Flaw in most Linux kernel allows attack

  1. #1
    AO French Antique News Whore
    Join Date
    Aug 2001
    Posts
    2,126

    Flaw in most Linux kernel allows attack

    The Debian Project warned on Monday that a flaw in the Linux kernel helped attackers compromise four of the open-source software project's development servers.
    During several intrusions Nov. 19, the flaw enabled an attacker who already had access to a server to remove the limitations that protected the system from everyday users. The technique is known as a privilege escalation.

    Members of the development team found the flaw in September and fixed the latest version of the core Linux software, or kernel. The fix came a bit late, however. The latest version of the kernel, 2.4.23, was released Friday, eight days after the Debian breach.


    The Debian Project, which uses only truly open-source software in its make-up, stressed that the breaches hadn't affected the project's code base.

    "Fortunately, we require developers to sign the upload (software) digitally," said Martin Schulze, a developer and member of the project. "These files are stored off-site as well, which were used as a basis for a recheck."

    The development team promised to lock all developer accounts until the flaw had been found and fixed. The team published patches for the flaw on Monday as well but didn't specify when the accounts would be unlocked.

    The unknown attacker compromised at least four servers. The systems--known as Master, Murphy, Gluck and Klecker--had maintained the open-source project's bug tracking system, source code database, mailing lists, Web site and security patches.

    The attacker gained access to one of the systems by compromising a developer's computer and installing a program to sniff out the characters typed on the developer's keyboard, according to a postmortem analysis the team published Friday. When the programmer logged into the klecker system, the attacker recorded his password.

    Using the September flaw, the attacker gained owner privileges on Klecker. This is frequently referred to as "owning" the system. The flaw--in a part of the kernel that manages memory--allows only users that already have access to the system to raise their privileges. Such flaws are less critical than vulnerabilities that give an outside attacker access to a server and so are fixed less quickly.

    The attacks have been the latest leveled at open-source software. In early November, an attacker attempted to corrupt the Linux kernel with a coding error that would have created a flaw similar to the one that affected the Debian Project. A year ago, malicious attackers placed spyware into a popular open-source tool, Tcpdump. Several other known attacks have also been executed against other open-source projects.

    The latest bug has been fixed in the most recent version of the Linux kernel, 2.4.23, and has also been patched in the next generation of Linux since 2.6.0-test6, which was released in late September.

    Despite a two-month delay in releasing a patch, Ian Murdock, the founder of Debian and the chairman of Linux distribution maintenance provider Progeny, praised the project team.

    "All in all, the way the Debian guys handled the situation has been admirable: They have been open with what they found out, and the speed at which they have found things out has been quite quick," he said. Murdock is a developer on the team but no longer has day-to-day administration duties.
    Source: http://zdnet.com.com/2100-1104_2-5112427.html
    -Simon "SDK"

  2. #2
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    Anyone know anything more specific about this kernel bug?

    I have seen no exploit, but I know it's do_brk(). I patched my production server today (but I have no idea how to test it)

    I have another system which is going to be trickier to patch - maybe I should get 2.4.23 on

    Slarty

  3. #3
    Senior Member
    Join Date
    Oct 2001
    Posts
    872
    ...This Space For Rent.

    -[WebCarnage]

  4. #4
    KorpDeath, Priapistic Monk
    Join Date
    Dec 2001
    Posts
    2,628
    Or just switch to FreeBSD....hehehe Sorry I couldn't resist.
    Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
    - Samuel Johnson

  5. #5
    gore, Senior Member
    Join Date
    Oct 2002
    Location
    Michigan
    Posts
    7,177
    Originally posted here by KorpDeath
    Or just switch to FreeBSD....hehehe Sorry I couldn't resist.
    Korp, you know I gotta bust your balls a lil bit since you haven't been on in forever.

    http://www.antioffline.com/freebsd.html



    On the other hand:

    http://wwws.sun.com/software/solaris/trustedsolaris/

    I want that^

  6. #6
    Senior Member
    Join Date
    May 2002
    Posts
    450
    Patched my slack box the minute the updates hit the official mirrors.

    Thanks for the heads up anyway - the machine was upgraded to the new kernel as a matter of course (I like to stay current) before I knew the old kernel had the flaw!!

    For those using Slackware, the kernel upgrade went as smooth as silk here using "swaret" package tool.

  7. #7
    Junior Member
    Join Date
    Jan 2003
    Posts
    26

    Need user access to the machine

    FYI, it is a system call available to any process that is broken. You need to make a C program with that particular system call, compile it, run it on that machine as a user (you need to have a valid login to the machine to do any of this), and the user that runs it gets a bump in permissions to root level. Basically, if someone doesn't have a login with a valid shell on your box, they can't use this exploit. It is a serious problem for those providers of a shell with their web/ftp accounts, but for the vast majority, your user base with a shell is much smaller and more manageable, plus, if the admin is smart, they'll restart all shells and do a symbolic link for everyone but root to /bin/false as their shell until they get this resolved. Plus, it would be interesting to see which users were actively creating such a process. Anyway, no-one is going to gain access to your machine with this. It only increases their permissions that they already have.
    No, I'm not interested in developing a powerful brain. All I'm after is just a mediocre brain, something like the president of American Telephone and Telegraph Company.
    -- Alan Turing on the possibilities of a thinking machine, 1943.

  8. #8
    gore, Senior Member
    Join Date
    Oct 2002
    Location
    Michigan
    Posts
    7,177
    The worst part is, last night on TechTV, they were talking about this and saying how there were problems in Linux, MacOS, and Windows and that NONE of them had a patch.....And here I thought updating your kernel was the patch....

    I seriously get pissed about **** like that for some reason. Like come on people, you actually have a job while I struggle to pay my bills, and at least I can figure out the difference between OS patches.

    They said "No matter what you're using, you're at risk". Hmm, BeOS, BSD, DOS, and a million other OSs do NOT make "Everyone" at risk because of 3 damned platforms.

    They made it sound like it was some gigantic security flaw. They did NOT bother to say you needed to already have access to the machine to even pull this off. The first thing I read about this was "You need to already be able to access the machine to do this".

    So I was like hell, no one has access to mine except me.

    Now, does it bother anyone else that Debian of all distros let this happen to their servers? I mean ****, instead of updating they let their servers be compromised....Prolly from someone who works there that got paid by Microsoft to take one of their servers down and show the world Linux wasn't the almighty secure OS that some think it is.

    Kinda sad that Debian would have a "keep up to date" part in their books yet not do it.

  9. #9
    Senior Member
    Join Date
    Jan 2003
    Posts
    120

    Re: Need user access to the machine

    Originally posted here by Turing_Machine
    .....if the admin is smart, they'll restart all shells and do a symbolic link for everyone but root to /bin/false as their shell until they get this resolved.
    Could you elaborate more on this?

    the Open Source model doesn't offer any great benefit in
    terms of reliability and security. -Bill Gates
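
    The following is an added example, not a reply from any member of this thread, and not Debian or kernel project code. It covers the two practical questions raised above: Slarty's "no idea how to test it" (post #2) and the shell lockdown Turing_Machine sketches in post #7 and the question about it in post #9. It runs offline against a constructed passwd snippet (the account names are made up); point it at the real /etc/passwd and `uname -r` to inspect an actual box. Only the 2.4 series is classified against the 2.4.23 fix mentioned in the article; 2.6.0-test kernels are left for manual checking.

```sh
#!/bin/sh
# Added example (not from the thread): defender-side checks for a local-only
# privilege escalation such as the do_brk() issue. All account data below is
# constructed; nothing here writes to /etc/passwd.

# Constructed /etc/passwd-style sample (fictional accounts).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/false
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/sh
www:x:33:33:www-data:/var/www:/bin/false'

# Print the non-root accounts whose login shell is interactive (anything other
# than /bin/false or /sbin/nologin). These are the accounts from which a
# "need a valid login" exploit could be launched, so they are the exposure.
interactive_users() {
    printf '%s\n' "$1" | awk -F: '
        $1 != "root" && $7 != "/bin/false" && $7 != "/sbin/nologin" { print $1 }'
}

# Emit a copy of the passwd data with every non-root interactive shell replaced
# by /bin/false, i.e. the temporary lockdown described in post #7. Output goes
# to stdout for review; applying it to the real file is a separate, deliberate step.
lockdown_shells() {
    printf '%s\n' "$1" | awk -F: 'BEGIN { OFS=":" }
        $1 != "root" && $7 != "/bin/false" && $7 != "/sbin/nologin" { $7 = "/bin/false" }
        { print }'
}

# Return 0 (true) when a 2.4-series kernel version string is older than 2.4.23,
# the first 2.4 release carrying the fix named in the article; 1 otherwise.
# Version strings like "2.4.22-grsec" are accepted; the suffix is ignored.
needs_24_patch() {
    # split "major.minor.patch[-suffix]" into three numbers (suffix drops to 0)
    set -- $(printf '%s\n' "$1" | awk -F'[.-]' '{ print $1+0, $2+0, $3+0 }')
    [ "$1" -eq 2 ] && [ "$2" -eq 4 ] && [ "$3" -lt 23 ]
}

# Demo run on the constructed data and the running kernel.
echo "accounts with an interactive shell:"
interactive_users "$SAMPLE_PASSWD"
echo "after lockdown, remaining interactive accounts: $(interactive_users "$(lockdown_shells "$SAMPLE_PASSWD")" | wc -l)"
if needs_24_patch "$(uname -r)"; then
    echo "running kernel $(uname -r) is a 2.4 release older than 2.4.23"
else
    echo "running kernel $(uname -r) is not a pre-2.4.23 2.4 kernel (2.6.0-test kernels: check manually)"
fi
```

    Two caveats worth knowing before using this on a real machine: changing the shell field only blocks new logins, so sessions already open must be ended separately (the "restart all shells" half of the advice), and a version check only tells you what kernel is booted, not whether a vendor backported the fix under an older version number, so a distribution's own advisory is the authoritative source for patched status.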

  10. #10
    Senior since the 3 dot era
    Join Date
    Nov 2001
    Posts
    1,542
    Originally posted here by KorpDeath
    Or just switch to FreeBSD....hehehe Sorry I couldn't resist.
    Korp, that's a long time ago.

    thx for the heads up... so everybody patch your boxes if not done already, but this doesn't seem to be such a BIG security hole as presented by the media.
