
Exploits Emerge For Linux Privilege Escalation Flaw

samzenpus posted more than 2 years ago | from the protect-ya-neck dept.

Security 176

angry tapir writes "Linux vendors are rushing to patch a privilege escalation vulnerability in the Linux kernel that can be exploited by local attackers to gain root access on the system. The vulnerability, which is identified as CVE-2012-0056, was discovered by Jüri Aedla and is caused by a failure of the Linux kernel to properly restrict access to the '/proc//mem' file."


176 comments


Time to reset the local exploits sign (-1)

Anonymous Coward | more than 2 years ago | (#38823319)

What do you mean it was already at -3000?

Organized trolling campaign by GreatBunzinni (-1, Offtopic)

Anonymous Coward | more than 2 years ago | (#38823381)

GreatBunzinni [slashdot.org] has been posting anonymous accusations [slashdot.org] listing a whole bunch of Slashdot accounts as being part of a marketing campaign for Microsoft, without any evidence. GreatBunzinni has accidentally outed himself [slashdot.org] as this anonymous poster. Half the accounts he attacks don't even post pro-Microsoft rhetoric. The one thing they appear to have in common is that they have been critical of Google in the past. GreatBunzinni has been using multiple accounts to post these "shill" accusations, such as Galestar [slashdot.org], NicknameOne [slashdot.org], and flurp [slashdot.org].

That's not the problem. The problem is that moderators gave him +5 Informative and are now modding down the accused, even for legitimate posts. Metamoderation is supposed to address this by filtering out the bad moderators, but clearly it's not working.

This "shill" crap that has been flying around lately has to stop. It's restricting a variety of viewpoints from participating on the site and creating an echo chamber.

Re:Organized trolling campaign by GreatBunzinni (-1)

Anonymous Coward | more than 2 years ago | (#38823409)

You sure seem to have a lot of free (perhaps well paid?) time to troll slashdot all day.

Re:Organized trolling campaign by GreatBunzinni (-1)

Anonymous Coward | more than 2 years ago | (#38823499)

Overly Critical Guy, is that you? [slashdot.org] Some sort of meta trolling I guess, interesting.

Re:Organized trolling campaign by GreatBunzinni (-1)

Anonymous Coward | more than 2 years ago | (#38823549)

Or bonch. That's the same thing, really [slashdot.org].

Re:Organized trolling campaign by GreatBunzinni (-1)

Anonymous Coward | more than 2 years ago | (#38823541)

Bonch definitely is a sockpuppet, shill or not. I have seen his comments get +5 seconds after being posted, on stories with 4 other posts and no other moderations. That doesn't happen honestly.

Re:Organized trolling campaign by GreatBunzinni (-1)

Anonymous Coward | more than 2 years ago | (#38823773)

People with first post usually get upmodded quickly because they're the first person moderators see.

For the record, this conspiracy stuff is stupid.

Re:Organized trolling campaign by GreatBunzinni (-1)

Anonymous Coward | more than 2 years ago | (#38823923)

For the record, this conspiracy stuff is stupid.

Only a $hill would say that.

Re:Organized trolling campaign by GreatBunzinni (-1)

Anonymous Coward | more than 2 years ago | (#38823929)

If you think corporations don't pay people to comment/mod on stories on here and other sites you're naive.

Re:Organized trolling campaign by GreatBunzinni (-1)

Anonymous Coward | more than 2 years ago | (#38823945)

Yet I've seen this multiple times, usually with Bonch trolling, and at least one of the other posts being perfectly reasonable. How do you manage +5 for an inflammatory post when there are posts with actual facts relating to the story at 1? I think I know.

Re:Organized trolling campaign by GreatBunzinni (-1)

Anonymous Coward | more than 2 years ago | (#38823905)

Bonch, you had me convinced that you were just a moron until this crap started popping up.

Only a shill would have time to waste on postings like these. Every other rational person -- with nothing to lose but karma -- would just ignore the shill accusations. Every time I get mod points, I'm going to spend every one on one of your sockpuppets.

Re:Organized trolling campaign by GreatBunzinni (-1)

Anonymous Coward | more than 2 years ago | (#38824161)

Err, you got it exactly wrong.

Shills, like our friend InsightfulTechGuysLaser, don't bother running around with personal attacks and too obvious trolling. They just silently drop away and come back with a new account posting same truthinessful shit.

That's genuine nuts, like APK or this here Overly Critical Bonch are ones who give most entertainment, but hurt the genuine useful discussion. Getting personal? Check - for APK and bonch. Pushing agenda wherever he could? Check - HOSTS file for APK, Apple superiority, Google, RMS and GPL inferiority for bonch. Naive denial of sockpuppetry paired with absolute inability to change writing style? Check. Accusing everyone around in his own faults? Check, "It's not I'm too Apple-leaning, it's all /. too anti-Apple! I'm not a troll and puppeteer, it's Great Bunzini (that's why I'm posting it in every topic!)"

Sure, bonch didn't reach APK's level of insanity yet, but give him time.

Re:Time to reset the local exploits sign (0)

Anonymous Coward | more than 2 years ago | (#38823907)

Just so everybody knows, I'm not involved with the stupid troll/countertroll argument!

Although I should have made the number -1337.

first ever first.. (-1)

Anonymous Coward | more than 2 years ago | (#38823325)

this truly has been a special mom

Re:first ever first.. (0)

Anonymous Coward | more than 2 years ago | (#38824195)

And yet you still failed.

iOS now has more marketshare than Android (-1, Flamebait)

Anonymous Coward | more than 2 years ago | (#38823327)

It's official: iOS now has more marketshare than Android. Reuters reports that Apple completely erased Android's marketshare lead [reuters.com], confirming earlier reports by both Nielsen [nielsen.com] and NPD [gigaom.com]. Over 150 Android smartphones couldn't outcompete the iPhone 4S. With 37 million iPhones sold last quarter, Apple is the largest smartphone maker, and their profits exceed Google's entire revenue, $13 billion to $10.6 billion. Finally, with 15 million iPads sold last quarter, the tablet market is now larger than the entire desktop PC market.

The clock is ticking, Fandroids.

Re:iOS now has more marketshare than Android (0, Offtopic)

jm.one (655706) | more than 2 years ago | (#38823457)

It's official: iOS now has more marketshare than Android. Reuters reports that Apple completely erased Android's marketshare lead [reuters.com], confirming earlier reports by both Nielsen [nielsen.com] and NPD [gigaom.com]. Over 150 Android smartphones couldn't outcompete the iPhone 4S. With 37 million iPhones sold last quarter, Apple is the largest smartphone maker, and their profits exceed Google's entire revenue, $13 billion to $10.6 billion. Finally, with 15 million iPads sold last quarter, the tablet market is now larger than the entire desktop PC market.

The clock is ticking, Fandroids.

Funny that you mention the f word, after the expected RETURN of Apple's marketshare lead has been commented on as a "complete erase". Note: Apple's marketshare according to the quoted market researchers is 44.9 versus Google's 44.8. Wow. Beaten into the ground eh? And then.. 10.6 isn't Google's entire revenue. It's their profit. http://investor.google.com/financial/tables.html [google.com] With all that said. Even if Apple had a marketshare of 70 or 80 percent or more on smartphones (NOT: all mobile phones): that's totally not a reason to buy their product. It would be a reason to worry about market domination though. But besides that, for many people there are other more valid reasons to decide for another phone.

Re:iOS now has more marketshare than Android (5, Funny)

tqk (413719) | more than 2 years ago | (#38823685)

Pardon me, but I'm going to go watch Firefly now, as it appears none of you make any sense. Bye.

Re:iOS now has more marketshare than Android (0)

Anonymous Coward | more than 2 years ago | (#38824781)

>Pardon me, but I'm going to go watch Firefly now, as it appears none of you make any sense. Bye.

But.. but... how can you watch Firefly when Nielsen and NPD confirm that people buy cellphones? :O

I need a new wristwatch... one with a stockmarket ticker... so I know with which mp3 player I'll father my next child..

Better than Windoze (-1, Troll)

Anonymous Coward | more than 2 years ago | (#38823329)

All us Linucks fanboys know that windoze is insecure and Lincks is not.

Open Sores makes everything more secure. It's like nobody wants to go near open sores.

This must be a vulnerability in Windoze or user error. Linucks is perfect thanks to open sores.

Broken on Android too (1, Interesting)

StayFrosty (1521445) | more than 2 years ago | (#38823333)

Awesome that this will lead to easier root access on Android devices.
On the flip side I'm sure Android vendors won't get around to patching this for a while and our devices will be vulnerable.

Now, off to patch my Linux boxen.

Re:Broken on Android too (-1)

Anonymous Coward | more than 2 years ago | (#38823347)

The Patch for Linux? OSX.

Re:Broken on Android too (-1, Troll)

Anonymous Coward | more than 2 years ago | (#38823365)

The Patch for OSX? A brain.

Re:Broken on Android too (0)

Anonymous Coward | more than 2 years ago | (#38823417)

The patch for Brain? Uhh... Well... Damn

Re:Broken on Android too (2)

jd (1658) | more than 2 years ago | (#38823833)

Pinky, are you thinking what I'm thinking?

Re:Broken on Android too (5, Funny)

Abreu (173023) | more than 2 years ago | (#38823949)

Wuh, I think so, Brain, but if we didn't have ears, we'd look like weasels

Re:Broken on Android too (0)

Anonymous Coward | more than 2 years ago | (#38823971)

I think so, but this time you get to wear the rubber trousers.

Re:Broken on Android too (-1)

Anonymous Coward | more than 2 years ago | (#38824047)

Oh my, the fagbois got their panties in a bunch. LolZZZ!!!!!
 
Fucking faggots... go back to sucking some more open sores dicks.

Re:Broken on Android too (1)

alreaud (2529304) | more than 2 years ago | (#38825135)

Watch out there, AC. Latest news is the fucking faggots have these special wands now that they shoot glitter into your eyes with and blind you. It's been all over Twitter...

Re:Broken on Android too (2)

toadlife (301863) | more than 2 years ago | (#38823471)

this will lead to easier root access on Android devices

When I saw the headline that's exactly what popped into my head; "one-click" root tools for various Android devices that don't currently have any.

Re:Broken on Android too (0)

Anonymous Coward | more than 2 years ago | (#38823625)

That's probably the only fix AT&T will provide, so you cannot uninstall their Navigator (and other software/bloatware from the phones).

Re:Broken on Android too (1)

JAlexoi (1085785) | more than 2 years ago | (#38824483)

Except that only version 4.0 is vulnerable. And only GNex and Nexus S have that version deployed by.... Google! So I see an update pretty soon.

Re:Broken on Android too (3, Informative)

bfree (113420) | more than 2 years ago | (#38824513)

Really? This bug was only present in kernel releases 2.6.39 and newer. Do any Android devices use kernels based on a Linux this current? A quick search says Android 2.3 used 2.6.35 and 3.0 used 2.6.36, so the number of devices this might possibly help you root looks minuscule.

Re:Broken on Android too (5, Funny)

NeoMorphy (576507) | more than 2 years ago | (#38824643)

Really? This bug was only present in kernel releases 2.6.39 and newer. Do any Android devices use kernels based on a Linux this current? A quick search says Android 2.3 used 2.6.35 and 3.0 used 2.6.36, so the number of devices this might possibly help you root looks minuscule.

I am replying with my new Asus Transformer Prime, which is running ICS (Android version 4.03); the kernel is 2.6.39.4.

I'm thinking this bug is God's way of saying "You are loved. Now go forth and exploit your tablet!"

Re:Broken on Android too (0)

Anonymous Coward | more than 2 years ago | (#38825301)

God doesn't speak in modern English.

Yea, thou art loved. Now, goest thou forth and do exploitest thine own tablet!

Hrrm (5, Insightful)

Anonymous Coward | more than 2 years ago | (#38823337)

If someone is in a position to run a local exploit, aren't you pretty much fucked anyways?

Re:Hrrm (3, Insightful)

JimCanuck (2474366) | more than 2 years ago | (#38823373)

Yes that you are.

Re:Hrrm (4, Insightful)

MichaelSmith (789609) | more than 2 years ago | (#38823375)

Web servers are vulnerable because they run server side code, often uploaded with vulnerable content management systems, etc.

Re:Hrrm (2)

EvanED (569694) | more than 2 years ago | (#38823421)

Right, because no organization would give their employees user access to a machine but not root.

Re:Hrrm (2, Insightful)

Barbara, not Barbie (721478) | more than 2 years ago | (#38823517)

Of course. The best local exploit is a screwdriver and a spare moment or two.

Some quick contrarian rules:

Rule #1: There is no such thing as 100% secure. Even 100% bug-free cannot be considered 100% secure. It may work according to the design, and the design can be 100% correct today, but today is not tomorrow.

Rule #2: The more complicated layers of security you add, the more security holes you add. For those into car analogies, security always ends up being bolted on, like bondo dent filler, because you can't anticipate every future accident scenario. Anyone who claims otherwise is either a charlatan, a snake-oil salesman, a liar, or just plain deluded. Those who claim "you can't add security later" are liars. Those who use unix as an example don't know history - unix originally had zero security.

Rule #3: All security is ultimately "security through obscurity." If you believe open is more secure, please post your account info, including cc numbers, banking info, user names and passwords, to help make them "more secure". I'd say just email them to me, but "more eyes" and all that :-)

template twins (-1, Offtopic)

epine (68316) | more than 2 years ago | (#38823623)

Anyone who claims otherwise is either a charlatan, a snake-oil salesman, a liar, or just plain deluded.

I just had an eidetic flashback to something I fled an hour ago.

From On The Evolution Of Ashkenazi Jewish Intelligence [futurepundit.com]

But the higher average level of Ashkenazi Jewish intelligence is so glaringly obvious that I figure anyone who tries to argue otherwise is either engaged in intellectual con artistry or is ignorant or foolish.

Welcome to racially slanted IQ, goldbug, futurology hell. Your application shows merit, but fails to display elite OCD stamina. Please try again when your vigour suffices.

Re:Hrrm (5, Informative)

Anonymous Coward | more than 2 years ago | (#38823747)

I was with you up until Rule #3 which is nonsense.

Re:Hrrm (0)

Barbara, not Barbie (721478) | more than 2 years ago | (#38824159)

Really? Try proving it's "nonsense".

It's not "nonsense" for physical security, for hashed passwords, one-time pads, or for biometric security (and biometric is the biggest joke of all). Given enough knowledge and physical access, ALL security can be defeated, either by gaining access or denying the recipient access, or both.

Beware of ALL blanket statements ;-) (4, Insightful)

Zero__Kelvin (151819) | more than 2 years ago | (#38824509)

All security is ultimately "security through obscurity."

"I was with you up until Rule #3 which is nonsense."

Really? Try proving it's "nonsense".

You either don't know what the word all means, or you don't know what the term security through obscurity means.

Re:Hrrm (2)

alreaud (2529304) | more than 2 years ago | (#38825235)

... (and biometric is the biggest joke of all).

Explain please. I worked on a very secure military installation east of Colorado Springs. You had your retina scanned, locked in a bomb-proof, slightly bigger than coffin-sized box, as you keyed in a PIN and were weighed. This while being watched by the biggest grunts I have seen in my life with M16s. If the biometrics didn't match the PIN, the grunts would escort you out of the box. The sign on the wall in big bold letters says "USE OF DEADLY FORCE AUTHORIZED".

Joke? That was the only for real security I have seen in my life. Any spying done on that base is an inside job or a contractor. So in the end, your last statement is true, but #3 is still only partially correct. The best kept secrets are those that can be hidden in plain view. Obscurity sometimes is a hole that invites a peek. An example is hidden SSIDs.

Re:Hrrm (4, Interesting)

Mad Merlin (837387) | more than 2 years ago | (#38823787)

Rule #1: There is no such thing as 100% secure. Even 100% bug-free cannot be considered 100% secure.

There's also no such thing as 100% bug-free.

Rule #3: All security is ultimately "security through obscurity."

While in the strictest sense, this may not be untrue, to phrase it that way is extremely dishonest. An encryption algorithm that relies on the secrecy of the algorithm is totally worthless (security by obscurity), whereas an encryption algorithm that relies on the secrecy of the keys used for encryption is quite useful (not security by obscurity in the normal sense).

In fact, if you want to be pedantic about it, the relevant definition for obscure is...

not readily understood or clearly expressed; also : mysterious [1]

Which is about understanding and not so much about knowledge. I may understand that I need a username and password to log into your system, just because I don't know what the username or password is doesn't make it security by obscurity. In fact, say I wanted to break into your house, I may have seen you use a physical key to open the front door and walk in and I may have even memorized the pattern of teeth on the key, but it does me no good if I don't have a key of my own to open the door with. There is certainly no obscurity in that security.

If you're going to go ahead and say that all security is "security through obscurity", then you may as well make the next logical step of not implementing any of it.

[1] http://www.merriam-webster.com/dictionary/obscure [merriam-webster.com]

Re:Hrrm (0)

Barbara, not Barbie (721478) | more than 2 years ago | (#38824137)

Your "contrary example" actually proves my point.

In fact, say I wanted to break into your house, I may have seen you use a physical key to open the front door and walk in and I may have even memorized the pattern of teeth on the key, but it does me no good if I don't have a key of my own to open the door with. There is certainly no obscurity in that security.

Once you have the pattern, you no longer need a key of your own - you just go and get one manufactured. Or you take a blank and you file it down. How do you think a locksmith can make a key to a lock they don't have the original key to? You just bring the door handle/lockset to them, and they can do it from the pins.

Or if they want to change the key (for example, after someone's been fired or quit) they don't need an all-new barrel - they just move a few pins around and cut a new set of keys to the new pattern.

Proof you are 100% wrong per your request (5, Insightful)

Zero__Kelvin (151819) | more than 2 years ago | (#38824553)

Again, you don't know what security through obscurity [wikipedia.org] means. If the access to the code or other design that implements the security breaks it, then that is security through obscurity. All security relies on a secret known by one party, but unknown to others. This has absolutely nothing to do with security by obscurity.

Re:Proof you are 100% wrong per your request (-1, Troll)

Barbara, not Barbie (721478) | more than 2 years ago | (#38824941)

By your own definition the design in every case is flawed because it requires something be kept secret / obscure. So my statement stands.

Too many people believe that you can make something 100% secure, when that's been proven to be impossible in every case. If you can either break it, or prevent the people who are depend on it from using it, it's broken.

Doesn't matter how secure even your quantum-entangled communications channel is to 3rd-party decryption if, by interfering through the act of observing, no information is transmitted to anyone.

Re:Proof you are 100% wrong per your request (4, Insightful)

Zero__Kelvin (151819) | more than 2 years ago | (#38825105)

Do you have a problem reading and understanding the English language? While I appreciate your attempts to credit the definition as my own, it has been an accepted term in security circles for a long time, and I am not the one who came up with it. Nobody worth their salt ever said that 100% security can be achieved, and you are not saying anything that isn't obvious to even a security neophyte like yourself. What is known is that security through obscurity is not an effective method of achieving security, even in deference to the fact that nobody will ever achieve 100% security.

Re:Proof you are 100% wrong per your request (1)

AsmCoder8088 (745645) | more than 2 years ago | (#38825265)

Earlier you made the following statement:

Rule #3: All security is ultimately "security through obscurity."

That is what is under debate. Is it true that all security is "security through obscurity"? There is a difference between understanding how an encryption algorithm works (obscuring an algorithm), and knowing a particular key to decrypt ciphertext using that same algorithm (obscuring an input to that algorithm).

For instance, it is possible to understand how the Diffie-Hellman algorithm [wikipedia.org] works -- meaning it is not obscure -- and yet still be unable to decipher the contents of a message encrypted via that algorithm. In this example, as in many others, the workings of an encryption algorithm need not be obscure in order to be considered secure.

In the sense that algorithms rely on their inputs, such as private keys, to be kept hidden (obscure), you would be correct. But since the phrase "security through obscurity" typically refers to the algorithm, and not its inputs, it would be misleading to claim that all security is "security through obscurity".

Re:Proof you are 100% wrong per your request (1)

alreaud (2529304) | more than 2 years ago | (#38825311)

Operating a server that gets regularly attacked from all over the world, I can assure you that the breakage is only temporary at best. Case in point, the Anon attack on the DOJ website post-Megaupload fiasco. They were very successful in DDOS, but actually couldn't do shit to the servers to cause permanent damage.

To do that you have to administer the "kiss of death" as root. It's not as easy as lay people think to get root access if the individual setting it up knew what they were doing.

Re:Hrrm (1)

Mad Merlin (837387) | more than 2 years ago | (#38824789)

Your "contrary example" actually proves my point.

In fact, say I wanted to break into your house, I may have seen you use a physical key to open the front door and walk in and I may have even memorized the pattern of teeth on the key, but it does me no good if I don't have a key of my own to open the door with. There is certainly no obscurity in that security.

Once you have the pattern, you no longer need a key of your own - you just go and get one manufactured.

You contradict yourself. If you didn't need a key why would you go get one made? Furthermore, what ceases to be obscured through the process of taking your knowledge of the key's teeth and having a replica made? (Hint: nothing)

Re:Hrrm (1)

Barbara, not Barbie (721478) | more than 2 years ago | (#38824897)

The fact is that keys only work when the pin lengths are not known. You can also open a lock without the key (or any key) - just search for MIT Guide to Lock Picking.

Re:Hrrm (3, Interesting)

anonymov (1768712) | more than 2 years ago | (#38825241)

"The fact is private encryption keys only work when P and Q are not known. You can also decrypt the cyphertext without the key - just search for $5 wrench"

You're mistaking "secret", which is necessary part of every encryption scheme, with "obscurity", which is useful only in very specific circumstances.

Following your analogy, security by obscurity is making key duplication method secret and hiding the lock's inner working. Good security, on the other hand, is when you can't duplicate the key unless you snatch it from the owner and can't pick the lock even if you know how it's built.

Security by obscurity is useful only as a preliminary defense line to stall an attacker until he gathers enough information about your systems to begin a targeted attack.

Re:Hrrm (0)

dog77 (1005249) | more than 2 years ago | (#38824453)

There's also no such thing as 100% bug-free.

int main() { return 0; }

Re:Hrrm (2)

Carnildo (712617) | more than 2 years ago | (#38824495)

Have you vetted crt1.o for correctness?

Re:Hrrm (0)

Anonymous Coward | more than 2 years ago | (#38824671)

Do you trust your hardware?

Re:Hrrm (1)

Myria (562655) | more than 2 years ago | (#38825079)

Have you vetted crt1.o for correctness?

Fine.

mov eax, 1      ; i386 sys_exit: the int 0x80 ABI numbers exit as 1 (60 is umask there)
xor ebx, ebx    ; exit status 0
int 0x80        ; enter the kernel; never returns

Turtles all the way down (3, Insightful)

tepples (727027) | more than 2 years ago | (#38825115)

Have you vetted your x86 CPU vendor's microcode for correctness? How far down do the proverbial turtles go?

Re:Hrrm (1)

Mad Merlin (837387) | more than 2 years ago | (#38824757)

Your program didn't do what it was asked to. Why didn't it return an error code?

Re:Hrrm (1)

alreaud (2529304) | more than 2 years ago | (#38825335)

You forgot the header files too...;-)

Re:Hrrm (1)

LingNoi (1066278) | more than 2 years ago | (#38825391)

and if you compile it with a buggy compiler?

Re:Hrrm (1)

NeoMorphy (576507) | more than 2 years ago | (#38824845)

There's also no such thing as 100% bug-free.

What kind of attitude is that? /bin/true on Solaris looks bug free to me.

Re:Hrrm (0)

Anonymous Coward | more than 2 years ago | (#38823953)

If someone is in a position to run a local exploit, aren't you pretty much fucked anyways?

no, ur wrong

Not completely. (0)

Anonymous Coward | more than 2 years ago | (#38824397)

Believe it or not there are still machines where you can get a shell account, and
hence try a local exploit. Plus exploits kind of multiply their power. Remote
unprivileged execution + local root exploit = remote root exploit.

Remember local access isn't the same as physical access (in which case without
special hardware locks you ARE f**ked.).

Re:Hrrm (1)

LingNoi (1066278) | more than 2 years ago | (#38825219)

I could see a few ways to do it..

- Linux games are becoming more popular
- A poorly coded script on a webserver that lets you upload and execute a file

Don't worry (1)

spidercoz (947220) | more than 2 years ago | (#38823399)

It'll be fixed tomorrow

Re:Don't worry (0)

Anonymous Coward | more than 2 years ago | (#38823411)

It'll be fixed tomorrow

Yeah. Fixed by the cracker who used an app flaw to gain local access, then this one to escalate to root, then patched the system to prevent others from doing the same.

Local exploit? (0)

present_arms (848116) | more than 2 years ago | (#38823437)

so someone has to be sitting in front of the boxen to exploit the exploit, why not just init 1? Serious question :)

Re:Local exploit? (0)

Anonymous Coward | more than 2 years ago | (#38823463)

no, they just have to have a user account on that machine.

Re:Local exploit? (5, Informative)

Lumpio- (986581) | more than 2 years ago | (#38823483)

A weak SSH user account/PHP script/whatever + local privilege escalation = instant remote root

Re:Local exploit? (2)

present_arms (848116) | more than 2 years ago | (#38823597)

Fair enough, I guess I learn something new every day :)

Re:Local exploit? (1)

Anonymous Coward | more than 2 years ago | (#38823489)

a) Someone just has to have a non-privileged (i.e. non-root) account, not local console access.
b) Changing run-level requires privileged access, that's why not.

All of the machines I manage are O.K: we haven't installed anything newer than 2.6.38 yet anyway.

Reboot into single-user mode (1)

tepples (727027) | more than 2 years ago | (#38825165)

I think present_arms's point is that local console access involves access to the big red switch and the bootloader, which on a PC-type system can be used to gain root by booting into single-user mode [debuntu.org].

Re:Local exploit? (1)

gl4ss (559668) | more than 2 years ago | (#38823505)

so someone has to be sitting in front of the boxen to exploit the exploit, why not just init 1? Serious question :)

"local" in this context usually means having a shell on the target machine - or a similar way to upload and execute what you wish (and escalating privileges means that you escalate from "normal user who can't do shit" to something else, in this case root).

Re:Local exploit? (2)

guabah (968691) | more than 2 years ago | (#38823585)

Assuming that by local they mean shell access, init 1 would disconnect you from ssh.

Re:Local exploit? (5, Funny)

BasilBrush (643681) | more than 2 years ago | (#38824005)

so someone has to be sitting in front of the boxen to exploit the exploit, why not just init 1?

Or they could use axen to destroy the boxen. Or set some foxen on them to tear them to pieces. Or they could fill the boxen with melted waxen. Or bury them in faxen. This exploit is usable by people of both sexen, so long as they pay their taxen.

Re:Local exploit? (0)

Anonymous Coward | more than 2 years ago | (#38824171)

Except that your made-up words don't rhyme with oxen.

I could make fun of this guy all day. He doesn't even know I'm here!

VAXen (1)

tepples (727027) | more than 2 years ago | (#38825167)

Some of them rhyme with VAXen [jargon.net] though.

Re:Local exploit? (0)

Anonymous Coward | more than 2 years ago | (#38824785)

so someone has to be sitting in front of the boxen to exploit the exploit, why not just init 1?

Or they could use axen to destroy the boxen. Or set some foxen on them to tear them to pieces. Or they could fill the boxen with melted waxen. Or bury them in faxen. This exploit is usable by people of both sexen, so long as they pay their taxen.

And I throw up a little in my mouth whenever somebody says or writes "boxen."

Re:Local exploit? (1)

Zero__Kelvin (151819) | more than 2 years ago | (#38824581)

They don't have to be in front of the box, but even if they are the bootloader and BIOS might be locked down and they might have only non-privileged access to the OS.

We all call for it! UAC for Linux! (0)

fluor2 (242824) | more than 2 years ago | (#38823493)

Start programming, Linus!

Re:We all call for it! UAC for Linux! (1)

Culture20 (968837) | more than 2 years ago | (#38823811)

sudo and selinux/apparmor. done.

lol.. (-1)

Anonymous Coward | more than 2 years ago | (#38824257)

Yes.. that's how much UNIX design sucks and lags behind NT. While NT has always had superior fine-grained process security descriptors.. the UNIX shitty design had to create more bolted-on shit into an even more shitty monolithic kernel with spaghetti dependencies and no clear kernel ABI.

UAC has nothing to do with sudo or apparmour (also GP is a moron for even bringing it up). All those things have been present in NT for about 20 years since the first version came out. Its embarrassing that the NSA had to come out and say.. dude your OS kinda sucks and create a new security layer for it (which is still broken) just to bring it on par with NT.

Re:lol.. (1)

alreaud (2529304) | more than 2 years ago | (#38825423)

LOL indeed! Last I remember of NT was a very cantankerous beast that wouldn't fucking run anything correctly but ecosystem programs.

"Windows NT is a family of operating systems produced by Microsoft, the first version of which was released in July 1993. It was a powerful high-level-language-based, processor-independent, multiprocessing, multiuser operating system with features comparable to Unix "
http://en.wikipedia.org/wiki/Windows_NT [wikipedia.org]

Try a bigger worm on the hook, please...;-)

Re:We all call for it! UAC for Linux! (0)

Anonymous Coward | more than 2 years ago | (#38824345)

sudo and selinux/apparmor. done.

It didn't work. I think I'm missing something from my Linux box.

sudo: and: command not found

Any hints?

Link to more info (5, Informative)

milbournosphere (1273186) | more than 2 years ago | (#38823511)

It's a geekier breakdown, but is quite informative.

http://blog.zx2c4.com/749

Gets into the memory specifics of the bug. I found it to be far better than the actual article.

Re:Link to more info (1)

c++0xFF (1758032) | more than 2 years ago | (#38823915)

Thank you! I was browsing through Linus's patch and couldn't make heads or tails of it.

That and I couldn't help noticing that he got rid of a bunch of goto statements while he was at it. At least these gotos were actually used for error handling...

goto (0)

Anonymous Coward | more than 2 years ago | (#38823573)

And we killed 8 goto's along the way.
Nice work folks. ;)

Debian (mostly) not affected (5, Informative)

Trogre (513942) | more than 2 years ago | (#38823769)

Since this bug was introduced in Linux 2.6.39, Debian Stable (squeeze, Linux 2.6.32) is not affected. Unstable (sid, Linux 3.1) has already been patched, though Testing (wheezy) is still vulnerable.

More information here [debian.org]

Re:Debian (mostly) not affected (1)

IpalindromeI (515070) | more than 2 years ago | (#38824597)

I've been looking around but haven't found any information on when the fix might migrate into Testing. Any idea?

/proc/pid/mem is an interface for reading and ... (-1)

Anonymous Coward | more than 2 years ago | (#38823897)

/proc/pid/mem is an interface for reading and writing, directly, process memory by seeking around with the same addresses as the process’s virtual memory space.

Seriously, WHAT THE FUCK?

What absolutely fucking stupid moron came up with this idea? This is beyond retarded and the reason why Linux' code is nothing but a spaghetti mess - no design, no forethought, just code away like in good old BASIC times.

Re:/proc/pid/mem is an interface for reading and . (0)

Anonymous Coward | more than 2 years ago | (#38824215)

Go to bed, bonch.

Re:/proc/pid/mem is an interface for reading and . (1)

LordThyGod (1465887) | more than 2 years ago | (#38824493)

It only seems that way to the miserably uninformed. Relax. Smoke something.

Simple explanation (5, Informative)

Chemisor (97276) | more than 2 years ago | (#38824241)

There is /proc/pid/mem, a pseudofile referring to the memory of process pid. It has 0600 permissions so you can't write to the memory of other users' processes. The bug occurs when you exec an suid executable and the kernel does not change open fds for /proc/pid/mem. This way, you can open mem, dup it to stderr, and exec su with a garbage parameter. su will duly print an error, quoting the offending parameter, writing to its process memory. With a properly selected shellcode you can get root.
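
The two comments above (the description of /proc/pid/mem as a seekable read/write view of a process's memory, and the step-by-step explanation of how an open mem fd survives the exec of an suid binary) describe an ordering a monitoring tool can look for: a non-root process opens a `/proc/<pid>/mem` file and shortly afterwards execs a setuid binary such as `su`. The script below is an added detection example, not code from the thread or from any of the projects it mentions. The event lines it parses are constructed for the example in a simplified, invented format (`<ts> pid=<n> uid=<n> <syscall> <path>`), not real auditd output, and the set of setuid binaries is an assumption you would replace with the list for your own systems.

```python
"""
Added example (not from the thread): correlate, per process, an open() of a
/proc/<pid>/mem file with a later execve() of a setuid binary by that same
process. The event format is CONSTRUCTED for this example and is not auditd's.
"""
import re
from collections import defaultdict

# Constructed sample events (not a real capture):
#   pid 4242 opens its own mem file and then execs su  -> should alert
#   pid 5000 opens a mem file and then execs gdb       -> debugger-like, no alert
#   pid 6000 execs su without touching any mem file    -> ordinary su, no alert
SAMPLE_EVENTS = """\
1327300001 pid=4242 uid=1000 open /proc/4242/mem
1327300002 pid=5000 uid=1000 open /proc/5000/mem
1327300003 pid=4242 uid=1000 execve /bin/su
1327300004 pid=6000 uid=1000 execve /bin/su
1327300005 pid=5000 uid=1000 execve /usr/bin/gdb
"""

# Assumed list of commonly setuid-root binaries; the thread's example uses su.
SETUID_BINARIES = {"/bin/su", "/usr/bin/su", "/usr/bin/sudo", "/usr/bin/passwd"}

EVENT_RE = re.compile(
    r"^(?P<ts>\d+) pid=(?P<pid>\d+) uid=(?P<uid>\d+) (?P<syscall>\w+) (?P<path>\S+)$"
)
MEM_RE = re.compile(r"^/proc/(\d+|self)/mem$")


def parse_events(text):
    """Parse the constructed event format into dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        events.append({
            "ts": int(d["ts"]),
            "pid": int(d["pid"]),
            "uid": int(d["uid"]),
            "syscall": d["syscall"],
            "path": d["path"],
        })
    return events


def find_mem_then_setuid_exec(events, window=60):
    """Return (pid, uid, mem_path, exec_path) tuples for every non-root process
    that opened a /proc/<pid>/mem file and, within `window` seconds, execve'd a
    setuid binary. That ordering is what the explanation in the thread relies
    on: the open fd is not revoked across the exec on an unpatched kernel."""
    open_mem = defaultdict(list)  # pid -> list of (ts, mem path)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["syscall"] == "open" and MEM_RE.match(ev["path"]):
            open_mem[ev["pid"]].append((ev["ts"], ev["path"]))
        elif (ev["syscall"] == "execve"
              and ev["path"] in SETUID_BINARIES
              and ev["uid"] != 0):
            for ts, mem_path in open_mem.get(ev["pid"], []):
                if 0 <= ev["ts"] - ts <= window:
                    alerts.append((ev["pid"], ev["uid"], mem_path, ev["path"]))
                    break
    return alerts


def main():
    for alert in find_mem_then_setuid_exec(parse_events(SAMPLE_EVENTS)):
        print("ALERT: pid=%d uid=%d opened %s then exec'd %s" % alert)


if __name__ == "__main__":
    main()
```

The rule deliberately keys on the process that opened the mem file being the same one that execs the setuid binary, since that is the only case where the open descriptor is inherited by the privileged image; a debugger that opens another process's mem and never execs anything does not trigger it. The time window and the setuid list are the two knobs to tune for a real deployment.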

First thought... (1, Troll)

scot4875 (542869) | more than 2 years ago | (#38824409)

My first thought is that this is a perfect example of why Linux fanbois should pay more attention to the speck of dust in their eye than the logs stuck in Windows' and OSX's eyes.

Err, at least I think that's how the saying goes.

--Jeremy

Re:First thought... (0)

Anonymous Coward | more than 2 years ago | (#38824603)

Remote exploits are regularly patched on Windows systems, even Windows 7. The patch notes are, in black and white, quite descriptive and often comment that the exploit being patched could previously be used to take control over the system.

Linux and BSD, by comparison, do not have the same amount of remote exploit patches.

Re:First thought... (2)

LingNoi (1066278) | more than 2 years ago | (#38825413)

Look everyone, yet another OS war on linux exploit news, how original!
