Slashdot: News for Nerds


Bug In Most Linuxes Can Give Untrusted Users Root

kdawson posted more than 4 years ago | from the patchin'-place dept.

Security 281

Red Midnight and other readers brought to our attention a bug in most deployed versions of Linux that could result in untrusted users getting root access. The bug was found by Brad Spengler last month. "The null pointer dereference flaw was only fixed in the upcoming 2.6.32 release candidate of the Linux kernel, making virtually all production versions in use at the moment vulnerable. While attacks can be prevented by implementing a common feature known as mmap_min_addr, the RHEL distribution... doesn't properly implement that protection... The... bug is mitigated by default on most Linux distributions, thanks to their correct implementation of the mmap_min_addr feature. ... [Spengler] said many other Linux users are also vulnerable because they run older versions or are forced to turn off [mmap_min_addr] to run certain types of applications." The Register reprints a dialog from the OpenBSD-misc mailing list in which Theo De Raadt says, "For the record, this particular problem was resolved in OpenBSD a while back, in 2008. We are not super proud of the solution, but it is what seems best faced with a stupid Intel architectural choice. However, it seems that everyone else is slowly coming around to the same solution."


281 comments

First post (5, Insightful)

wisty (1335733) | more than 4 years ago | (#29977310)

But you don't know if I didn't just hack the servers ;)

So? (-1, Troll)

zennyboy (1002544) | more than 4 years ago | (#29977330)

So, anti-Windows people? Whatcha say now? ;-)

Re:So? (1, Troll)

yttrstein (891553) | more than 4 years ago | (#29977352)

I say "I'd rather pay nothing for bugs like this than $400 for all the same borkedness in Server 2008"

I'd rather pay $400 for bugs likes this (2, Insightful)

coryking (104614) | more than 4 years ago | (#29977754)

And know the fix would be back-ported to Server 2003. How many "stable" kernel versions will the fix be back ported to? Will my 2.4.x kernels get a patch?

Re:I'd rather pay $400 for bugs likes this (2, Insightful)

RAMMS+EIN (578166) | more than 4 years ago | (#29977840)

``Will my 2.4.x kernels get a patch?''

Are they vulnerable?

Re:So? (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#29977998)

For every obvious down-mod due to lack of maturity, such as this one, I use a number of "excellent" karma-ed accounts to randomly down mod stuff randomly as "troll".

It's pretty fun, and it works much better than all my "downmodding for opinion isn't nice!" signatures at blowing off a little steam.

I'm not the only one doing it, either, it turns out. There's actually a yahoo group. Wonder!

obvious troll is obvious. (2, Insightful)

Anonymous Coward | more than 4 years ago | (#29977376)

So, anti-Windows people? Whatcha say now? ;-)

Thank god that independent forces are out there finding and reporting kernel bugs in Linux. If only the bug-finders for windows were so altruistic.

Re:obvious troll is obvious. (0, Troll)

zennyboy (1002544) | more than 4 years ago | (#29977586)

Actually, I was not trolling. Put simply, if this EXACT BUG was discovered in Windows, OS persons would be jumping about like grass-hoppers that THIS could never happen in OS software, MS is EV1L etc. Yet here we are, and several releases later, only NOW is this bug discovered... The Many Eyes theory looks weak...

Re:obvious troll is obvious. (3, Insightful)

blueskies (525815) | more than 4 years ago | (#29977642)

OS persons would be jumping about like grass-hoppers that THIS could never happen in OS software...The Many Eyes theory looks weak...

You misunderstand then. It's not the point that it could never happen, but that it gets found and fixed. This bug was found in the absence of proof of concept code unlike the reverse situation.

Re:obvious troll is obvious. (1)

noundi (1044080) | more than 4 years ago | (#29977876)

You are trolling since you're trying to imply that this is the first time a flaw was found in the Linux kernel. This has happened numerous times, and it has been posted on /. numerous times, and there's always some fucking troll saying "If this was Windows...". Who the fuck cares!? Why make everything into some political bullshit with extremists throwing rocks at each other?
 
I'm going to drop a bomb here and it might shock you all, but it's the truth, here it goes: Linux is not perfect nor did anybody with half a brain claim it to be so.
 
There now troll elsewhere.

Re:obvious troll is obvious. (1)

Clairvoyant (137586) | more than 4 years ago | (#29978194)

Well the fact that it (the troll) actually found it necessary to post this would mean that it is actually less common than on Windows.
You don't see Linux fans posting "If this were Linux" on all Windows bugs. Apart from the fact that if they would; it might actually be even more annoying! Maybe "we" should start doing that. For every critical Windows bug say "If this were any other OS...". Doesn't sound so smart now, does it, zennyboy?

Re:obvious troll is obvious. (1)

jabjoe (1042100) | more than 4 years ago | (#29977966)

Bit of a sweeping statement for a single case. So open source software isn't perfect either, course not, it's programmed by monkeys in shoes like all other software. But if you look at the statistics, even weighting for market scale, open comes out on top. This is actually an example of why: exploits are easier to find as researchers can look at, debug, pull apart the source, unlike when it's a closed box. The fix will be done quickly (maybe in multiple ways by multiple people, until one stands out as best) and then backported to anything required, not only for what makes business sense to the company with the source.

Re:obvious troll is obvious. (1, Offtopic)

zennyboy (1002544) | more than 4 years ago | (#29978040)

OK then; I reply to myself rather than attaching this to any one particular reply. But Flamebait?? Really? I thought it was a reasonably concise, intelligent reply. It may be that my observation had been made before about other similar situations, but then, in similar situations, of course people will make similar replies. I had not read about the other bugs in the Linux kernel, but I do see people hammering Windows day after day after day. And these comments get modded up day after day after day. Why am I a troll? Why is my comment Flamebait? It was not intentional but perhaps it reflects Slashdot mentality?

Re:So? (2, Funny)

Aim Here (765712) | more than 4 years ago | (#29977468)

Hah, this just shows how EFFICIENT Linux is. Until recently, Windows achieved their local privilege escalation vulnerability rollout by having almost every home user running as fully privileged administrator accounts all the time. Linux achieves all this through a small tweak to the kernel build system, thus getting this feature to 100% of Linux users without any manual intervention at all.

Re:So? (1)

intheshelter (906917) | more than 4 years ago | (#29977480)

Get a Mac!!

Re:So? (0)

Anonymous Coward | more than 4 years ago | (#29977686)

Anti-Windows people have already patched this:

For the record, this particular problem was resolved in OpenBSD a while back, in 2008. ... basically they are resisting this for Windows binary compatibility[.] Ironic, isn't it? ... We decided we don't care about Wine.

(Theo de Raadt on the OpenBSD mailing list)

:-)

Re:So? (1, Troll)

morgauxo (974071) | more than 4 years ago | (#29978296)

I could say "The... bug is mitigated by default on most Linux distributions, thanks to their correct implementation of the mmap_min_addr feature."

I could compare the average time to fix a critical bug between the two platforms.

I could point out that we will never know what bugs Microsoft is sitting on without reporting.

I could point out how Windows servers just don't seem to work well if they aren't rebooted regularly while Linux boxes just seem to go until the hardware wears out.

I could point out that my wife's Vista box is 2 to 4 times faster than my Gentoo box in just about all hardware stats and yet I usually get about 10 times the framerate in games with 3D graphics.

I could point out all the hardware (printers, scanners, etc...) my Windows using friends and relatives threw out because there were no Vista drivers.

I could point out the ease of installing software with a good package manager.

I talk about the wealth of free software available for Linux (yes, some of it has Windows ports)

I could mention the price of Windows, or the prices of most of the popular software that most Windows users claim they need Windows for. (not really relevant when most people pirate it anyway though)

I might go on and on telling all sorts of true stories about Windows vs Linux but who would really want to read them.

Isn't this a dupe? (1, Insightful)

Aim Here (765712) | more than 4 years ago | (#29977346)

Surely this [slashdot.org] is the same story, from 2 months ago.

One Word: (0)

Anonymous Coward | more than 4 years ago | (#29977438)

Surely this [slashdot.org] is the same story, from 2 months ago.

One word: "Kdawson"

Re:Isn't this a dupe? (5, Informative)

Xonea (637183) | more than 4 years ago | (#29977444)

Nope, it is a new one, but the same old bugfix still works.

Just type sysctl -w vm.mmap_min_addr=4096 in your box (or any other number > 0) and you are safe.

Re:Isn't this a dupe? (3, Informative)

gzipped_tar (1151931) | more than 4 years ago | (#29977782)

This is from Fedora running kernel 2.6.30 with minimal customization (almost default, and no tweaking related to this one):

$ cat /proc/sys/vm/mmap_min_addr
65536

The devs seem to be doing an adequate job to mitigate this problem.

Re:Isn't this a dupe? (4, Informative)

tayhimself (791184) | more than 4 years ago | (#29977850)

This solution works, please see the links below. However I would recommend seeing what your settings are on your system:
$ sysctl -n vm.mmap_min_addr
to find what your setting is.
On Ubuntu 8.04 LTS servers (including Xen kernels) and on 9.10 desktops it is 65536. Not a big deal.
http://wiki.debian.org/mmap_min_addr [debian.org]
https://lists.ubuntu.com/archives/ubuntu-devel/2008-July/025805.html [ubuntu.com]
http://www.securityfocus.com/bid/26831/info [securityfocus.com]

Re:Isn't this a dupe? (2, Insightful)

Shikaku (1129753) | more than 4 years ago | (#29977896)

Ran off my Ubuntu 9.10 fresh installed desktop:

#cat /proc/sys/vm/mmap_min_addr
0 ... Oh shit.

Re:Isn't this a dupe? (2, Interesting)

tayhimself (791184) | more than 4 years ago | (#29978008)

Ran off my Ubuntu 9.10 fresh installed desktop:

#cat /proc/sys/vm/mmap_min_addr
0 ... Oh shit.

Is it possible that you are running wine or some other emulator program. The only software similar to an emulator I have is Virtualbox on my 9.10 desktop and it still has the 65536 setting.
Anyone else can shed light on this?

Re:Isn't this a dupe? (2, Informative)

Shikaku (1129753) | more than 4 years ago | (#29978102)

I have VirtualBox and Wine, and VirtualBox uses a kernel module. So it's possible that one of those could have set it to 0. I set it to 65000 just in case and it didn't break Wine or VirtualBox...

Re:Isn't this a dupe? (4, Informative)

0123456 (636235) | more than 4 years ago | (#29978168)

Ubuntu sets this to zero if you have wine installed.

Re:Isn't this a dupe? (1, Funny)

Anonymous Coward | more than 4 years ago | (#29977990)

What? You mean I don't have to wait until patch tuesday? Outrageous!

Re:Isn't this a dupe? (5, Informative)

eparis (1289526) | more than 4 years ago | (#29978066)

No, this isn't the same bug. People confuse two issues. I wrote the mmap_min_addr protections to try to mitigate the effects of a certain class of common kernel bugs which exist because of design choices by Intel. That class of bugs can be summed up as NULL pointer usage. Every time someone finds a new NULL pointer usage bug we get the same story. RHEL (and any system with SELinux enabled) did not have protections for mapping the 0 page by local authenticated users, but did have protections for network facing daemons and the like. Other distros had protections for the local authenticated user but weaker protections for network facing daemons. The mmap_min_addr protections have since been enhanced in SELinux systems such that they have stronger protections, both for local authenticated users and for network facing daemons. My old comments from the first time this came up are at http://eparis.livejournal.com/ [livejournal.com]

But the key to remember is that mmap_min_addr implementation is not the bug that allows elevation of privilege. In this case it was a very very old bug in the implementation of pipes. Previously Spender and friends have found bugs in performance counters (one which was actually much worse as it didn't fit into the very narrow class which might be mitigated by mmap_min_addr), in network sockets, and other places. These are the bugs which cause this to be a new story. Once he finds the real bugs he applies some of the same basic techniques (plus a whole lot of thought) to create an exploit. If the Linux kernel was bug free we wouldn't need mmap_min_addr. If mmap_min_addr was bug free (over the years Spender has found multiple problems with my work) this class of bugs would be just a bit less devastating.

Everyone in the kernel development community needs to think of invalid pointer bugs as a larger security threat than they currently do. The lesson here: keep your systems patched.

Re:Isn't this a dupe? (0)

Anonymous Coward | more than 4 years ago | (#29978274)

Title: "Bug In Most Linuxes Can Give Untrusted Users Root"

Article: "The... bug is mitigated by default on most Linux distributions, thanks to their correct implementation of the mmap_min_addr feature"
What the heck? The title says one thing the article another? Slow news day? This isn't the first time ... or third for that matter ...

huh? (0)

Anonymous Coward | more than 4 years ago | (#29977350)

DeliberateBug In Most Linuxes Can Give Untrusted Users Root

fixed that for u.

Everyone knows that....don't they?

Stupid masturbating monkeys... (0)

Anonymous Coward | more than 4 years ago | (#29977388)

...they should've listened to Linus and ignored this until now, like all the others. Linus knows best.

My Unsettling Ubuntu Experience (1, Troll)

Smidge207 (1278042) | more than 4 years ago | (#29977390)

I'd been using Ubuntu 9.04's LiveCD feature at work to migrate Windows profiles. Unlike Windows, which never properly migrates user directories no matter how you coax it, Ubuntu's simple drag-and-drop replacement from network backup makes user migration a piece of cake.

I simply booted, configured the network settings, logged into our network backup, and copied the old user directory over top of the new one (we're on a domain). When the user logged back in, their old stuff was all in place. It had really been a lifesaver, and I'd started reading up on it more and started to set up an Ubuntu workstation. But that's when I ran into some weird problems.

After installing and tinkering around on the GNOME desktop, I opened Terminal. After writing some scripts and creating user accounts, a new terminal window opened. I thought this very odd since I hadn't initiated a new session and none of my scripts would have either. As I was about to close it, I paused my mouse. The terminal session had printed something to the screen, seemingly by itself.

        trollaxor@ubuntor:~$
        *** DO U LIKE GUYS Y OR N

I typed N and the window disappeared. "How weird," I thought, and figured one of my buddies had installed some third party software or something to covertly mess with me. I couldn't remember when I'd told anyone about this install, but I was content to leave it at that since everything was otherwise fine.

A half hour later, I was farting around in GNOME when it happened again. This time, there was no terminal session even open to begin with; the window just popped up out of nowhere. And again it asked the same question, ominously blinking at me.

        trollaxor@ubuntor:~$
        *** DO U LIKE GUYS Y OR N

Before I did anything else I opened another terminal session and ran top so I could figure out what the fuck was running in the background that was randomly harassing me. I peered through it, sorted by CPU, memory usage, command name—but nothing. I'm pretty familiar with Linux and I didn't see anything that looked out of the ordinary. At this point I switched back to the frustrating terminal session and typed N and the window closed, only to open right back up and ask again:

        trollaxor@ubuntor:~$
        *** DO U LIKE GUYS Y OR N

Now irritated, I texted several of my buddies the same question, figuring they'd own up when it became obvious to them their little joke had succeeded. Two asked me "wtf" and another said "no y do u? fag!" No admissions came, implicit or otherwise, and I began running ps with its myriad options in hopes of spotting the offending process. A second terminal window popped up on top of the first with the same damn question blinking at me.

        trollaxor@ubuntor:~$
        *** DO U LIKE GUYS Y OR N

Finally in desperation I typed Y and hit return in both of the windows. At first, they went away and I sat silently in anticipation. When nothing happened after ten seconds, I returned to editing my GNOME config files when the desktop wallpaper changed all by itself. Instead of the boring orange default, I was staring at something much different. This was no longer mildly irritating or perplexing—now I was freaking out and wanted answers. I logged onto Freenode and joined #ubuntu.

        #ubuntu Official Ubuntu Support Channel
          hi. i was wondering if anyone ever noticed any versions of ubuntu throwing up terminal sessions with text inside.

Minutes passed as conversations about screen resolution problems on netbooks, laptop fans running non-stop, and permissions errors on an external USB drives ran back and forth—typical IRC chatter—but someone eventually responded to my question.

          trollaxor, it's possible but unlikely. that's really weird.
          troll, what are the sessions saying?
          "DO YOU LIKE GUYS Y OR N"
          You must have installed some 3rd party applications.
          trollaxor, well what did you answer? Y or N?
          has anyone else had access to that system, trollaxor?
          mechabuntu, no. just me since i set it up a few hours ago.
          troll, did you give anyone remote login access?
          rasputin, I answered "N" at first and the sessions disappeared
          hmm, that's too bad!
          but when I answered "Y" it changd my wallpaper
          troll, wtf. what did it change it to?
          here, i'll just link you to it... http://tinyurl.com/kucg8v [tinyurl.com]
          Ha! Did troll install GNU/Linux or GAY/Linux?
          troll, that is fucked. are you sure someone's not messing with you??
          trollaxor, it's so intuitive, it knew JUST the right wallpaper for you!
          mechabuntu: no, this is really happening. i'm actually getting scared...
          rasputin, uh, no, this is not supposed to happen on any unix install ever
          you've never heard of gaybuntu, have you, trollaxor?
          oh no, not this shit again
          uh no what the hell is that
          is marked as being away: Away.
        rasputin_ has invited you to join #gaybuntu
          !op

Obviously something was going on in #ubuntu but I didn't stick around long enough to find out what it was. I logged out, deleted the Freenode connection and log files, and opened http://www.freebsd.org/ [freebsd.org] in Firefox.

FreeBSD 7.2R had been out since May and I'd gladly put up with migrating pains over Gaybuntu any day. I could play with it on my server and check out FreeBSD LiveCD for work. The sooner I wiped this machine the better. And lo and behold, just as I started copying the ISO to my flash drive, Ubuntu's image viewer started opening pictures of young nude boyish men engaging in carnal acts so lurid I won't describe them here.

By the time I had burned a copy of the FreeBSD 7.2R install disc, the Ubuntu machine was spitting the CD drive out at me while playing a chorus of moaning sexual intercourse sounds from the speakers. It was like my machine was possessed by a gay Linux ghost!

I was really messed up by this and didn't sleep well the next couple of nights. In fact, I kind of stayed away from computers altogether and my boss got on my case for slacking. I wanted to tell him the truth about what had happened, but I thought better of it and suffered in silence. Every time I approached a Linux machine I held my breath in fear. I made peace with manual Windows profile migration and ditched all of our Ubuntu discs.

A couple days later, in my final act of destroying Gaybuntu, I microwaved the CD-R I'd burned. After several seconds of blue electrical crackling and a small puff of smoke, the disc was burned beyond use. I shredded it and double-bagged the shards before throwing it in my neighbor's trash. I suggest taking a long, hard look at your Ubuntu installs for any strange behavior—my unsettling Ubuntu experience still rattles my psyche to this day. Don't let gay Linux happen to you.

Another story that isnt a story (-1)

Kilz (741999) | more than 4 years ago | (#29977404)

The lead-in says it's "a bug in most deployed versions of Linux"

Then says in the excerpt " in the upcoming 2.6.32 release candidate of the Linux kernel"

It's a release candidate, therefore it can't be in "most deployed versions".
The newest version of Ubuntu (karmic) for instance only uses 2.6.31.

Re:Another story that isnt a story (0)

Anonymous Coward | more than 4 years ago | (#29977454)

Read again.

Re:Another story that isnt a story (3, Informative)

Xonea (637183) | more than 4 years ago | (#29977462)

It says that it was only fixed " in the upcoming 2.6.32 release candidate of the Linux kernel" - hence everything before that is vulnerable.

But the bug is not exploitable on ubuntu, because they set vm.mmap_min_addr > 0 by default.

Ubuntu not necessarily safe (2, Informative)

daveewart (66895) | more than 4 years ago | (#29977852)

But the bug is not exploitable on ubuntu, because they set vm.mmap_min_addr > 0 by default.

That doesn't seem to be generally true.

Ubuntu Hardy 8.04 LTS, 2.6.24-25-generic: vm.mmap_min_addr = 65536; Ubuntu Jaunty 9.04, 2.6.28-16-generic: vm.mmap_min_addr = 0. So, by the above logic, Ubuntu Jaunty is vulnerable, although Hardy is safe.

Also seems like vm.mmap_min_addr = 0 for all the Debian boxes I can get my hands on...

(All my comments above relate to the stock/packaged kernels for the distribution)

Re:Ubuntu not necessarily safe (1)

pjt33 (739471) | more than 4 years ago | (#29977944)

It was certainly 0 for Deb. lenny.

Re:Ubuntu not necessarily safe (3, Informative)

eparis (1289526) | more than 4 years ago | (#29978100)

Installing the wine package on ubuntu automatically sets mmap_min_addr to 0. The default install will have it set higher. Solution, remove wine.

Re:Ubuntu not necessarily safe (1)

daveewart (66895) | more than 4 years ago | (#29978250)

Installing the wine package on ubuntu automatically sets mmap_min_addr to 0. The default install will have it set higher

Interesting. (See /etc/sysctl.d/wine.sysctl.conf for some comments).

Solution, remove wine.

Hardly a solution if one needs to use Wine, though, is it? Probably just a good idea to wait for a patched kernel, I should think.

Re:Ubuntu not necessarily safe (1)

Anonymous Psychopath (18031) | more than 4 years ago | (#29978226)

Also seems like vm.mmap_min_addr = 0 for all the Debian boxes I can get my hands on...

I just looked and it's >0 on my Debian box, which is patched regularly but still uses packaged kernels. So I guess that would be one of the ones you can't get your hands on. :P

Re:Another story that isnt a story (1)

Shikaku (1129753) | more than 4 years ago | (#29977956)

# sysctl -n vm.mmap_min_addr
0

On 9.10. Right. Did you try running the command yourself?

Full quote from article (2, Informative)

Dareth (47614) | more than 4 years ago | (#29977474)

The null pointer dereference flaw was only fixed in the upcoming 2.6.32 release candidate of the Linux kernel, making virtually all production versions in use at the moment vulnerable.

You know you can click on the article links and actually read them.

Re:Another story that isnt a story (1)

raddan (519638) | more than 4 years ago | (#29977560)

The bug is fixed in the release candidate. The point being that "most deployed versions" of Linux do not have the fix.

Same Exploit from July? (1, Redundant)

eldavojohn (898314) | more than 4 years ago | (#29977406)

The bug was found by Brad Spengler last month.

I thought we discussed this in July [slashdot.org] ? Or is this a different exploit?

I think it's pretty clear that De Raadt and others have been discussing this vulnerability for quite some time. On a list of affected systems [securityfocus.com] , you can see it's been known on that site since August. Here's another fix discussed [kernel.org] that involves setting PER_CLEAR_ON_SETID mask to MMAP_PAGE_ZERO and that's from July (unfortunately, as the Register article said, that might cause problems with applications). In fact I think Spengler has been talking about this for quite some time as I believe you can find exploit code here [grsecurity.net] and a video of it in use here against SELinux [youtube.com] . If that's not the same exploit it sure seems to be very similar in nature.

Re:Same Exploit from July? (0)

RAMMS+EIN (578166) | more than 4 years ago | (#29977666)

``I thought we discussed this in July? Or is this a different exploit?''

I have been wondering this, as well. It would be useful if, when discussing bugs, people included some sort of unique identifier, to make clear exactly which bug they are talking about.

Re:Same Exploit from July? (2, Insightful)

idontgno (624372) | more than 4 years ago | (#29977920)

Well, there's always MITRE Common Vulnerabilities and Exposures [mitre.org] , which is a good pretty much dupe-free index of reported vulns. Most professional discussions of vulnerabilities tend to use CVE references.

For instance, this particular vuln looks like CVE 2009-2695 [mitre.org] . The one discussed in the July /. article appears to be CVE 2009-1897 [mitre.org] .

The CVE pages are pretty good, complete with cross references to discussions and some pretty detailed analysis of the vulnerability.

Re:Same Exploit from July? (1)

RAMMS+EIN (578166) | more than 4 years ago | (#29978144)

Thanks. With the CVE numbers, at least we know what we're talking about.

Re:Same Exploit from July? (1)

raffo (310036) | more than 4 years ago | (#29977926)

I looked at the exploit code above, it relies on the pulseaudio binary to be set SUID (run as root when executed). The "exploit" is to run pulseaudio and pass it an executable module, the module, obviously, will run as root as well.

If pulseaudio is not set SUID, the "exploit" code terminates with an error message... hilarious.

This seems to me a bunch of "security" experts trying to call attention to themselves.

Re:Same Exploit from July? (1, Informative)

JasterBobaMereel (1102861) | more than 4 years ago | (#29978096)

So it's really a bad design on Intel chips, that all operating systems have to work around, except Windows which requires it to work like this... ...and on most Linux and BSD systems it will not work even if unpatched ... and it has already been patched ... and you need to be able to get a user on the local machine to run an app to exploit it (most users install from the Package Manager and so will never run a random downloaded app), and this does not appear to be a remote exploit?

Patch (5, Informative)

tomtomtom (580791) | more than 4 years ago | (#29977430)

For those who just want to know how to fix it, you need to apply this git commit [kernel.org] to your kernel tree and then either recompile and reboot or apply the patch using ksplice.

Re:Patch (5, Informative)

Xonea (637183) | more than 4 years ago | (#29977594)

Or, if you want to wait for your vendor patch, set vm.mmap_min_addr manually, if it hasn't been set by your vendor already - the only distribution I have where this is necessary is debian.

You can either do
# sysctl -w vm.mmap_min_addr=65536
and redo that every reboot, or do

# echo "vm.mmap_min_addr = 65536" > /etc/sysctl.d/mmap_min_addr.conf
# /etc/init.d/procps restart
and be done with it.
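Pulling the thread's various "what does your box say" checks together, as an added example that is not from any poster: a POSIX shell audit that classifies the running value of vm.mmap_min_addr and scans a sysctl.d directory for every fragment that sets it, since a package drop-in such as the wine.sysctl.conf mentioned above can zero the distribution default. The sample sysctl.d tree is constructed inline; the live check only reads /proc and /etc/sysctl.d (both paths assumed to be the standard ones).

```shell
#!/bin/sh
# Added example, not code from the thread: audit vm.mmap_min_addr and find
# which sysctl.d fragment is responsible for its value.

# classify_mmap_min_addr VALUE
#   prints "mitigated" (page zero cannot be mmap'd by userland),
#   "unmitigated" (value is 0) or "unknown" (not a number).
classify_mmap_min_addr() {
    case "$1" in
        ''|*[!0-9]*) echo "unknown" ;;
        *) if [ "$1" -eq 0 ]; then echo "unmitigated"; else echo "mitigated"; fi ;;
    esac
}

# find_sysctl_overrides DIR
#   prints "file:value" for each *.conf in DIR that assigns vm.mmap_min_addr,
#   in glob order, which is the order procps applies the fragments.
find_sysctl_overrides() {
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        # ignore comment lines; take the numeric value after '=' (spaces allowed)
        v=$(sed -n 's/^[[:space:]]*vm\.mmap_min_addr[[:space:]]*=[[:space:]]*\([0-9]*\).*/\1/p' "$f" | tail -n 1)
        [ -n "$v" ] && printf '%s:%s\n' "$f" "$v"
    done
}

# effective_mmap_min_addr DIR
#   the value the last matching fragment sets (later fragments win), or empty.
effective_mmap_min_addr() {
    find_sysctl_overrides "$1" | tail -n 1 | sed 's/.*://'
}

# audit_live
#   reports the kernel's current setting and the fragments that set it.
audit_live() {
    if [ ! -r /proc/sys/vm/mmap_min_addr ]; then
        echo "no /proc/sys/vm/mmap_min_addr (not a Linux kernel?)"
        return 0
    fi
    cur=$(cat /proc/sys/vm/mmap_min_addr)
    echo "vm.mmap_min_addr=$cur -> $(classify_mmap_min_addr "$cur")"
    [ -d /etc/sysctl.d ] && find_sysctl_overrides /etc/sysctl.d
}

# Constructed sample sysctl.d tree mirroring the situation in the thread:
# a distro default of 65536 followed by a wine drop-in that resets it to 0.
demo_dir=$(mktemp -d)
printf 'vm.mmap_min_addr = 65536\n' > "$demo_dir/10-mmap_min_addr.conf"
printf '# wine needs page zero for some 16-bit apps\nvm.mmap_min_addr = 0\n' \
    > "$demo_dir/wine.sysctl.conf"

echo "fragments in constructed $demo_dir:"
find_sysctl_overrides "$demo_dir"
echo "effective value: $(effective_mmap_min_addr "$demo_dir") -> $(classify_mmap_min_addr "$(effective_mmap_min_addr "$demo_dir")")"
echo "live system:"
audit_live
```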

Re:Patch (-1, Flamebait)

jellomizer (103300) | more than 4 years ago | (#29977940)

Of course it is obvious to any person all you need to do is that. I love it when windows has a bug everyone is excited saying how unsecured windows is, even if there is a fix the user can do it is not their problem. And will rather get their system infected than run it.

But for Linux if they find the user fix they make it seem like an obvious fix and if it was broken it was user error not Linux.

Re:Patch (1)

natehoy (1608657) | more than 4 years ago | (#29978306)

No, it's not obvious at all. Which is why a bunch of people are posting instructions on how to do it. Actually, did either of the posts you were replying to use the term "obvious" or "user error"? I sure didn't see it.

I saw people posting relatively clear instructions to protect yourself until a proper fix is released.

I see the same thing on a lot of bugs, be they Windows or Linux or Mac or iOS or whatever. Someone comes up with a way to mitigate the risk and publishes that method to reduce the number of infections until the vendor/author can release a better solution. People can either take the step to mitigate the risk, or run the risk of infection. It doesn't change the fact that there is an underlying flaw in the code, it just gives you a way to mitigate your risk until a patch comes out.

If you are running a possibly vulnerable version of the operating system in question, and the fix doesn't break something you need to do, then it's in your best interests to implement it. If you choose not to, well, you choose not to. The vendor/author still shares some blame for releasing buggy stuff in the first place, but you've also made your own decision on whether the temporary fix is worth the effort to you.

Re:Patch (0)

Anonymous Coward | more than 4 years ago | (#29977606)

Reboot? What's that?

sysctl vm.mmap_min_addr (3, Informative)

MrMr (219533) | more than 4 years ago | (#29977432)

If the result is non-zero the vulnerability doesn't exist.
'Most deployed versions of linux'?
So far only some unpatched RHEL versions allow this local exploit, even the Centos rip-off doesn't have it.

Re:sysctl vm.mmap_min_addr (2, Funny)

ByOhTek (1181381) | more than 4 years ago | (#29977776)

But I use RedHat you insensitive clod!

Re:sysctl vm.mmap_min_addr (1)

b00fhead (669286) | more than 4 years ago | (#29977818)

vm.mmap_min_addr = 0

on Ubuntu Karmic.

Re:sysctl vm.mmap_min_addr (1)

MrMr (219533) | more than 4 years ago | (#29977922)

That's weird, because 9.04 gives: vm.mmap_min_addr = 65536 and so did the 9.10 desktop version a few posts up...
Anyway, you can fix it with 'sysctl -w'.

Re:sysctl vm.mmap_min_addr (2, Informative)

0123456 (636235) | more than 4 years ago | (#29978074)

That's weird, because 9.04 gives: vm.mmap_min_addr = 65536 and so did the 9.10 desktop version a few posts up.

You probably don't have Wine installed. AFAIR Wine needs it set to zero to run some old 16-bit applications, so installing Wine installs a config file which sets it to zero.

Re:sysctl vm.mmap_min_addr (1)

IBBoard (1128019) | more than 4 years ago | (#29978104)

Must be an Ubuntu oddity for Wine, then. My Fedora 11 system gives me:

$ sysctl vm.mmap_min_addr
vm.mmap_min_addr = 65536
$ rpm -q wine
wine-1.1.29-1.fc11.x86_64
$

Re:sysctl vm.mmap_min_addr (1)

0123456 (636235) | more than 4 years ago | (#29978282)

Must be an Ubuntu oddity for Wine, then.

Yeah, I don't know of any other distribution than Ubuntu which automatically reconfigures it when you install Wine.

Re:sysctl vm.mmap_min_addr (0)

Anonymous Coward | more than 4 years ago | (#29978188)

Interesting...mine's not zero....

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 9.10
Release: 9.10
Codename: karmic

$ uname -r
2.6.31-14-generic

$ sysctl vm.mmap_min_addr
vm.mmap_min_addr = 65536
$

Re:sysctl vm.mmap_min_addr (1)

idontgno (624372) | more than 4 years ago | (#29977962)

I haven't looked on my household server yet, but since CentOS is a direct clone of RHEL, I assume it's also vulnerable to this by default.

Re:sysctl vm.mmap_min_addr (1)

whyloginwhysubscribe (993688) | more than 4 years ago | (#29978192)

Yes - even the summary says that the bug is mitigated by default by most dists, yet gives the story the title "...most linuxes..."
This is still a serious problem though!

This can't be true (0)

Anonymous Coward | more than 4 years ago | (#29977472)

Linux is teh roxerz!!!!onehundredeleven!!!
 
M$ wants to p0wn3d joo.

standard author/exploiter response? (5, Insightful)

Gopal.V (532678) | more than 4 years ago | (#29977476)

I'm not a real security guy, but my experiences with security bug reporting shows that nearly all such subtle bugs are pooh-poohed by the original authors till the exploit writer resorts to petulant scaremongering. I'm not sure which one is to blame for either one's behaviour.

All of these attacks IIRC require you to be able to mmap() page zero. Which is why mmap_min_addr is almost never set low enough in a decently protected OS. But the fact is that the exploit is a valid bug for a system which hasn't got that set to 4k. And there is a valid root exploit using pulseaudio (*ouch*) as a vector.

Linus might have been right in saying setuid is a 'vulnerability', but to call it a design flaw is wrong. Setuid is not a design flaw, it is a trade-off - needed for something as simple as 'ping' to function (yeah, ping's got setuid, check it).

Being able to exploit a setuid binary after mmap'ing page zero with executable shell code, via a phpbb vulnerability which is exposed because of lack of php filtering is like saying ... "look, having arranged these six dominoes, I only need to push *one* over".

I'm not denying either of them aren't right in their own way - but invariably original author vs security researcher sets up a very immature exchange of insults (and the ego of both types don't help either).

Egos in the IT security industry? Say it aint so! (-1, Troll)

Viol8 (599362) | more than 4 years ago | (#29977542)

People who spend their lives looking for exploits and holes in a system, whether white or black hat, are only doing it so they can puff their egos by getting one over the code's original author and showing the world how l337 they are, so no great surprise when said egos bloat out in arguments.

Re:standard author/exploiter response? (0)

Anonymous Coward | more than 4 years ago | (#29977692)

Interesting, I just checked in Linux and /bin/ping is setuid, but curiously enough /sbin/ping in Mac OS X is not setuid.

Re:standard author/exploiter response? (2, Informative)

robmv (855035) | more than 4 years ago | (#29977946)

That is being solved with Filesystem capabilities [lwn.net] . Fedora 11 still has ping as setuid, not sure if Fedora 12 beta already switched it

Re:standard author/exploiter response? (2, Informative)

sqlrob (173498) | more than 4 years ago | (#29978068)

Not necessarily. You can create raw sockets with some limitations without root access on OS X. There's enough control to implement ping, but not enough to forge.

Re:standard author/exploiter response? (1)

Late Adopter (1492849) | more than 4 years ago | (#29977720)

Setuid is certainly a trade-off, but it seems a little absurd that you need full root permissions to access just the special resources "ping" needs to function. If anything, vulnerabilities like these are calls for a more fine-grained capability-based security system, that only grants the expected privileges needed for a given process to function.

While I'm dreaming I'll also take sandboxing for user-executed processes. And a pony.

Re:standard author/exploiter response? (2, Interesting)

dkf (304284) | more than 4 years ago | (#29977952)

Setuid is certainly a trade-off, but it seems a little absurd that you need full root permissions to access just the special resources "ping" needs to function. If anything, vulnerabilities like these are calls for a more fine-grained capability-based security system, that only grants the expected privileges needed for a given process to function.

You are aware that in order for ping to work at all, it needs raw sockets so that it can write ICMP packets? Those are restricted because they allow you to spoof all sorts of network traffic (e.g., the ethernet address to IP address mapping) Which Would Be Bad.

The only way to remove the setuid requirement from ping (apart from making your system thoroughly insecure) is to allow messages to be sent and received on raw sockets opened by non-root only if they're ICMP ECHO messages (I'm not aware of any other ICMP messages that it's useful for user code to send). Do you want to put such deep packet inspection in the kernel?

Re:standard author/exploiter response? (1, Insightful)

Wrath0fb0b (302444) | more than 4 years ago | (#29978170)

You are aware that in order for ping to work at all, it needs raw sockets so that it can write ICMP packets? Those are restricted because they allow you to spoof all sorts of network traffic (e.g., the ethernet address to IP address mapping) Which Would Be Bad.

This seems less bad than kludgy workarounds.

Network services should never trust that the packets sent to them are not forged. Ever. Session-based authentication If the network services were written with this caveat in mind (which can never really be eliminated anyways, since there's no way of knowing whether the client app is mangling packets) then there would be no problem letting userland programs have access to raw sockets.

Re:standard author/exploiter response? (3, Insightful)

Late Adopter (1492849) | more than 4 years ago | (#29978286)

The only way to remove the setuid requirement from ping (apart from making your system thoroughly insecure) is to allow messages to be sent and received on raw sockets opened by non-root only if they're ICMP ECHO messages (I'm not aware of any other ICMP messages that it's useful for user code to send).

That's absolutely not the only way. You can make raw sockets accessible via a node in /dev, which you can assign to a group, control membership in, and setuid/setgid a NON-root user to "ping".

A *lot* of system resources are controlled in this manner (dri, sound, disks). I still don't think it's a sufficiently versatile security model (cf my comment on sandboxing), but it's a good place to start.
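The file-capability route that this subthread raises as the alternative to a setuid-root ping, together with the audit of setuid binaries it implies, as an added shell example that is not from the thread or any of its posters. `list_setuid`, `count_setuid`, `has_setuid_bit`, `show_caps` and `replace_setuid_with_cap` are names I chose; the listing functions are plain POSIX sh, while the capability step assumes a Linux host with libcap's `setcap`/`getcap` installed and refuses to run otherwise.

```sh
#!/bin/sh
# audit_setuid.sh: added example, not from the thread.
# Audits setuid binaries under a directory tree and shows the file-capability
# route for programs such as ping that need CAP_NET_RAW rather than all of root.

# list_setuid DIR: regular files with the setuid bit set, sorted, one per line.
list_setuid() {
    find "$1" -type f -perm -4000 2>/dev/null | sort
}

# count_setuid DIR: how many setuid files live under DIR (0 when none).
count_setuid() {
    list_setuid "$1" | wc -l | tr -d ' '
}

# has_setuid_bit FILE: true when FILE carries the setuid bit (POSIX test -u).
has_setuid_bit() {
    [ -u "$1" ]
}

# show_caps FILE: print the file capabilities libcap records for FILE, or a
# note when getcap is not installed on this host.
show_caps() {
    if command -v getcap >/dev/null 2>&1; then
        getcap "$1"
    else
        echo "$1: getcap not available on this host"
    fi
}

# replace_setuid_with_cap FILE CAPS: the capability route the thread mentions.
# Drops the setuid bit and attaches only the named capability set, e.g.
#   replace_setuid_with_cap /bin/ping 'cap_net_raw+ep'
# Needs root and setcap, and refuses to touch the file otherwise.
replace_setuid_with_cap() {
    command -v setcap >/dev/null 2>&1 || { echo "setcap not installed"; return 2; }
    [ "$(id -u)" -eq 0 ] || { echo "must run as root"; return 2; }
    chmod u-s "$1" && setcap "$2" "$1" && show_caps "$1"
}

# Usage: audit_setuid.sh /usr/bin   (lists setuid files and their capabilities)
if [ $# -gt 0 ]; then
    list_setuid "$1" | while read -r f; do
        echo "setuid: $f"
        show_caps "$f"
    done
fi
```

After `replace_setuid_with_cap`, the binary no longer runs as uid 0 at all: a bug in it can at most forge raw packets, which is the "only the privileges a process needs" model the subthread asks for, and `list_setuid` over `/usr/bin` and `/bin` is a quick way to see which other programs still hold the full-root trade-off.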

Long fixed in Linux stable (0)

omb (759389) | more than 4 years ago | (#29977890)

I for one am getting royally pissed off by shards of Security Dupes as non-tech writers catch up with Security exploits.

All kernels have exploits. This exploit is complicated to exercise, you would need very good low-level knowledge to map page 0 then set page 0, location 0 to a valid (code *) and valid kernel code to set up the exploit, or a published HOWTO, after which any script-kiddie can do it. It was discussed on LKML and fixed in short order, a day or so AFAIR. That fix rapidly made it into the Stable Kernel series, and, ...

You also have to have local shell access first, to a system with compile capabilities or other no-no like ksyms readable by non-root, so yes this was exploitable but with difficulty, not like the many gaping holes in Windoze. It confuses the normal user.

I for one am much more concerned by things like continuous ssh attacks, which you can defend with iptables but really needs support in sshd.

Ubuntu (0)

Anonymous Coward | more than 4 years ago | (#29977538)

Then it doesn't exist in karmic.

"vm.mmap_min_addr = 65536"

Re:Ubuntu (1)

RAMMS+EIN (578166) | more than 4 years ago | (#29977806)

Interesting, on karmic, I have:

$ sysctl vm.mmap_min_addr
vm.mmap_min_addr = 0

Then again, I don't know if my system is actually vulnerable, because I have yet to see a description of how the exploit works.

Somebody fill me in.. (1)

jcr (53032) | more than 4 years ago | (#29977602)

I pay very little attention to open-source politics. What's the beef between Linus and Theo? Is it just a matter of dueling egos?

-jcr

Re:Somebody fill me in.. (3, Funny)

Daniel_Staal (609844) | more than 4 years ago | (#29977702)

It's not Linus and Theo, it's Theo and everybody.

And yes, it's dueling egos. Theo is a very good coder, and OpenBSD is an amazing system, but Theo should stop talking to the public. It never helps. (Even when he's right, which he usually is when the discussion involves something technical.)

Re:Somebody fill me in.. (1, Insightful)

teknopurge (199509) | more than 4 years ago | (#29978166)

It never helps. (Even when he's right, which he always is when the discussion involves something technical.)

Fixed.

Re:Somebody fill me in.. (1)

Dog-Cow (21281) | more than 4 years ago | (#29978112)

It's not dueling egos. For there to be a duel, Linus would actually have to care about Theo and his opinions.

Theo seems to have the idea that if security isn't your priority that you are a waste of resources and shouldn't be alive. He basically bashes anyone who doesn't agree with him on anything.

That's because he's a fucking asshole.

Re:Somebody fill me in.. (1)

teknopurge (199509) | more than 4 years ago | (#29978146)

Theo is a rock star when it comes to OS code, and as such has the attitude to go along with it. More power to him.

And? (5, Interesting)

FlyingBishop (1293238) | more than 4 years ago | (#29977604)

Torvalds:

That does not look like a kernel problem to me at all. He's running a setuid program that allows the user to specify its own modules. And then you people are surprised he gets local root?

Am I missing something? Torvalds' reply actually sounds pretty reasonable to me here. It might be nice if this exploit could be patched, but it seems a little preposterous to me that you could make that work in a way that doesn't leave an exploit. I'd say you need to be locking down your suid binaries more, not blaming kernel management.

Bishop bashing bonobos (2, Informative)

LizardKing (5245) | more than 4 years ago | (#29977630)

Before people jump on Theo's comment, it's worth pointing out that it was Linus who first described the OpenBSD developers as "masturbating monkeys". That said, it's still bloody childish irrespective of who it's coming from.

Re:Bishop bashing bonobos (0)

Anonymous Coward | more than 4 years ago | (#29977724)

They _are_ masturbating monkeys.. they all use OS-X now and are apple fan bois.

Re:Bishop bashing bonobos (5, Funny)

babblefrog (1013127) | more than 4 years ago | (#29977836)

I thought Masturbating Monkey was Ubuntu 10.10?

Re:Bishop bashing bonobos (1)

HisMother (413313) | more than 4 years ago | (#29978064)

Oh god I wish I had mod points!

Re:Bishop bashing bonobos (0)

Anonymous Coward | more than 4 years ago | (#29978056)

Before people jump on Theo's comment, it's worth pointing out that it was Linus who first described the OpenBSD developers as "masturbating monkeys".

Probably true, but BSD has better booth babes. Sexy daemons instead of fat-ass penguins:

http://freebsd-image-gallery.netcode.pl/?gallery=Daemonette [netcode.pl]

Re:Bishop bashing bonobos (0)

Anonymous Coward | more than 4 years ago | (#29978076)

Considering that deraadt is either
a) deliberately mischaracterizing Linus' passing insult as being an article "about" masturbating monkeys
or
b) completely lacking in reading comprehension that he actually believes what he himself wrote

I wouldn't want to trust him with MY security, and he certainly has earned the masturbating monkey moniker.

Re:Bishop bashing bonobos (0, Troll)

teknopurge (199509) | more than 4 years ago | (#29978216)

Linus was upset that someone was basing a modern OS on BSD. boo-hoo. Solaris still innovates more than Linux, all Linux does is try to replicate commercial functionality in "Open Source". The case can be made that the OpenBSD project has had more innovation (openssh, CARP, etc.) than Linux.

On the bright side... (1)

gzipped_tar (1151931) | more than 4 years ago | (#29977674)

... most distro maintainers seem to be doing a good job backporting fixes and features from upstream to the "mainline" kernels. At least this is true with Fedora, whose maintainers keep cherrypicking fixes from 2.6.31 or rc for the mainline F11 2.6.30 kernels.

Exploit? (1)

RAMMS+EIN (578166) | more than 4 years ago | (#29977704)

Is there some sort of exploit code I can run to check if my system is vulnerable? I tried to find some online, but I only came up with some code for SCO Unix [packetstormsecurity.org] and some code [grsecurity.net] that is so horrendously long that I don't dare running it for fear it might do something I don't want to happen on my system.

meta-trolling (0, Troll)

Gothmolly (148874) | more than 4 years ago | (#29977728)

Editors, why troll by quoting the vocal spokesperson of a different OS to comment on a Linux problem?

Re:meta-trolling (1)

LizardKing (5245) | more than 4 years ago | (#29977858)

Increased comments. Increased page views. Increased advertising revenue.

Re:meta-trolling (1)

MrMr (219533) | more than 4 years ago | (#29977980)

They have advertising on slashdot?

What's the deal with the masturbating monkeys? (5, Funny)

Johnny Loves Linux (1147635) | more than 4 years ago | (#29977924)

I read Theo's comments and he's going on and on about Torvalds' fixation with masturbating monkeys. Then some member of the openBSD crowd even offers a link to purchasing "your very own" **masturbating monkey** http://www.wellcoolstuff.com/Merchant2/graphics/00000001/20-Apr-07-05.jpg [wellcoolstuff.com]

Then I read Torvalds' comment about the Linux exploit, with Torvalds referring to the openBSD developers as being __like__ a "bunch of masturbating monkeys".

Ok, so is this like some kind of secret code used among OS kernel developers? Like saying "my shoe is blue but the cow is hungry" really means "Oh man, this code is leaking memory and crashing my system"? Or is this some kind of secret initiation thing, where in order to truly become a member of the OS development club, you have to first ... masturbate a monkey??!! Can somebody explain it, or maybe do some investigative reporting on this?

I'm in your Linux box (0, Redundant)

LuxMaker (996734) | more than 4 years ago | (#29978046)

Getting your root access.

Nothing more than a publicity stunt? (1)

BhaKi (1316335) | more than 4 years ago | (#29978062)

Linus's comment: "That does not look like a kernel problem to me at all. He's running a setuid program that allows the user to specify its own modules. And then you people are surprised he gets local root?" Sounds reasonable to me.

Kernel default? (1)

gweihir (88907) | more than 4 years ago | (#29978090)

Just checked my installations (Debian with custom kernel from kernel.org). They are all at 4096 for mmap_min_addr (and hence not vulnerable), but I seem to be unable to find a place where this is set. Does anybody know whether this is the kernel default?
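The check that the "sysctl vm.mmap_min_addr" subthread above performs by hand, plus the two follow-up questions it leaves open (where a package such as the Wine one mentioned for Ubuntu can override the value, and what the kernel was built to default to, which is what this post asks), as one added shell script that is not from the thread or any of its posters. The function names are mine; the script assumes a Linux host where the live value is exposed at /proc/sys/vm/mmap_min_addr, persistent settings live in /etc/sysctl.conf and /etc/sysctl.d, and the distro ships the kernel build config as /boot/config-$(uname -r) with the CONFIG_DEFAULT_MMAP_MIN_ADDR option in it.

```sh
#!/bin/sh
# mmap_min_addr_check.sh: added example, not code from the thread.
# Reports whether vm.mmap_min_addr blocks low mappings on this host, where a
# persistent setting or override is configured, and what the kernel was built
# to default to.

PROC_FILE=/proc/sys/vm/mmap_min_addr   # the value the kernel actually enforces

# parse_sysctl_value LINE: extract the number from a line such as
# "vm.mmap_min_addr = 65536"; prints nothing for comments or other keys.
parse_sysctl_value() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*vm\.mmap_min_addr[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*$/\1/p'
}

# mmap_min_addr_status VALUE: succeeds when VALUE is a positive number, i.e.
# unprivileged processes cannot mmap() page zero. A value of 0 is what lets a
# kernel NULL-pointer dereference land in memory a local user controls, which
# is the condition the thread is checking for.
mmap_min_addr_status() {
    [ "$1" -gt 0 ] 2>/dev/null
}

# find_overrides PATH...: print FILE:VALUE for every non-comment
# vm.mmap_min_addr line in the given sysctl.conf files or sysctl.d directories.
# A package (the thread attributes one to Ubuntu's Wine) drops its override
# here, which is why the live value can differ from the distro default.
find_overrides() {
    for p in "$@"; do
        [ -e "$p" ] || continue
        find "$p" -type f -name '*.conf' 2>/dev/null | sort | while read -r f; do
            grep -v '^[[:space:]]*#' "$f" 2>/dev/null | while read -r line; do
                v=$(parse_sysctl_value "$line")
                if [ -n "$v" ]; then
                    printf '%s:%s\n' "$f" "$v"
                fi
            done
        done
    done
}

# kernel_default: the compile-time default (CONFIG_DEFAULT_MMAP_MIN_ADDR) from
# the running kernel's build config, when the distro ships it under /boot.
kernel_default() {
    cfg="/boot/config-$(uname -r)"
    if [ -r "$cfg" ]; then
        grep '^CONFIG_DEFAULT_MMAP_MIN_ADDR=' "$cfg" ||
            echo "CONFIG_DEFAULT_MMAP_MIN_ADDR not set in $cfg"
    else
        echo "no readable $cfg; check the kernel's .config or /proc/config.gz instead"
    fi
}

# report: live value, persistent settings, build default.
report() {
    if [ -r "$PROC_FILE" ]; then
        live=$(cat "$PROC_FILE")
        if mmap_min_addr_status "$live"; then
            echo "live vm.mmap_min_addr = $live (low mappings blocked)"
        else
            echo "live vm.mmap_min_addr = $live (page zero mappable by users: NOT mitigated)"
        fi
    else
        echo "$PROC_FILE not present (not Linux, or /proc not mounted)"
    fi
    echo "persistent settings (file:value):"
    find_overrides /etc/sysctl.conf /etc/sysctl.d
    echo "kernel build default:"
    kernel_default
}

# Usage: mmap_min_addr_check.sh --report
if [ "${1:-}" = "--report" ]; then
    report
fi
```

When the report shows a 0 coming from a package's file under /etc/sysctl.d, raising the live value with `sysctl -w vm.mmap_min_addr=65536` (as MrMr says above) only lasts until the next boot; to keep it, put the same line in a file that sorts after the override, since the sysctl.d files are applied in name order and the last setting wins.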

Local access has never been secure. (1)

Vellmont (569020) | more than 4 years ago | (#29978136)

I've felt for a long time that giving someone local shell access to a machine is never going to be completely secure. There's just too many degrees of freedom available, and too many different things that need to be secured. This is just another proof of concept of that principle.

With all the various different interfaces we have today, shell access is something only a small percentage of people need. Even those you could likely limit down to a few administrators, some programmers, and possibly a few special cases.
