Feeds

back to article Linux bug bestows attackers with 'superuser' powers

Security researchers have disclosed a vulnerability in the Linux operating system that allows unprivileged users to gain “superuser” rights on target systems. The bug in the Linux implementation of RDS, or reliable datagram sockets, protocol can be exploited by local users by sending specially manipulated packets that write …

COMMENTS

This topic is closed for new posts.

Page:

Unhappy

I avoid these pathetic vulnerabilities by

using Linux.

wait.....

15
2
Grenade

Linux may be more secure, or quicker to patch...

but when there's a flaw, usually it's a real doozy!

0
0
Flame

Queue

Linux isn't secure after all flames...

1
2
E 2

Oh no!

Evildoers will gain control of the brain of my computer!

1
0
Grenade

You know...

...these kinds of serious security problems wouldn't happen if all the micro$haft windoze lusers switche... Wait, what?

8
2
Silver badge

Bet you wish MS could handle it in such a rapid, responsible way

Extracted from link in article

The following timeline details Linux's response to the reported issue:

2010-10-13 Vulnerability reported to Linux security team

2010-10-13 Response, agreement on disclosure date

2010-10-19 Fix publicly committed [3]

2010-10-19 Coordinated disclosure

There is also a workaround until you get/compile a new kernel

16
4
Troll

You're not helping

No one likes people being as smug and childish as you. You really don't help the rest of the Linux community and your attitude only perpetuates the Linux / Windows flame wars.

For every example you can come up with someone else can come up with a counter-example. For instance: http://www.theregister.co.uk/2010/08/19/linux_vulnerability_fix/ There are also many examples of MS fixing security flaws in record time.

10
6
Anonymous Coward

Ahem...

It may have been fixed, but if that fix isn't in the repos (it isn't, for CentOS at least, I just did an update) it isn't a very fixy fix, is it?

This is a bit of a problem with Linux, lots of fixes are made within minutes or hours, but they're untested and unstable. These fixes go into the daily unstable releases and then are updated when they find bugs or incompatibilities with other bits of software. After a while these are ironed out and the fix is moved into stable releases, this can take weeks after the initial "fix".

Now, I'm a big fan of Linux, but this misrepresentation does no-one any favours, it makes for a false sense of security which is never a good thing.

6
1
Anonymous Coward

This is Tavis Ormandy, as well, remember?

The same Tavis Ormandy who was lambasted by people like Graham Clueless, and similar talking heads from the "Chattering classes" of the security press, for the way he released details of the security vulnerability in Windows Help and how to exploit it, after waiting just five days, from notifying Microsoft of it, to going public.

I guess this is only a problem if you can't manage less than five day's turnaround.

1
1
Bronze badge
WTF?

You're not really following this....

....are you?

Never mind the vendor kernels, or the unstable kernels. If you're really worried about this, then you will know how to patch, compile and install a fixed kernel which will hold things until the fully tested stuff appears.

Otherwise you say "OK, only a local vulnerability, I can live with that, I'll just disable RDS for now with a kernel parameter".

Keep it in perspective folks, there will no doubt be other vulnerabilities in your LinMacWin box, and you use that every day without getting worried.

1
1
Silver badge

"It may have been fixed, but if that fix isn't in the repos"

That is true but at least the fix is ready and anyone who cares to roll their own can incorporate.

As mentioned there is a simple workaround anyway

1
0
Silver badge

"No one likes people being as smug and childish as you"

Or indeed as anonymous as you.

0
0
Silver badge

re: There are also many examples of MS fixing security flaws in record time.

Links to just one MS security flaw fixed in 6 days please. Needs to have been discovered by an outside security analyst so we know the true discovery/disclosure to vendor date.

1
1
Anonymous Coward

@you can fix it yourself people...

I may well be able to fix my machines at home if I choose, but if I suggested manually recompiling the kernel of our RHEL servers at work the following would happen:

1) Red Hat would stop supporting those servers

2) Everyone would laugh at me

3) My career path would take a hit

In big companies vendor support is crucial, if a problem were to occur with software incompatibilities caused by making a change to server software without vendor approval, they wouldn't help us fix it. So, the point remains, it isn't a fix until the vendor puts it into the repos or publishes a supported workaround.

3
2
FAIL

Seriously?

"If you're really worried about this, then you will know how to patch, compile and install a fixed kernel "

This attitude goes completely against the theory that Linux is ready for the non techies. With 20 yeras of IT, I could have compiled a kernal a few years ago but since I havent needed to in over 5 years, I wouldn't know where to start anymore.

1
1
Silver badge

Re : Seriously?

As many people have pointed out : if you are REALLY worried about this than it's possible to do something about it now, or more simply use the workaround. Most people don't have to do anything, just wait for their distro updates (unless their system's security is poor - in which case they have other worries)

0
0
Anonymous Coward

@Chemist

As I have pointed out: In vendor supported companies, it's not possible to use a fix or workaround, if that fix or workaround hasn't been made available by the vendor, for support and compatibility reasons.

1
1
Silver badge

"In vendor supported companies, it's not possible"

As I have pointed out - wait for the update then. There's no problem unless your existing security is lacking.

I also find it hard to believe that you can't apply the simple workaround or remove the module altogether without the vendors says so - if that's the case why have a sys. manager at all ?

0
0
Bronze badge

The real answer is the turn around time of this problem

The problem was fixed is "warp time" compared to other operating systems. If this were any other operating system, it would have taken MONTHS to find the problem, and probably YEARS to fix it (on a Tuesday), if it is fixed at all.

Of course this is about a feature that probably isn't in the "other operating system".

7
2

No need to highlight "jargon"

The target audience of this site is fully aware of what a "superuser" is, no need to put it in the "scary technical term" quotes.

Incidentally, are we talking root access or privilege escalation?

More jargon please!

1
1
Grenade

Awaiting another fight in the OS war...

Grenade, obviously.

0
0
Thumb Up

that's why i love linux

open source means that the real problems can be root caused and fixed at the source.

0
0
Linux

Did anyone else?

... Read the title as "Linux bug bestows attackers with 'super powers'"

I had images of nerds wearing penguin capes ...

1
0
Bronze badge
Joke

Well...

....some of us do that already!

1
0

you don't need a bug

if the computer uses grub.

Just edit your kernel options (press "esc" at the boot prompt) and add the word "single" to the end of your boot line like this.

kernel /boot/vmlinuz-2.6.xx.xx-x ... splash=silent showopts vga=0x314 single

0
2
Gates Halo

RE: you don't need a big

I'll never understand why the masses dont switch to Linux, The commands are so straight forward even my grannie could use them...

kernel /boot/vmlinuz-2.6.xx.xx-x ... splash=silent showopts vga=0x314 single

4
2

Absolutely

C:\> NBTStat -A 192.168.1.111

C:\> IFMEMBER /v /l "MyDomain\Administrators"

C:\> mountvol ss64 \\?\Volume\{2eca0889-5cf-43d3-aff8-7e8511f60d0e}\

C:> PORTQRY -n 10.0.0.1 -e 53 -p UDP -i

C:> RUN REGSVR32.EXE wuaueng.dll

Nothing wrong with hacking Hive Keys with 32-bit hexadecimal numbers, for names in RgeEdt, is there? Or error messages which give the exact hexadecimal value, of the paging address, where a memory-sharing violation occurred (singular, in stating exactly what went wrong, while imparting no useful information whatsoever).

3
2
Vic
Silver badge

Incorrect...

You have assumed that grub was installed without a password.

If a machine is installed somewhere that untrusted people have console access, that would be a mistake. A password would be used, and that would completely prevent such an approach.

Vic.

0
0
Vic
Silver badge

Your granny *could* use it.

What you see above is a method to turn off user verification on machines that permit it.

This is not something you'd want in a GUI app - it's only something to be done by someone who knows what they are doing, and in certain very specific situations (e.g. lost root password). It's not *supposed* to be easy...

Vic.

0
0
Silver badge

Sir

It seems that bugs in Linux are quite rare then :)

0
2
Anonymous Coward

The key phrase here is «local users»,

which seems in this case to refer to persons with actual physical access to the computers in question, as compared to the case of Windows users, in which it seems to mean anyone on the same planet. Or perhaps I have misunderstood - Dan Goodin's article doesn't have a lot to say on this matter....

Henri

2
2
Boffin

local users is a misnomer

because www is a local user, smtp is a local user, even nobody etc.etc.

3
3
Anonymous Coward

Eh?

Why would a normal user be running these sorts of deamons?

And if you were running these, surly they are sandboxed. (chroot, etc)

0
0
Linux

Re: local users is a misnomer

The key phrase is indeed "local users", however the key *word* is "user".

This particular attack starts with the loading of a kernel module followed by writing arbitrary data to a specific port, hence the choices of phrase are between "local root" (clearly overkill for an escalation exploit), "local user" (best candidate because the procedure is most easily performed with a shell account), and any remote access (where, due to the extent and complexity of the procedure on a typical box, you'd probably need multiple [other] exploits to exist to get outside-world system service/s to misbehave appropriately).

0
0

MS Fanboy Fun

Oh Goody,

The MS fanboys can pass the time commenting on this while waiting for the latest BOFH episode to be posted (we hope).

1
3
Stop

you will first have to....

Manage to open consol on my server to exploit this....

1
4
Linux

Software has bugs!

All software has bugs, Linux is not special it has bugs too.

What matters is how many bugs there are, what in-built mitigation there is and how quickly they get fixed.

A lot of "core" open source software, including the Linux kernel has fewer defects per line than some proprietary equivalents, Linux/Unix have a better history of internal mitigation than some desktop operating systems and main open source projects have very quick turn around in relation to security defects relative to some proprietary software.

1
0
WTF?

Show your working

"open source software, including the Linux kernel has fewer defects per line than some proprietary equivalents"

I can only assume you have some kind of metrics for that, and for something at least marginally more specific than 'some' proprietary software, otherwise it is completely meaningless.

3
1

It's a pretty old story...

But the basics haven't really changed much.

http://www.wired.com/software/coolapps/news/2004/12/66022

The key paragraph for the sake of this particular discussion is:

"The report, set to be released on Tuesday, states that the 2.6 Linux production kernel, shipped with software from Red Hat, Novell and other major Linux software vendors, contains 985 bugs in 5.7 million lines of code, well below the industry average for commercial enterprise software. Windows XP, by comparison, contains about 40 million lines of code, with new bugs found on a frequent basis.

Commercial software typically has 20 to 30 bugs for every 1,000 lines of code, according to Carnegie Mellon University's CyLab Sustainable Computing Consortium. This would be equivalent to 114,000 to 171,000 bugs in 5.7 million lines of code."

Does that help make it clearer?

1
0
Anonymous Coward

good old defects per line

the most pointless metric ever devised.

If i do exactly the same thing, but use more lines of code to do it, my defect rate is technically lower

0
1
Linux

Local users only

The attack is only possible for local users. Meaning that the attacker must already have an account/access to the machine. Think about that for a minute before posting flames.

1
0
Thumb Down

the problem here

Is that many of the security compromises you get on hosting platforms - malicious php code, XSS exploits and such, run as a local user - be it 'www-data' or 'nobody' (or even another user is suphp or suexec is used).

While this may not affect your average home linux user, any public facing linux server which has some vulnerable PHP code or exploitable daemon out there is now rootable. Im very much in the pro linux camp and its way orders of magnitude more secure than some other o/s's but local root exploits are very dangerous when combined with public facing servers.

2
1
Vic
Silver badge

Not much of a prolem...

> many of the security compromises you get on

> hosting platforms - malicious php code, XSS

> exploits and such, run as a local user

Yes. But that's not really a problem.

To exploit this vulnerability, you need to call a kernel API on a vulnerable system. You need to find the appropriate value for kernel symbols (either via /proc/ksyms or from System.map, depending on your setup). Then you need to perform an RDS socket operation to effect the exploit.

PHP doesn't support the above - getting the symbol map will be difficult unless you've already exploited the box sufficiently to find it (and that really means already having root access), and PHP doesn't support RDS sockets. Nor does Perl. The sort of compromise you're talking about just wouldn't work.

The real vulnerability is where an attacker can inject and run a binary - but such exploits are few and far between, and obviated by mounting the webroot as noexec.

So whilst this is a real vulnerability, and very embarassing for all concerned, it's actually very unlikely to be exploited unless you have real users with real console logins who want to escalate their privileges.

Vic.

1
0
Silver badge

Local Users???

whooo scary!

I'd be worried but all my users were brought up on MS so have to ask me to hit the keys for them...

2
1
Linux

It was interesting to watch ...

Every month we get the Patch Tuesday list of fixes which often include security fixes and no one much bats an eyelid. We expect these every month, it's not news, every month there's a new list.

On the other hand, when two local exploits in Linux found and fixed it's newsworthy. It's newsworthy because it doesn't happen often. The fact that security flaws aren't often found in something that's open to public scrutiny and are often found in something that's not open to public scrutiny surely tells you something.

Still, it's interesting to watch the fanbois all leaping around making idiots of themselves.

4
0
Silver badge

Bugs? Who cares!

My Windows will never get a bug because the fcuking thing refuses to activate!

How many hours have I wasted on this crap? Am I supposed to go and buy another copy?

I'll stick with buggy old Linux.

1
0
Linux

I LOL'd

Nice comment in the spolit

"/* didn't find the symbol, let's retry with the System.map dedicated to the pointlessness of Russell Coker's SELinux test machine (why does he keep upgrading the kernel if "all necessary security can be provided by SE Linux"?)*/"

0
1
Flame

Unreliable Datagram Service

Great, so the kernel team managed to introduce a root bug with their first release of a new feature. Good work fellas. Of course since you are all open and stuff, we wont rag on you the way would if some dumb ass like Microsoft had released code with stupid holes in it. We'll overlook the fact that it ought to have been a no brained to check code that writes to kernel memory.

And because we don't bother to keep up with the constant stream of vulns disclosed on mailing lists, or research forums, or bother to check CVE updates, or have a clue, we'll also pretend that security bugs in Linux software are rarer than rocking horse shit. What's that ? Dozens ? A month ? Lallalalalalalalalalala, see, I've got my fingers in my ears!

“a low impact vulnerability that is only of interest to security professionals and system administrators"

Of course! Like all Linux bugs that can be exploited to execute arbitrary code as root, because everyone knows only good, honest, open, gentle people would know how to exploit Linux!

2
2
WTF?

Unreliable source more like

"Lallalalalalalalalalala, see, I've got my fingers in my ears!"

You sir.... Are a troll.

Linux, Windows, Mac are all great OS's. They all have security issues in the code that get discovered everyday. What I like about Linux is it takes a few minutes to apply updates compared to half hour for MS.

Last security updates from MS borked my .NET Framework 4.0 and told me that "This copy of Windows isn't genuine because there was an unauthorized change to the system. You need to reinstall Windows to fix this"!! It was created by the record breaking amount of updates they needed to secure it. I have heard of similar stories on the Linux side but they were fixed without re-installation.

I do not understand why people act like they have vested interest in any OS??

2
0
Happy

Phew

I'm safe! Still using 2.6.27 kernal.

This seems to be more a symptom of "feature bloat" than anything else, that only affects those on the bleeding edge.

0
0

Page:

This topic is closed for new posts.