
Hole In Linux Kernel Provides Root Rights

Soulskill posted more than 3 years ago | from the everything-old-is-new-again dept.

Security 274

oztiks writes with this excerpt from The H: "A vulnerability in the 32-bit compatibility mode of the current Linux kernel (and previous versions) for 64-bit systems can be exploited to escalate privileges. For instance, attackers can break into a system and exploit a hole in the web server to get complete root (also known as superuser) rights or permissions for a victim's system. According to a report, the problem occurs because the 32-bit call emulation layer does not check whether the call is truly in the Syscall table. Ben Hawkes, who discovered the problem, says the vulnerability can be exploited to execute arbitrary code with kernel rights. ... Hawkes says the vulnerability was discovered and remedied back in 2007, but at some point in 2008 kernel developers apparently removed the patch, reintroducing the vulnerability. The older exploit apparently only needed slight modifications to work with the new hole."
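The summary's technical point is a check/use mismatch: the 32-bit compat entry validated one view of the syscall number and then indexed the table with another. The C program below is an added example written for this page, not code from the kernel or from The H's report; the table, the handler stubs and NR_COMPAT_SYSCALLS are constructed. It models the mismatch without ever indexing out of bounds, then shows two hardened dispatchers: one that truncates the number to 32 bits before both checking and using it, and one that checks the full 64-bit register it is about to use.

```c
#include <errno.h>
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed toy compat syscall table (hypothetical names, not kernel code). */
typedef long (*compat_syscall_fn)(long, long, long);

static long compat_sys_getpid(long a, long b, long c) { (void)a; (void)b; (void)c; return 4242; }
static long compat_sys_getuid(long a, long b, long c) { (void)a; (void)b; (void)c; return 1000; }

#define NR_COMPAT_SYSCALLS 2
static const compat_syscall_fn compat_syscall_table[NR_COMPAT_SYSCALLS] = {
    compat_sys_getpid,   /* index 0 */
    compat_sys_getuid,   /* index 1 */
};

/* Models the flawed pattern: the range check looks at the low 32 bits (%eax)
 * while the table lookup would use the full register (%rax). Returns the index
 * the lookup would use, or -1 if the check rejects. It never touches the
 * table, so it is safe to call with any value. */
int64_t unsafe_path_index(uint64_t rax) {
    uint32_t eax = (uint32_t)rax;        /* the value that is checked */
    if (eax >= NR_COMPAT_SYSCALLS)
        return -1;                       /* rejected */
    return (int64_t)rax;                 /* accepted: index is the full value */
}

/* True if the flawed path would accept a number and then index past the table. */
bool unsafe_path_escapes_table(uint64_t rax) {
    int64_t idx = unsafe_path_index(rax);
    return idx >= 0 && (uint64_t)idx >= (uint64_t)NR_COMPAT_SYSCALLS;
}

/* Hardening 1: truncate first (a 32-bit caller can only set %eax anyway) and
 * use the same truncated value for both the check and the lookup. */
long compat_dispatch(uint64_t rax, long a, long b, long c) {
    uint32_t nr = (uint32_t)rax;
    if (nr >= NR_COMPAT_SYSCALLS)
        return -ENOSYS;
    return compat_syscall_table[nr](a, b, c);
}

/* Hardening 2: keep the full register and range-check exactly that register. */
long compat_dispatch_full(uint64_t rax, long a, long b, long c) {
    if (rax >= (uint64_t)NR_COMPAT_SYSCALLS)
        return -ENOSYS;
    return compat_syscall_table[rax](a, b, c);
}

int main(void) {
    uint64_t normal = 1;                   /* plain 32-bit syscall number */
    uint64_t high_bits = 0x100000001ULL;   /* low 32 bits == 1, full value far past the table */

    printf("nr=0x%" PRIx64 ": flawed check passes but index escapes table: %s\n",
           high_bits, unsafe_path_escapes_table(high_bits) ? "yes" : "no");
    printf("truncating dispatcher: %ld (handles it as syscall 1)\n",
           compat_dispatch(high_bits, 0, 0, 0));
    printf("full-register dispatcher: %ld (-ENOSYS)\n",
           compat_dispatch_full(high_bits, 0, 0, 0));
    printf("normal number through both: %ld / %ld\n",
           compat_dispatch(normal, 0, 0, 0), compat_dispatch_full(normal, 0, 0, 0));
    return 0;
}
```

The two hardened dispatchers differ in how they treat a number with high bits set (one handles it as its low 32 bits, the other rejects it), but both are safe because the value that is range-checked is the value that indexes the table. That invariant, check what you use, is the property to look for when reviewing any dispatcher or jump-table code, and a regression test that feeds a number whose low and high halves disagree is the cheapest way to keep a fix like this from being silently reverted.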


274 comments

Serve them right (5, Funny)

Anonymous Coward | more than 3 years ago | (#33623270)

That's why those of us in the know stick to the 8-bit Linux kernel.

Re:Serve them right (0, Offtopic)

Anonymous Coward | more than 3 years ago | (#33623292)

Those of us in the know think you are referring to a UNIX breed...not Linux which was i386...

Re:Serve them right (1, Funny)

Anonymous Coward | more than 3 years ago | (#33623304)

Yes, LUNIX.

Re:Serve them right (3, Interesting)

iGaucho (1904126) | more than 3 years ago | (#33623362)

And that's why I use OpenBSD :)

Re:Serve them right (5, Funny)

Anonymous Coward | more than 3 years ago | (#33623476)

I thought that was because you were a pretentious wanker?

Re:Serve them right (0)

Anonymous Coward | more than 3 years ago | (#33623974)

No I'm a pretentious wanker. He's just a BSD user!

Re:Serve them right (-1, Flamebait)

Anonymous Coward | more than 3 years ago | (#33623638)

Who the hell moderated parent as flamebait?

Re:Serve them right (0)

Anonymous Coward | more than 3 years ago | (#33623862)

Because no one gives a fuck what OS some random goofball uses?

Re:Serve them right (1)

Nethead (1563) | more than 3 years ago | (#33623478)

Re:Serve them right (0)

Anonymous Coward | more than 3 years ago | (#33623654)

I have a binary kernel. It's either popped or not.

Of course I once tried to pop it using radioactive isotopes and left myself eternally wondering.

Re:Serve them right (5, Funny)

jamesh (87723) | more than 3 years ago | (#33623904)

And those even more in the know use a two-bit operating system like Windows :)

Perhap the kernel's size is becoming too unweildy (3, Interesting)

Anonymous Coward | more than 3 years ago | (#33623272)

I mean this is what, the third 'reverted' security patch we've heard about in the recent past that needed replacement?

Maybe it's time to seperate out core kernel code and the arch specific stuff into seperate modules with seperate administration. Git would make this easy, so why aren't we seeing it done?

Re:Perhap the kernel's size is becoming too unweil (4, Informative)

siride (974284) | more than 3 years ago | (#33623294)

You're talking about git submodules and I'm gonna go ahead and guess that the answer you'll receive from the kernel folks about that is a big fat "no". Maybe if Git had usable project hierarchies, things might be different.

Also to note: even Git can't fix stupid policy or stupid programming decisions.

Re:Perhap the kernel's size is becoming too unweil (0)

Anonymous Coward | more than 3 years ago | (#33623564)

You're talking about git submodules and I'm gonna go ahead and guess that the answer you'll receive from the kernel folks about that is a big fat "no". Maybe if Git had usable project hierarchies, things might be different.

Also to note: even Git can't fix stupid policy or stupid programming decisions.

If ever there was a case of missing the forest for the trees, it's this right here.

Re:Perhap the kernel's size is becoming too unweil (1)

Nikker (749551) | more than 3 years ago | (#33623662)

I always like it when other programmers complain they can't do something because of a programs behavior, gives me this warm fuzzy feeling.

Re:Perhap the kernel's size is becoming too unweil (1)

siride (974284) | more than 3 years ago | (#33623766)

Unfortunately, it's often prohibitive for you to fix every other piece of software out there that doesn't work the way you want it to, especially when it's quite enough just to deal with your own software.

Re:Perhap the kernel's size is becoming too unweil (2, Insightful)

Anonymous Coward | more than 3 years ago | (#33623812)

Also, since the kernel is fairly 'well documented', we should be able to tell WHO is responsible for removing the patch, and reintroducing the vulnerability.

Perhaps, we could ask them why such a thing happened, and whether the linux community needs to backtrack this specific dev/s, kernel patching to date.

You want to talk about 'quality control' in the open source world, here it is right in front of us. Will it be done properly and thoroughly?

Re:Perhap the kernel's size is becoming too unweil (1, Offtopic)

Lumbre (1822486) | more than 3 years ago | (#33623348)

I mean this is what, the third 'reverted' security patch we've heard about in the recent past that needed replacement?

In other news, direct from Windows Update: "A security issue has been identified that could allow an authenticated remote attacker to compromise your system and gain control over it." x10 "A security issue has been identified that could allow an unauthenticated remote attacker to compromise your system and gain control over it." x5 and other misc. vulnerabilities =)

Re:Perhap the kernel's size is becoming too unweil (1, Insightful)

Goaway (82658) | more than 3 years ago | (#33623380)

So if you can't find any real reason why Linux is better, you just lie about the competition?

Re:Perhap the kernel's size is becoming too unweil (0)

Anonymous Coward | more than 3 years ago | (#33623406)

He is probably referring to the bout of security fixes for Windows 7 with the same wording... there have been quite a few of them lately.

Re:Perhap the kernel's size is becoming too unweil (3, Informative)

AnonymousClown (1788472) | more than 3 years ago | (#33623468)

He is probably referring to the bout of security fixes for Windows 7 with the same wording... there have been quite a few of them lately.

And that's relevant to this thread how again?

Might as well start posting stuff about Chewbacca.

Maybe Linux' kernel is too big?

Chewbacca lives on Endor without any Linux or Windows computers ....

Re:Perhap the kernel's size is becoming too unweil (0, Troll)

Runaway1956 (1322357) | more than 3 years ago | (#33623552)

I'm not sure, but I think they have BSD machines on Endor. And, yes, a few Apples - they also have a few elitists who admire bling above all else.

Re:Perhap the kernel's size is becoming too unweil (1, Redundant)

TheRaven64 (641858) | more than 3 years ago | (#33623504)

Linux sucks, but it's okay because Windows sucks too? Great reasoning. I look forward to using it to convince people to switch.

Re:Perhap the kernel's size is becoming too unweil (4, Funny)

Runaway1956 (1322357) | more than 3 years ago | (#33623568)

No, Linux sucks, but it sucks a lot less than Windows. I mean, the "fix" is already out. My update reminder has been sitting in the taskbar ever since I woke up. Every time my mouse rolls over my autohidden taskbar, I get a flash of red to remind me about the kernel update. I've ignored it, because the exploits are simply not deployed. Unlike Windows, where there are thousands of exploits deployed, some of them sitting on servers waiting for the opportunity to do a "drive by" installation. When it is convenient for me to do so, I'll download the update, and apply it.

Re:Perhap the kernel's size is becoming too unweil (1, Funny)

Anonymous Coward | more than 3 years ago | (#33623606)

The fix was out before the maintainers rolled it back, too. Whoops.

Re:Perhap the kernel's size is becoming too unweil (3, Informative)

X0563511 (793323) | more than 3 years ago | (#33623810)

I've seen far too many rooted servers to agree with you about the deployment issue.

Re:Perhap the kernel's size is becoming too unweil (3, Informative)

melikamp (631205) | more than 3 years ago | (#33623944)

A LOT of hosts still get rooted because of weak passwords. A LOT of valuable hosts get rooted through social engineering. Just because you've seen rooted hosts, doesn't mean that there is any wide-scale deployment of anything.

Re:Perhap the kernel's size is becoming too unweil (1)

forkazoo (138186) | more than 3 years ago | (#33623796)

Linux sucks, but it's okay because Windows sucks too? Great reasoning. I look forward to using it to convince people to switch.

Meh. Do you make your living from convincing people to switch from Windows to Linux? Does it really matter to you what other people use? As far as I'm concerned, Linux just needs to suck less than Windows, which it does. As long as that remains true, I won't have to worry about the hassle of considering migrating everything I do to Windows.

Re:Perhap the kernel's size is becoming too unweil (3, Insightful)

Anonymous Coward | more than 3 years ago | (#33623450)

And that has to do with Linux?... Oh that's right, nothing.

Pointing at what other people are doing wrong so you can look better makes you look like an ass in the long run. People notice it. Stop doing it and worry about what you are doing...

Root escalation is a serious issue but instead of figuring out 'hey how can we stop this from happening again' you are busy saying 'look see teh windowz sux'.

uh ok...

Re:Perhap the kernel's size is becoming too unweil (1)

X0563511 (793323) | more than 3 years ago | (#33623820)

Yea, because one bitch on slashdot spending 2 minutes writing such a post is really detracting from figuring out "hey how can we stop this from happening again"

I'm pretty sure the people that actually matter won't be found on slashdot poking fun at everyone else.

Re:Perhap the kernel's size is becoming too unweil (0)

Anonymous Coward | more than 3 years ago | (#33623610)

Maybe it's time to write unit tests for the kernel.

Re:Perhap the kernel's size is becoming too unweil (2, Funny)

wampus (1932) | more than 3 years ago | (#33623762)

Not interesting enough. Rewriting something that already works is where it's at.

Re:Perhap the kernel's size is becoming too unweil (0)

Anonymous Coward | more than 3 years ago | (#33623784)

Because it's spelled separate, not "seperate".

Re:Perhap the kernel's size is becoming too unweil (2, Insightful)

mysidia (191772) | more than 3 years ago | (#33623876)

Yeah... at this point I'm wondering if there are some kernel developers who like there to be security bugs in the kernel?

Why else would they revert the security patch? Political reasons? They don't like the fix?

Or perhaps some of the kernel developers are black hats working covertly, and the 'fixes' cause them problems exploiting their secret bugs.......

Re:Perhap the kernel's size is becoming too unweil (1)

John Hasler (414242) | more than 3 years ago | (#33623942)

> Why else would they revert the security patch?

Because they made a mistake. People do that.

WOOP (-1, Offtopic)

Anonymous Coward | more than 3 years ago | (#33623276)

*sigh* first

Patch (5, Funny)

Anonymous Coward | more than 3 years ago | (#33623282)

For those who compile from source, here is the patch:

---kernel.c
+++kernel.c
@@ -1,1 +1,1 @@
- void goatse(long cx) {
+ void goatse(int cx) {
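Review bot: narrowing the parameter from `long cx` to `int cx` silently truncates whatever the caller passes instead of rejecting out-of-range values, so the hole is hidden rather than closed; if the intent is to bound cx, keep the type and add an explicit range check against the allowed maximum before use. Also, the file headers `---kernel.c` / `+++kernel.c` lack the space after the marker that a unified diff uses (`--- kernel.c` / `+++ kernel.c`), which is the form `patch` expects.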

The change from long to int closes the massive hole.

Re:Patch (1)

leromarinvit (1462031) | more than 3 years ago | (#33623342)

Shouldn't that be a char? After all, an int can still be 2^31-1, so depending on the units used, it would still be a pretty huge hole.

Re:Patch (1)

Kjella (173770) | more than 3 years ago | (#33623364)

No, it should be a boolean, inscribed to false in stone - or at least ROM, and none of the rewritable kind.

Re:Patch (1, Funny)

Anonymous Coward | more than 3 years ago | (#33623776)

@Kjella once you see #goatse, that memory will never be lost or overwritten

Re:Patch (1)

lennier1 (264730) | more than 3 years ago | (#33623368)

Let's just settle on a boolean value (open|closed).

Re:Patch (1)

leromarinvit (1462031) | more than 3 years ago | (#33623414)

And, alas, the way the memory-conscious C programmer would store that single boolean is a char. Of course, if you wanted to have a beowulf cluster of massive holes, you'd use bit fields or manual bit arithmetic.

Re:Patch (0)

Anonymous Coward | more than 3 years ago | (#33623718)

And, alas, the way the memory-conscious C programmer would store that single boolean is a char.

The Linux kernel compiled by gcc uses a 4-byte aligned stack frame, so this optimization gets you nothing...

But more generally, use bool unless you have a good reason to save space, e.g. bool[100000] might be a bad idea, but a single bool on the stack as either a function argument or a local variable isn't going to hurt, and using char instead may lead to a slight performance degradation versus bool due to alignment issues (that are beyond my understanding).

There's a reason gcc implements sizeof(bool) > 1. I don't claim to understand what it is, but I do know that gcc developers are smarter than me...

Re:Patch (0)

Anonymous Coward | more than 3 years ago | (#33623518)

char is also system specific and could be 2^31-1 on a system with 32-bit characters.
Use short for something less than long.
For bytes you will have to define your own types or include someone else's.

Re:Patch (1)

optikos (1187213) | more than 3 years ago | (#33623618)

On a system with 32-bit characters because ISO9899-bytes are 32-bit on that processor, for octets you will have to define your own types or include someone else's.

There, I fixed that for you.

DSPs are the typical processor with 32-bit chars. On DSPs, as per ISO9899, if chars are 32-bit because bytes are 32-bit (because 32-bit bytes are the smallest addressable unit of memory as each memory address is incremented by one), then short and int are 32-bit as well. As per ISO9899, none of {long long, long, int, short} can be smaller than a char, because by definition that smaller-than-char thing would nullify the claim that 32-bit bytes as chars are the smallest addressable unit.

Re:Patch (2, Interesting)

larry bagina (561269) | more than 3 years ago | (#33623818)

The C standard doesn't specify sizes but requires that

sizeof(long) >= sizeof(int) >= sizeof(short) >= sizeof(char)

so if a char is 32-bit, a short must be 32-bit (or more) as well. C99's <stdint.h> requires typedefs (e.g., uint8_t, int8_t) for 8, 16, and 32-bit signed and unsigned integers.

Re:Patch (0)

Anonymous Coward | more than 3 years ago | (#33623674)

Oh man, goatse is finally funny.

Breaking News (0)

Anonymous Coward | more than 3 years ago | (#33623300)

Linux Kernel used to have hole that provided root rights.

Doesn't work (0, Offtopic)

93 Escort Wagon (326346) | more than 3 years ago | (#33623326)

For instance, attackers can break into a system and exploit a hole in the web server to get complete root (also known as superuser) rights or permissions for a victim's system.

Something must be wrong with my Linux - this "superuser" account doesn't appear to exist.


$ su - superuser
su: user superuser does not exist
$

Re:Doesn't work (-1)

Anonymous Coward | more than 3 years ago | (#33623344)

You are too stupid to live....

Re:Doesn't work (-1, Offtopic)

frozentier (1542099) | more than 3 years ago | (#33623366)

You are too stupid to live....

Wow, anonymous cowards sure are getting trolled good tonight.

Re:Doesn't work (0)

Anonymous Coward | more than 3 years ago | (#33623480)

It's called a Fishing Expedition, bitch.

Re:Doesn't work (0)

Anonymous Coward | more than 3 years ago | (#33623370)

AC, I think you need to double-check your embedded humor sensor. It appears to be broken.

Re:Doesn't work (-1, Offtopic)

Anonymous Coward | more than 3 years ago | (#33623692)

The only thing funny about that joke is that the guy telling it will never touch a woman.

Re:Doesn't work (2, Funny)

93 Escort Wagon (326346) | more than 3 years ago | (#33623472)

You are too stupid to live....

I guess for people like you, next time I need to add...

*** BEGIN JOKE ***

and

*** END JOKE ***

If that's still not enough - I can incorporate the blink tag and some colored fonts.

Re:Doesn't work (3, Funny)

TheRaven64 (641858) | more than 3 years ago | (#33623514)

protip: If you need markup to indicate your joke, you might be using a different definition of 'joke' to your readers.

Re:Doesn't work (0)

Anonymous Coward | more than 3 years ago | (#33623760)

protip: using "protip" makes you look like a douche.
 
Also, nothing wrong with the joke in question. The real problem is that the three hundred or so real geeks on Slashdot have to deal with the inane comments and inappropriate moderation from the hundreds of thousands of wannabes that infest Slashdot these days.

Re:Doesn't work (1)

optikos (1187213) | more than 3 years ago | (#33623664)

Most of those of us who have taught other people for decades 1) that the "su" command stands for "switch user" not for "super user" and 2) that root is the proper term and 3) that anyone who uses the term "superuser" is displaying a certain degree of ignorance have given up. Perhaps you should too.

Re:Doesn't work (0)

Anonymous Coward | more than 3 years ago | (#33623850)

What's so funny about the word and?

Re:Doesn't work (0, Offtopic)

Runaway1956 (1322357) | more than 3 years ago | (#33623580)

Don't you have to create the account if the installer forgets it? That's what I do on all my machines! /end offtopic bullshit response here

Error in title (5, Funny)

Anonymous Coward | more than 3 years ago | (#33623486)

Root is a privilege, not a right.

Patch (4, Funny)

Frankie70 (803801) | more than 3 years ago | (#33623500)

You can get a patch here [microsoft.com].

Re:Patch (0, Offtopic)

fnj (64210) | more than 3 years ago | (#33623578)

Patch contains an even worse vulnerability. It renders your system a piece of crap.

Re:Patch (0, Insightful)

Anonymous Coward | more than 3 years ago | (#33623586)

A piece of crap that's compatible with a rather wide variety of consumer software.

(Though I'll admit that I really don't use most of it.)

Re:Patch (0)

Anonymous Coward | more than 3 years ago | (#33623738)

Patch contains an even worse vulnerability. It renders your system a piece of crap.

Cool... I've been looking for some 3D rendering software that can render piles of manure.

Re:Patch (1, Insightful)

Anonymous Coward | more than 3 years ago | (#33623670)

If I had mod points, I'd give this a Funny

Then again, I suppose the reason it's funny is because I administer quite a few Windows and Linux boxes, so I read quite a lot of sarcasm into this troll – "patching" Linux with Win7 is like shooting a radio to "fix" the crappy music coming out; come to think of it, that's giving way too much credit to Win7.

It's called humor, you should try it.

exploited (1, Informative)

Anonymous Coward | more than 3 years ago | (#33623532)

I'm just guessing here but someone (not me) may have used it already. Travelnotes [travelnotes.org] has been rooted.

Re:exploited (1)

X0563511 (793323) | more than 3 years ago | (#33623852)

Fucking idiots.

What's the point of rooting a server and making it obvious? These are the ones that get noticed and cleaned. It's the ones who did it quietly that sit around for years!

Re:exploited (3, Funny)

koreaman (835838) | more than 3 years ago | (#33623948)

<META content="MSHTML 6.00.2900.2180" name=GENERATOR>
<META content=FrontPage.Editor.Document name=ProgId>

Classy.

Patches are available (3, Informative)

Athanasius (306480) | more than 3 years ago | (#33623548)

If you know how to drive git you could try applying these:

  • commit eefdca043e8391dcd719711716492063030b55ac:
    x86-64, compat: Retruncate rax after ia32 syscall entry tracing
  • commit 36d001c70d8a0144ac1d038f6876c484849a74de:
    x86-64, compat: Test %rax for the syscall number, not %eax

there is a workaround of disabling 32bit binaries (I'd paste a link if Google Chrome dev channel would let me... for some reason I can only paste into /.'s comment box before I've typed anything else, I'll follow-up with it), but of course you may need them depending on what your machine does.

There's also a separate issue that also gives local root, fixed by:

  • commit c41d68a513c71e35a14f66d71782d27a79a81ea6:
    compat: Make compat_alloc_user_space() incorporate the access_ok()

I'm running a kernel based on 2.6.35.4 but with all 3 of those commits applied (note the last one tries to modify an arch/tile/ file which doesn't exist in 2.6.35.4, just ignore that) and can confirm that neither exploit works.

Re:Patches are available (0)

Anonymous Coward | more than 3 years ago | (#33623642)

I got the first two patches and uploaded them here:

http://www.4shared.com/file/KIXq30ui/patch-remove-exploittar.html

If you are afraid of something, just check with the two git entries, then run patch -p0 [patch files] and your system will be safe.

Why is there anything 32 bit on a 64 bit server? (1)

erroneus (253617) | more than 3 years ago | (#33623616)

Okay, I get that when system calls are made to 32 bit whatever, bad things could happen. But why would there be anything 32 bit there at all? Shouldn't everything that is running on a server be compiled for 64 bit? I gotta say, this is a good reason to hate 32 bit binary blobs being distributed by vendors who don't want to release the source for their drivers and what-not... well more than I already do.

Perhaps I am misunderstanding something and that 32 bit calls are still an inherent part of 64 bit Linux? I've been running 64 bit for years and years and now I wonder if I'd be better off running 32 bit?

Re:Why is there anything 32 bit on a 64 bit server (-1)

Anonymous Coward | more than 3 years ago | (#33623632)

Unless you need the big address space and MOST apps don't - 32 bit code runs faster.
It's also smaller - uses less disk, uses less memory.
Quite a lot faster in some cases - those are good reasons.

There are also legacy code issues - some source just isn't 64 bit aware yet.

Re:Why is there anything 32 bit on a 64 bit server (1)

0123456 (636235) | more than 3 years ago | (#33623658)

Unless you need the big address space and MOST apps don't - 32 bit code runs faster.

Since when?

64-bit code gives you twice as many registers at the cost of doubling the size of pointers, and on older Intel CPUs losing some of the microop fusion optimisations. Every time I've seen people post comparative benchmarks of their 32-bit code recompiled to 64-bit, they've shown significant speedups.

Re:Why is there anything 32 bit on a 64 bit server (0)

Anonymous Coward | more than 3 years ago | (#33623878)

no, it does not run faster, all things being equal. 64-bit compiled code runs 20-25% faster. no, I'm not counting specially optimized code that's heavy on SSE and friends. yes, it does use more RAM and disk space.

Re:Why is there anything 32 bit on a 64 bit server (1)

0123456 (636235) | more than 3 years ago | (#33623684)

Okay, I get that when system calls are made to 32 bit whatever, bad things could happen. But why would there be anything 32 bit there at all? Shouldn't everything that is running on a server be compiled for 64 bit?

Flash. Ubuntu handles 32-bit Flash integration automatically with 64-bit Firefox, but on some other distros it's easier just to install 32-bit Firefox instead.

Re:Why is there anything 32 bit on a 64 bit server (1)

koreaman (835838) | more than 3 years ago | (#33623958)

If you're using your Linux server to browse Flash apps on the web, you might be doing it wrong...

Re:Why is there anything 32 bit on a 64 bit server (1)

Runaway1956 (1322357) | more than 3 years ago | (#33623706)

Flash and Java are almost necessities on many servers. Sun Java and Adobe Flash have lacked 64 bit support, so 32 bit versions were mandatory. Or, nearly mandatory. There are options to Sun and Adobe, but performance isn't exactly the same. (Not saying better or worse, just different, which can be a problem in and of itself) When Adobe and Oracle both get around to releasing a consumer grade, final version of these ubiquitous applications, then Linux and Windows will both probably drop 32 bit compatibility as "default" installation options.

Bit late to be news (4, Informative)

0123456 (636235) | more than 3 years ago | (#33623648)

Ubuntu, at least, has already released the patch as a kernel upgrade; it was fixed early in the week so I presume most other distros have too.

Let's pretend Slashdotters are clueless (1)

General Wesc (59919) | more than 3 years ago | (#33623836)

root (also known as superuser)

On a largely Linux-focused tech news site you just defined 'root'. Why not also define '32-bit compatibility mode', 'Linux', 'kernel', '64-bit', 'privileges', 'web server', 'call', 'emulation layer', 'Syscall table'?

Protip: We're nerds. Write for your audience. If I don't understand a term, I can look it up. I'd prefer to have to do that than have random definitions stuck in the summary.

code comments? (5, Insightful)

Cyko_01 (1092499) | more than 3 years ago | (#33623842)

Hawkes says the vulnerability was discovered and remedied back in 2007, but at some point in 2008 kernel developers apparently removed the patch, reintroducing the vulnerability

and this, my friends, is why we add comments to our code
