
Some Linux Distros Found Vulnerable By Default

Zonk posted more than 9 years ago | from the change-the-settings dept.

Security 541

TuringTest writes "Security Focus carries an article about a security compromise found on several major distros due to bad default settings in the Linux kernel. 'It's a sad day when an ancient fork bomb attack can still take down most of the latest Linux distributions', says the writer. The attack was performed by spawning lots of processes from a normal user shell. It is interesting to note that Debian was not among the distros that fell to the attack. The writer also praises the OpenBSD policy of Secure by Default."


541 comments

In other news... (-1, Flamebait)

oscartheduck (866357) | more than 9 years ago | (#11975829)

every windows distro found insecure by default AND after patching.

Re:In other news... (2, Insightful)

woginuk (866628) | more than 9 years ago | (#11975864)

That is no reason why the same should be true of Linux. Or any other OS for that matter.

Re:In other news... (1)

Winterblink (575267) | more than 9 years ago | (#11975874)

every windows distro found insecure by default AND after patching.
You obviously missed the point of the article. Move along...

Re:In other news... (5, Insightful)

oscartheduck (866357) | more than 9 years ago | (#11975908)

No, I understand the article. I just couldn't resist the jab. The fact is that GNU/Linux ought to be the best it can be in and of itself. That some distributions are screwing that up and making very poor defaults is not to be forgiven. Not at all. Especially when it isn't difficult to do better.

Re:In other news... (-1, Troll)

Winterblink (575267) | more than 9 years ago | (#11976011)

No, I understand the article. I just couldn't resist the jab. The fact is that GNU/Linux ought to be the best it can be in and of itself. That some distributions are screwing that up and making very poor defaults is not to be forgiven. Not at all. Especially when it isn't difficult to do better.
First, I don't agree with the flamebait moderation here.

Second, that's what you SHOULD have posted to begin with, instead of doing the obvious and coming off like some kind of misinformed troll. :)

Re:In other news... (0, Offtopic)

HyperChicken (794660) | more than 9 years ago | (#11975949)

This is getting modded as funny? Are you joking? It's a clear troll. Replace "windows" with "linux" and it would have been modded down faster than GNAA.

Re:In other news... (0)

Anonymous Coward | more than 9 years ago | (#11975998)

The Windows holes aren't in the FRIGGING KERNEL.

As I said many times, comparing Windows security and Linux security is like comparing the San Francisco 49ers and the Arizona Cardinals football teams, two of the worst teams in the NFL.

Re:In other news... (3, Informative)

MrHanky (141717) | more than 9 years ago | (#11976102)

No. I've played with fork bombs in Windows with SFU or Cygwin, and they didn't bring down the system. Seems like there was a sane ulimit on processes.

Try ":(){ :|:& };:" (without the quotes) on your bash prompt to see if you are vulnerable.
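The one-liner above is easier to reason about once it is written out. The script below is an added example for this thread, not code from the Slashdot posts or the SecurityFocus article: it rebuilds the bomb with a readable name and a depth guard so the process tree can be counted instead of wedging the box, and it classifies a `ulimit -u` value the way the comment above does ("is there a sane limit on processes?"). It assumes a POSIX sh, `mktemp`, and a writable /tmp; the threshold of 4096 is an arbitrary choice for the demo.

```shell
#!/bin/sh
# Added example for this thread; not code from the Slashdot posts or the
# SecurityFocus article. Needs a POSIX sh, mktemp, and a writable /tmp.
#
# ":(){ :|:& };:" defines a function named ":" that pipes two copies of itself
# into the background, then calls it. Every call becomes two more, so the
# process count doubles per level until fork() starts failing. bomb_node has
# exactly that shape plus a depth guard: the tree stops at 2^(depth+1)-1
# processes, each of which logs one line so the total can be counted.

bomb_node() {
    node_depth=$1; node_max=$2; node_log=$3
    echo "$node_depth" >> "$node_log"   # one line per process in the tree
    if [ "$node_depth" -lt "$node_max" ]; then
        # the bomb's core: two copies of ourselves, piped, in the background
        bomb_node $((node_depth + 1)) "$node_max" "$node_log" |
            bomb_node $((node_depth + 1)) "$node_max" "$node_log" &
        wait   # reap this node's subtree before returning
    fi
}

# bounded_bomb DEPTH: run the guarded tree and print how many processes it made.
bounded_bomb() {
    bomb_max=$1
    case $bomb_max in
        ''|*[!0-9]*) echo "depth must be an integer" >&2; return 1 ;;
    esac
    if [ "$bomb_max" -gt 6 ]; then      # 2^7-1 = 127 processes is plenty
        echo "refusing depth > 6" >&2; return 1
    fi
    bomb_log=$(mktemp "${TMPDIR:-/tmp}/bomb.XXXXXX") || return 1
    bomb_node 0 "$bomb_max" "$bomb_log"
    wait
    bomb_count=$(wc -l < "$bomb_log" | tr -d ' ')
    rm -f "$bomb_log"
    echo "$bomb_count"
}

# nproc_status VALUE [THRESHOLD]: classify a `ulimit -u` (soft RLIMIT_NPROC)
# value. "unlimited" means the real bomb only stops when the kernel runs out of
# process slots, which is the wedge the article describes. 4096 is an
# arbitrary demo threshold, not a recommendation.
nproc_status() {
    np_value=$1; np_threshold=${2:-4096}
    case $np_value in
        unlimited)    echo unlimited ;;
        ''|*[!0-9]*)  echo unknown; return 1 ;;
        *) if [ "$np_value" -gt "$np_threshold" ]; then echo loose
           else echo bounded; fi ;;
    esac
}

# The check for the shell you are sitting in. RLIMIT_NPROC counts every
# process of the same uid, not just this session, and root is exempt from it.
current_nproc_status() {
    nproc_status "$(ulimit -u 2>/dev/null)" "$@"
}

# sample run: the first values are constructed, the last line is your shell
main() {
    echo "guarded tree at depth 3 made $(bounded_bomb 3) processes"
    for v in unlimited 5000 1024; do
        echo "ulimit -u $v -> $(nproc_status "$v")"
    done
    echo "this shell -> $(current_nproc_status)"
}
main
```

A `ulimit -u` typed into one shell only covers that session; to make a limit the default for every login it has to come from the PAM limits file or the login scripts, and a limit only protects the box if it is low enough that the kernel's process table still has room for everyone else.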

here we go! (-1, Flamebait)

Anonymous Coward | more than 9 years ago | (#11975830)

time for the apologists to rear their ugly heads (and most likely bodies) on slashdot!

Figures (-1, Redundant)

Anonymous Coward | more than 9 years ago | (#11975832)

Big surprise another flaw in Windows...

Oh wait.. it says Linux? Damn. I was all ready to go off on how Windows sucks and Linux rules.

Fork vulnerability (5, Funny)

madaxe42 (690151) | more than 9 years ago | (#11975835)

Kittens are vulnerable to forks by default as well - you can easily get at the kernel if you just - oh, hang on, a different kind of fork, you say?

Thank god I use Windows (5, Funny)

Anonymous Coward | more than 9 years ago | (#11975841)

Thank god I use Windows, I'm safe!

Re:Thank god I use Windows (5, Funny)

rokzy (687636) | more than 9 years ago | (#11975976)

only if you're running XP Starter Edition!

Re:Thank god I use Windows (0)

Anonymous Coward | more than 9 years ago | (#11976153)

All your TCP connections are belong to us?

Re:Thank god I use Windows (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#11975994)

Do not thank god,
god had nothing to do with it... ...or is billy your god?

Re:Thank god I use Windows (1, Informative)

Anonymous Coward | more than 9 years ago | (#11976086)

C:\>type bomb.bat
start bomb.bat
call bomb.bat
C:\>bomb.bat

How long? (0, Insightful)

Anonymous Coward | more than 9 years ago | (#11975848)

Let's see how long it will take before someone says the study is invalid...

Re:How long? (2, Funny)

biendamon (723952) | more than 9 years ago | (#11975922)

Let's see how long it will take before someone says the study is invalid...

The study is invalid!!!

yey (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#11975851)

First comment - woohooo!!!!!! Yeee haar! Har mar superstar!! Lol.

Damn those frikkin' sharks with "lasers". Lol!
I bet they are saying all your base are belong to us.
Oh, and BTW, I for one welcome our new overlords.
Did I remember to mention that in Soviet Russia, owns you?! :-D

Re:yey (0, Offtopic)

Anonymous Coward | more than 9 years ago | (#11976082)

stop saying lol . jesus wept! i will kill you for saying lol so much! why - o - why. jesus wept (again) oh bloody fuck fuck shit wankstain bastard think of something else, like a proper reply. Aaaaaaaaaaaaaaah!

Sheesh, it's a fork bomb (4, Insightful)

gowen (141411) | more than 9 years ago | (#11975853)

Sorry but the ability for a non-privileged user to run as many programs as they like is a feature, not a bug. Inability to turn that feature off would be a bug, but given that few modern Linux boxes are actually used as multi-user remote-login accounts, it's a completely unnecessary overhead.

And if you are administrating a true multi-user old-style-Unix type server, you should know enough to stop people fork bombing you (i.e. quotas).

Re:Sheesh, it's a fork bomb (3, Insightful)

Anonymous Coward | more than 9 years ago | (#11975898)

And if you are administrating a true multi-user old-style-Unix type server, you should know enough to stop people fork bombing you (i.e. quotas).

Hope you're not administrating any multi-user Linux boxes then, since in Linux, the quotas only deal with drive space ;)

Wrong attitude. (5, Insightful)

Anonymous Coward | more than 9 years ago | (#11975942)

All my servers have multiple users. Those users are system accounts to run different software, and I do not want any of them to be able to cause a problem to the entire server. Reasonable limits should be in place by default, and those of us who actually need higher limits for certain users, can raise those limits.

Even on a single user desktop machine, its nice to have limits so shitty software can't take down my entire machine. With limits I can just log in on another terminal and kill the offending program, without limits you get to reboot, and lose any work you were doing.

Re:Wrong attitude. (3, Insightful)

gowen (141411) | more than 9 years ago | (#11976033)

Reasonable limits should be in place by default,
But given that distribution/kernel vendors do not have the first idea of
i) My hardware
ii) How many users I want
iii) What programs / services will be running,

how in the name of crikey are they supposed to determine what a "Reasonable limit" would be?

Re:Wrong attitude. (1)

jmcleod (233418) | more than 9 years ago | (#11976113)

Set it to something relatively low by default. If you have a need for more process space than that, you probably also have the knowledge necessary to raise it, or have it raised.

Re:Wrong attitude. (2, Insightful)

Anonymous Coward | more than 9 years ago | (#11976125)

They aren't, you are. They are supposed to make a reasonable default, not a reasonable limit. You look at the reasonable defaults, and decide to change them on a per user basis for the different users (mysql, apache, etc). This is how unix has always been, linux distros taking huge steps backwards isn't something to be accepted.

Lots of distros ask whether you are running a server or desktop, is it really so tough to ask if that server is dedicated to one task or many jobs, and set sane defaults based on your answer? Then say if you know you want mysql to be able to use more RAM, you can let the mysql user have a higher limit. But you don't have to worry about any of your services bringing your machine down.
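The "reasonable default, raised per user" policy in the two comments above is what a pam_limits file expresses. The script below is an added example for this thread, not code from the Slashdot posts or the SecurityFocus article: it resolves which limit a given user ends up with from limits.conf-style lines, so a policy for the mysql and apache accounts can be checked rather than guessed at. The precedence it implements is a deliberate simplification of pam_limits (a line naming the user beats an `@group` line, which beats the `*` default; within one level the last matching line wins); the config text and the group memberships are constructed for the demo.

```shell
#!/bin/sh
# Added example for the thread above; not from the Slashdot posts or the
# SecurityFocus article. Resolves a pam_limits-style limits.conf for one user.
# Precedence here is a simplification of pam_limits: user line > @group line
# > "*" default, last matching line wins within a level. The config below and
# the group lists passed in are constructed for the demo; mysql and apache
# are the service accounts named in the thread.

SAMPLE_LIMITS='
# <domain>  <type>  <item>   <value>
*           soft    nproc    1024
*           hard    nproc    4096
@daemon     soft    nproc    256
mysql       soft    nproc    2048
mysql       soft    as       2097152
apache      -       nproc    512
'

# resolve_limit USER "GROUP ..." ITEM TYPE
# Reads limits.conf lines on stdin; prints the effective value or "unset".
# TYPE is soft or hard; a "-" in the file sets both.
resolve_limit() {
    rl_user=$1; rl_groups=$2; rl_item=$3; rl_type=$4
    rl_def=unset; rl_grp=unset; rl_usr=unset
    while read -r domain ltype litem lvalue; do
        case $domain in ''|'#'*) continue ;; esac       # blank or comment
        if [ "$litem" != "$rl_item" ]; then continue; fi
        case $ltype in "$rl_type"|-) ;; *) continue ;; esac
        case $domain in
            '*') rl_def=$lvalue ;;
            @*)  for g in $rl_groups; do
                     if [ "@$g" = "$domain" ]; then rl_grp=$lvalue; fi
                 done ;;
            *)   if [ "$domain" = "$rl_user" ]; then rl_usr=$lvalue; fi ;;
        esac
    done
    if   [ "$rl_usr" != unset ]; then echo "$rl_usr"
    elif [ "$rl_grp" != unset ]; then echo "$rl_grp"
    else echo "$rl_def"; fi
}

# limit_for USER "GROUP ..." ITEM TYPE: resolve against SAMPLE_LIMITS
limit_for() {
    printf '%s\n' "$SAMPLE_LIMITS" | resolve_limit "$@"
}

main() {
    echo "mysql  soft nproc: $(limit_for mysql  'mysql daemon'  nproc soft)"  # 2048, own line
    echo "apache soft nproc: $(limit_for apache 'apache daemon' nproc soft)"  # 512, "-" covers soft
    echo "www    soft nproc: $(limit_for www    'www daemon'    nproc soft)"  # 256, via @daemon
    echo "alice  soft nproc: $(limit_for alice  'alice users'   nproc soft)"  # 1024, the default
    echo "alice  hard nproc: $(limit_for alice  'alice users'   nproc hard)"  # 4096
    echo "alice  soft as:    $(limit_for alice  'alice users'   as    soft)"  # unset
}
main
```

Two caveats a practitioner would want: pam_limits applies these values when a PAM session is opened (login, sshd, su), so a daemon started straight from init without a PAM session does not pick them up and needs the `ulimit` in its start script or the service manager's own limit setting; and the `*` default covers root too unless a root line overrides it.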

Re:Sheesh, it's a fork bomb (4, Insightful)

CaymanIslandCarpedie (868408) | more than 9 years ago | (#11976003)

Sounds much like the same reasoning MS used to use for having defaults set to a "user-friendly" setting.

Now that its been found in Linux, its a "feature" ;-)

Come on, I love Linux but the hypocrisy is a bit much ;-) It's OK to admit it was bad or admit MS's settings were OK, but you cannot do both.

Re:Sheesh, it's a fork bomb (2, Insightful)

gowen (141411) | more than 9 years ago | (#11976073)

I love Linux but the hypocrisy is a bit much. It's OK to admit it was bad or admit MS's settings were OK, but you cannot do both.
There's no hypocrisy, at least not from me. I've never criticised MS software because local users are able to fill up disk space, spawn a zillion processes, suck the processor and generally exhaust the resources... That's what users do, they use up your resources.

Re:Sheesh, it's a fork bomb (3, Insightful)

woginuk (866628) | more than 9 years ago | (#11976020)

I don't know about how it works nowadays. But when I was new to UNIX, I would write the following program:
#include <unistd.h>   /* fork() */

int main(void) {
    while (1)         /* every child keeps forking too: exponential growth */
        fork();

    return 0;
}
Compiling and running it would hang the box. You could ping the system, but nothing else would work.

Ultimately, I would have to switch the box off and on again. And I remember thinking that this was a bug.

A user should be allowed to do whatever he/she wants. But if the system becomes unusable, surely it is a bug.

Re:Sheesh, it's a fork bomb (2, Interesting)

gowen (141411) | more than 9 years ago | (#11976111)

But if the system becomes unusable, surely it is a bug.
I run codes *all the time* that cause my system to become completely unresponsive. By running huge numerical simulations without enough physical RAM. I'd be mightily annoyed if the kernel told me I wasn't allowed to do this.

Users use resources. If an admin wants to starve their untrustworthy users of resources, they can (and, if they've a lot of untrustworthy users, its highly recommended), but there is simply no compelling reason why it should be turned on by default.

Big Fuss (0)

Anonymous Coward | more than 9 years ago | (#11975856)

So?
There are lots of ways a normal user can take down a system. I don't think that there is any reasonable way of preventing all of them

Re:Big Fuss (1)

Skye16 (685048) | more than 9 years ago | (#11976094)

Perhaps, but when there are reasonable ways for preventing most of them, don't you think you should, oh, I donno, try?

"There are always going to be security holes in Windows, so why bother fixing any of them?" Pffft.

Re:Big Fuss (2, Interesting)

agraupe (769778) | more than 9 years ago | (#11976148)

The difference being that a default install of *anything*, except possibly OpenBSD, should be in a situation where there might be users on it that you don't trust completely. For my personal use of linux, all I need is a box that is secure from hackers, not users.

Grep Bomb (5, Interesting)

cheezemonkhai (638797) | more than 9 years ago | (#11975866)


So what would a good limit to the number of processes spawned be?

I mean what can say what is good for everyone?

Saying that if you think the fork bomb is good grep bombs are more fun and particularly good for silencing the mass of Quake 3 players in an undergraduate lab:

'grep foo /dev/zero &' run about 5 of them and watch the box grind to a screaming halt then eventually recover.

Oh hang on did i just discover a new exploit :P

Re:Grep Bomb (0)

Anonymous Coward | more than 9 years ago | (#11976000)

No, you didn't discover anything, except that if you allow someone else to log in to your machine they can use the resources - shock, horror.

Re:Grep Bomb (try it in freebsd) (4, Informative)

keepper (24317) | more than 9 years ago | (#11976043)

A good vm should do enough accounting to allow you to log back in and kill those.

So, try this in FreeBSD, and be amazed, now try it in any 2.4 or 2.6 linux kernel, and be disgusted.

Re:Grep Bomb (try it in freebsd) (1, Interesting)

Anonymous Coward | more than 9 years ago | (#11976089)

Linux users don't know what accounting is yet, because they haven't realised what *BSD is (except maybe that "OpenBSD is really secure, innit, i'm going to use it for a firewall ain't I").

Re:Grep Bomb (try it in freebsd) (0)

Anonymous Coward | more than 9 years ago | (#11976158)

I have process accounting turned on, am I going to be disgusted?

Re:Grep Bomb (1, Informative)

Anonymous Coward | more than 9 years ago | (#11976151)

So what would a good limit to the number of processes spawned be?

I mean what can say what is good for everyone?


You've hit the nail right on the head. The version of RedHat I'm using at work right now actually does have a "max user processes" limit set (presumably by default), it's just very high (5000+ per shell). So it's not a matter of that feature not existing, or even not being applied by default, but rather the defaults being too liberal. This is not clearly a bad thing -- setting the limit too low by default can cause as many problems as setting it too high.

Yawn. (3, Insightful)

BJH (11355) | more than 9 years ago | (#11975869)

So what? Anybody in their right mind would have locked down their box if they're letting third parties access it remotely.

Running around screaming "FORKBOMB! FORKBOMB! The sky's falling in!" seems to be a common pattern every few years. If you know what you're doing, it's trivial to prevent and if you don't know what you're doing, why are you running a public box?

Re:Yawn. (1, Insightful)

Anonymous Coward | more than 9 years ago | (#11975931)

So what? Anybody in their right mind would have locked down their box if they're letting third parties access it remotely.

Interesting that your "solution" is perfectly OK when applied to Linux, but is entirely unacceptable for the SAME problem with Windows.

Re:Yawn. (1)

gowen (141411) | more than 9 years ago | (#11975960)

Interesting that your "solution" is perfectly OK when applied to Linux, but is entirely unacceptable for the SAME problem with Windows.
Really? I take it you'll back that up with an earlier post from BJH in which he castigates Windows for allowing users to have fork bombs.

Re:Yawn. (1)

BJH (11355) | more than 9 years ago | (#11976056)

Please point out my criticism of Windows, because I seem to have missed it...

To be honest, I don't use it anyway, so I have no idea whether it's possible to forkbomb a Windows box, and even less interest in the subject.

Re:Yawn. (0)

Anonymous Coward | more than 9 years ago | (#11976131)

99% of multiuser Windows boxes are in managed Citrix environments. (Because each connection costs $$$) If someone sets off a forkbomb the Admin can easily LART their asses.

OTOH, there's quite a few public Unix shellservers out there.

Not your usual vulnerability (5, Informative)

David's Boy Toy (856279) | more than 9 years ago | (#11975871)

Fork bombs only work if you can log into the system in question. This is a bit lower priority than your usual vulnerabilities which allow outside attacks.

Re:Not your usual vulnerability (1)

theManInTheYellowHat (451261) | more than 9 years ago | (#11976045)

Sort of.... But coupled with an ssh or httpd exploit then you have real damage.
However, I could see some poorly written loops and the first experiments with fork bringing down the house. But none of us would do that would we....

Re:Not your usual vulnerability (1)

Doc Ido (241430) | more than 9 years ago | (#11976046)

I took down one of my college's servers while programming in a networking class. I didn't know what fork meant, but now I do. :)

Re:Not your usual vulnerability (2, Insightful)

Jeff DeMaagd (2015) | more than 9 years ago | (#11976104)

The biggest security problems come from the inside. Other employees can't be trusted just because they work for the same company.

Retarded (4, Interesting)

0123456 (636235) | more than 9 years ago | (#11975881)

Sorry, but this article seems pretty retarded to me. Windows is insecure because people can use IE bugs to install scumware that takes over your entire machine... Linux is insecure because ordinary users who are legitimately logged into your machine can fork off as many processes as they want? Huh?

Sure, maybe if you're running a server that allows remote logins, you want to restrict how many processes a user can run. But as a single-user system, I want to be able to run as many processes as I choose, not be restricted by the distribution author's ideas of what's good for me.

Re:Retarded (4, Informative)

phasm42 (588479) | more than 9 years ago | (#11975991)

If you had read the article, you'd have realized that this was not Windows vs Linux. It was a report on how a fork bomb can take down default Linux installs, but not default BSD installs. Also, the article was clearly not concerned about single-user installs, but multi-user. Or if the box is hacked into, this is an extra bit of protection.

Re:Retarded (2, Insightful)

0123456 (636235) | more than 9 years ago | (#11976027)

"It was a report on how a fork bomb can take down default Linux installs,"

Yes, and? I don't care about fork bombs, since I don't run them on my PC... being able to run as many processes as I choose on that PC is a feature, not a flaw. I do care about having scumware remotely installed on my PC through security holes in applications and the operating system, which is a flaw, not a feature.

Seriously, if you're letting people log onto your PC and run fork bombs, you have far greater problems than a lack of resource limits in the default install.

Re:Retarded (1)

LurkerXXX (667952) | more than 9 years ago | (#11976019)

And if you run some badly coded app that has an unintended fork-bomb included from a screwup in some routine? Your machine freezes. It's not going to happen often, but why let it? Why not set some sane limits, and let the user modify those limits later as they see fit?

Debian not vulnerable? (5, Interesting)

lintux (125434) | more than 9 years ago | (#11975884)

I really wonder what kind of Debian installation he runs. Just a couple of weeks ago I had to reboot my Debian box after some experimenting with an obfuscated fork bomb. Won't work again now that I set some ulimits, but they're not there by default.

In case anyone is interested, here's the obfuscated fork bomb: :(){ :&:;};:

Running bash then :p (4, Informative)

cheezemonkhai (638797) | more than 9 years ago | (#11975958)

You were running bash then :p

I recognise that one... which is always good :)
just don't leave your box unlocked and have some "funny" person drop it in your .login or .bashrc files.

Re:Debian not vulnerable? (2, Informative)

jon787 (512497) | more than 9 years ago | (#11975978)

You were reading bash.org weren't you?

And yes, my Debian box also fell to that the first time I ran it.

I put that on the wall of the CS computer lab here for fun, I don't know how many poor souls ran it.

Re:Debian not vulnerable? (3, Funny)

initsix (86050) | more than 9 years ago | (#11976123)

Sweet!
mark@stewie:~$ w
11:11:04 up 216 days, 19:50, 2 users, load average: 258.41, 767.84, 339.94

"Interesting to note" (0)

Anonymous Coward | more than 9 years ago | (#11975889)

Why is it interesting to note that Debian wasn't affected? Is Debian supposed to be super secure, or is this just Debian fanboy praise? Conversely, does Debian have a reputation for being very insecure and it is interesting that it wasn't affected?

Which other ones were not affected? Why aren't they noteworthy and interesting?

Not a vulnerability. (5, Insightful)

argent (18001) | more than 9 years ago | (#11975891)

A forkbomb is just a relatively simplistic way to mount a resource exhaustion attack. I would be extremely wary of anyone who claims that their UNIX class operating system is immune to resource exhaustion from a local user. There's just too many resources that can be commandeered, and to lock them all down would leave you with a system that's so restricted as to be nearly useless as a general computing platform.

It must be a slow day on /. if they're reporting this as news.

Re:Not a vulnerability. (3, Insightful)

mOdQuArK! (87332) | more than 9 years ago | (#11976059)

I would be extremely wary of anyone who claims that their UNIX class operating system is immune to resource exhaustion from a local user.

Eh? Most modern UNIX systems let you put some hard limits on all the collective ways that users can consume resources, including # processes, disks space, real/virtual memory, cpu time, etc. Any administrator who is responsible for a multi-user system should have those set to "reasonable" values, and no individual user (except for the administrator of course) would be able to bring down the system.

What kind of resource are you thinking of that any user can exhaust which would stop the system (through resource exhaustion)? Log file messages?

No, this is completely incorrect. (2, Insightful)

Anonymous Coward | more than 9 years ago | (#11976066)

You can limit users to using less than 100% of your resources, and those users can still do things. It's still a very usable system. I have this even on my laptop where I am the only user, so poorly written software or random mistakes don't result in me having to reboot my machine. Just the other day I messed up a pike script and it used up all my RAM. But my ulimit was set to 128MB of RAM, so pike just got an out of memory error and exited. Without ulimit it would have sucked up all my RAM and swap and I would have to reboot.

This kind of uninformed and ignorant attitude seems quite common in the linux world now that most users aren't experienced unix admins. It would be a good idea to learn about something before claiming to know how it should be setup.
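The laptop setting described in the comment above can be reproduced in a few lines. The script below is an added example for this thread, not code from the Slashdot posts or the SecurityFocus article: it runs a command with the address-space limit (`ulimit -v`, in KiB) lowered inside a subshell, so an allocation that would otherwise eat RAM and swap fails inside that one process while the calling shell keeps its own limits and stays usable. It assumes a Linux `ulimit -v` that enforces RLIMIT_AS and a `dd` that allocates its `bs`-sized buffer up front (GNU or BusyBox dd); the 16 MiB and 512 MiB caps are demo values.

```shell
#!/bin/sh
# Added example for the comment above; not from the Slashdot posts or the
# SecurityFocus article. Assumes a Linux ulimit -v (RLIMIT_AS, in KiB) that
# is enforced, and a GNU or BusyBox dd that mallocs a buffer of bs bytes.

# run_with_as_limit KIB CMD...: run CMD under an address-space cap and return
# its exit status. The subshell keeps the lowered cap from leaking into the
# shell you are typing in, which is what lets you log in and clean up.
run_with_as_limit() {
    as_limit_kib=$1; shift
    ( ulimit -v "$as_limit_kib" && exec "$@" )
}

# A 64 MiB buffer under a 16 MiB cap: malloc fails, GNU dd reports
# "memory exhausted" and exits non-zero. Nothing else on the box notices.
big_buffer_under_cap() {
    run_with_as_limit 16384 dd if=/dev/zero of=/dev/null bs=64M count=1
}

# The same command with room to spare succeeds, showing the cap is what
# failed it, not the command.
big_buffer_with_room() {
    run_with_as_limit 524288 dd if=/dev/zero of=/dev/null bs=64M count=1
}

main() {
    if big_buffer_under_cap 2>/dev/null; then
        echo "64 MiB allocation went through: RLIMIT_AS is not enforced here"
    else
        echo "64 MiB allocation refused under a 16 MiB cap; this shell is still fine"
    fi
    big_buffer_with_room 2>/dev/null && echo "same allocation succeeds under a 512 MiB cap"
    # Your own shell's cap. "unlimited" is the default the article complains
    # about: a runaway program can take the box into swap before anyone can kill it.
    echo "ulimit -v in this shell: $(ulimit -v)"
}
main
```

`ulimit -v` bounds virtual address space, not resident memory, so programs that reserve large mappings they never touch (threaded runtimes, some JITs) need a higher cap than their real footprint suggests; set it per user in the PAM limits file rather than globally if one service legitimately needs more.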

Re:Not a vulnerability. (0)

Anonymous Coward | more than 9 years ago | (#11976099)

and everyone fails to mention that WINDOWS has been available for fork bombing since day one and they will NEVER fix that.

cripes, what's next?

LINUX INSECURE! all versions allow people to log in!

Obligatory Quote (1, Flamebait)

cheezemonkhai (638797) | more than 9 years ago | (#11975910)

User - Give me a gun I want to shoot my foot off.

*NIX - Sure, here is the gun, it's loaded

Windows 9* - Are you ...[BSOD] fatal exception

Windows NT - Are you sure?
- Sure your sure?
- Oh by the way sorry, you're only admin,
not the SYSTEM account so I can't let
you do that.

I know it's a bit trollish, but I like the ability to over rule what the OS thinks is best for me.

And as previously mentioned you can turn this option on easily enough.

Re:Obligatory Quote (0)

Anonymous Coward | more than 9 years ago | (#11975982)

Without being rude...

J O K E !!!

Re:Obligatory Quote (0)

Anonymous Coward | more than 9 years ago | (#11976015)

I don't quite understand your post. Are you praising *nix because it will let you do it, or are you praising NT because it won't?

And of course, shell access is so easy to get (5, Insightful)

n0dalus (807994) | more than 9 years ago | (#11975915)

On the 3 distros listed as vulnerable, the default settings would stop any remote person from having a chance of getting a shell open on the box to perform the fork attack in the first place.
If a person has enough access to the machine to be able to "forkbomb" it, then there's plenty of other nasty things you could do to it.

Re:And of course, shell access is so easy to get (1)

thrashbluegrass (855748) | more than 9 years ago | (#11976079)

And of course, there exist no cgi scripts which use shells to do something, right? And even if there are, we know how hard it is to find a flaw in 'em, right?

Remember that no exploit exists in a vacuum; it's going to be one of a series of vulnerabilities used to bring your box down/gain root/read data.

And, although you're right that someone could do something much nastier with shell access, if you just wanted to DOS a machine, this seems like a pretty damned simple way to do it.

"Secure By Default"? (3, Interesting)

EXTomar (78739) | more than 9 years ago | (#11975925)

Doesn't OpenBSD still install 'ftpd' by default? Although it is not turned 'on', the fact is it is still on the file system ready for exploit and requires rigorous patching unless you take steps to remove it. Doesn't this seem like a dubious definition?

I'm all for making special install kernels and distros "out of the box" to be as hardened as possible. I would love see many distros do a "paranoid" configuration. There are plenty of things OpenBSD does right but that does not excuse OpenBSD. Just like Linux and every other operating system out there, they can still strive to do better.

Are you on drugs? (2, Insightful)

Anonymous Coward | more than 9 years ago | (#11975995)

Why is the word on in quotes? Yes, ftpd is part of the system. No, it is not running. No, it is not ready for exploit since as mentioned, it's not running, and also, what vulnerabilities does it have? That's like saying openbsd is bad because it ships with popa3d. It's right there waiting to be exploited, if you are root, and start it up, and someone finds an exploit for it.

New Plug Vulnerability found! (5, Funny)

Anonymous Coward | more than 9 years ago | (#11975935)

Unprivileged user can take down entire system by unplugging machine from power socket.

And in other news... (2, Funny)

flumps (240328) | more than 9 years ago | (#11975937)

... some birds fly south for the winter, my belly sometimes makes gurgling noises and jam tastes nice on toast.

So what? Publish the vulnerabilities, patch them, move on. Sheesh..

Wanna make a bet? (1)

bird603568 (808629) | more than 9 years ago | (#11975946)

I bet that one of them is Suse. I installed it on a family box trying to ultimetly getting my family to use slack10 by the time i move to college(in june). Suse looks nice but they just had that damn box keep poping up saying update this update that. The "non comercial" distros like Slack, gentoo and debian are perty secure, but its Suse, mandrake nad Red Hat(a lesser extent) which are less sceure and more updating (thats just my personal expericence and listening to other)

Re:Wanna make a bet? (1)

Saeed al-Sahaf (665390) | more than 9 years ago | (#11976018)

The "non comercial" distros like Slack, gentoo and debian are perty secure, but its Suse, mandrake nad Red Hat(a lesser extent) which are less sceure and more updating (thats just my personal expericence and listening to other).

And your proof for this (proof is something you may learn about when you do go away to college) is exactly what? If you are going to take a shot at "comercial" (half decent spelling is another thing that you tend to start using in college) distributions, how about being specific rather than just blathering on like an idiot.

Re:Wanna make a bet? (1)

bird603568 (808629) | more than 9 years ago | (#11976122)

my proof is updates. On the suse box about every other day there are updates to load. When was the last time you saw a slack security warning? I can't remember. And I'm calling Suse and Red Hat Commercial because they sell pro versions.

Re:Wanna make a bet? (0)

Anonymous Coward | more than 9 years ago | (#11976052)

sorry after rereading tfa i found out gentoo was vulnerable

Horrible (0)

Anonymous Coward | more than 9 years ago | (#11975952)

This is unacceptable. However before microsoft uses this in one of their ad campaigns I would like to mention the LAND [slashdot.org] attack

My God, the hypocrisy! (5, Insightful)

drsmack1 (698392) | more than 9 years ago | (#11975967)

Looks like everyone out there on slashdot think this is not really a problem. Remember when it was discovered that you could get into a xp installation locally with a win 2000 boot cd? Oh, the howling that was heard.

Here is an issue that can be done remotely with only a user account.

Reminds me of DoS: Pingfork! (4, Interesting)

nullset (39850) | more than 9 years ago | (#11975979)

I came up with the idea of a ping/fork DoS attack (mostly as a joke)

In pseudocode:
while (true) {
ping(target)
fork()
}

I seriously thought of posting this to a few script kiddie sites, so the kiddies could crash themselves long before the pinging does any damage :)

--buddy

Re:Reminds me of DoS: Pingfork! (1)

DrSkwid (118965) | more than 9 years ago | (#11976076)

PING(8) UNIX System Manager's Manual PING(8)

NAME
ping - send ICMP ECHO_REQUEST packets to network hosts

SYNOPSIS
ping [-dfnqrvR] [-c count] [-i wait] [-l preload] [-p pattern] [-s
packetsize]

DESCRIPTION ...

Other options are:

-f Flood ping. Outputs packets as fast as they come back or one
hundred times per second, whichever is more. For every
ECHO_REQUEST sent a period ``.'' is printed, while for ever
ECHO_REPLY received a backspace is printed. This provides a
rapid display of how many packets are being dropped. Only the
super-user may use this option. This can be very hard on a net-
work and should be used with caution.

Re:Reminds me of DoS: Pingfork! (0)

Anonymous Coward | more than 9 years ago | (#11976096)

you would visit kiddie sites, pervert

In the news today (0, Flamebait)

alexandreracine (859693) | more than 9 years ago | (#11975981)


"Some Linux Distros Found Vulnerable By Default documented in a 4 pages document.

Next up, Windows Found Vulnerable By Default with patch, documented in a 100 pages incomplete document. George has the details.

-Yeah, I think I'll go MAD if I ever look at that code again! YAYAYAYAYAAYAYYAAYMOUHAHAHAAHAH."

OMFG, not a user shell! (1)

Cyn (50070) | more than 9 years ago | (#11975997)

If you don't upgrade your system sufficiently before giving out shell accounts, you're an idiot. If you are joe schmoe and using it as a desktop - you're not giving out user accounts.

Yes, it may be sad to find - but honestly people, local shell exploits exist 'out of the box' - period. It's *pretty much* unavoidable even after proper sandboxes and restrictions have been configured.

And, as a Debian user - I am both insulted and disgusted that it was arbitrarily singled out, I assume this was because of its 'speedy' release cycle. If it was the only one of lots of major versions, then I retract the comment.

another way to bring a system to its knees (2, Informative)

XO (250276) | more than 9 years ago | (#11976008)

while(1) { malloc(1); }

Re:another way to bring a system to its knees (5, Informative)

tlhIngan (30335) | more than 9 years ago | (#11976150)

while(1) { malloc(1); }

That won't work on modern systems, or systems with a lot of virtual memory available (lots of RAM or large swap).

A modern OS will not actually commit memory until it is actually used, and while malloc() involves some bookkeeping, most of the bookkeeping is very little. It's quite likely you'll actually run out of process RAM (2GB or 3GB, depending on settings on a 32 bit machine) space first before the system starts to strain. On Linux, the recent kernels will kill processes that start hogging RAM when free memory falls below the low-water mark. And each malloc() really allocates 8/16/32 bytes of RAM for even a 1 byte allocation.

Anybody else seen this with mplayer-plugin? (0, Offtopic)

smchris (464899) | more than 9 years ago | (#11976010)

I was apparently getting a new mplayer with every frame or something. Have to quickly VNC from another machine to do a shutdown.

Isn't it friggin' ironic (5, Insightful)

aendeuryu (844048) | more than 9 years ago | (#11976021)

It's funny, isn't it, that on the same day we have a story about Linux distros being insecure by default, EXCEPT Debian, we have another story where Debian is being criticized for not releasing updates more often.

Maybe, and here's a thought, just maybe, it's wise to take a decent, stable distro and perfect it, instead of taking a distro and submerging it in a state of perpetual flux with constant updates.

Just a thought. I might be biased because it's a Debian-based distro that finally put a working Linux on my laptop. But you know what? Every now and then the bias is there for a reason...

Silly exploit (4, Insightful)

SmallFurryCreature (593017) | more than 9 years ago | (#11976031)

As others have already commented this has little to do with security.

Most Linux systems are used as desktops; if you use them as a server you don't use the defaults. Now a user being able to crash his own system is nothing new. It ain't nice but as long as it is the user doing it then no problem. Now if this fork could be used to make Apache explode and bring down the system THAT would be a boo boo.

Ideally yes the system should not do things that bring it crashing down but this is close to blaming a car for allowing me to plow into a wall. Not sure if I want a car/computer telling me what I can and cannot do.

As to how to set the limits on the number of forks. Maybe I got this completely wrong but could it be that this depends entirely on your hardware? Perhaps the latest IBM mainframe can handle a few more than an ancient 386? How the hell is the distro supposed to know what I got?

Security is other people doing stuff on my computer that I don't want and/or know about. Me screwing stuff up is my business.

BSD is very solid, this is known. It is also known that BSD has been around long before Linux but has been sucking its exhaust fumes ever since it arrived. For every story about how much more secure BSD is there are a dozen stories about Linux actually making a mark on the world. So good. Your BSD survived a forkbomb. But why exactly was the author running a Linux desktop then if BSD is so much better?

Another non-story on /. Is the internet going the way of TV?

All Windows Versions Found Vulnerable By Default (-1, Redundant)

Cyn (50070) | more than 9 years ago | (#11976083)

Insecurity Windows

Posted by cyn on Friday March 18, @11:10AM
from the change-the-operating-system dept.

cyn writes "Security Focus doesn't carry an article about a security compromise found on all major windows versions due to bad design in the Windows kernel, DLLs, vbscript, et al. 'It's a normal day when a script-kiddie | trojan virus | webpage attack can still take down most of the latest Windows versions', says the writer. The attack was performed by touching the internet from a normal user login. Is interesting to note that Windows ME was not among the versions that fell to the attack - not because it is invulnerable, but because nobody could locate a copy. The writer also doesn't praise the Unix philosophy of not being Windows."

So- (1)

IWantMoreSpamPlease (571972) | more than 9 years ago | (#11976124)

Lots of (and the term "lots" is relative) exploits and vulnerabilities being posted these days about Linux distros.

And yet, I haven't seen any real-world problems, unlike the *endless* (and daily it seems) ones aimed squarely at MS.

So, do Linux users run across the same kinds of problems Windows users encounter on a (near-)daily basis, or is all this just theoretical?

I missed the part..... (2, Interesting)

deathazre (761949) | more than 9 years ago | (#11976138)

... where Gentoo had a default kernel

(can we PLEASE not bring genkernel into this? it sucks.)

Why is this surprising? (1)

EdMcMan (70171) | more than 9 years ago | (#11976142)

Mandrake is a user distribution. Often, the user will be running as non-root, but will want many non-root settings (like ulimits). On the other hand, Debian is not mainly a desktop distribution.

The author goes on to praise the BSDs, not bothering to check and see exactly where the "default kernel settings" come from, or that they are "default" at all.

I agree, the kernel developers do not take security seriously (sometimes not even making a new release!). But this is a bad article that should not be on securityfocus or slashdot.

Welcome to Linux (1, Informative)

Anonymous Coward | more than 9 years ago | (#11976143)

#include <stdio.h>   /* header names were eaten by the HTML rendering; restored here */
#include <stdlib.h>  /* malloc */
#include <unistd.h>  /* fork */

int main(void) {
die:
    malloc(9999);                   /* memory that is never freed */
    printf("welcome to linux\n");
    fork();                         /* each pass doubles the number of processes */
    goto die;
}

Pretty simple, and will bring most boxes down.

Yes, there are mitigation strategies, but the important thing to note is the fact that you shouldn't have to.

A bit OT: fault tolerance among distros (0)

Anonymous Coward | more than 9 years ago | (#11976145)

Are some distros more fault tolerant than others?

I have a laptop with a flaky power connector and a totally useless battery. Every now and then the power fails if someone moves it or bumps the table. I started out with Mandrake 9.1 which got pretty trashed after each incident. In the process of getting it back I used a Knoppix CD. I liked it and installed it as my OS. (Knoppix is Debian under the hood.) Now a power failure is a nuisance but is relatively easy to recover from.

So the question is: Is the better failure recovery due to a newer version of Linux or is it due to a difference between Mandrake and Debian?

Big whup (1)

puppetluva (46903) | more than 9 years ago | (#11976156)

You can do this on any operating system by default except for some of the mainframe ones. (Including Windows, BSDs, Solaris, BeOS, Linux, etc.)

You can prevent this by putting in shell limits in the master profiles, but these are arbitrary restrictions that limit your users and should only be done if you don't trust them.

This must be a slow security newsday for these guys if they are talking about forkbombing or memory eaters.
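Both SmallFurryCreature's question about how a fork limit should be chosen and puppetluva's point that shell limits in the master profiles prevent the fork bomb come down to the same kernel knob, RLIMIT_NPROC. The following is an added example for this thread, not code from any of the posters or from the article; it assumes a POSIX system with getrlimit()/setrlimit(). It reads the current per-user process limit, reports whether it is the unbounded value the article complains about, and lowers the soft limit for the calling process and its children in the same way a `ulimit -u` line in a profile would. The cap value 4096 in main() is a constructed example, not a recommendation derived from the page.

```c
/* Added example: inspect and tighten the per-user process limit from inside a
 * program. Not code from the thread; assumes POSIX getrlimit()/setrlimit(). */
#include <stdio.h>
#include <sys/resource.h>

/* 1 if the soft RLIMIT_NPROC is unlimited, 0 if it is bounded,
 * -1 if the limit could not be read. */
int nproc_is_unlimited(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_NPROC, &rl) != 0)
        return -1;
    return rl.rlim_cur == RLIM_INFINITY ? 1 : 0;
}

/* Lower the soft process limit to `cap` unless it is already tighter. Never
 * raises it and never touches the hard limit; if the hard limit is lower than
 * `cap`, clamps to the hard limit. Returns the resulting soft limit, or 0 on
 * error. Like `ulimit -u` in a shell profile, this affects only the calling
 * process and whatever it spawns afterwards. */
rlim_t cap_nproc(rlim_t cap)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_NPROC, &rl) != 0)
        return 0;
    if (rl.rlim_cur != RLIM_INFINITY && rl.rlim_cur <= cap)
        return rl.rlim_cur;                       /* already at or below the cap */
    if (rl.rlim_max != RLIM_INFINITY && cap > rl.rlim_max)
        cap = rl.rlim_max;                        /* an unprivileged process cannot exceed the hard limit */
    rl.rlim_cur = cap;
    if (setrlimit(RLIMIT_NPROC, &rl) != 0)
        return 0;
    return rl.rlim_cur;
}

static void print_limit(const char *label, rlim_t v)
{
    if (v == RLIM_INFINITY)
        printf("%s: unlimited\n", label);
    else
        printf("%s: %llu\n", label, (unsigned long long)v);
}

int main(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_NPROC, &rl) != 0) {
        perror("getrlimit");
        return 1;
    }
    print_limit("soft nproc before", rl.rlim_cur);
    print_limit("hard nproc", rl.rlim_max);
    print_limit("soft nproc after cap_nproc(4096)", cap_nproc(4096));  /* 4096 is a constructed example value */
    return 0;
}
```

The persistent, system-wide form of the same setting is the one puppetluva refers to: an entry such as `*  hard  nproc  4096` in /etc/security/limits.conf, applied by pam_limits at login, or `ulimit -u` in the global shell profile. Because RLIMIT_NPROC counts all processes of the user, not just the children of one shell, a value that is too low for the machine in question makes fork() fail with EAGAIN for that user's legitimate work, which is the trade-off SmallFurryCreature is pointing at.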