unpatched for 5 Years? How About 17?

      Sensationalised article here:

      -- Neolithic Windows security hole alive and well in Windows 7

      -- http://www.itworld.com/security/93442/neolithic-windows-security-hole-alive-and-well-windows-7

      Well-written technical write-up here:

      -- [Full-disclosure] Microsoft Windows NT #GP Trap Handler Allows Users to Switch Kernel Stack

      -- http://archives.neohapsis.com/archives/fulldisclosure/2010-01/0346.html

      Last I checked, 17 > 5...

      Be that as it may, pride has oft been the downfall of many an OS/kernel developer. Even Linus himself has been called out on occasion:

      -- "That does not look like a kernel problem to me at all," Linus Torvalds is quoted as saying in an email message. "He's running a setuid program that allows the user to specify its own modules. And then you people are surprised he gets local root?"

      -- Excerpted From: On Bugs, Viruses, Malware and Linux

      -- http://www.linuxinsider.com/story/67818.html?wlc=1282255849

      No operating system is perfectly secure. In fact, I would venture to say that anything more complicated than an 8080/8085 executing:

      -- 0100 NOP

      -- 0101 JMP 0100

      is probably in some way "insecure."

      1. Anonymous Coward
        Anonymous Coward

        Unpatched for 5 Years? How About 17?

        But how many years after the *disclosure* of the vulnerability? Whether Linux or Windows, the issue is not how many years the problem lay hidden in waiting, but how quickly an update is released after the world becomes aware of it.

        Here was an 8-year-old Linux vulnerability, at the time, but it was quickly patched:

        http://archives.neohapsis.com/archives/fulldisclosure/2009-08/0174.html

        But it is still 17 > 8

        What was the oldest outstanding vulnerability ever discovered? Was it in Windows, Linux, or something else? Probably the ENIAC.

        1. Trib

          17 vs 5

          17 years might be the Windows NT DOSBox bug, but it wasn't known about for 16.9 of those years. I would guess that the .LNK bug is also about 17 years old and fixed within a few weeks.

          It sounds like this Linux bug was found 5 years ago and known about for 5 years as well.

          Which is worse? Does it even matter?

          1. kirovs

            You are missing the point

            You have to be local to exploit. Not so with most Windows bugs. This is a HUGE difference.

        2. IvyKing
          Boffin

          Oldest vulnerability? BSD yacc

          The OpenBSD group discovered a vulnerability in the BSD version of yacc that dated back to 1975 - coincidentally the same time I was at Cal...

          IIRC, the OpenBSD devs found the problem when the Sparc64 port of yacc was dumping core. I would guess that porting software to different architectures uncovers more bugs than the "many eyeballs" approach.

          1. PuffyBSD
            Boffin

            OpenBSD's security is epic

            *note I made a mistake in my first reply to this message in that I said the xf86 aperture driver was only for the x86 platform so I'm reposting this with the correct info* :

            "One important aspect the attack demonstrates, is how difficult it is to bring security to a desktop platform, where one of the biggest challenges is to let applications talk to the GUI layer (e.g., X server in case of Linux), which usually involves a very fat GUI protocol (think X protocol, or Win32 GUI API) and a very complex GUI server, but at the same time keep things secure," -- Joanna Rutkowska, a fellow security researcher at Invisible Things Lab blogged.

            OpenBSD has achieved the so-called 'difficult': a secure implementation of GUI X functions, server and client. It achieved this two ways. It uses, for instance, a thoroughly audited xf86 kernel aperture driver (that doesn't even run at security level 0; OpenBSD has various runtime security levels) for xenocara. Xenocara is OpenBSD's implementation of Xorg. The reason why OpenBSD uses its own forked version of Xorg is because Theo De Raadt has long known that stock Xorg is insecure (some platforms worse than others, e.g. x86). Xenocara is OpenBSD's secure version of Xorg. So that is why OpenBSD is not vulnerable to such a security bug and Linux is. OpenBSD's security is epic and this is just one small example of why.

            http://xenocara.org/

            http://www.openbsd.org/cgi-bin/man.c...86&format=html

          2. PuffyBSD
            Black Helicopters

            OpenBSD is totally immune from this type of bug in the article

            A quote from the above article :

            "One important aspect the attack demonstrates, is how difficult it is to bring security to a desktop platform, where one of the biggest challenges is to let applications talk to the GUI layer (e.g., X server in case of Linux), which usually involves a very fat GUI protocol (think X protocol, or Win32 GUI API) and a very complex GUI server, but at the same time keep things secure," -- Joanna Rutkowska, a fellow security researcher at Invisible Things Lab blogged.

            OpenBSD has achieved the so-called 'difficult': a secure implementation of GUI X functions, server and client. It achieved this two ways. It uses, for instance, a thoroughly audited aperture driver, e.g. the xf86 kernel aperture driver (this specific driver is for the x86 platform), that doesn't even run at security level 0 (OpenBSD has various runtime security levels), for xenocara. Xenocara is OpenBSD's implementation of Xorg. The reason why OpenBSD uses its own forked version of Xorg is because Theo De Raadt has long known that stock Xorg is insecure (some platforms worse than others, e.g. x86). Xenocara is OpenBSD's secure version of Xorg. So that is why OpenBSD is not vulnerable to such a security bug and Linux is. OpenBSD's security is epic and this is just one small example of why.

            http://xenocara.org/

            http://www.openbsd.org/cgi-bin/man.c...86&format=html

        3. Anonymous Coward
          FAIL

          Well...

          ...you'd have problems having a 17 year old bug on a 16 year old os such as Linux, wouldn't you?

          1. Robert Sneddon
            FAIL

            Pre-natal whoopsies

            As I recall Linux was derived from previous strains of Unix and included uncorrected bugs from its predecessors. There was one such bug that was finally spotted a couple of years ago that had been in the Unix kernel code since the 80s, a 32-bit multiply routine which returned a 32-bit result, not a 64-bit value as it should have. This bug was in the Linux kernel from day one and stayed there until recently.

            So yes, Virginia a 16-year-old OS CAN have a 25-year-old bug.

            1. paulc
              Thumb Down

              complete utter bollox...

              "As I recall Linux was derived from previous strains of Unix and included uncorrected bugs from its predecessors."

              ^^^ Totally false... ^^^ as well as the rest of your gibberish...

            2. Nightkiller
              FAIL

              So how come....

              None of you guys reported this to SCO?

      2. proto-robbie
        Headmaster

        with...

        ...interrupts disabled, of course.

  3. Daniel 1

    That begs the question why such a fix was never incorporated in the kernel.

    Well, I suppose, but if you have local access to the machine, you can lean over and hit the power button on the front, reboot with only a bash shell as your kernel, remount the filesystem input/output, and reset the root password. That's how you recover a root account on a machine that someone has lost the root account on.

    In fact, thinking about it, if you had physical access to the machine, and wanted to cause it harm, you could just hit it with a big axe.

    1. K. Adams
      Black Helicopters

      LFDE/2FA

      > ...you can lean over and hit the power button on the front, reboot with only a bash shell as your kernel, remount the filesystem input/output, and reset the root password.

      Ummm... Not quite. The "bash shell" is not a kernel; it does not provide access to any core, system-level functionality on its own. It requires at least a very minimal kernel to be loaded and running first, before it can do its thing.

      > In fact, thinking about it, if you had physical access to the machine, and wanted to cause it harm, you could just hit it with a big axe.

      Probably. Unfortunately, most people who would go through the trouble of obtaining physical access to the machine would probably find it to be a much more valuable item in working condition.

      But yes, in principle, the kind of attack you describe will work, provided the mass storage device(s) used by the target machine isn't (aren't) encrypted.

      However, a hardware keystroke logger interposed between the target machine's keyboard and the machine itself can easily help you get around the encryption issue.

      Which is why I recommend that anyone who uses the latest Ubuntu-flavoured versions of GNU/Linux follow the instructions presented here:

      -- Ubuntu Lucid Lynx 10.04 Full Disk Encryption with USB Key Authentication

      -- http://lfde.org/wiki/index.php/Ubuntu_Lucid_Lynx_10.04_Full_Disk_Encryption_with_USB_Key_Authentication

      ... especially for laptop users (no warranties expressed or implied, and I didn't write the article at the link provided above), and periodically check your keyboards/mice to make sure they aren't being sniffed in some way.

      1. Gary Turner

        single user

        >> ...you can lean over and hit the power button on the front, reboot with only a bash shell as your kernel, remount the filesystem input/output, and reset the root password.

        >Ummm... Not quite. The "bash shell" is not a kernel; it does not provide access to any core, system-level functionality on its own. It requires at least a very minimal kernel to be loaded and running first, before it can do its thing.

        Ah, but you select to boot into single user mode, in which you are in a terminal and Bash as root. From there, do as you wish; the machine is yours. The poster you quote may not have worded it well, myself either for that matter, but the effect is the same.

        1. Anonymous Coward
          Anonymous Coward

          @Gary Turner

          "you select to boot into single user mode"

          RUBBISH!

    2. Anonymous Coward
      Anonymous Coward

      Ahh yes, but...

      If it's a case of simply needing to run a malicious X program, then presumably it could be done remotely over ssh -X for example. I still think it's nowhere near as dangerous as letting a miscreant rdesktop into a Windows box, no matter what their privileges.

      1. David 141
        Linux

        x-servers run on clients

        "If it's a case of simply needing to run a malicious X program, then presumably it could be done remotely over ssh -X for example."

        The reason it works is that the X-server needs access to hardware (video memory) that most processes don't. You can root the X-server - which will grant access to the same machine as the X-server, i.e. the machine behind your screen.

        This won't help you gain access to the remote machine running the x programs. X-servers run on client machines, not on remote servers.

      2. kirovs

        WHAT????

        And how do you login to this machine dear?

      3. JEDIDIAH
        Linux

        The Subtleties of X

        > If it's a case of simply needing to run a malicious X program, then presumably
        > it could be done remotely over ssh -X for example.

        Nope. The X server runs on the local machine. No GUI of any sort needs to be running on a server if you are running an X application on it remotely. The part of X that needs to do root level bit-banging and would cause the problem is going to be running on the machine that is the "terminal".

    3. Timothy Bogart

      Thank you for saving me the trouble

      Yeah, geez, requires local access to machine. And the Windows wankers still don't even understand the glory of NT gaining its acceptance into US gov procurement circles by passing the security tests for a server - by not being hooked to a network.

      Once again proving the evolutionary advantage of having the palm of your hand the exact size of your forehead ....

      1. Anonymous Coward
        Flame

        Obligatory flame for penguin fanbois

        *****Local access is not the same as physical access.*****

        There is no requirement on location for local access. A local user is simply a user with an account that is local to the machine in question. This is contrasted with a user that does not have shell access to the machine, such as a person viewing webpages on the machine. Alternatively, a local user can be compared to administrator or root access, which have access to sensitive portions of the system. Local users can usually run many programs and are the standard user type on the majority of secured systems.

        If an individual does not have local user access, then it can often be obtained by exploiting an unrelated vulnerability in the system that gives the individual access to a shell prompt. Then a privileges-elevation exploit of this type can be used to gain full root access to the system without ever setting foot near it.

        Pedantic note: a local user is more properly compared with a domain user. However, the primary difference between the two is only in where the account is viable and not in the privileges assigned to the account.

        1. kirovs

          Please do share

          The unrelated vulnerability. Pls do!

  4. David Martin
    WTF?

    Interesting but so what?

    They reported it to Linus and co mid-June, kept quiet and waited for it to be fixed in the kernel, then published their paper. It's only sensible to have fixed it but no need to panic. You have to remember that in Linux, you can't download a dodgy executable from the internet (or attached to an email) and run it by double clicking it (or just opening the email, or following the link). Nobody using Linux installs dodgy software either because they don't need to - it's all free and open source, from a trusted source (the package manager). This is why "exploits" such as this don't get exploited in Linux.

    1. Anonymous Coward
      Flame

      Reply to post: Interesting but so what?

      "Nobody using Linux installs dodgy software either because they don't need to - it's all free and open source, from a trusted source (the package manager). "

      Nice to see that even the Linux fanbois don't believe in commercial software on their penguin infected boxes. And here I thought they were interested in having commercial games and specialized high-end software suites running on Linux.

      "This is why "exploits" such as this don't get exploited in Linux."

      I'm glad you've been lucky enough to never have your computer hacked. I've had the "fun" of cleaning up after a Linux fanboi who couldn't be bothered to patch or check the logs on the server he was in charge of. Privilege-escalation exploits are usually pretty useless on their own, but they can be used once a hacker has shell access courtesy of another exploit. The one I had to clean up was the victim of a copy-pasta privilege-escalation hack from a readily available website. The script kiddie probably got shell access through a brute force ssh attack, but might've attacked another publicly available service instead.

      Privilege-escalation exploits are only harmless if you can say unequivocally that no one can get access to the machine, even an authorized user.
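The chain the poster describes (a brute-forced SSH login, then a local root exploit, on a box whose logs nobody read) is exactly what a log check would have surfaced. As an added example, not code from this thread or from any poster, here is a small detector that counts failed SSH password attempts per source address and flags any source that then logs in successfully. The auth.log-style lines, host name, addresses and the threshold are all constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the classic /var/log/auth.log layout (not real data)
SAMPLE_AUTH_LOG = """\
Aug 18 02:11:01 host sshd[2311]: Failed password for invalid user admin from 198.51.100.23 port 41022 ssh2
Aug 18 02:11:03 host sshd[2313]: Failed password for invalid user oracle from 198.51.100.23 port 41030 ssh2
Aug 18 02:11:05 host sshd[2315]: Failed password for root from 198.51.100.23 port 41038 ssh2
Aug 18 02:11:07 host sshd[2317]: Failed password for root from 198.51.100.23 port 41044 ssh2
Aug 18 02:11:09 host sshd[2319]: Failed password for root from 198.51.100.23 port 41050 ssh2
Aug 18 02:11:12 host sshd[2321]: Accepted password for root from 198.51.100.23 port 41056 ssh2
Aug 18 02:30:44 host sshd[2402]: Failed password for alice from 203.0.113.7 port 50211 ssh2
Aug 18 02:30:50 host sshd[2404]: Accepted publickey for alice from 203.0.113.7 port 50214 ssh2
"""

# "invalid user" appears when the account does not exist at all
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port")


def analyse_auth_log(text, threshold=5):
    """Summarise sshd lines: sources with >= threshold failures, the account
    names each of them tried, and any successful login from such a source."""
    failures = Counter()
    users_tried = defaultdict(set)
    accepted = []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, ip = m.groups()
            failures[ip] += 1
            users_tried[ip].add(user)
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            method, user, ip = m.groups()
            accepted.append((ip, user, method))
    suspects = {ip for ip, n in failures.items() if n >= threshold}
    # A success from a source that was guessing passwords is the finding to act on first:
    # that session is where a local privilege-escalation exploit would be run next
    compromised = [(ip, user) for ip, user, method in accepted if ip in suspects]
    return {
        "brute_force_sources": sorted(suspects),
        "users_tried": {ip: sorted(users_tried[ip]) for ip in suspects},
        "successful_after_brute_force": compromised,
    }


if __name__ == "__main__":
    report = analyse_auth_log(SAMPLE_AUTH_LOG)
    for ip in report["brute_force_sources"]:
        print(f"{ip}: brute force, tried {report['users_tried'][ip]}")
    for ip, user in report["successful_after_brute_force"]:
        print(f"ALERT: {ip} logged in as {user} after brute forcing")
```

On a real host you would feed it the contents of the auth log (or journalctl output) and alert on the last list; the poster's incident would have shown up as a successful login from a source that had just failed repeatedly.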

      1. Anonymous Coward
        Pint

        Mmmmm, copy-pasta

        ctrl-v ermicelli for me

      2. Martin Owens
        FAIL

        Er

        Linux is a commercial bit of software, just because it's open source doesn't make it a charity or a governmental institution. Or perhaps you think open source is some sort of hobby?

        Commercial == You're paid to write code

        Free and Open Source == Your users aren't treated like chumps

        I'd like to get paid for not treating my users like chumps please.

      3. JEDIDIAH
        Linux

        The 20 year old stuff should be free.

        > Nice to see that even the Linux fanbois don't believe in
        > commercial software on their penguin infected boxes.

        If you take the average person's box and take off all of the stuff that represents 5 or more shovelware updates over 10 or 20 years or more then you don't have much left really. Most of what's on a common PC is strictly "commodity" stuff that should be pretty much devalued by now. Some of it isn't because of proprietary standards that interfere with the replaceability you have with proper physical commodities.

        A word process or web browser that's mostly unchanged for years and years should be gratis.

        Although the real problem with something like Windows is not the stuff from EA or even the stuff from Penumbra but all of the random stuff out there written by who knows who that can somehow manage to get automatically run for you.

        Creating a freeware trojan for Linux or any other Unix should really not be such a big deal if the local root exploit is available. The problem is running it. The trick of a proper virus is propagation.

    2. Anonymous Coward
      Anonymous Coward

      Seriously?

      You can download and run a dodgy executable from the Internet with a trivial bit of social engineering - in the order of the sort of social engineering used for MS attacks.

      Your assertion that no-one uses closed source commercial software on Linux would be fairly well challenged by IBM, Oracle, Symantec, EMC, etc. etc.

      As for Repos being trusted - I trust them as much as I trust updates from MS, in that they're probably ok, but I'd wait for others to install from them first.

  5. Tom 7

    Well at least with the Linux kernel

    you could have got your money back.

    With local access to a windows machine they could have nicked the license stickers off the box and FAST could have fined your company into the dark ages and taken the box away - how secure is that?

  6. Bill Neal
    Grenade

    10 YEARS!

    http://www.theregister.co.uk/2010/02/24/win_crash_bug/

    1. Anonymous Coward
      Anonymous Coward

      Eh?

      "one of the biggest security vulnerabilities in the Windows OS for many years" But actually it was just a DoS attack. If I understand correctly, you have to already have an account on the target machine in order to be able to crash a system.

  7. Bill Neal
    Joke

    5th Element anyone?

    DeLeellu Dallas Multi-Pass!

  8. heyrick Silver badge

    When is a vuln a vuln?

    "which allowed unprivileged users to gain root access. While Linux overlords stopped short of declaring it a security vulnerability,"

    So what DID they call it? I'd say, pretty certainly, that a hole - whether exploited or not - that can be used to elevate a user to root privileges IS a vulnerability. Maybe they didn't want to say it in quite those words as it would destroy all the illusions about Linux.

    PS: Don't downvote me for that, I'm not saying Linux is as bad as Windows, you'd need to configure telnetd to greet people with a message saying "the root password is xyzzy" to make it as bad as Windows. ;-) What I *am* saying is that NO system is invincible, NO system is unhackable, and living with rose-tinted glasses thinking <x> will never be compromised isn't exactly the best attitude to have.

    1. Ole Juul

      Re: When is a vuln a vuln?

      I find it interesting that this hole has been around in plain sight for 5 years and no one has bothered to use it as such. It apparently needed to be pointed out before it became a real "vuln".

  9. johnvile
    Linux

    over already

    What's the big deal?

  10. Anonymous Coward
    Gates Horns

    did someone say horned pengwyn?

    My kingdom for a linux kernel with random tcp packet sequence like netbsd.

    (I'll use the horned bill - instead)

  11. hurrr

    X server should not be root

    I think one of the main reasons this bug wasn't given a high priority is that the Xorg server is currently being modified to work in non-root mode, precisely because of bugs like this, eliminating the problem at its root (pun intended).

    It is just taking them a little longer than expected so I guess the kernel developers got tired of waiting and squashed this particular bug just in case.

  12. rahul
    WTF?

    If you ever get down to the details...

    ... the vulnerability in question:

    a) Needs local access, and if a person has local access he can do a whole lot, vulnerability or not

    b) Requires a program to be "setuid" (Eg, allow root operations); how does such a program get on the box without root permissions in the first place?

    c) Allows the program to load custom modules; how do the custom modules get on the box in the first place without root access?

    This "free-bashing" (ie, it's not a corporate product, and thus cannot be secure) can only fool those without real knowledge about the vulnerability, and serve as ammo for FUDdies.

    The "fix" is basically a code cleanup; move along now, nothing to see here, not now, not ever.
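Points (b) and (c) above turn on which setuid programs exist on the box at all, which is something an administrator can inventory rather than argue about. As an added example, not code from this thread or from any poster, here is a small audit that walks a directory tree, reports every regular file carrying the setuid or setgid bit, and lists the ones that are not on an expected baseline. The baseline names and the throwaway demo tree it builds are constructed assumptions; on a real host you would run it against / with the list of setuid helpers your distribution ships.

```python
import os
import stat
import tempfile

# Assumed baseline of setuid/setgid helpers (paths relative to the scanned root).
# Not from the page: tune it to your distribution's package manifests.
EXPECTED_SETUID = {"usr/bin/passwd", "usr/bin/sudo", "usr/bin/su"}


def find_setuid(root):
    """Return (relative_path, owner_uid, is_setuid, is_setgid) for every regular
    file under `root` that carries the setuid or setgid bit."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks and special files carry no effective setuid
            suid = bool(st.st_mode & stat.S_ISUID)
            sgid = bool(st.st_mode & stat.S_ISGID)
            if suid or sgid:
                rel = os.path.relpath(path, root)
                hits.append((rel, st.st_uid, suid, sgid))
    return sorted(hits)


def unexpected_setuid(root, expected=EXPECTED_SETUID):
    """Relative paths of setuid/setgid files that are not on the expected list."""
    return [rel for rel, _uid, _suid, _sgid in find_setuid(root) if rel not in expected]


def make_demo_tree():
    """Constructed demo: a throwaway directory standing in for a root filesystem."""
    root = tempfile.mkdtemp(prefix="suid-audit-")
    layout = {
        "usr/bin/passwd": 0o4755,      # expected setuid helper
        "usr/bin/ls": 0o755,           # ordinary binary, must not be reported
        "tmp/scratch/helper": 0o4755,  # setuid bit where none is expected
        "usr/bin/wall": 0o2755,        # setgid only
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(b"#!/bin/sh\n")
        os.chmod(path, mode)  # chmod after writing, so the kernel does not strip the bit
    return root


if __name__ == "__main__":
    demo = make_demo_tree()
    for rel, uid, suid, sgid in find_setuid(demo):
        print(f"{rel}: uid={uid} setuid={suid} setgid={sgid}")
    print("unexpected:", unexpected_setuid(demo, {"usr/bin/passwd", "usr/bin/wall"}))
```

The useful output is the unexpected list: a setuid file outside the packaged set is either an administrator's deliberate choice or something that should not be there, and either way it is the class of program points (b) and (c) are about.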

  13. This post has been deleted by its author

    1. Martin Owens

      Yes

      That everyone isn't using it already says volumes about the human race's general humour. Or intellect depending on how cynical you are.

    2. Graham Dawson Silver badge

      True!

      Every time I'm required to reboot my machine for some reason I laugh and laugh and laugh...

      I haven't laughed for about six months.

      1. TeeCee Gold badge
        Coat

        Laughter on every reboot?

        Ah, this must be why Microsoft continually refer to "happy Windows users".....

      2. Anonymous Coward
        Anonymous Coward

        I haven't rebooted most of my Windows PCs in months either

        But your typical home Windows user turns their PC off when they've finished with it.

        1. Anonymous Coward
          Anonymous Coward

          "But your typical home Windows user turns their PC off when they've finished .."

          Usually it's crashed by then!

        2. Graham Dawson Silver badge

          Let's be fair though?

          Your typical home-user wouldn't have the nous to keep their computer in a state that would allow it to run for months at a time without a reboot. Partly because they load every piece of malware they can get their hands on and partly because Windows still suffers from bit rot and will tend to become crap after a while just from continued use.

          The point is twofold: Linux distros don't, as a rule, require a reboot every time an update is applied (and if you're running a live kernel patcher like ksplice they may never need one), and they are less vulnerable to maintenance neglect - that is, you don't have to keep cleaning them in order to maintain reasonable performance. They just work, to coin a phrase.
