Passes it's-not-crying-wolf test

aged hippy
Level 1
Posts: 16
Joined: Tue Sep 16, 2008 6:43 pm
Location: Suffolk

Passes it's-not-crying-wolf test

Postby aged hippy » Sun Aug 16, 2009 4:27 am

Worth being aware of:
Linux developers have issued a critical update for the open-source OS after researchers uncovered a vulnerability in its kernel that puts most versions built in the past eight years at risk of complete takeover.

The bug involves the way kernel-level routines such as sock_sendpage react when they are left unimplemented. Instead of linking to a corresponding placeholder, (for example, sock_no_accept), the function pointer is left uninitialized. Sock_sendpage doesn't always validate the pointer before dereferencing it, leaving the OS open to local privilege escalation that can completely compromise the underlying machine.

"Since it leads to the kernel executing code at NULL, the vulnerability is as trivial as it can get to exploit," security researcher Julien Tinnes writes here. "An attacker can just put code in the first page that will get executed with kernel privileges."

Tinnes and fellow researcher Tavis Ormandy released proof-of-concept code that they said took just a few minutes to adapt from a previous exploit they had. They said all 2.4 and 2.6 versions since May 2001 are affected.

Security researchers not involved in the discovery were still studying the advisory at time of writing, but at least one of them said it appeared at first blush to warrant immediate action.

"This passes my it's-not-crying-wolf test so far," said Rodney Thayer, CTO of security research firm Secorix. "If I had some kind of enterprise-class Linux system like a Red Hat Enterprise Linux...I would really go check and see if this looked like it related, and if my vendor was on top of it and did I need to get a kernel patch."

This is the second time in less than a month that a serious security vulnerability has been reported in the Linux kernel. In mid July, a researcher alerted Linux developers to a separate "NULL pointer dereference" bug that put newer versions at risk of complete compromise. The bug, which was located in several parts of the kernel, attracted plenty of notice because it bit even when SELinux, or Security-Enhanced Linux, implementations were running.

More about the latest vulnerability is here, and additional details about the patch are here. ®

http://www.theregister.co.uk/2009/08/14 ... linux_bug/
"Happiness be the lot of him who works for the happiness of others."
Zarathushtra - Ushtavaiti Gatha (Yasna 43)
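The article above describes the defect only in words: a protocol's operations table leaves the sendpage slot unset, so the dispatcher calls through a NULL function pointer instead of a placeholder such as sock_no_accept. The following is an added user-space model of that pattern, not kernel code and not from the article or the thread; the struct, the three operations tables and the sample page buffer are invented for illustration. It shows the unchecked call, the checked dispatcher, the placeholder-style fix, and the audit a practitioner would run over every table to find the slots still missing a placeholder.

```c
/* Added example, not kernel code: a user-space model of an ops table
 * whose sendpage slot was never filled in. Names are illustrative. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

struct page_buf { const char *data; size_t len; };  /* stand-in for a page */

/* Stand-in for the kernel's proto_ops: a table of function pointers. */
struct proto_ops {
    const char *name;
    int (*sendmsg)(const char *msg, size_t len);
    int (*sendpage)(struct page_buf *p, size_t off, size_t len);
};

/* Placeholder in the style of the kernel's sock_no_* helpers: refuses cleanly. */
static int sock_no_sendpage(struct page_buf *p, size_t off, size_t len)
{
    (void)p; (void)off; (void)len;
    return -EOPNOTSUPP;
}

/* A protocol that implements both operations (toy bodies). */
static int tcp_like_sendmsg(const char *msg, size_t len) { (void)msg; return (int)len; }
static int tcp_like_sendpage(struct page_buf *p, size_t off, size_t len)
{
    if (off > p->len) return -EINVAL;
    size_t avail = p->len - off;
    return (int)(len < avail ? len : avail);   /* bytes "sent" */
}

/* The bug: .sendpage is not listed, so the compiler leaves it NULL. */
static const struct proto_ops broken_ops = {
    .name = "broken", .sendmsg = tcp_like_sendmsg,
};
/* The fix pattern: point the unimplemented slot at a placeholder. */
static const struct proto_ops fixed_ops = {
    .name = "fixed", .sendmsg = tcp_like_sendmsg, .sendpage = sock_no_sendpage,
};
static const struct proto_ops full_ops = {
    .name = "full", .sendmsg = tcp_like_sendmsg, .sendpage = tcp_like_sendpage,
};

/* What the vulnerable path amounts to: trust the table, call the slot.
 * With broken_ops this calls address 0; in the kernel that is a jump to
 * page zero, which an attacker who managed to map it now controls. */
int unchecked_sendpage(const struct proto_ops *ops, struct page_buf *p,
                       size_t off, size_t len)
{
    return ops->sendpage(p, off, len);
}

/* Defensive dispatcher: validate the pointer before calling through it. */
int checked_sendpage(const struct proto_ops *ops, struct page_buf *p,
                     size_t off, size_t len)
{
    if (ops == NULL || ops->sendpage == NULL)
        return -EINVAL;
    return ops->sendpage(p, off, len);
}

/* Audit: count NULL slots in a table; run it over every table you ship. */
int count_null_slots(const struct proto_ops *ops)
{
    int n = 0;
    if (ops->sendmsg == NULL) n++;
    if (ops->sendpage == NULL) n++;
    return n;
}

int main(void)
{
    struct page_buf page = { "GET / HTTP/1.0\r\n\r\n", 18 }; /* constructed sample */
    const struct proto_ops *tables[] = { &broken_ops, &fixed_ops, &full_ops };
    for (size_t i = 0; i < 3; i++) {
        const struct proto_ops *o = tables[i];
        printf("%-6s null slots=%d checked_sendpage=%d\n", o->name,
               count_null_slots(o), checked_sendpage(o, &page, 0, page.len));
    }
    /* unchecked_sendpage(&broken_ops, ...) would crash; it is never called. */
    return 0;
}
```

The two fixes are complementary: filling every slot with a placeholder removes the NULL from the table, and checking the pointer in the dispatcher protects against the table you forgot. Neither helps once an attacker can execute code at address 0, which is why the follow-up posts focus on whether page zero can be mapped at all.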

lagagnon
Level 7
Posts: 1886
Joined: Wed Jun 17, 2009 7:38 pm
Location: an island in the Pacific...

Re: Passes it's-not-crying-wolf test

Postby lagagnon » Sun Aug 16, 2009 12:13 pm

The above security threat relates to "sockets" and enterprise-class servers. As the vast majority of users here are personal workstation users with no ports open other than those absolutely necessary I don't think this is anything we should generally be concerned about.

moodywoody
Level 2
Posts: 70
Joined: Fri Aug 07, 2009 5:27 am

Re: Passes it's-not-crying-wolf test

Postby moodywoody » Mon Aug 17, 2009 6:16 am

lagagnon wrote:The above security threat relates to "sockets" and enterprise-class servers. As the vast majority of users here are personal workstation users with no ports open other than those absolutely necessary I don't think this is anything we should generally be concerned about.


While I agree that most users shouldn't be concerned about this, the vulnerability "affects all 2.4 and 2.6 kernels since 2001 on all architectures."

Source

aged hippy
Level 1
Posts: 16
Joined: Tue Sep 16, 2008 6:43 pm
Location: Suffolk

Re: Passes it's-not-crying-wolf test

Postby aged hippy » Mon Aug 17, 2009 7:34 am

moodywoody wrote:
While I agree that most users shouldn't be concerned about this, the vulnerability "affects all 2.4 and 2.6 kernels since 2001 on all architectures."

Source


Which is why I posted it, along with the "Worth being aware of" comment. :)
"Happiness be the lot of him who works for the happiness of others."
Zarathushtra - Ushtavaiti Gatha (Yasna 43)

DrHu
Level 17
Posts: 7560
Joined: Wed Jun 17, 2009 8:20 pm

Re: Passes it's-not-crying-wolf test

Postby DrHu » Mon Aug 17, 2009 9:21 am

aged hippy wrote:Which is why i posted it, along with the "Worth being aware of" comment. :)
http://blog.cr0.org/2009/06/bypassing-l ... inter.html
--some explanation of the exploit available..

However I think it will likely be addressed in the next Linux kernel 2.6.3x; if they think it is serious enough of an issue
--it is not so strange that there is more than one entry door, whether applications on the desktop or as part of the default install or the kernel(s) themselves..

Remotely ..
    In the realm of userland applications, exploiting them usually requires being able to somehow control the target's allocations until you get page zero mapped, and this can be very hard.
Locally exploiting..
    Desktop Linux machines by default: pulseaudio. pulseaudio will drop privileges and let you specify a library to load though its -L argument. Exactly what we needed!

    Once we have one page mapped in the forbidden area, it's game over. Nothing will prevent us from using mremap to grow the area and mprotect to change our access rights to PROT_READ|PROT_WRITE|PROT_EXEC. So this completely bypasses the Linux kernel's protection.

Acid_1
Level 5
Posts: 797
Joined: Thu Nov 01, 2007 11:12 pm
Location: Saskatchewan, Canada

Re: Passes it's-not-crying-wolf test

Postby Acid_1 » Thu Aug 20, 2009 3:43 am

Awww. Beaten to the punch by two days. Oh well, here's a link to the OP if you want it:

http://blog.cr0.org/2009/08/linux-null-pointer-dereference-due-to.html


and how to use it here:

viewtopic.php?f=6&t=31414&p=181154
Website: Forkwhilefork

