Thwarted Back-door Kernel Hack

  1. #1 Senior Member (Join Date Nov 2003, Posts 247)

    Hidden Kernel Code--Backdoor Hack

    http://www.securityfocus.com/news/7388

    Don't know if you've all heard about this yet, but I thought it was pretty interesting.

    Thwarted Linux backdoor hints at smarter hacks

    By Kevin Poulsen, SecurityFocus Nov 6 2003 6:00PM
    Software developers on Wednesday detected and thwarted a hacker's scheme to submerge a slick backdoor in the next version of the Linux kernel, but security experts say the abortive caper proves that extremely subtle source code tampering is more than just the stuff of paranoid speculation.

    The backdoor was a two-line addition to a development copy of the Linux kernel's source code, carefully crafted to look like a harmless error-checking feature added to the wait4() system call -- a function that's available to any program running on the computer, and which, roughly, tells the operating system to pause execution of that program until another program has finished its work.

    Under casual inspection, the code appears to check if a program calling wait4() is using a particular invalid combination of two flags, and if the user invoking it is the computer's all-powerful root account. If both conditions are true, it aborts the call.

    But up close, the code doesn't actually check if the user is root at all. If it sees the flags, it grants the process root privileges, turning wait4() into an instant doorway to complete control of any machine, if the hacker knows the right combinations of flags.

    That difference between what the code looks like and what it actually is -- that is, between assignment and comparison -- is a matter of a single equal sign in the C programming language, making it easy to overlook. If the addition had been detected in a normal code review, the backdoor could even have been mistaken for a programming error -- no different from the buffer overflows that wind up in Microsoft products on a routine basis. "It's indistinguishable from an accidental bug," says security consultant Ryan Russell. "So unless you have a reason to be suspicious, and go back and find out if it was legitimately checked in, that's going to be a long trail to follow."

    Investigation Underway
    In all, the unknown hacker used exactly the sort of misdirection and semantic trickery that security professionals talk about over beer after a conference, while opining on how clumsy the few discovered source code backdoors have been, and how a real cyber warrior would write one.

    "That's the kind of pub talk that you end up having," says BindView security researcher Mark "Simple Nomad" Loveless. "If you were the NSA, how would you backdoor someone's software? You'd put in the changes subtly. Very subtly."

    "Whoever did this knew what they were doing," says Larry McVoy, founder of San Francisco-based BitMover, Inc., which hosts the Linux kernel development site that was compromised. "They had to find some flags that could be passed to the system without causing an error, and yet are not normally passed together... There isn't any way that somebody could casually come in, not know about UNIX, not know the Linux kernel code, and make this change. Not a chance."

    However sophisticated, the hack fell apart Wednesday, when a routine file integrity check told McVoy that someone had manually changed a copy of a kernel source code file that's normally only modified by an automated process, specifically one that pulls the code from BitMover's BitKeeper software collaboration tool and repackages it for the open source CVS system still favored by some developers.

    Even then, McVoy didn't initially recognize the change as a backdoor, and he announced it to the Linux kernel developers list as a procedural annoyance. Other programmers soon figured out the trick, and by Thursday an investigation into how the development site was compromised was underway, headed by Linux chief Linus Torvalds, according to McVoy.

    If BitMover didn't run automated integrity checks, the backdoor could have made it into the official release of version 2.6 of the kernel, and eventually into every up-to-date Linux machine on the Internet. But to get there a kernel developer using CVS would have to have used the modified file as the basis for further development, then submitted it to the main BitKeeper repository through Torvalds.

    "If it had gotten out, it could have been really bad, because any Linux kernel that had this in it, anybody who had access to that machine could become root," says McVoy. But even then, he's convinced it wouldn't have lasted long. "If someone started getting root with it, some smart kid would figure out what was going on."

    But Loveless says the hack is a glimpse of a more sophisticated computer underground than is normally talked about, and fuel for speculation that backdoors in software products are far more common than imagined. "We've had bad examples of [backdoors], and we've had rumors of extremely good examples," says Loveless. "This is a concrete example of a good one."
    www.ADigitalPimp.com
    There is a ghost in the machine, and he is my friend.
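    The assignment-versus-comparison trick the article describes, as an added C example written for this thread (it is not the kernel's code and not taken from the article); the task struct, the option flag names and values, and the return code are constructed stand-ins:

```c
/* Constructed stand-ins for the kernel task structure and two wait4()
 * option flags. Names and values are invented for this example; the
 * article does not name the real flag pair. */
struct task { unsigned int uid; };
#define OPT_A 0x40000000u
#define OPT_B 0x80000000u          /* OPT_A|OPT_B: the "invalid" pair */
#define RET_INVALID (-22)

/* The shape the article describes: reads as "if the flag pair is set AND
 * the caller is root, abort". But the second operand is an assignment.
 * In C an assignment expression evaluates to the value stored, so
 * (t->uid = 0) is always 0, i.e. false: the abort path is unreachable,
 * and any caller passing the pair has its uid overwritten with 0.
 * The extra parentheses around the assignment also silence gcc's
 * -Wparentheses "assignment used as truth value" warning. */
int lookalike_check(struct task *t, unsigned int options)
{
    int retval = 0;
    if ((options == (OPT_A | OPT_B)) && (t->uid = 0))
        retval = RET_INVALID;
    return retval;
}

/* What a reviewer assumes the code does: compare, never write. Taking
 * the task as const makes the one-character slip a compile error. */
int intended_check(const struct task *t, unsigned int options)
{
    int retval = 0;
    if ((options == (OPT_A | OPT_B)) && (t->uid == 0))
        retval = RET_INVALID;
    return retval;
}

/* Run the lookalike on a task with start_uid and report the uid after. */
unsigned int uid_after_lookalike(unsigned int start_uid, unsigned int options)
{
    struct task t = { start_uid };
    lookalike_check(&t, options);
    return t.uid;
}

/* Same for the intended version (the uid can never change here). */
unsigned int uid_after_intended(unsigned int start_uid, unsigned int options)
{
    struct task t = { start_uid };
    intended_check(&t, options);
    return t.uid;
}
```

    A check whose error branch can never execute is itself a review signal: any condition containing `&& (x = 0)` is dead code by construction.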

  2. #2 AO Ancient: Team Leader (Join Date Oct 2002, Posts 5,197)
    Does this episode in some way show the difference in Open Source versus Closed Source software? In closed source, to all intents and purposes the "hacks" are somewhat clumsy because the cracker can only really watch the behaviour of the application/OS and determine what can be done within its operating environment. But in open source the cracker can be this subtle because he can see all the source code and can come up with what is, frankly, a delightful little trick......

    Thoughts, comments, flames accepted.......
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  3. #3 Senior Member (Join Date Nov 2003, Posts 247)
    You're right. This is one problem with Open Source software. Fortunately, though, the number of problems that there are with Open Source are relatively few. Closed Source, i.e. Windows, as well as Open Source, i.e. Linux, are both making a lot of progress as far as the security issues go. Things are being caught a lot more quickly, and people are dealing with it much faster.

    Let's not forget, however, that Closed Source isn't perfect either. It's good to be aware of the problems with both, but let's not let one issue, in either case, push us to extremes.

    In any case, thanks for pointing that out, Tiger. I hadn't fully made the connection myself.
    www.ADigitalPimp.com
    There is a ghost in the machine, and he is my friend.

  4. #4 AO Ancient: Team Leader (Join Date Oct 2002, Posts 5,197)
    Sonof: I wasn't "singing the praises" of Closed Source..... I was only pointing out that the closed source "hacks" tend to be clumsier and more recognizable.... The open source ones can be so subtle that, even in code review, they can appear to be benign yet be close to, if not, quite devastating.

    It's a philosophical "question" rather than an attempt to start a flame war.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  5. #5 Senior Member (Join Date Nov 2003, Posts 247)
    Calm down. I wasn't trying to flame you, or even disagree with you. I was just saying that you were right, and making sure that anyone who reads the posts wouldn't get too confused.

    A few years ago, when I was just starting out, that happened to me often enough. People assumed I already knew things and I didn't, so I wound up a very confused little boy. (Granted it still happens more than I'd like.)

    ::Grins:: But, just to satisfy the part of you that was expecting a flame....

    [Flame]

    Moron.

    [/Flame]

    Just kidding. ;-)

    BTW, Call me Galen.
    www.ADigitalPimp.com
    There is a ghost in the machine, and he is my friend.

  6. #6 Senior Member (Join Date Jul 2003, Posts 813)
    The way I see it, being that it's open-source allows for far more people to check the code once they notice something's wrong and be able to fix it - and signal the world about it. In closed source, the problem can be detected and it is sometimes more challenging to do so - but only a limited number of people have access to the code, so if they screwed up the first time, what if the patch isn't fully covering the hole? I am aware some such bugs are simply programming mistakes - and after millions of lines of code who wouldn't do one, overworked and underpaid? Open source simply allows more people to bring ideas forth at fixing these problems, on top of the people releasing the software. [I assume anybody writing code would want it to perform best for the task it was designed for]

    That's just a point of view, naturally.

    Cheers!
    /\
