back to article Linux bug bestows attackers with 'superuser' powers

Security researchers have disclosed a vulnerability in the Linux operating system that allows unprivileged users to gain “superuser” rights on target systems. The bug in the Linux implementation of RDS, or reliable datagram sockets, protocol can be exploited by local users by sending specially manipulated packets that write …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Unhappy

    I avoid these pathetic vulnerabilities by

    using Linux.

    wait.....

    1. gollux
      Grenade

      Linux may be more secure, or quicker to patch...

      but when there's a flaw, usually it's a real doozy!

  2. John Robson Silver badge
    Flame

    Queue

    Linux isn't secure after all flames...

  3. E 2

    Oh no!

    Evildoers will gain control of the brain of my computer!

  4. Anonymous Coward
    Grenade

    You know...

    ...these kinds of serious security problems wouldn't happen if all the micro$haft windoze lusers switche... Wait, what?

  5. Chemist

    Bet you wish MS could handle it in such a rapid, responsible way

    Extracted from link in article

    The following timeline details Linux's response to the reported issue:

    2010-10-13 Vulnerability reported to Linux security team

    2010-10-13 Response, agreement on disclosure date

    2010-10-19 Fix publicly committed [3]

    2010-10-19 Coordinated disclosure

    There is also a workaround until you get/compile a new kernel

    1. Anonymous Coward
      Troll

      You're not helping

      No one likes people being as smug and childish as you. You really don't help the rest of the Linux community and your attitude only perpetuates the Linux / Windows flame wars.

      For every example you can come up with someone else can come up with a counter-example. For instance: http://www.theregister.co.uk/2010/08/19/linux_vulnerability_fix/ There are also many examples of MS fixing security flaws in record time.

      1. Chemist

        "No one likes people being as smug and childish as you"

        Or indeed as anonymous as you.

      2. Tom 13

        re: There are also many examples of MS fixing security flaws in record time.

        Links to just one MS security flaw fixed in 6 days please. Needs to have been discovered by an outside security analyst so we know the true discovery/disclosure to vendor date.

    2. Anonymous Coward
      Anonymous Coward

      This is Tavis Ormandy, as well, remember?

      The same Tavis Ormandy who was lambasted by people like Graham Clueless, and similar talking heads from the "Chattering classes" of the security press, for the way he released details of the security vulnerability in Windows Help and how to exploit it, after waiting just five days, from notifying Microsoft of it, to going public.

      I guess this is only a problem if you can't manage less than five day's turnaround.

    3. Anonymous Coward
      Anonymous Coward

      Ahem...

      It may have been fixed, but if that fix isn't in the repos (it isn't, for CentOS at least, I just did an update) it isn't a very fixy fix, is it?

      This is a bit of a problem with Linux, lots of fixes are made within minutes or hours, but they're untested and unstable. These fixes go into the daily unstable releases and then are updated when they find bugs or incompatibilities with other bits of software. After a while these are ironed out and the fix is moved into stable releases, this can take weeks after the initial "fix".

      Now, I'm a big fan of Linux, but this misrepresentation does no-one any favours, it makes for a false sense of security which is never a good thing.

      1. Anonymous Coward
        WTF?

        You're not really following this....

        ....are you?

        Never mind the vendor kernels, or the unstable kernels. If you're really worried about this, then you will know how to patch, compile and install a fixed kernel which will hold things until the fully tested stuff appears.

        Otherwise you say "OK, only a local vulnerability, I can live with that, I'll just disable RDS for now with a kernel parameter".

        Keep it in perspective folks, there will no doubt be other vulnerabilities in your LinMacWin box, and you use that every day without getting worried.

        1. Anonymous Coward
          Anonymous Coward

          @you can fix it yourself people...

          I may well be able to fix my machines at home if I choose, but if I suggested manually recompiling the kernel of our RHEL servers at work the following would happen:

          1) Red Hat would stop supporting those servers

          2) Everyone would laugh at me

          3) My career path would take a hit

          In big companies vendor support is crucial, if a problem were to occur with software incompatibilities caused by making a change to server software without vendor approval, they wouldn't help us fix it. So, the point remains, it isn't a fix until the vendor puts it into the repos or publishes a supported workaround.

        2. The Ref
          FAIL

          Seriously?

          "If you're really worried about this, then you will know how to patch, compile and install a fixed kernel "

          This attitude goes completely against the theory that Linux is ready for the non techies. With 20 yeras of IT, I could have compiled a kernal a few years ago but since I havent needed to in over 5 years, I wouldn't know where to start anymore.

          1. Chemist

            Re : Seriously?

            As many people have pointed out : if you are REALLY worried about this than it's possible to do something about it now, or more simply use the workaround. Most people don't have to do anything, just wait for their distro updates (unless their system's security is poor - in which case they have other worries)

            1. Anonymous Coward
              Anonymous Coward

              @Chemist

              As I have pointed out: In vendor supported companies, it's not possible to use a fix or workaround, if that fix or workaround hasn't been made available by the vendor, for support and compatibility reasons.

              1. Chemist

                "In vendor supported companies, it's not possible"

                As I have pointed out - wait for the update then. There's no problem unless your existing security is lacking.

                I also find it hard to believe that you can't apply the simple workaround or remove the module altogether without the vendors says so - if that's the case why have a sys. manager at all ?

      2. Chemist

        "It may have been fixed, but if that fix isn't in the repos"

        That is true but at least the fix is ready and anyone who cares to roll their own can incorporate.

        As mentioned there is a simple workaround anyway

  6. Herby

    The real answer is the turn around time of this problem

    The problem was fixed is "warp time" compared to other operating systems. If this were any other operating system, it would have taken MONTHS to find the problem, and probably YEARS to fix it (on a Tuesday), if it is fixed at all.

    Of course this is about a feature that probably isn't in the "other operating system".

  7. Gareth

    No need to highlight "jargon"

    The target audience of this site is fully aware of what a "superuser" is, no need to put it in the "scary technical term" quotes.

    Incidentally, are we talking root access or privilege escalation?

    More jargon please!

  8. Anonymous Coward
    Thumb Up

    that's why i love linux

    open source means that the real problems can be root caused and fixed at the source.

  9. Anonymous Coward
    Grenade

    Awaiting another fight in the OS war...

    Grenade, obviously.

  10. Johnny Canuck

    you don't need a bug

    if the computer uses grub.

    Just edit your kernel options (press "esc" at the boot prompt) and add the word "single" to the end of your boot line like this.

    kernel /boot/vmlinuz-2.6.xx.xx-x ... splash=silent showopts vga=0x314 single

    1. Anonymous Coward
      Gates Halo

      RE: you don't need a big

      I'll never understand why the masses dont switch to Linux, The commands are so straight forward even my grannie could use them...

      kernel /boot/vmlinuz-2.6.xx.xx-x ... splash=silent showopts vga=0x314 single

      1. Daniel 1

        Absolutely

        C:\> NBTStat -A 192.168.1.111

        C:\> IFMEMBER /v /l "MyDomain\Administrators"

        C:\> mountvol ss64 \\?\Volume\{2eca0889-5cf-43d3-aff8-7e8511f60d0e}\

        C:> PORTQRY -n 10.0.0.1 -e 53 -p UDP -i

        C:> RUN REGSVR32.EXE wuaueng.dll

        Nothing wrong with hacking Hive Keys with 32-bit hexadecimal numbers, for names in RgeEdt, is there? Or error messages which give the exact hexadecimal value, of the paging address, where a memory-sharing violation occurred (singular, in stating exactly what went wrong, while imparting no useful information whatsoever).

      2. Vic

        Your granny *could* use it.

        What you see above is a method to turn off user verification on machines that permit it.

        This is not something you'd want in a GUI app - it's only something to be done by someone who knows what they are doing, and in certain very specific situations (e.g. lost root password). It's not *supposed* to be easy...

        Vic.

    2. Vic

      Incorrect...

      You have assumed that grub was installed without a password.

      If a machine is installed somewhere that untrusted people have console access, that would be a mistake. A password would be used, and that would completely prevent such an approach.

      Vic.

  11. Sir Runcible Spoon

    Sir

    It seems that bugs in Linux are quite rare then :)

  12. Anonymous Coward
    Linux

    Did anyone else?

    ... Read the title as "Linux bug bestows attackers with 'super powers'"

    I had images of nerds wearing penguin capes ...

    1. Anonymous Coward
      Joke

      Well...

      ....some of us do that already!

  13. Anonymous Coward
    Anonymous Coward

    The key phrase here is «local users»,

    which seems in this case to refer to persons with actual physical access to the computers in question, as compared to the case of Windows users, in which it seems to mean anyone on the same planet. Or perhaps I have misunderstood - Dan Goodin's article doesn't have a lot to say on this matter....

    Henri

    1. LawLessLessLaw
      Boffin

      local users is a misnomer

      because www is a local user, smtp is a local user, even nobody etc.etc.

      1. Anonymous Coward
        Anonymous Coward

        Eh?

        Why would a normal user be running these sorts of deamons?

        And if you were running these, surly they are sandboxed. (chroot, etc)

      2. William Towle
        Linux

        Re: local users is a misnomer

        The key phrase is indeed "local users", however the key *word* is "user".

        This particular attack starts with the loading of a kernel module followed by writing arbitrary data to a specific port, hence the choices of phrase are between "local root" (clearly overkill for an escalation exploit), "local user" (best candidate because the procedure is most easily performed with a shell account), and any remote access (where, due to the extent and complexity of the procedure on a typical box, you'd probably need multiple [other] exploits to exist to get outside-world system service/s to misbehave appropriately).

  14. davcefai

    MS Fanboy Fun

    Oh Goody,

    The MS fanboys can pass the time commenting on this while waiting for the latest BOFH episode to be posted (we hope).

  15. James Dunmore
    Stop

    you will first have to....

    Manage to open consol on my server to exploit this....

  16. Anonymous Coward
    Linux

    Local users only

    The attack is only possible for local users. Meaning that the attacker must already have an account/access to the machine. Think about that for a minute before posting flames.

    1. simon newton
      Thumb Down

      the problem here

      Is that many of the security compromises you get on hosting platforms - malicious php code, XSS exploits and such, run as a local user - be it 'www-data' or 'nobody' (or even another user is suphp or suexec is used).

      While this may not affect your average home linux user, any public facing linux server which has some vulnerable PHP code or exploitable daemon out there is now rootable. Im very much in the pro linux camp and its way orders of magnitude more secure than some other o/s's but local root exploits are very dangerous when combined with public facing servers.

      1. Vic

        Not much of a prolem...

        > many of the security compromises you get on

        > hosting platforms - malicious php code, XSS

        > exploits and such, run as a local user

        Yes. But that's not really a problem.

        To exploit this vulnerability, you need to call a kernel API on a vulnerable system. You need to find the appropriate value for kernel symbols (either via /proc/ksyms or from System.map, depending on your setup). Then you need to perform an RDS socket operation to effect the exploit.

        PHP doesn't support the above - getting the symbol map will be difficult unless you've already exploited the box sufficiently to find it (and that really means already having root access), and PHP doesn't support RDS sockets. Nor does Perl. The sort of compromise you're talking about just wouldn't work.

        The real vulnerability is where an attacker can inject and run a binary - but such exploits are few and far between, and obviated by mounting the webroot as noexec.

        So whilst this is a real vulnerability, and very embarassing for all concerned, it's actually very unlikely to be exploited unless you have real users with real console logins who want to escalate their privileges.

        Vic.

  17. Adam Trickett
    Linux

    Software has bugs!

    All software has bugs, Linux is not special it has bugs too.

    What matters is how many bugs there are, what in-built mitigation there is and how quickly they get fixed.

    A lot of "core" open source software, including the Linux kernel has fewer defects per line than some proprietary equivalents, Linux/Unix have a better history of internal mitigation than some desktop operating systems and main open source projects have very quick turn around in relation to security defects relative to some proprietary software.

    1. The Other Steve
      WTF?

      Show your working

      "open source software, including the Linux kernel has fewer defects per line than some proprietary equivalents"

      I can only assume you have some kind of metrics for that, and for something at least marginally more specific than 'some' proprietary software, otherwise it is completely meaningless.

      1. Neil Lewis

        It's a pretty old story...

        But the basics haven't really changed much.

        http://www.wired.com/software/coolapps/news/2004/12/66022

        The key paragraph for the sake of this particular discussion is:

        "The report, set to be released on Tuesday, states that the 2.6 Linux production kernel, shipped with software from Red Hat, Novell and other major Linux software vendors, contains 985 bugs in 5.7 million lines of code, well below the industry average for commercial enterprise software. Windows XP, by comparison, contains about 40 million lines of code, with new bugs found on a frequent basis.

        Commercial software typically has 20 to 30 bugs for every 1,000 lines of code, according to Carnegie Mellon University's CyLab Sustainable Computing Consortium. This would be equivalent to 114,000 to 171,000 bugs in 5.7 million lines of code."

        Does that help make it clearer?

    2. Anonymous Coward
      Anonymous Coward

      good old defects per line

      the most pointless metric ever devised.

      If i do exactly the same thing, but use more lines of code to do it, my defect rate is technically lower

  18. Tom 7

    Local Users???

    whooo scary!

    I'd be worried but all my users were brought up on MS so have to ask me to hit the keys for them...

  19. Anonymous Coward
    Linux

    It was interesting to watch ...

    Every month we get the Patch Tuesday list of fixes which often include security fixes and no one much bats an eyelid. We expect these every month, it's not news, every month there's a new list.

    On the other hand, when two local exploits in Linux found and fixed it's newsworthy. It's newsworthy because it doesn't happen often. The fact that security flaws aren't often found in something that's open to public scrutiny and are often found in something that's not open to public scrutiny surely tells you something.

    Still, it's interesting to watch the fanbois all leaping around making idiots of themselves.

  20. Mystic Megabyte

    Bugs? Who cares!

    My Windows will never get a bug because the fcuking thing refuses to activate!

    How many hours have I wasted on this crap? Am I supposed to go and buy another copy?

    I'll stick with buggy old Linux.

  21. simon newton
    Linux

    I LOL'd

    Nice comment in the spolit

    "/* didn't find the symbol, let's retry with the System.map dedicated to the pointlessness of Russell Coker's SELinux test machine (why does he keep upgrading the kernel if "all necessary security can be provided by SE Linux"?)*/"

  22. The Other Steve
    Flame

    Unreliable Datagram Service

    Great, so the kernel team managed to introduce a root bug with their first release of a new feature. Good work fellas. Of course since you are all open and stuff, we wont rag on you the way would if some dumb ass like Microsoft had released code with stupid holes in it. We'll overlook the fact that it ought to have been a no brained to check code that writes to kernel memory.

    And because we don't bother to keep up with the constant stream of vulns disclosed on mailing lists, or research forums, or bother to check CVE updates, or have a clue, we'll also pretend that security bugs in Linux software are rarer than rocking horse shit. What's that ? Dozens ? A month ? Lallalalalalalalalalala, see, I've got my fingers in my ears!

    “a low impact vulnerability that is only of interest to security professionals and system administrators"

    Of course! Like all Linux bugs that can be exploited to execute arbitrary code as root, because everyone knows only good, honest, open, gentle people would know how to exploit Linux!

    1. screaminfakah
      WTF?

      Unreliable source more like

      "Lallalalalalalalalalala, see, I've got my fingers in my ears!"

      You sir.... Are a troll.

      Linux, Windows, Mac are all great OS's. They all have security issues in the code that get discovered everyday. What I like about Linux is it takes a few minutes to apply updates compared to half hour for MS.

      Last security updates from MS borked my .NET Framework 4.0 and told me that "This copy of Windows isn't genuine because there was an unauthorized change to the system. You need to reinstall Windows to fix this"!! It was created by the record breaking amount of updates they needed to secure it. I have heard of similar stories on the Linux side but they were fixed without re-installation.

      I do not understand why people act like they have vested interest in any OS??

  23. R Callan
    Happy

    Phew

    I'm safe! Still using 2.6.27 kernal.

    This seems to be more a symptom of "feature bloat" than anything else, that only affects those on the bleeding edge.

  24. Kebabbert

    Linux is not really ideal

    because of it's design: "it has no design, and will never have a design" - Linus Torvalds.

    Linus means that Linux should evolve like in biology: constantly morphing and recreating until a superior species has been mutated. Linux is constantly rewritten all the time. The code is always in beta stage. There is always new code, and when the code matures and the bugs irons out, it will be rewritten again and introduce new bugs.

    Linux is constantly in beta stage.

    1. Tilman Ahr
      Coat

      always in beta

      ... which would be different from every other piece of "consumer" software (except TeX, maybe) out there, how exactly? Oh. Not at all. Who would have thought.

      The chef's jacket with the black buttons and the "smart"phone in the pocket, please.

This topic is closed for new posts.

Other stories you might like