
Kernel Exploit Cause Of Debian Compromise

simoniker posted more than 10 years ago | from the slightly-disturbing dept.


mbanck writes "The cause of the recent Debian Project server compromise has been published by the Debian security team: 'Forensics revealed a burneye encrypted exploit. Robert van der Meulen managed to decrypt the binary which revealed a kernel exploit. Study of the exploit by the RedHat and SuSE kernel and security teams quickly revealed that the exploit used an integer overflow in the brk system call. Using this bug it is possible for a userland program to trick the kernel into giving access to the full kernel address space'. This issue has been fixed in 2.4.23. Thus, the Linux kernel compromise was not Debian specific."


673 comments


A shift of focus (4, Interesting)

chrysalis (50680) | more than 10 years ago | (#7602876)

It's fun to see how security research shifted from applications to kernels lately.

Re:A shift of focus tsarkon reports (-1, Troll)

Anonymous Coward | more than 10 years ago | (#7603010)

Yes. You see, fucking lame shit rickety fucked trash like Lin-sux copyright Faggus Linus Fuckvalds sucked dick. Fuck you. I'm glad you fucks get burned using this trash. Fuck you.

9 steps to greasing your anus for Yoda Doll Insertion!
v 3.95.0
$YodaBSD: src/release/doc/en_US.ISO8859-1/yodanotes/9steppro cess.sgml,v 3.95.0 2003/12/01 13:25:25 tsarkon Exp $

  1. Defecate. Preferably after eating senna, ex lax, prunes, cabbage, pickled eggs, and Vietnamese chili garlic sauce. Defecation could be performed in the Return of the Jedi wastebasket for added pleasure. [homestead.com]
  2. Wipe ass with witch hazel, soothes horrific burns. (Rob "CmdrTaco" Malda can use witch-hazel on mouth to soothe the horrific burns from performing so much analingus.)
  3. Prime anus with anal ease. [dimout.com] (Now Cherry Flavored for those butthole lick-o-phillic amongst you - very popular with 99% of the Slashdotting public!)
  4. Slather richly a considerable amount of Vaseline and/or other anal lubricants into your rectum at least until the bend and also take your Yoda Doll [starwars-rpg.net] , Yoda Shampoo bottle [homestead.com] or Yoda soap-on-a-rope [homestead.com] and liberally apply the lubricants to the Doll/Shampoo/Soap-on-a-rope.
  5. Pucker your balloon knot several times actuating the sphincter muscle in order to work it in.
  6. Put a nigger do-rag [firstlinemfg.com] on Yoda's head so the ears don't stick out like daggers!
  7. Make sure to have a mechanism by which to fish Yoda out of your rectum, the soap on the rope is especially useful because the retrieval mechanism is built in. [homestead.com]
  8. Slowly rest yourself onto your Yoda figurine. Be careful, he's big! [starwars-rpg.net]
  9. Gyrate gleefully in your computer chair while your fat sexless geek nerd loser fat shit self enjoys the prostate massage you'll be getting. Think about snoodling [urbandictionary.com] with the Sarlaac pit. Read Slashdot. Masturbate to anime. Email one of the editors hoping they will honor you with a reply. Join several more dating services - this time, you don't check the (desired - speaks English) and (desired - literate). You figure you might get a chance then. Order some fucking crap from Think Geek. Get Linux to boot on a Black and Decker Appliance. Wish you could afford a new computer. Argue that IDE is better than SCSI because you can't afford SCSI. Make claims about how Linux rules. Compile a kernel on your 486SX. Claim to hate Windows but use it for Everquest. Admire Ghyslain's courage in making that wonderful star wars movie. Officially convert to the Jedi religion. Talk about how cool Mega Tokyo is. Try and make sure you do your regular 50 story submissions to Slashdot, all of which get rejected because people who aren't fatter than CowboyNeal can't submit. Fondle shrimpy penis while making a Yoda voice and saying, use the force [toysrgus.com] , padawan, feeel the foooorce [toysrgus.com] , hurgm. Yes. Yes. When 900 years you reach [lemonparty.org] , a dick half as big you will not have. [toysrgus.com]
All in a days work with a Yoda figurine rammed up your ass.

I HAVE A GREASED UP YODA DOLL SHOVED UP MY ASS!

GO LINUX!!

Tux is the result after trimming Yoda's ears off so that Lunix people don't rip themselves a new Asshole

What you can do with you ass after sitting on a GREASED UP YODA DOLL. [theadultpress.com]


- Ground Control to Yoda Doll - Ground Control to Yoda Doll - Take your ass grease pills and put your helmet on - Ground Control to Yoda Doll - Commencing countdown, engines on - Check ignition and may God's love shove up you - Ten, Nine, Eight, Seven, Six, Five, Four, Three, Two, One, Shove Up - This is Ground Control to Yoda Doll - You've really made the grade - And the papers want to know whose butts you tear - Now it's time to leave the suppository if you dare - This is Yoda Doll to Ground Control - I'm stepping through the door - And I'm stinking in a most peculiar way - And the ass look very different today - For here am I sitting in an ass can - Far inside the butt - My face is turning blue - And there's nothing I can do - Though I'm past one hundred thousand bowels - I'm feeling very still - And I think my buttship knows which way to go - Tell my wife I ream her very much, she knows" - Ground Control to Yoda Doll - Your circuit's dead, there's something wrong - Can you hear me, Yoda Doll? - Can you hear me, Yoda Doll? - Can you hear me, Yoda Doll? - Can you....- Here am I floating in my ass can - Far inside his Moon - My face is turning blue - And there's nothing I can do.

I pledge Allegiance to the Doll
of the Greased Up States of Yodarica
and to the Republic for which it shoves,
one nation under Yoda, rectal intrusion,
with anal lube and ass grease for all.


hello.mpeg lyrics.
I'm doin' this tonight ,
You're probably gonna start a fight .
I know this can't be right .
Hey baby come on,
I loved you endlessly ,
When you weren't there for me.
So now it's time to leave and make it alone .
I know that I can't take no more
It ain't no lie
I wanna see you out that door
Baby , bye, bye, bye...

A picture of your ass after YODA. [bmezine.com]

Re:A shift of focus (5, Funny)

Anonymous Coward | more than 10 years ago | (#7603106)


It's fun to see how security research shifted from applications to kernels lately.

Fun!? You must be Klingon.

Re:A shift of focus (5, Informative)

pclminion (145572) | more than 10 years ago | (#7603125)

The "nice" thing about kernel exploits (from a cracker's perspective, of course), is that it doesn't matter what sort of userland software is running on the machine -- if you can get local access, by whatever means, it is very easy to boost yourself to root.

Traditional local root exploits are all based on overflowing a setuid application or server. But if the box doesn't have any vulnerable apps installed, the attacker is SOL. However, if the kernel itself is exploitable, it no longer matters whether those setuid programs are present. All you need is to somehow acquire local access, and wham, you are root.

To summarize, kernel exploits are very convenient for turning local user account compromises into full-blown root compromises.

My my my, yet another Linux bug. (0, Flamebait)

Anonymous Coward | more than 10 years ago | (#7603194)

And they call Windows unsecure. How does crow taste, Slashdot?

Re:A shift of focus (0)

Anonymous Coward | more than 10 years ago | (#7603202)

psst, there are (current) pureftpd exploits. (re:sig)

Breaking News: DH RUNKAREN (-1)

Captain Goatse (715400) | more than 10 years ago | (#7602877)

NewsForNerds reports: "A teenager at the massive swedish LAN party DreamHack [dreamhack.org] was recently caught masturbating on video. The video can be seen at the website Fiskpinne.com [fiskpinne.com] , feel free to enjoy it. The video was shown on the big screen for all the 3000 visitors after it was recorded.

Parody Flash movies in the spirit of Badger [badgerbadgerbadger.com] have already been created: Bavern Runkar [amghost.com] . Do not miss out on them or you might miss the next new Big Thing(tm) on the Interweb Computer Screen(tm).

The culprit obviously tried to hide his actions by pulling his sleeping bag up, but no one could have missed his atrocious deeds.

The teenager, also known as Bavern, was watching something that looked like gay porn, according to witnesses. You can clearly see a man swiftly stroking his huge penis in the movie. Bavern rewound the porn movie at that moment to catch it again. There are two groups of people right now, anti-masturbation christian heroes and filthy ring-loving hobbitses.

The police comments: 'The video can not be mistaken, this boy will be raped in the ass for the next 5 years. Public masturbation is a serious crime.'."


So, kids, what did we just learn from this? Never masturbate if all you have is a sleeping bag. Just go to the glory holes in the bathroom instead.

Notes for non-Swedish people(write it down, it might come in handy later on in your life):
Runka - Masturbate
Baver - Beaver

Mods, do you EVEN READ the trolls?!!! (-1, Troll)

Anonymous Coward | more than 10 years ago | (#7603149)

"There are two groups of people right now, anti-masturbation christian heroes and filthy ring-loving hobbitses."

Obviously this poor fellow's troll has been subverted!

Shows the dangers of C (4, Funny)

Anonymous Coward | more than 10 years ago | (#7602897)

If the kernel was coded in visual basic, this wouldn't be happening.

Re:Shows the dangers of C (0, Redundant)

Anonymous Coward | more than 10 years ago | (#7602926)

You moron. Should have been done in Java.

Re:Shows the dangers of C (2, Redundant)

Cro Magnon (467622) | more than 10 years ago | (#7602929)

If the kernel was coded in visual basic, this wouldn't be happening.


Get real! Everyone knows kernels should be coded in COBOL!

Re:Shows the dangers of C (0, Redundant)

Anonymous Coward | more than 10 years ago | (#7602952)

If this was coded in visual basic we'd have a lot more to be worried about

Re:Shows the dangers of C (-1, Redundant)

earlytime (15364) | more than 10 years ago | (#7602956)

You are absolutely correct. If the kernel was coded in vb, this wouldn't be happening because the kernel would suck, and it would need win32.dll to crash properly.

Re:Shows the dangers of C (1)

gnu-generation-one (717590) | more than 10 years ago | (#7602964)

Congratulations to the debian team.

Well then they'd better get some help (5, Funny)

Hal The Computer (674045) | more than 10 years ago | (#7603000)

CLIPPY:
You appear to be trying to write a kernel. Do you want to:
  • Automatically make sure the Visual Basic DLL is included in your program?
  • Answer some questions and have me generate a nice Windows kernel for you?
  • Straighten me, and turn me into a very attractive piece of modern art?

Re:Shows the dangers of C (5, Funny)

stefanlasiewski (63134) | more than 10 years ago | (#7603026)

By 'this' do you mean the exploit wouldn't be happening? Or the Kernel?

Re:Shows the dangers of C (1)

the_2nd_coming (444906) | more than 10 years ago | (#7603232)

Yes, it shows the dangers of C, so they should code the kernel in Ada; no way to get a buffer overflow in there.

what kind of person... (5, Funny)

potpie (706881) | more than 10 years ago | (#7602906)

What kind of person spends that much time trying to find exploits in operating system kernels? Likewise, why do I spend so much time on www.thinkgeek.com/fortune.shtml? We are a sad people.

Re:what kind of person... (1)

Mr Smidge (668120) | more than 10 years ago | (#7602951)

*Who* doesn't particularly matter that much - even though there was sorry news at first, I (and I'm sure the kernel team too) are happier to hear another exploit has been found and nailed. It's just annoying that this time round there was a compromise involved.

Re:what kind of person... (3, Informative)

Smallpond (221300) | more than 10 years ago | (#7603123)

What kind of person?
spammers [bbc.co.uk]

People who expect to make money by hacking systems and using them to send millions of unsolicited emails.

Re:what kind of person... (2, Insightful)

vadim_t (324782) | more than 10 years ago | (#7603199)

Oh, I am sure that there are very few people who really sit down and think "Hmm... how could I find an exploit in the kernel?". I think it's much more likely that it's some fairly normal programmer, working on something completely unrelated who one day makes a call the wrong way and finds that it crashes the kernel. And there comes the choice, to be a nice guy and send a mail to LKML, or to check that nobody seems to have noticed it yet and use it to break into some interesting place?

Oh... (1, Funny)

Anonymous Coward | more than 10 years ago | (#7602909)

Fark. This seems to be a local exploit though. Who's the naughty one that did it? We can't have rogue members in our proud Debian society now, can we? Come on, take it like a man.

Userland exploits (5, Funny)

Hayzeus (596826) | more than 10 years ago | (#7602923)

The evidence mounts: users should be eliminated.

Yup (4, Funny)

ENOENT (25325) | more than 10 years ago | (#7602973)

Just like Nancy Reagan said: Users are Losers.

AKA Lusers (0)

Anonymous Coward | more than 10 years ago | (#7603057)

As the BOFH would say.

Re:Yup (1)

The One KEA (707661) | more than 10 years ago | (#7603219)

That's lusers, L-U-S-E-R-S.

Re:Userland exploits (4, Insightful)

Anonymous Coward | more than 10 years ago | (#7603005)

No really, a user account is as good as root on almost all systems. If you need security, don't have user accounts on the system.

Hmm, Methinks I've Heard this theme before (1)

Hal The Computer (674045) | more than 10 years ago | (#7603077)

You mean the machines will try to take over from the humans?

* The Matrix (V1.0 - V3.0)
* Terminator (V1.0 - V3.0)
* Several million others that I missed, which courteous slashdotters will point out.

Re:Hmm, Methinks I've Heard this theme before (5, Funny)

RetroGeek (206522) | more than 10 years ago | (#7603182)

Several million others that I missed, which courteous slashdotters will point out.

I'm sorry Dave, I can't do that...

Hurray for the Debian Security Team! (2, Informative)

pegr (46683) | more than 10 years ago | (#7602925)

And thus, a previously unknown kernel exploit is discovered and patched! (Now how many more exist?)

Hats off to the Debian Security Team.

Re:Hurray for the Debian Security Team! (2, Funny)

isaac338 (705434) | more than 10 years ago | (#7602960)

It obviously was known previously, as whoever cracked the Debian servers must have known about it.

Re:Hurray for the Debian Security Team! (-1, Troll)

Anonymous Coward | more than 10 years ago | (#7602975)

Read the god damn article you freaking stupid ass. This was known and was already fixed in both 2.4 and 2.6 they were running an older kernel. DIE FOOL DIE

Re:Hurray for the Debian Security Team! (3, Insightful)

__past__ (542467) | more than 10 years ago | (#7602978)

Hats off to the Debian Security Team.

And to the RedHat and SuSE security teams for helping them to track it down. In other words, hats off to the whole Free Software Community for collaborating when disaster strikes.

Re:Hurray for the Debian Security Team! (2, Informative)

Feyr (449684) | more than 10 years ago | (#7602980)

actually, the exploit was known (found by andrew morton) but didn't make it to 2.4.22 in time. RTA

Re:Hurray for the Debian Security Team! (5, Informative)

Troed (102527) | more than 10 years ago | (#7602992)

The bug had been found by Andrew Morton before, and was already fixed in 2.4.23. Thus, it wasn't unknown. It might even be because it was known that it was exploited as well, I assume.

Quoting the Bugtraq post:

This problem was found in September by Andrew Morton, but unfortunately that was too late for the 2.4.22 kernel release.

Re:Hurray for the Debian Security Team! (2, Informative)

Pros_n_Cons (535669) | more than 10 years ago | (#7603004)

And thus, a previously unknown kernel exploit is discovered and patched! (Now how many more exist?) Hats off to the Debian Security Team.

from the article: "This problem was found in September by Andrew Morton, but unfortunately that was too late for the 2.4.22 kernel release." Good work by the Debian team in catching it before REAL problems ensued.
Hats off to Redhat and SuSe for reversing the code.

Re:Hurray for the Debian Security Team! (0)

Anonymous Coward | more than 10 years ago | (#7603156)

Well, it's not clear on this point. Just because the bug was found and fixed, they may not have known that it was exploitable. Maybe we have a sophisticated hacker (in both the media and geek sense of the word) keeping an eye on kernel patches?

It's been known since September (1)

enosys (705759) | more than 10 years ago | (#7603053)

Did you actually read what the Debian Security Team said [debian.org] ?

This problem was found in September by Andrew Morton, but unfortunately that was too late for the 2.4.22 kernel release. This bug has been fixed in kernel version 2.4.23 for the 2.4 tree and 2.6.0-test6 kernel tree.

So the exploit was known for a long time, and the next kernel version, 2.4.23, came out on 2003-11-28! This is dangerous. They shouldn't wait for the next kernel version to release a security-related patch.

Re:It's been known since September (0)

Anonymous Coward | more than 10 years ago | (#7603134)

Well, it's not clear on this point. Just because the bug was found and fixed, they may not have known that it was exploitable. Maybe we have a sophisticated hacker (in the media and geek sense of the word) keeping an eye on kernel patches?

Re:It's been known since September (1)

mbanck (230137) | more than 10 years ago | (#7603147)

So the exploit was known for a long time, and the next kernel version, 2.4.23, came out on 2003-11-28! This is dangerous.

Well, the issue was known for a long time, but apparently nobody thought it was exploitable until now. This is still very much on the edge of bug-handling by Linux upstream I guess.

Michael

Re:It's been known since September (1)

RedHat Rocky (94208) | more than 10 years ago | (#7603201)

I'm assuming (haven't checked) that the corrective patch was small, so one could have back-ported the fix to 2.4.22 safely.

A lot of work, granted, but not out of the realm of possibility.

Re:Hurray for the Debian Security Team! (0)

Anonymous Coward | more than 10 years ago | (#7603073)


I wonder how many exploits there are in a closed source, illegally maintained, unethically obtained operating system?

Re:Hurray for the Debian Security Team! (-1, Troll)

Anonymous Coward | more than 10 years ago | (#7603094)

Which would be really cool if the Debian Security Team actually discovered the vulnerability. Stupid fucker.

to you "Thank goodness I use Windows" peeps (-1, Flamebait)

Anonymous Coward | more than 10 years ago | (#7602931)

are you sure you want to admit that in public?

How did they get in to run a userspace util? (1)

SuperBanana (662181) | more than 10 years ago | (#7602935)

Using this bug it is possible for a userland program to trick the kernel into giving access to the full kernel address space'. This issue has been fixed in 2.4.23. Thus, the Linux kernel compromise was not Debian specific

That still doesn't get you into the box; you still need to run something in userspace, and thus I think claiming (based solely upon the evidence presented in the /. story) that the compromise was not Debian specific is premature. Has it been established how access was obtained into the machine in the first place?

Re:How did they get in to run a userspace util? (2, Informative)

PPGMD (679725) | more than 10 years ago | (#7602950)

I believe an earlier article said that it appeared that he sniffed a password to the box.

RTFA (5, Informative)

Stradenko (160417) | more than 10 years ago | (#7602954)

Recently multiple servers of the Debian project were compromised using a Debian developers account and an unknown root exploit. Forensics revealed a burneye encrypted exploit. Robert van der Meulen managed to decrypt the binary which revealed a kernel exploit. Study of the exploit by the RedHat and SuSE kernel and security teams quickly revealed that the exploit used an integer overflow in the brk system call. Using this bug it is possible for a userland program to trick the kernel into giving access to the full kernel address space. This problem was found in September by Andrew Morton, but unfortunately that was too late for the 2.4.22 kernel release.

This bug has been fixed in kernel version 2.4.23 for the 2.4 tree and 2.6.0-test6 kernel tree. For Debian it has been fixed in version 2.4.18-12 of the kernel source packages, version 2.4.18-14 of the i386 kernel images and version 2.4.18-11 of the alpha kernel images.
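The class of check the advisory describes, modelled in user space as an added example (not the kernel's code, and not taken from the Debian or Bugtraq posts): a bounds test written as `addr + len <= limit` silently passes when the sum wraps around, shown beside a form that cannot overflow. `FAKE_TASK_SIZE` and the function names are constructed for the example.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-in for the boundary between user and kernel
 * address space (hypothetical constant, not a value from any kernel). */
#define FAKE_TASK_SIZE 0xC0000000UL

/* Weak check: computes the end of the requested range first and only
 * then compares it.  Because addr + len is evaluated in modular
 * arithmetic, a large len wraps the sum around to a small number and
 * the request passes even though it would cover everything above addr,
 * including the region the limit was meant to protect. */
bool range_ok_unsafe(unsigned long addr, unsigned long len)
{
    unsigned long end = addr + len;       /* may wrap around */
    return end <= FAKE_TASK_SIZE;
}

/* Hardened check: never form a sum that can overflow.  First make sure
 * the start itself is below the limit, then compare len against the
 * room that is left; both operands are already known to be in range,
 * so the subtraction cannot wrap. */
bool range_ok_safe(unsigned long addr, unsigned long len)
{
    if (addr > FAKE_TASK_SIZE)
        return false;
    if (len > FAKE_TASK_SIZE - addr)
        return false;
    return true;
}

/* Returns 1 when the weak and hardened checks disagree on a request,
 * i.e. when the weak check would have accepted a wrapped range. */
int checks_disagree(unsigned long addr, unsigned long len)
{
    return range_ok_unsafe(addr, len) != range_ok_safe(addr, len);
}

int main(void)
{
    /* Constructed requests: an ordinary one, an oversized one, and one
     * whose length is chosen so that addr + len wraps past zero. */
    unsigned long addr = 0x08000000UL;
    unsigned long normal = 0x1000UL;
    unsigned long huge = FAKE_TASK_SIZE;
    unsigned long wrap = ULONG_MAX - addr + 0x1000UL;

    printf("normal: unsafe=%d safe=%d\n",
           range_ok_unsafe(addr, normal), range_ok_safe(addr, normal));
    printf("huge:   unsafe=%d safe=%d\n",
           range_ok_unsafe(addr, huge), range_ok_safe(addr, huge));
    printf("wrap:   unsafe=%d safe=%d\n",
           range_ok_unsafe(addr, wrap), range_ok_safe(addr, wrap));
    return 0;
}
```

The third request is the interesting one: the weak check accepts it because the wrapped end lands near zero, while the hardened check rejects it.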

Re:How did they get in to run a userspace util? (1)

krbvroc1 (725200) | more than 10 years ago | (#7603069)

That still doesn't get you into the box; you still need to run something in userspace

However, I'm not sure you really need to be logged into the box. After all, the 'apache/httpd' process runs in userspace (as user nobody)? So technically it could even happen remotely. Kudos to them fixing it rapidly and of course the fix/lesson learned is public (unlike other OS vendors) and immediate. However, getting everyone to update their kernel to 2.4.23 is not easy and is the same hurdle other vendors go through when they release fixes.

Re:How did they get in to run a userspace util? (2, Insightful)

Stradenko (160417) | more than 10 years ago | (#7603138)

There would then need to be a vulnerability in apache/httpd to allow a user to execute arbitrary code.

OMG (-1, Flamebait)

Anonymous Coward | more than 10 years ago | (#7602955)

thank goodness i run windows and not linux...kernel exploit!!! oh the horrors!!!

How does this compare... (2, Insightful)

IamGarageGuy 2 (687655) | more than 10 years ago | (#7602966)

to the Windows hole found the other day. Has anybody heard if that was fixed yet (not sure if it has been 48 hours yet)? Technically this hole was fixed before it was found. It looks like another win for open source.

Re:How does this compare... (3, Insightful)

Evil Adrian (253301) | more than 10 years ago | (#7603032)

It doesn't compare, because most Slashdot users won't be making a huge stink about it the way they would with a Microsoft hole.

Re:How does this compare... (0)

Anonymous Coward | more than 10 years ago | (#7603130)

> Technically this hole was fixed before it was found. It looks like another win for open source.

But practically the hole wasn't fixed in the majority of running kernels; it was patched only in the most recently released kernel. It looks like a loss for open source to me.

Kernel security holes should be patched Right Now, not simply folded in as an ordinary kernel patch (that can be delayed, if needed for scheduling purposes).

Re:How does this compare... (1)

NanoGator (522640) | more than 10 years ago | (#7603152)

"How does this compare... to the Windows hole found the other day."

This story is about how great the Open Source Community is for fixing an exploit. The Microsoft story was about how incompetent Microsoft is for having an exploit.

Re:How does this compare... (3, Insightful)

EverDense (575518) | more than 10 years ago | (#7603209)

This story is about how great the Open Source Community is for fixing an exploit. The Microsoft story was about how incompetent Microsoft is for having an exploit.

Actually the Windows story was about how Microsoft had not patched an exploit they had known about for months.

This Linux exploit had ALREADY been patched.

Re:How does this compare... (1)

spells (203251) | more than 10 years ago | (#7603178)

I hope you're joking (couldn't tell) since, according to the article, this bug was discovered in September.

Re:How does this compare... (1)

jazman_777 (44742) | more than 10 years ago | (#7603197)

to the Windows hole found the other day. Has anybody heard if that was fixed yet (not sure if it has been 48 hours yet)? Technically this hole was fixed before it was found. It looks like another win for open source.

Microsoft PR: "This was a known exploit and was already fixed for the next patch release for tomorrow, uh, no, make that next week, yeah, next week!"

Bang goes everyone's uptimes... (2, Funny)

Anonymous Coward | more than 10 years ago | (#7602969)

yup... this'll make ms-windows look good on the uptime front for at least a week...

Will redhat provide an rpm??? (4, Interesting)

cybrthng (22291) | more than 10 years ago | (#7602971)

Just wondering if they will still support us lowly 7.3 and 8.0 users anymore with a fix for this.

Re:Will redhat provide an rpm??? (1)

Short Circuit (52384) | more than 10 years ago | (#7603035)

Build your own kernel. :) It's the ultimate in geek self-esteem boosting. :) (At least, when you do it the first time, with help, then with the first time, all on your lonesome.)

Re:Will redhat provide an rpm??? (1)

anonymous cupboard (446159) | more than 10 years ago | (#7603131)

It gets interesting because the RH fork isn't a straight Linus kernel - there are various ac thingies (as well as other fixes). On RH, I build my own kernel but from a kernel source rpm.

Re:Will redhat provide an rpm??? (0)

Anonymous Coward | more than 10 years ago | (#7603160)

No. The RedHat desktop is gone, move on now.

So it sounds like.... (5, Informative)

satyap (670137) | more than 10 years ago | (#7602977)

So it sounds like someone used a compromised user account to get in, ran a binary that exploited the bug, and got root that way. This is a local exploit, then.

Re:So it sounds like.... (0)

Anonymous Coward | more than 10 years ago | (#7603226)

thanks einstein!

Time for better security. (5, Insightful)

Sheetrock (152993) | more than 10 years ago | (#7602981)

It's obvious that with the gradual acceptance of Linux by the business community, it's time for a stricter security model to be adopted. While OpenBSD has not shared in the commercial success of Linux, it does have one area of technical superiority: its security review process has yet to permit a remote root compromise in a standard install.

Linux is a compelling choice in the Free Software world because of its pace of development and wide availability of software. However, it is this strength that is becoming a weakness. Perhaps it is time to slow down and review with more vigor to mimic the accomplishment of OpenBSD.

Re:Time for better security. (-1, Troll)

Anonymous Coward | more than 10 years ago | (#7603066)

It's not a remote root exploit. RTFA

Re:Time for better security. (3, Interesting)

Free Bird (160885) | more than 10 years ago | (#7603068)

[OpenBSD's] security review process has yet to permit a remote root compromise in a standard install.


Strictly true, but there has been one remote hole and many local root holes. Remote hole + local root hole = remote root hole.

I'm not denying OpenBSD's superiority, but its security record isn't that much better than that of the other BSDs.

Re:Time for better security. (1, Informative)

RedHat Rocky (94208) | more than 10 years ago | (#7603071)

Perhaps you should check www.openbsd.org:

"Only one remote hole in the default install, in more than 7 years!"

Never mind that the default install is basically useless.

ObFlameBait (1)

CyberGarp (242942) | more than 10 years ago | (#7603072)

<sarcasm>Come on now, as any slashdot reader knows, BSD is dead.</sarcasm>

LONG LIVE BSD!

--

Mod me up, mod me down, they're your points to waste...

OpenBSD (1, Informative)

Anonymous Coward | more than 10 years ago | (#7603086)

OpenBSD did have one vulnerability in the standard install, the OpenSSH issue of about a year ago.

According to the site http://www.openbsd.org/ :

Only one remote hole in the default install, in more than 7 years!

http://www.openbsd.org/advisories/ssh_channelalloc.txt

But I suppose you could argue that OpenSSH, even if it was sponsored in part by the OpenBSD team, isn't really part of the OS, or at least part of the kernel.

Of course, this is far better than just about any other OS.

Re:Time for better security. (1)

placeclicker (709182) | more than 10 years ago | (#7603095)

its security review process has yet to permit a remote root compromise in a standard install.

This isn't a remote root exploit.

Re:Time for better security. (0)

JoeBuck (7947) | more than 10 years ago | (#7603107)

This is incorrect: OpenBSD had a remote root compromise (the openssh bug). Furthermore, this particular exploit is not a remote root compromise, but a bug that allows a local user to get root, and OpenBSD has not been immune from this.

Re:Time for better security. (1)

Przepla (637674) | more than 10 years ago | (#7603112)

It's obvious that with the gradual acceptance of Linux by the business community, it's time for a stricter security model to be adopted. While OpenBSD has not shared in the commercial success of Linux, it does have one area of technical superiority: its security review process has yet to permit a remote root compromise in a standard install.

Ahem... Isn't OpenBSD's motto "Only one remote hole in the default install, in more than 7 years!"? So OpenBSD's security review process has already permitted (granted, only one) root compromise in the default install.

Besides, as the article stated, it was not a remote hole. It was a local hole -- exploitable due to access to a developer's shell account.

Re:Time for better security. (0)

Anonymous Coward | more than 10 years ago | (#7603159)

Benchmarking BSD and Linux [bulk.fefe.de]

OpenBSD 3.4 was a real stinker in these tests. The installation routine sucks, the disk performance sucks, the kernel was unstable, and in the network scalability department it was even outperformed by its father, NetBSD. OpenBSD also gets points deducted for the sabotage they did to their IPv6 stack. If you are using OpenBSD, you should move away now.

Re:Time for better security. (4, Interesting)

chrysalis (50680) | more than 10 years ago | (#7603192)

Well... yes... and no.

The strength of OpenBSD is that people continously audit the code and implement preventive stuff like privilege separation to reduce the risks in case of a vulnerability.

On the other hand, the code of BSD kernels is a real mess. Some parts are really tricky, with glue between historic and new code and a lot of ugly, possible unsafe macros everywhere. The Linux kernel framework is way cleaner and more robust. When something goes wrong in a kernel thread, it can almost always properly recover and not just go to panic().

And Linux also has some barriers like SELinux that theoretically render uncommon situations not exploitable. Theoretically, because there can still be bugs in SELinux or other parts of the kernel that would bypass it.

The "barriers" approach, although described as useless by some people, is, in the real world, very efficient. Grsecurity (or recent OpenBSD with PaX and co) and SELinux make it very difficult to write reliable exploits. Still, if an exploit works, it will only work after having filled gigabytes of log files, giving system administrators a chance to take action in time.

The con of the "barriers" approach is that it cures the implications of a problem, not the cause. The bug is still there, but instead of being exploitable to execute arbitrary code, it crashes the process (possibly restarted immediately with a tool like Monit or Supervise).

The OpenBSD auditing approach aims at curing the bug itself, thus not causing any crash.

Both approaches are actually complementary, but still not 100% efficient.

The only way to make code reliable and secure (even from a theoretical point of view) is to prove it. Unfortunately it's not a trivial task and it can't be done on top of an existing unix-like base.

But if you have never heard about it, have a look at the very promising EROS Project:
http://www.eros-os.org/

Re:Time for better security. (5, Informative)

bahamat (187909) | more than 10 years ago | (#7603198)

I don't mean to burst your bubble, bash Theo or OpenBSD, but I read Bugtraq daily, and I can't count the number of exploitable bugs reported in the OpenBSD kernel over the past few weeks, but it would probably take both hands and at least one foot. Linux however, iirc, had somewhere about 3. Given this info, I wouldn't be so hot to boast about OpenBSD's QA process.

I repeat, I'm not trying to bash OpenBSD. Just trying to bring a little balance to the argument. OpenBSD is an excellent choice for an operating system, but it's designed by humans. Humans make mistakes.

The real flaw in what happened with this exploit is that there were no backport patches created. When the ptrace vuln came out I was able to patch my 2.4.19 and 2.4.20 systems right away; I didn't have to wait for the next release to come out in order to get a working fix.

This should turn into a plea to the developers: if a bug is discovered through the normal course of development that is potentially serious enough for older kernels, it should be brought out into the open and the fix backported.

Re:Time for better security. (1, Insightful)

Anonymous Coward | more than 10 years ago | (#7603203)

...it does have one area of technical superiority: its security review process has yet to permit a remote root compromise in a standard install.

Perhaps, perhaps not. In this particular case it was not a remote root compromise. Someone had access to a developer account on the machine, and was then able to take advantage of a local exploit. The bug leading to this exploit was found in September, but had not worked its way to a released kernel until just recently. There was a window between the fix being published (and becoming publicly available knowledge) and it being distributed in 2.4.23 that was hit.

Some would claim (and have claimed) that this is a significant problem with open source security. Not only is the source open for undiscovered exploits to be dug up, but the source for their fixes (patches, etc) is available, easing efforts to target them. A possible solution would be maintaining a patch set for exploitable bugs such as this. Those who must be up to date on critical patches can then get them easily in the period between kernel releases.

Re:Time for better security. (0)

Anonymous Coward | more than 10 years ago | (#7603229)

> it's time for a stricter security model to be adopted. While OpenBSD ...

OpenBSD uses the same old boring and flawed UNIX SuperUser/Peon security model.

It's Linux that is moving towards Mandatory Access Controls, Capabilities, and "rootless" operation. Not OpenBSD.

(Not that it matters for a kernel-level exploit.)

Re:Time for better security. (2, Interesting)

jgreene_81 (689281) | more than 10 years ago | (#7603230)

If you had read the article...

Recently multiple servers of the Debian project were compromised using a Debian developers account

You would notice it was not a remote exploit. OpenBSD has had its share of local exploits lately too.

Don't get me wrong, OpenBSD is good stuff and has a great way of approaching security. But in this case, it could have been compromised just the same.

NEWSFLASH (-1, Troll)

Anonymous Coward | more than 10 years ago | (#7602986)

This does not affect OpenBSD [openbsd.org] . Smart admins can sleep well tonight.

Re:NEWSFLASH (-1, Troll)

Anonymous Coward | more than 10 years ago | (#7603055)

Except that an OpenBSD box can't do much more than power on, spin up, and then sit there, drawing electricity. It's pretty hard to exploit a box that does nothing in the first place.

Re:NEWSFLASH (1, Funny)

Aardpig (622459) | more than 10 years ago | (#7603056)

This does not affect OpenBSD. Smart admins can sleep well tonight.

Hell, who cares, OpenBSD is dying. In fact, in Soviet Russia it's already dead...

Re:NEWSFLASH (1)

anonymous cupboard (446159) | more than 10 years ago | (#7603171)

In post Soviet Russia OpenBSD runs firewalls!!!!

Allow Me, Windows Fanboys (-1, Troll)

Anonymous Coward | more than 10 years ago | (#7603003)

Saving you all some time:

What, you mean your holy Lie-nucks has a FLAW? I thought only Microsoft had problems. Haw haw haw! Where's your Torvalds NOW, hippy scum. Take a bath,
commies! Microsoft is the BEST!

-1 Redundant.

Nice management (1, Insightful)

Anonymous Coward | more than 10 years ago | (#7603020)

The management of the incident seems very professional to me. Thanks to all the people who had a lot of work because of this. They kept the reputation of debian up! Which is a good thing since this is my favorite distribution.
Disclaimer: I'm no debian devel :)

Agreed (4, Insightful)

DenOfEarth (162699) | more than 10 years ago | (#7603114)

I agree with you totally. It's one thing to say that Linux is rock-solid secure, but in the real world this just might not always be true. It is however, a good thing to be able to say that the parties concerned with this particular security breach have been forthcoming to the community. A large part of security is just that. Hats off to the debian people.

This smells like the work of... (0, Flamebait)

Anonymous Coward | more than 10 years ago | (#7603054)

This exploit required a measure of sophistication to pull it off. But why would such an attacker target debian? He must have had a motive; something to gain. And who wins if debian were to suffer a setback?

(A: Microsoft)

Re:This smells like the work of... (1)

The One KEA (707661) | more than 10 years ago | (#7603161)

Not necessarily. For all we know the Debian servers could have been h@x0r3d simply because they were a high-profile target in the OSS world.

Although I do agree with the other poster who said that perhaps the cracker got the idea to try the exploit by reading the ChangeLog. Not that I'm condemning the use of known stable kernels on mission-critical servers or anything - but perhaps something like this would have warranted a kernel change?

Glass Houses (-1, Troll)

Anonymous Coward | more than 10 years ago | (#7603088)

I hope this puts to rest the myth of the inherent (innate?) imperviousness of Linux. I'll have to save a few links regarding this issue to regurgitate the next time someone tells me how insecure my OS of choice is...

There goes my Saturday (5, Funny)

mariox19 (632969) | more than 10 years ago | (#7603100)

I had just convinced myself there was no compelling reason to upgrade my kernel from 2.4.22.

Actually, there still isn't, since the likelihood of my machine "coming under attack" is slight. But, what's the point of running Linux if you're not going to get all worked up over things like this ;-)

Happy make menuconfig to all!

so are other distros possible infected? (5, Insightful)

liquidpele (663430) | more than 10 years ago | (#7603109)

The people at debian caught on, but what about at other distros? Have they made sure that their machines haven't been exploited and no trojan type code was introduced?

I'm expecting so, but just a "yes, it's been taken care of" would be nice...

Re:so are other distros possible infected? (1)

__past__ (542467) | more than 10 years ago | (#7603216)

They aren't "possibly infected", they are "definitely vulnerable", as long as they use a kernel < 2.4.23, which are probably all of them. Mandrake has updated kernel packages, for others, you probably should build your own kernel or take your boxes offline until new packages are available (or make damn sure that no malicious user can get a local shell). I'd expect updates for most distros rather soon now, however. You decide.

Re:so are other distros possible infected? (0)

Anonymous Coward | more than 10 years ago | (#7603225)

I work for Mandrake, and yes, we have checked our machines.

--jackson.

Success sucks! (0)

Anonymous Coward | more than 10 years ago | (#7603132)

Now that Linux is coming up as winner and MS shows itself to be the Wizard of Oz it is, we should investigate not who, but how such an exploit materialized.

Seriously, if such an exploit has been shown in September and was not patched, some unknown opportunist who hates Linux/Unix (and, yes, there are such beasts) could have time to code the exploit.

Now, not seriously, who could profit from this?

Who discovered the flaw?
Andrew Morton.

Who maintains Kernel 2.6?
Andrew Morton.

Who would profit more if Linux Kernel 2.4 was declared unsafe and Torvalds recommended immediate upgrade to 2.6?

Now Mr. Morton, where were you on Wednesday 19th November (2003), at approximately 5pm GMT?

You sure understand this question is merely rhetoric...I rest my case. Guards, take Mr. Morton to the dungeons. Children, don't look now... this won't be pretty.

And the Changelog entry of this bug is where? (0)

Anonymous Coward | more than 10 years ago | (#7603146)

Couldn't find it in ChangeLog-2.4.23 :-/

red hat and SUSE to the rescue (3, Insightful)

2057 (600541) | more than 10 years ago | (#7603168)

it seems everyone's favorite whipping boys did a lot of work in finding and fixing this bug. AND THEY SHARED THE INFO, who says corporate linux is evil now!?

Lin(s)ux got h4x0rr3d HAHAHAHAHAHAHA (-1, Troll)

Anonymous Coward | more than 10 years ago | (#7603180)

The penguin got ass raped, bitches.

w00t.

Let's see (-1, Flamebait)

Anonymous Coward | more than 10 years ago | (#7603185)

- Microsoft releases software with a known, publicized hole in it: HAHAHAHAHA M$ IS TEH SUXXOR HAHAHAH@!!! WINDOZE SUX!!! HAHAHHA!!! 134,532 DAIS UPTIME FOR TEH LINUX!!!!

- The people who write the goddamn Linux kernel release it knowing full well that it has a potential exploit that gives r00t, and then Debian (!) proceeds to install said kernel in their production machines, which are promptly compromised:

.

*sound of crickets*

.

Fair and balanced. Yay open source!

Seems someone noticed bugfix in -preN or -rcN (0)

Anonymous Coward | more than 10 years ago | (#7603221)

It seems that someone found the bug in a -preN or -rcN kernel and used it before the final kernel was published.

This is the important lesson for kernel maintainers - if you find a security bug, publish the new kernel ASAP.