
Linux Kernel Exploit Busily Rooting 64-Bit Machines

timothy posted more than 3 years ago | from the get-your-patch-on dept.

Security 488

An anonymous reader writes "Running 64-bit Linux? Haven't updated yet? You're probably being rooted as I type this. CVE-2010-3081, this week's second high-profile local root exploit in the Linux kernel, is compromising machines left and right. Almost all 64-bit machines are affected, and 'Ac1db1tch3z' (classy) published code to let any local user get a root shell. Ac1db1tch3z's exploit is more malicious than usual because it leaves a backdoor behind for itself to exploit later even if the hole is patched. Luckily, there's a tool you can run to see if you've already been exploited, courtesy of security company Ksplice, which beat most of the Linux vendors with a 'rebootless' version of the patch."


488 comments


But wait (3, Insightful)

drinking12many (987173) | more than 3 years ago | (#33632006)

I thought only Windows got exploited this way.... oh, that's right, all OSes do.

Re:But wait (1, Interesting)

sirrunsalot (1575073) | more than 3 years ago | (#33632158)

oh, that's right, all non-Apple OSes do.

FTFY.

Re:But wait (3, Insightful)

similar_name (1164087) | more than 3 years ago | (#33632222)

Ah, if that is true then it only means Linux is more popular than Apple. Zing.

Re:But wait (5, Informative)

IICV (652597) | more than 3 years ago | (#33632424)

It's a local user privilege escalation exploit. Every OS has those. What it means is that if someone can get in to your computer as a local user (or gain control of a process that runs as a local user, such as the web server process), then they can gain root access to your system.

However, the first step - getting in as a local user - is really really hard on most servers. Unless you're handing out local user accounts to people left and right (like a university cluster or something), it's going to be nearly impossible for Joe Random Hacker to get control of a local user account.

You know how it's generally held to be true that if you have physical access to a running machine, the only thing stopping you from getting root access to it is time? Well, the next step up (in terms of difficulty) is not having physical access, but having access to a local user account.

The exploits that work on Windows, on the other hand, are ones where someone who doesn't even have local user privileges - who's just looking at your website - can get root access, like the one Slashdot posted here [slashdot.org] .

virus scanner (0)

Anonymous Coward | more than 3 years ago | (#33632012)

Oh no, now I need a permanently running virus scanner... may as well switch back to M$ :-(

Re:virus scanner (2, Insightful)

socceroos (1374367) | more than 3 years ago | (#33632172)

A virus scanner isn't going to do much against a rootkit.

Re:virus scanner (1)

zaphod777 (1755922) | more than 3 years ago | (#33632310)

this is an exploit to gain "root" (administrator) access not a rootkit which is a malicious program built to hide itself from the operating system.

Re:virus scanner (2, Interesting)

dougmc (70836) | more than 3 years ago | (#33632340)

this is an exploit to gain "root" (administrator) access not a rootkit which is a malicious program built to hide itself from the operating system.

But the exploit leaves a backdoor (hell, it's right there in the summary) which *is* what a rootkit does.

Rootkits do typically hide themselves -- but only so they aren't removed, so they can provide root access at a later date. Their primary function is to provide root access at a later date -- which this exploit does, according to the summary.

Is Slashdot advertising now? (4, Insightful)

fluffy99 (870997) | more than 3 years ago | (#33632014)

Why does the summary and articles read like a paid advertisement for Ksplice?

Re:Is Slashdot advertising now? (5, Interesting)

tomhudson (43916) | more than 3 years ago | (#33632212)

Because the article is alarmist bs? You are probably NOT being rooted even as you read this. Every ksplice story slashdot has carried has turned out to be no big deal. I'm going to ignore it, based on their previous performance.

Re:Is Slashdot advertising now? (4, Funny)

clang_jangle (975789) | more than 3 years ago | (#33632246)

Because the article is alarmist bs? You are probably NOT being rooted even as you read this.

***Ding ding ding***

We have a winner -- Don Pardot, tell Ms. Hudson what she's won!

Re:Is Slashdot advertising now? (-1, Troll)

Anonymous Coward | more than 3 years ago | (#33632288)

she's won a dick in her mouth, balls on her chin, and a nice nice fat deuce on her tits.

Re:Is Slashdot advertising now? (1)

clang_jangle (975789) | more than 3 years ago | (#33632338)

Hey Pardo, don't make me tell you again -- if you don't clean up that potty mouth you're outta here!

Re:Is Slashdot advertising now? (1)

RMS Eats Toejam (1693864) | more than 3 years ago | (#33632390)

Thanks. You can take a break now When we need a flaming homo we'll give you a call.

Re:Is Slashdot advertising now? (1, Insightful)

Anonymous Coward | more than 3 years ago | (#33632220)

More to the point, why does the summary suggest it's being exploited 'left and right'? It's still a local exploit, right? That means they're getting to your machine either through visiting a website, reading an email or via another remote exploit. Seems a mite sensationalist.

Having said that, way to stuff up - kernel devs. Whoever reverted that patch needs a swift kick in the go-nads.

Re:Is Slashdot advertising now? (4, Insightful)

tomhudson (43916) | more than 3 years ago | (#33632252)

iWeb caught it running on ONE shared-hosting server. Are you running a publicly-facing shared-host server? No? Then don't worry about it, and when your distro comes out with a new kernel, just update.

Ksplice are attention whores.

Re:Is Slashdot advertising now? (1)

jcwayne (995747) | more than 3 years ago | (#33632468)

How else are they supposed to compete with Gawker?

Hmmm... (1, Funny)

Anonymous Coward | more than 3 years ago | (#33632024)

First root! Oh crap...

Bad Publicity... (-1, Troll)

Frosty Piss (770223) | more than 3 years ago | (#33632028)

Microsoft and their associated Windows shills are loving this. Fortunately, I'm not rich enough to afford 64bit hardware, but still this is not good...

Re:Bad Publicity... (0)

JDmetro (1745882) | more than 3 years ago | (#33632090)

I have 64 bit hardware but I run x86 based distros. 64 bit is only good for the extra RAM, maybe, to the desktop user. And there are still a lot of issues getting older programs to run on a 64 bit distro.

Re:Bad Publicity... (1)

mattventura (1408229) | more than 3 years ago | (#33632130)

You don't even need that. PAE makes 64-bit unnecessary for a lot of things. Whenever I install linux on a USB drive with the intention of using it on multiple computers, I usually stick to a PAE-enabled 32-bit kernel, since it will work on older hardware and still support more than 4GB of RAM.

Re:Bad Publicity... (2, Interesting)

HTMLSpinnr (531389) | more than 3 years ago | (#33632214)

... until you get closer to 16GB of RAM and you start running out of lowmem (especially on older 2.4 kernel systems).

Re:Bad Publicity... (5, Insightful)

simcop2387 (703011) | more than 3 years ago | (#33632140)

There is something to be said though about going to a 64bit operating system. The fact that there are a little more than twice as many general purpose registers in the CPU available means that code can be compiled to not need to do memory fetches anywhere near as often, which means that the code will run faster. The extra addressing space has always been a red herring argument (e.g. I only need it if I have more than 4GB of RAM).

Re:Bad Publicity... (0)

Anonymous Coward | more than 3 years ago | (#33632154)

@JDMetro my x64 distro handles x86 programs just find #osxftw #linuxsux

Re:Bad Publicity... (1, Informative)

Anonymous Coward | more than 3 years ago | (#33632368)

Stop perpetuating this fucking myth. There are other good reasons to use a 64-bit build besides the address space it gets its namesake from. I can run crufty old 32-bit software just fine on a 64-bit Linux.

There have been plenty of benchmarks pointing to 64-bit being no worse and in many cases outperforming their 32-bit counterparts. Things like SSE being enabled for all 64-bit binaries by default with GCC, extra registers, NX bit, and so on all standard on 64-bit Linux machines.

As for compatibility, I want to know. WTF doesn't run on a 64-bit Linux that actually affects more than some obscure corner case that maybe 10 know about and three of which actually care about? I hear it all the time, but never actually see it. What is this compatibility problem?

It's just a bunch of crap that has been regurgitated on the internet because it once had some amount of truth many years ago. Go ahead with your i386 and i586 packages built for 1993 and act all smug.

Re:Bad Publicity... (5, Informative)

dougmc (70836) | more than 3 years ago | (#33632454)

I have 64 bit hardware but I run x86 based distros. 64 bit is only good for the extra ram maybe to the desktop user. And there still is a lot of issues getting older programs to run on a 64 bit distro.

The x86_64 architecture has more registers than i386 and can do some operations 64 bits at a time rather than 32 bits. This means that programs compiled to run on a 64 bit architecture are often significantly faster than those compiled to run on 32 bit architectures.

I think an average figure is 20% faster or so on the same hardware -- you get this simply by installing a 64 bit distribution and using 64 bit binaries. Your system can probably still run 32 bit binaries (if it has the right libraries) but they won't be faster.

The advantages go beyond a larger address space.

Re:Bad Publicity... (1)

dougmc (70836) | more than 3 years ago | (#33632472)

I should also mention that the issue about getting "older programs to run" used to be a big deal -- but isn't any more. The old 32 bit binaries typically work after installing the 32 bit libraries needed (and they're usually part of the distribution) and most programs that have been maintained in the last five years or so compile and work on 64 bit distributions just fine.

Re:Bad Publicity... (2, Interesting)

cybrthng (22291) | more than 3 years ago | (#33632092)

1. MS & Windows shills may laugh about this, but only because they feel your pain. Beyond that, what does making this statement even mean?
2. 64bit hardware is cheap. You can buy an AMD64 X2 5000 Dual Core CPU for 38 bucks shipped.. add a mobo for another 45 and if you need ram, another 50. eBay for more savings

Re:Bad Publicity... (1)

uvajed_ekil (914487) | more than 3 years ago | (#33632210)

I'm not rich enough to afford 64bit hardware, but still this is not good...

Dang, my 3 year-old laptop, mid-level (at best) when it was new, runs 64-bit operating systems, and so does the $200 desktop I just built for my mom. There's plenty of decent 3-4 year-old hardware available used for dirt cheap that is 64-bit. This isn't a new thing any more, and you don't have to be rich. That comment just sounds odd in 2010, unless you are not in an English-speaking country or Western Europe.

Re:Bad Publicity... (5, Interesting)

marcansoft (727665) | more than 3 years ago | (#33632318)

Microsoft already felt the pain, because the Xbox 360 hypervisor got owned by the same exact hole. It would almost be the same instruction-by-instruction identical bug were it not for the fact that the 360 is a PowerPC system and this is an x86_64 hole. Yes, they, too, used a 32-bit compare to check the system call number, then indexed into the array using the full 64 bits, exactly the same bug that caused this Linux hole.
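The bug class marcansoft describes (bounds-check the system call number with a 32-bit compare, then index the handler table with the full 64-bit register) as an added example. This is not code from the Linux kernel, the Xbox 360 hypervisor, the published exploit or any commenter: the four-entry table, the handler names and the two dispatcher functions are hypothetical stand-ins, and the "poisoned" register value is a constructed input. The vulnerable dispatcher returns the address of the slot it would dereference instead of dereferencing it, so the out-of-range case can be shown without undefined behaviour.

```c
/*
 * Added example (not kernel, hypervisor or exploit code): a toy system-call
 * dispatcher whose bounds check sees only the low 32 bits of the syscall
 * number while the table index uses all 64 bits, beside the fixed form.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define NR_SYSCALLS 4

typedef long (*sys_fn)(void);

/* Hypothetical handlers standing in for real system calls. */
static long sys_zero(void)  { return 0; }
static long sys_one(void)   { return 1; }
static long sys_two(void)   { return 2; }
static long sys_three(void) { return 3; }

/* Hypothetical syscall table, standing in for the kernel's real one. */
static const sys_fn sys_call_table[NR_SYSCALLS] = {
    sys_zero, sys_one, sys_two, sys_three
};

/* Address a dispatcher would load the handler from for a given index.
 * Computed as integer (not pointer) arithmetic, so an out-of-range index
 * just yields a number here; a real dispatcher would dereference it. */
static uintptr_t slot_address(uint64_t index)
{
    return (uintptr_t)sys_call_table + index * sizeof(sys_fn);
}

/* True if addr lies inside the table's storage. */
static bool slot_in_table(uintptr_t addr)
{
    uintptr_t base = (uintptr_t)sys_call_table;
    return addr >= base && addr < base + sizeof(sys_call_table);
}

/* Vulnerable: the compare only sees the low 32 bits (like a cmpl on eax),
 * but the index uses the whole 64-bit register (like rax in the table
 * load). Returns the slot address, or 0 if the check rejects the call. */
static uintptr_t dispatch_slot_vulnerable(uint64_t rax)
{
    uint32_t eax = (uint32_t)rax;   /* what the 32-bit compare looks at */
    if (eax >= NR_SYSCALLS)
        return 0;
    return slot_address(rax);       /* but the index is the full 64 bits */
}

/* Fixed: check and index use the same width. */
static uintptr_t dispatch_slot_fixed(uint64_t rax)
{
    if (rax >= NR_SYSCALLS)
        return 0;
    return slot_address(rax);
}

/* Constructed attacker value: a valid syscall number in the low 32 bits,
 * all ones in the high 32 bits. As a signed index this is nr - 2^32,
 * i.e. 2^35 bytes (32 GiB) below the table, a region an attacker on the
 * real system would try to map in user space before making the call. */
static uint64_t poisoned_syscall_number(uint32_t nr)
{
    return 0xffffffff00000000ULL | nr;
}

/* Does the vulnerable dispatcher accept rax and then read its handler
 * from outside the table? */
static bool vulnerable_reads_outside_table(uint64_t rax)
{
    uintptr_t slot = dispatch_slot_vulnerable(rax);
    return slot != 0 && !slot_in_table(slot);
}

int main(void)
{
    uint64_t rax = poisoned_syscall_number(2);

    printf("low 32 bits = %u\n", (uint32_t)rax);
    printf("vulnerable dispatcher accepts: %s, slot outside table: %s\n",
           dispatch_slot_vulnerable(rax) ? "yes" : "no",
           vulnerable_reads_outside_table(rax) ? "yes" : "no");
    printf("fixed dispatcher accepts: %s\n",
           dispatch_slot_fixed(rax) ? "yes" : "no");
    return 0;
}
```

The general fix is the one the second dispatcher shows: compare and index with the same register width, or explicitly truncate the register once before both the check and the table load. The same check/use width mismatch shows up in any code that validates an operand at one width and consumes it at another, so it is worth grepping for in dispatchers outside the kernel too.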

Re:Bad Publicity... (1)

0123456 (636235) | more than 3 years ago | (#33632364)

Fortunately, I'm not rich enough to afford 64bit hardware, but still this is not good...

An Atom-330 and motherboard costs about $80... and I think the 230 is 64-bit for a few dollars less.

Re:Bad Publicity... (1)

oiron (697563) | more than 3 years ago | (#33632420)

Pretty much everything since Prescott on the Intel side and, err... everything on the AMD side is 64bit. If you have anything you bought since late 2006, good chances that it's a 64bit system...

Re:Bad Publicity... (1)

MobileTatsu-NJG (946591) | more than 3 years ago | (#33632434)

Microsoft and their associated Windows shills are loving this.

You lot stopped just short of calling Linux 'unsinkable'. Of course people are going to have fun with it, it's just not limited to shills.

Scriptkiddies these days (1, Interesting)

Pseudonym Authority (1591027) | more than 3 years ago | (#33632030)

Acidbitches..... In my day, naming your ubeR l3e7 h4xX0r 6r00p MEANT something.

Re:Scriptkiddies these days (1)

socceroos (1374367) | more than 3 years ago | (#33632236)

Excuse me, Mr. ID 1591027, but your day hasn't even begun yet. =)

Re:Scriptkiddies these days (1)

Miseph (979059) | more than 3 years ago | (#33632278)

Isn't it a little past your bed time, Mr. 1374367?

Re:Scriptkiddies these days (2, Funny)

socceroos (1374367) | more than 3 years ago | (#33632308)

Speaking from the grave I see, Mr. 979059. =D

Re:Scriptkiddies these days (4, Funny)

smash (1351) | more than 3 years ago | (#33632336)

quiet, children.

Re:Scriptkiddies these days (4, Funny)

socceroos (1374367) | more than 3 years ago | (#33632380)

Guys, come look, its Abraham!

Re:Scriptkiddies these days (0)

Anonymous Coward | more than 3 years ago | (#33632474)

SEEEEE!!!! That guy rooted your Linux box for your low account number! No better than Windows thanks to this masterpiece from that scrub Torvalds.

(-1 Troll, Incoming woosh)

Re:Scriptkiddies these days (1)

Xacid (560407) | more than 3 years ago | (#33632328)

You guys are cute.

Re:Scriptkiddies these days (1)

Xacid (560407) | more than 3 years ago | (#33632426)

Wait, no. What I mean to say is - get off my lawn.

Re:Scriptkiddies these days (1)

PapayaSF (721268) | more than 3 years ago | (#33632332)

All you kids, keep it down in there!

Re:Scriptkiddies these days (2, Funny)

Pseudonym Authority (1591027) | more than 3 years ago | (#33632348)

I used to have a 4 digit UID, but it was stolen by Ac1db1tch3z.

Oh Noes (5, Insightful)

symbolset (646467) | more than 3 years ago | (#33632036)

Yes, there's an available rights escalation vulnerability in recent Linux Kernels that's best patched by updating your system with the latest updates. The breathless nature of the fine summary betrays an eagerness to get Linux admins to click the links before they've done so. I'd rather not. Social engineering is such a powerful exploit mechanism after all.

The Windows geeks obviously will want to paint this as a native Linux vulnerability that they don't have - and it is marginally true. That's fine - but it's an escalation bug, not a remote root, and they've several dozen remote root bugs to close before they point fingers.

Re:Oh Noes (1, Troll)

syousef (465911) | more than 3 years ago | (#33632136)

The Windows geeks obviously will want to paint this as a native Linux vulnerability that they don't have - and it is marginally true.

"Marginally true"??? What's that? Is it like marginally dead or perhaps marginally pregnant? Wait a second. That can't be true. Everyone knows Linux users don't get rooted ;-)

Re:Oh Noes (2, Insightful)

Anonymous Coward | more than 3 years ago | (#33632198)

The Windows geeks ... they've several dozen remote root bugs to close before they point fingers.

Care to point them out?

Re:Oh Noes (1)

93 Escort Wagon (326346) | more than 3 years ago | (#33632292)

The Windows geeks ... they've several dozen remote root bugs to close before they point fingers.

Care to point them out?

Just subscribe to the SANS newsletters - they point them out every week (for all OSes, not just Windows).

Then perhaps do as the GP asks (3, Insightful)

Sycraft-fu (314770) | more than 3 years ago | (#33632320)

Point out a current remote root exploit in Windows. To the best of my knowledge, there are none. Which means that the original poster is just fluffing his feathers trying to divert attention from the Linux issue.

While this isn't something that means Linux is majorly insecure or anything, it is a Linux issue. However fanboys don't like that, they can't just say "Yep, there's a problem." Instead they want to try and deflect it, make it about something else. So he deflects the issue by claiming there are some nebulous "remote root bugs," without any specifics.

Re:Then perhaps do as the GP asks (4, Informative)

Hackeron (704093) | more than 3 years ago | (#33632408)

Just a quick google search: http://secunia.com/advisories/41122 [secunia.com]

There are quite a few listed on Secunia, it's a really good site. Currently lists 10 unpatched vulnerabilities in Windows Vista, none for Linux surprisingly, it must be a conspiracy against Microsoft and those damn Linux fanboys.

Re:Then perhaps do as the GP asks (1)

IICV (652597) | more than 3 years ago | (#33632442)

Uhm how's about this one, that's like three posts down from here? It's not quite a remote root exploit, but it is an exploit that, for a great many asp.net installations, will inevitably lead to you getting remote root.

Re:Then perhaps do as the GP asks (1)

internettoughguy (1478741) | more than 3 years ago | (#33632450)

Point out a current remote root exploit in Windows. To the best of my knowledge, there are none. Which means that the original poster is just fluffing his feathers trying to divert attention from the Linux issue.

While this isn't something that means Linux is majorly insecure or anything, it is a Linux issue. However fanboys don't like that, they can't just say "Yep, there's a problem." Instead they want to try and deflect it, make it about something else. So he deflects the issue by claiming there are some nebulous "remote root bugs," without any specifics.

Point out a current remote root exploit in Linux.

Re:Oh Noes (0)

Anonymous Coward | more than 3 years ago | (#33632300)

Wait a day or two. Another will make the headlines. And then another, and another...

EH (4, Insightful)

Anonymous Coward | more than 3 years ago | (#33632040)

This is a local exploit so I'm not horribly concerned and here is why.

You should always treat your systems as if an exploit already exists for both remote and local connections.

The systems I maintain are part of a bit of an elaborate network. There is a huge investment in controlling incoming and outgoing traffic as well as managing who actually has access to systems. While a local exploit is a big deal, it's not like there are a great number of places for users to inject this code. If someone could compromise an input vector and piggyback the exploit, that still wouldn't get them very far. In fact, without knowing key details regarding the network infrastructure they would simply nab a host that could not reach the outside world.

With that said we do have a bit of reliance on lbs, traffic inspection, firewalls and a good bit of monitoring equipment. However, there is a solid investment in specific purpose network and security protocols to accomplish these goals. In a bit of a cheaper shop I'm wondering what others do to maintain security and get some of the same tools. (I'm being very vague about our setup intentionally, but there have to be some decent foss network tools as well).

Re:EH (4, Insightful)

GNUALMAFUERTE (697061) | more than 3 years ago | (#33632166)

THIS ^^^^^^

I understand why you are posting as AC and being vague about it, I'm fucking paranoid about revealing details of the entrails of my network too.

People don't understand how security works. If I told you the alarm in my office will fail to detect movement in zone 7 if you do X and Y, would you say that my office is absolutely compromised? No. I still have a security guy, bars, security doors, CCTV, and most things of real value inside is doubly secured (source code is encrypted, money is in the safe). A simple glitch doesn't mean I'm getting robbed.

The problem is that there are many admins out there that do it by the book, and just think that patching systems is enough. You have to work with the OS to keep it secure, not just rely on it. Of course, securing a platform like windows is fucking impossible, that's why we don't use it (not even in the desktops). But if you have a reasonably secure OS, you have to use the rest of your architecture plus some level of monitoring and log-watching to keep things safe.

Re:EH (1)

uvajed_ekil (914487) | more than 3 years ago | (#33632302)

A simple glitch doesn't mean I'm getting robbed.

But, you see, some anonymous reader said you are probably already rooted. He said probably, which indicates there is greater than a 50% chance you are already screwed, so it must be true. Never mind that the summary reads like an ad, looks very fishy, and is preaching doom and gloom, it got approved here, so believe it!!! .01% insecure from an inside job means YOU ARE SCREWED!

*Yawn* Local Root Exploit (4, Insightful)

Greyfox (87712) | more than 3 years ago | (#33632052)

If hostile users have local access, you're pretty much boned anyway.

Re:*Yawn* Local Root Exploit (5, Insightful)

Anonymous Coward | more than 3 years ago | (#33632074)

This doesn't require being physically close to the computer. For example, a web hosting company might give people limited permission ssh accounts on a web server, and the people could then use this exploit to get root.

Re:*Yawn* Local Root Exploit (1)

mysidia (191772) | more than 3 years ago | (#33632144)

A web hosting company might give people the ability to run PHP scripts on the web server. The user could cross-compile an exploit binary, upload it to the web server, then write a PHP script to cause the exploit binary to run non-interactively as a means of opening a backdoor where further access could be obtained.

Re:*Yawn* Local Root Exploit (4, Insightful)

mlts (1038732) | more than 3 years ago | (#33632102)

Pretty much Greyfox sums it up right there. The days of having hundreds to thousands of users with shell access on a university or public access machine are long gone. Instead, the focus of security has moved from keeping users out of root [1] to keeping people from getting to the machine in the first place, and if they get to the machine via a networking protocol, not being able to execute code in any meaningful context on the machine.

The only time I'd worry about this is if someone could get a shell or execute code in an application's context (say they manage to do a buffer overrun and are able to stick a user shell on a port, for example). However, this is what AppArmor and SELinux are designed to stop anyway, so even with root context, an attacker is limited in what they can do.

[1]: This isn't to say that user to root priv exploits are something to be completely neglected, of course.

Re:*Yawn* Local Root Exploit (3, Informative)

mysidia (191772) | more than 3 years ago | (#33632178)

The exploit in question actually includes a SELinux bypass. SELinux and AppArmor are not as great as you think; they are understood well enough that hackers can defeat them, and they are deployed on enough systems that hackers write their exploits so these protections are defeated.

Re:*Yawn* Local Root Exploit (2, Informative)

0123456 (636235) | more than 3 years ago | (#33632330)

SELinux and AppArmor are not as great as you think; they are understood well enough that hackers can defeat them, and they are deployed on enough systems that hackers write their exploits so these protections are defeated.

SELinux and Apparmor can't do much if you have an exploit that allows you to execute arbitrary code inside the kernel (which I believe this does). But they'll certainly stop the kind of random buffer overflow exploit that's been the most common avenue of remote attack.

Re:*Yawn* Local Root Exploit (3, Informative)

mysidia (191772) | more than 3 years ago | (#33632452)

SELinux and Apparmor can't do much if you have an exploit that allows you to execute arbitrary code inside the kernel (which I believe this does). But they'll certainly stop the kind of random buffer overflow exploit that's been the most common avenue of remote attack.

They will stop the simple use of a buffer overflow exploit to do something the program with the vulnerability couldn't do.

That is: a buffer overflow exploit allows running arbitrary code in the context of the program. SELinux limits what files can be accessed by arbitrary code based on security labels.

However, if there is also a vulnerability in the kernel, SELinux cannot stop a buffer overflow in a program from being used in conjunction with a kernel vulnerability to run arbitrary code in kernel mode.

Basically: buffer overflow in a program + kernel escalation bug = SELinux or AppArmor fail

Re:*Yawn* Local Root Exploit (1)

oiron (697563) | more than 3 years ago | (#33632446)

The exploit in question actually includes a SELinux bypass. SELinux and AppArmor are not as great as you think; they are understood well enough that hackers can defeat them, and they are deployed on enough systems that hackers write their exploits so these protections are defeated.

Cue scary Theremin music

Re:*Yawn* Local Root Exploit (5, Informative)

langelgjm (860756) | more than 3 years ago | (#33632326)

The days of having hundreds to thousands of users with shell access on a university or public access machine are long gone.

What makes you say that? All of the three universities I've been at in the past eight years have provided shell access for all students and faculty to at least one cluster, and often more than one. The current university uses Solaris, so this particular issue isn't relevant, but I would be more surprised to hear of a university that doesn't offer shell access.

k/x/ubuntu should be patched by now (0)

Anonymous Coward | more than 3 years ago | (#33632094)

just checked my kernel version against the ubuntu advisory, all good.

I guess the real story here is how quickly the holes are patched. No one should claim linux is perfect...but at least things like this should be fixed very quickly.

In this case...all is well - thank you ubuntu team (and those of other distros) !

slashdvertisement ... and full of crap. (2, Insightful)

GNUALMAFUERTE (697061) | more than 3 years ago | (#33632098)

Now Ksplice is really starting to piss me off. This is at least the fifth time we've got this kind of crap on Slashdot.

Besides that, this is an escalation vuln ... it's local, ok? Not a remote exploit. And, regardless of all that, there's already a fix, which was promptly released before this got out of hand.

So, between the Ksplice assholes that abuse each vulnerability that is published to blow it out of proportion and somehow imply that you require Ksplice to patch this without losing your job (I mean, come on, if your service is critical enough that it can't accept 2 minutes of downtime for a reboot, then you have redundancy and can update machines one by one without any real downtime); and the Winslow assholes that don't understand shit about security and somehow think that this means that GNU/Linux is insecure and as bad as their shitty system, I'm going nuts every time there is a new vuln in the kernel.

Re:slashdvertisement ... and full of crap. (2, Insightful)

sdasher (1586493) | more than 3 years ago | (#33632282)

Actually, RHEL and CentOS have still yet to release a fix. So for your average Linux sysadmin out there, there still isn't an easy-to-use fix. Well, besides Ksplice anyway.

Re:slashdvertisement ... and full of crap. (0, Troll)

GNUALMAFUERTE (697061) | more than 3 years ago | (#33632418)

Come on. RHEL sucks, and the only people using it are noobs and sysadmins that didn't have the balls to tell their managers "fuck you, I'm installing slackware".

CentOS is the same, but for cheap bastards.

Regardless, you don't need an "easy fix". No qualified sysadmin uses the stock kernel that came with the distro in any critical server. If there's a patch, you'll just apply it to your sources and recompile. Only desktop users and not-critical services should rely on distro's updates. If you are relying on your distribution's updates for critical fixes on any service even remotely important, you are either fucking nuts or absolutely incompetent.

Re:slashdvertisement ... and full of crap. (0)

Anonymous Coward | more than 3 years ago | (#33632324)

Now Ksplice is really starting to piss me off. This is at least the fifth time we've get this kind of crap on slashdot.

To be fair, they were mentioned as kinda an afterthought.

Also, there are like 2 or 3 average-to-fugly chicks on that team of weirdos and neckbeards, and you know how most of Slashdot's readership start pocketpooling themselves the second they see boobs and vaginas within 3 feet of a computer.

Signed, Your pal,
Ethan Fuentes

Ya (4, Insightful)

Sycraft-fu (314770) | more than 3 years ago | (#33632366)

Our UNIX admin has the philosophy that anyone with local access can get root if they want it bad enough. Security isn't done by presuming you've made that impossible. Rather security is done by making sure you don't give access to just anyone, and to monitoring what people do. Local escalation exploits are things to be fixed, since they can always make a remote exploit worse (someone exploits something remotely, gets unprivileged access, exploits the local exploit to get root) they aren't a critical threat usually.

However I will say you don't make things much better when you start with name calling with regards to Windows and the people that run it. That smacks of being the sort of asshole that knows little about the other platform that you are painting them to be. That you have a preferred platform is great. One would hope it is based on good reasons. However name calling on another platform indicates it is more likely based on zealotry than anything else.

Re:Ya (1)

GNUALMAFUERTE (697061) | more than 3 years ago | (#33632460)

Well, that "other platform" hasn't published its source, provides no real documentation as to the internals of the system, doesn't conform to any published standard, and doesn't even have a published roadmap. Therefore, we all know very little about that platform, except for the actual coders. That is, in itself, a valid enough reason to completely disregard that platform as a reliable alternative. To make matters worse, it has such a ludicrous security record, and some oh so obvious design flaws that are apparent to anyone even without using the system (the mandatory graphic interface, for instance), that any further investigation into it seems pointless.

Does that answer your question?

Need help patching/checking (0)

Anonymous Coward | more than 3 years ago | (#33632110)

I have an Ubuntu 10.04 cloud server and want to make sure everything is patched and not rooted. Does apt-get update/upgrade fix this particular exploit at this time? I also tried to run the Ksplice tool to see if I'm already rooted but it tells me this when I try to run it:

$ ./diagnose-2010-3081
Diagnostic tool for public CVE-2010-3081 exploit -- Ksplice, Inc.
(see http://www.ksplice.com/uptrack/cve-2010-3081)

$$$ Kernel release: 2.6.33.5-rscloud
!!! Error in setting cred shellcodes

Any advice?

Re:Need help patching/checking (1)

0123456 (636235) | more than 3 years ago | (#33632306)

Ubuntu released the patch last week. Unfortunately you don't seem to be running an Ubuntu kernel.

Re:Need help patching/checking (3, Funny)

larry bagina (561269) | more than 3 years ago | (#33632358)

Post your IP address and root password and I'll check it for you.

Oh what rubbish (1)

Nursie (632944) | more than 3 years ago | (#33632116)

First you need remote access to my home machine, which is behind a NAT'd router and doesn't expose any services outside. That means that drive-by scanning won't work, and even if it did you'd have to find your way in via the only open port - ssh.

My systems in the commercial space are properly firewalled. It's a bad thing if anyone has shell access to them at all, let alone root.

Re:Oh what rubbish (1)

catmistake (814204) | more than 3 years ago | (#33632182)

NAT routers are nice... like a honey trap, but functional. Unless it's wireless, too... that's sort of like having a house with a decent heavy front door... but no roof.

Re:Oh what rubbish (1)

Nursie (632944) | more than 3 years ago | (#33632470)

1. Wireless security has got a lot better. I don't run WEP.

2. To get in that way you have to get up close and personal, you can't do it from a continent away.

Re:Oh what rubbish (1)

DeathFromSomewhere (940915) | more than 3 years ago | (#33632244)

Cool anecdote bro. Thanks for reminding us all that every network on the internet is configured exactly like yours.

Re:Oh what rubbish (1)

oiron (697563) | more than 3 years ago | (#33632478)

Pretty much any decently set up service is, these days. Except for some specific use cases.

In other words, 99% of users won't be affected even on 64-bit.

Re:Oh what rubbish (3, Informative)

mysidia (191772) | more than 3 years ago | (#33632350)

You don't necessarily need shell access, just the ability to run a binary as any user.

This could be done, for example, if it is a web server and there is a PHP script with a vulnerability. If a hacker can run arbitrary PHP code, then they can run code to accept an upload of the binary.

Once the binary is uploaded to a world-writable directory such as /tmp or /var/lib/php/sessions, the hacker can use the ability to run arbitrary PHP code again to invoke fchmod(), make the binary executable then use the system's dynamic loader and execute the binary, as in passthru("/lib/ld-linux.so.2 /path/to/some/exploit/binary");
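A defender-side check for the scenario mysidia describes, written as an added example (not code from the thread, from Ksplice, or from any distribution): it lists every file with an ELF header inside the world-writable drop directories named above, ignoring the execute bit because a binary started through the dynamic loader needs none. The script name and the `report` helper are my own.

```shell
#!/bin/sh
# Added example, not code from the thread or from Ksplice: report files
# carrying an ELF header inside world-writable "drop" directories such as
# /tmp and /var/lib/php/sessions, or any others given on the command line.
# The execute bit is deliberately ignored, because a binary started via
# the dynamic loader (/lib/ld-linux.so.2 <file>) does not need one.

# find_elf_files DIR...: print the path of every regular file under the
# given directories whose first four bytes are the ELF magic 7f 45 4c 46.
find_elf_files() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -xdev -type f 2>/dev/null | while IFS= read -r f; do
            # od prints " 7f 45 4c 46"; strip the whitespace for comparison
            magic=$(head -c 4 "$f" 2>/dev/null | od -An -tx1 | tr -d ' \n')
            if [ "$magic" = "7f454c46" ]; then
                printf '%s\n' "$f"
            fi
        done
    done
    return 0
}

# report DIR...: one ls -l line per hit (owner, mode, mtime), which is what
# you correlate against the web server's access log to find the upload.
report() {
    hits=$(find_elf_files "$@")
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits" | while IFS= read -r f; do ls -ld "$f"; done
        echo "ELF files found in drop directories: investigate."
    else
        echo "No ELF files found under: $*"
    fi
}

# Scan only when directories are given, e.g.
#   sh elf-drop-check.sh /tmp /var/lib/php/sessions
if [ "$#" -gt 0 ]; then
    report "$@"
fi
```

A web server that never legitimately writes binaries into its session or temp directory should produce no hits; any hit is a file worth preserving before the kernel is patched and rebooted.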

Re:Oh what rubbish (1)

Nursie (632944) | more than 3 years ago | (#33632490)

Well, not on my machines, but point taken, there are remote vulnerabilities in badly configured or badly written services.

As ever it comes down to being bloody careful what you expose to the internet.

Not running it... (5, Insightful)

Dragoniz3r (992309) | more than 3 years ago | (#33632118)

Am I the only person who says "hell no" to running that "diagnosis" program? After looking through the code real quick, I have no interest whatsoever in running a program that performs the very exploit I'm supposed to be scared of, cuz I don't have time to make sure Ksplice neutralized it properly. Also, since it's only a local exploit, I'm not concerned enough about it to run a diagnosis tool that implements it.

And good lord god almighty, what 12 year old wrote this code, that they think having function names like put_your_hands_up_hooker() makes them cool?

Re:Not running it... (0)

Anonymous Coward | more than 3 years ago | (#33632162)

Probably explains why they're stuck at some dead-end IT job doing hacking at night -- not mature enough to grow up and capitalize on the brains they got.

Re:Not running it... (1)

cpghost (719344) | more than 3 years ago | (#33632208)

Am I the only person who says "hell no" to running that "diagnosis" program?

Testing it in a quick throw-away VM (e.g. in VirtualBox) is always instructive though. Just don't run it on your real machine.

It appears to be safe. (was: Re:Not running it...) (1, Informative)

Anonymous Coward | more than 3 years ago | (#33632290)

I'm not the king of all C coders, and please for the love of all that is good and holy don't trust some random stranger on the internet, but I read the source and if it's doing anything bad, it's doing it quite sneakily -- more so than I'd expect the teenager who wrote the exploit source to be capable of, frankly.

Now, do I wish the ksplice guys would've cleaned up/de-obfuscated their 'borrowed' code to make it a little less alarming-looking? Yep. Do I wish they weren't doing their ridiculous Chicken-Little routine in a transparent attempt to move some product? Also yes. Could that binary be pretty much anything? Uh-huh.

Is anything bad going to happen to you if you compile and run that C code? As far as I can tell, no.

Re:Not running it... (1, Insightful)

Anonymous Coward | more than 3 years ago | (#33632422)

I don't know, glancing at the code it looks fairly clean.

The naming convention, on the other hand, reverses all attempts to make the code tolerable.

Maybe I am just getting old, but WTF is stuff like this about?

__yyy_tegdtfsrer("!!! Un4bl3 t0 g3t r3l3as3 wh4t th3 fuq!\n");

Really? Writing, "!!! Unable to get release, what the fuck?\n" was too hard?

OSS Strikes Again (-1)

Anonymous Coward | more than 3 years ago | (#33632120)

Tell us how great OSS is.

Tell us how much better Linux is.

Tell us how badly Microsoft sucks.

I'm a PC, and using Windows instead of Linux was my idea.

Re:OSS Strikes Again (2, Informative)

0123456 (636235) | more than 3 years ago | (#33632266)

Tell us how great OSS is.

OSS is great... my Ubuntu machines were already patched a day before the first scare stories about this exploit appeared here on Slashdot.

Re:OSS Strikes Again (3, Insightful)

picoboy (1868294) | more than 3 years ago | (#33632436)

Tell us how great OSS is.

Tell us how much better Linux is.

Tell us how badly Microsoft sucks.

I'm a PC, and using Windows instead of Linux was my idea.

I knew it was just a matter of time before Ballmer showed up as an AC on Slashdot.

Patch on its way... (1)

Korbinus (589005) | more than 3 years ago | (#33632146)

Downloading the fix from Ubuntu as I read this article :-)

Re:Patch on its way... (1, Informative)

jadedoto (1242580) | more than 3 years ago | (#33632274)

Me too. Let's see Microsoft get a patch out that fast. ;)

FUD (5, Insightful)

proxima (165692) | more than 3 years ago | (#33632180)

Running 64-bit Linux? Haven't updated yet? You're probably being rooted as I type this.

C'mon now. As others have pointed out, and has been mentioned earlier on /., this is a local root exploit. It's bad, it affects a lot of users (in theory), but to write this is to simply spread fear for most of those using Linux.

Why? Because the systems that inexperienced users run also happen to be those with a few, generally trusted users. Think netbooks. Sure, all local root exploits are bad and should be patched asap. But that doesn't mean "you're probably being rooted as I type this". It means that a remote attacker needs user-level privileges (say, with a browser or plugin vulnerability) first. Since Ubuntu and probably other major distros have already patched this, and the default settings for updates on these systems are to check fairly frequently, most end users will have the patched kernel quickly.

That leaves multi-user systems. The admins of these servers certainly benefit from finding out about the vulnerability asap, and they did (including through previous stories here). By now, though, most admins should have something in place if they don't have full trust in their users. If they don't, they should definitely be looking at whether this was exploited.

The bottom line is that there are many local root exploits which come out every year. This is the latest one, with a patch already available. Responsible admins of multi-user systems are used to dealing with this, and home users are almost certainly going to be patched before it causes any issues. For them, the latest Flash vulnerability is more worrisome. Even the extremely rare remote exploit of a service isn't usually an issue, since most modern distros don't start much of anything by default (including ssh, IIRC).

Re:FUD (1)

fnj (64210) | more than 3 years ago | (#33632228)

Absurdly sensationalistic line in the summary.

OMG GNU + Linux machines being rooted? (0)

Anonymous Coward | more than 3 years ago | (#33632194)

What's new in that? Tons of GNU + Linux webservers are rooted & defaced every single day. Yawn... most non-zealots already knew that.

Obvious (1)

Konster (252488) | more than 3 years ago | (#33632312)

The obvious way to have the most fun with this is to run a W7 host with a Linux client in a VM so you can be rooted while you are being rooted. ;)

Tomorrow's article: Linux exploit story sends (0)

Anonymous Coward | more than 3 years ago | (#33632382)

Linux exploit story sends the Slashdot crowd into a hissy fit lol.

Talk about a biased group. Mention a Linux exploit, a very serious one in this case, and look at them up in arms. More biased than Fox News and CNN combined.

Oh and you missed the "defective by design" tag on this article.
