Passes it's-not-crying-wolf test

Postby aged hippy on Sun Aug 16, 2009 4:27 am

Worth being aware of:
Linux developers have issued a critical update for the open-source OS after researchers uncovered a vulnerability in its kernel that puts most versions built in the past eight years at risk of complete takeover.

The bug involves the way kernel-level routines such as sock_sendpage react when they are left unimplemented. Instead of linking to a corresponding placeholder (for example, sock_no_accept), the function pointer is left uninitialized. sock_sendpage doesn't always validate the pointer before dereferencing it, leaving the OS open to local privilege escalation that can completely compromise the underlying machine.

"Since it leads to the kernel executing code at NULL, the vulnerability is as trivial as it can get to exploit," security researcher Julien Tinnes writes here. "An attacker can just put code in the first page that will get executed with kernel privileges."

Tinnes and fellow researcher Tavis Ormandy released proof-of-concept code that they said took just a few minutes to adapt from a previous exploit they had. They said all 2.4 and 2.6 versions since May 2001 are affected.

Security researchers not involved in the discovery were still studying the advisory at time of writing, but at least one of them said it appeared at first blush to warrant immediate action.

"This passes my it's-not-crying-wolf test so far," said Rodney Thayer, CTO of security research firm Secorix. "If I had some kind of enterprise-class Linux system like a Red Hat Enterprise Linux...I would really go check and see if this looked like it related, and if my vendor was on top of it and did I need to get a kernel patch."

This is the second time in less than a month that a serious security vulnerability has been reported in the Linux kernel. In mid July, a researcher alerted Linux developers to a separate "NULL pointer dereference" bug that put newer versions at risk of complete compromise. The bug, which was located in several parts of the kernel, attracted plenty of notice because it bit even when SELinux, or Security-Enhanced Linux, implementations were running.

More about the latest vulnerability is here, and additional details about the patch are here. ®

http://www.theregister.co.uk/2009/08/14 ... linux_bug/
"Happiness be the lot of him who works for the happiness of others."
Zarathushtra - Ushtavaiti Gatha (Yasna 43)
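The defect class the article describes, as an added example that is not from The Register, the kernel source or this thread: a table of function pointers is only partially filled in, the missing slot stays NULL, and an indirect call through it jumps to address zero. The hardened form fills every slot with a harmless default, the way the kernel supplies sock_no_accept and similar stubs, and the caller-side guard shows the pointer check the article says sock_sendpage did not always perform. The struct and function names (my_proto_ops, no_sendpage, ops_audit, safe_sendpage) are hypothetical stand-ins, not kernel identifiers.

```c
/* Added example: user-space model of a partially initialised operations
 * table. Names are hypothetical; this is not kernel code. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical operations table, a struct of function pointers like the
 * ones the kernel uses for socket families. */
struct my_proto_ops {
    int (*accept)(int fd);
    int (*sendpage)(int fd, const void *page, size_t len);
    int (*recvmsg)(int fd, void *buf, size_t len);
};

/* Real implementations for two of the three operations. */
static int tcp_like_accept(int fd) { (void)fd; return 0; }
static int tcp_like_recvmsg(int fd, void *buf, size_t len) {
    (void)fd; (void)buf;
    return (int)len;
}

/* Default stub for an operation the family does not implement; the
 * analogue of the kernel's sock_no_* helpers. It fails cleanly instead
 * of leaving a NULL slot behind. */
static int no_sendpage(int fd, const void *page, size_t len) {
    (void)fd; (void)page; (void)len;
    return -EINVAL;
}

/* Vulnerable pattern: .sendpage is never assigned, so the slot is NULL. */
static const struct my_proto_ops vulnerable_ops = {
    .accept  = tcp_like_accept,
    .recvmsg = tcp_like_recvmsg,
    /* .sendpage intentionally missing */
};

/* Hardened pattern: every slot has a target, so no call path can ever
 * reach address zero. */
static const struct my_proto_ops hardened_ops = {
    .accept   = tcp_like_accept,
    .sendpage = no_sendpage,
    .recvmsg  = tcp_like_recvmsg,
};

/* Audit helper: count NULL slots in a table. Returns the number of
 * unimplemented operations left without a placeholder. */
int ops_audit(const struct my_proto_ops *ops) {
    int missing = 0;
    if (ops->accept   == NULL) missing++;
    if (ops->sendpage == NULL) missing++;
    if (ops->recvmsg  == NULL) missing++;
    return missing;
}

/* Caller-side guard: validate the pointer before the indirect call.
 * Returns -EOPNOTSUPP when the slot is empty instead of dereferencing it. */
int safe_sendpage(const struct my_proto_ops *ops, int fd,
                  const void *page, size_t len) {
    if (ops->sendpage == NULL)
        return -EOPNOTSUPP;
    return ops->sendpage(fd, page, len);
}

int main(void) {
    printf("vulnerable table: %d missing slot(s)\n", ops_audit(&vulnerable_ops));
    printf("hardened table:   %d missing slot(s)\n", ops_audit(&hardened_ops));
    printf("guarded call on vulnerable table -> %d\n",
           safe_sendpage(&vulnerable_ops, 3, "x", 1));
    return 0;
}
```

Both fixes are worth having: the table-side default removes the NULL slot at the source, and the caller-side check catches any table that is still incomplete. In the kernel, the second one alone is what the article says was missing in some paths.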
Re: Passes it's-not-crying-wolf test

Postby lagagnon on Sun Aug 16, 2009 12:13 pm

The above security threat relates to "sockets" and enterprise-class servers. As the vast majority of users here are personal workstation users with no ports open other than those absolutely necessary I don't think this is anything we should generally be concerned about.

Re: Passes it's-not-crying-wolf test

Postby moodywoody on Mon Aug 17, 2009 6:16 am

lagagnon wrote:
The above security threat relates to "sockets" and enterprise-class servers. As the vast majority of users here are personal workstation users with no ports open other than those absolutely necessary I don't think this is anything we should generally be concerned about.

While I agree that most users shouldn't be concerned about this, the vulnerability "affects all 2.4 and 2.6 kernels since 2001 on all architectures."

Source

Re: Passes it's-not-crying-wolf test

Postby aged hippy on Mon Aug 17, 2009 7:34 am

moodywoody wrote:
While I agree that most users shouldn't be concerned about this, the vulnerability "affects all 2.4 and 2.6 kernels since 2001 on all architectures."

Source

Which is why I posted it, along with the "Worth being aware of" comment. :)

Re: Passes it's-not-crying-wolf test

Postby DrHu on Mon Aug 17, 2009 9:21 am

aged hippy wrote:
Which is why I posted it, along with the "Worth being aware of" comment. :)

http://blog.cr0.org/2009/06/bypassing-l ... inter.html
-- some explanation of the exploit is available there.

However, I think it will likely be addressed in the next Linux kernel 2.6.3x, if they think it is serious enough an issue.
-- It is not so strange that there is more than one entry door, whether applications on the desktop, part of the default install, or the kernel(s) themselves.

Remotely:
    In the realm of userland applications, exploiting them usually requires being able to somehow control the target's allocations until you get page zero mapped, and this can be very hard.

Locally:
    Desktop Linux machines by default: pulseaudio. pulseaudio will drop privileges and let you specify a library to load through its -L argument. Exactly what we needed!

    Once we have one page mapped in the forbidden area, it's game over. Nothing will prevent us from using mremap to grow the area and mprotect to change our access rights to PROT_READ|PROT_WRITE|PROT_EXEC. So this completely bypasses the Linux kernel's protection.
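The "forbidden area" in the quoted cr0 text is the range below the kernel's vm.mmap_min_addr sysctl, exposed at /proc/sys/vm/mmap_min_addr. As an added example, not from the cr0 post or this thread, here is a small check that reads that value and reports whether unprivileged code on the running machine is allowed to map the zero page at all; the function names are my own. It assumes a Linux /proc and returns "unknown" elsewhere.

```c
/* Added example: read and classify vm.mmap_min_addr. Function names are
 * my own; the sysctl path is the real one. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse the decimal value in the form /proc prints it ("65536\n").
 * Returns -1 for malformed or negative input. */
long parse_mmap_min_addr(const char *text) {
    char *end = NULL;
    errno = 0;
    long v = strtol(text, &end, 10);
    if (errno != 0 || end == text || v < 0)
        return -1;
    /* Only trailing whitespace/newline is acceptable after the number. */
    while (*end == '\n' || *end == '\r' || *end == ' ' || *end == '\t')
        end++;
    if (*end != '\0')
        return -1;
    return v;
}

/* mmap() rejects any address below mmap_min_addr, and mappings are
 * page-aligned, so any positive value keeps page zero unmappable from
 * user space. Zero means the kernel imposes no such floor. */
const char *classify_mmap_min_addr(long v) {
    if (v < 0)  return "unknown";
    if (v == 0) return "unprotected";
    return "protected";
}

/* Read the live value; -1 if /proc is unavailable (non-Linux, or a
 * kernel too old to have the knob). */
long read_mmap_min_addr(void) {
    FILE *f = fopen("/proc/sys/vm/mmap_min_addr", "r");
    if (f == NULL)
        return -1;
    char buf[64];
    if (fgets(buf, sizeof buf, f) == NULL) {
        fclose(f);
        return -1;
    }
    fclose(f);
    return parse_mmap_min_addr(buf);
}

int main(void) {
    long v = read_mmap_min_addr();
    printf("vm.mmap_min_addr = %ld (%s)\n", v, classify_mmap_min_addr(v));
    return 0;
}
```

A "protected" result only says the sysctl floor is in place. The cr0 text quoted above is precisely about a helper that starts privileged and then drops privileges getting around that floor, so the setting is a necessary layer, not a substitute for applying the kernel patch the thread is about.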

Re: Passes it's-not-crying-wolf test

Postby Acid_1 on Thu Aug 20, 2009 3:43 am

Awww. Beaten to the punch by two days. Oh well, here's a link to the OP if you want it:

http://blog.cr0.org/2009/08/linux-null-pointer-dereference-due-to.html
and how to use it here:

viewtopic.php?f=6&t=31414&p=181154