Stop Microsoft

Operating Systems => Linux and UNIX => Topic started by: mobrien_12 on 8 January 2005, 08:23

Title: Big kernel hole
Post by: mobrien_12 on 8 January 2005, 08:23
Slashdot Article (http://linux.slashdot.org/linux/05/01/07/2028203.shtml?tid=172&tid=106)

Someone just found a serious root exploit in the Linux kernel, even the latest ones.  Basically, if you can log in and run a program, you can crack root.  

Hopefully the kernel team will fix it soon... but it didn't look like a simple error to me, and exploit proof-of-concept code is already out.
Title: Big kernel hole
Post by: Orethrius on 8 January 2005, 21:44
Did I ever mention this site is tech-comedy gold?

"Re:*sits back* (Score:5, Funny)
by darc (532156) (http://slashdot.org/~darc) on Friday January 07, @08:24PM (#11293496 (http://linux.slashdot.org/comments.pl?sid=135324&cid=11293496))
(Last Journal: Friday August 29, @06:09PM (http://slashdot.org/~darc/journal/))

Yeah yeah, that's the responsible thing to say. But responsible stuff is sooooooooo boring. I mean, if we were all responsible people that wanted stability, we'd all be running kernel 2.2, Apache 1.1, many year old revisions of programs patched to all heck, never install any packages that aren't yet at least of legal age, and still tout ISA support as a bleeding edge feature.

Hmm. Wait, I think I just described Debian Stable.

*is hit by a gigantic potato from the debian crowd*

(Yes, I am aware that stable is called Woody, and the last version was called Potato. But if I said "is hit by a gigantic woody..." I'd probably get murdered. Oops.)"

Classic.     :D  

EDIT: Added URL livelinks.  :cool:

[ January 08, 2005: Message edited by: Midnight Candidate/BOB ]

Title: Big kernel hole
Post by: WMD on 8 January 2005, 10:33
Now that you mention Slashdot being comedy gold...here's some more from that thread:

 
quote:
Re:*sits back* (Score:5, Funny)
by ackthpt (218170) on Friday January 07, @04:43PM (#11291506)
(http://www.dragonswest.com/ | Last Journal: Friday October 08, @01:07PM)
*awaits justifications and explanations of why this is nothing like Microsoft*

Because in this case Linus Torvalds is our new overlord, and I, for one, welcome him.


And this from an earlier thread about Macexpo:
 
quote:
Re:Misleading Article (Score:4, Funny)
by northcat (827059) on Friday January 07, @12:56PM (#11289241)
(Last Journal: Thursday January 06, @11:15AM)
How can his post be rated informative when it isn't true?

You must be new here.
Title: Big kernel hole
Post by: KernelPanic on 8 January 2005, 15:26
Nasty, but judging from LKML there should be a fix in -ac over the weekend.

[ January 08, 2005: Message edited by: Tux ]

Title: Big kernel hole
Post by: Calum on 8 January 2005, 22:11
And for us normal lusers, do you think this will trickle down into the apt repositories etc. in a hurry? Or should I recompile on my own when the rectified code appears? (actually slack slapt-get 9.1 repositories)

[ January 08, 2005: Message edited by: Calum is NOT a moderator ]

Title: Big kernel hole
Post by: mobrien_12 on 9 January 2005, 10:08
quote:
Originally posted by Calum is NOT a moderator:
And for us normal lusers, do you think this will trickle down into the apt repositories etc. in a hurry? Or should I recompile on my own when the rectified code appears? (actually slack slapt-get 9.1 repositories)

[ January 08, 2005: Message edited by: Calum is NOT a moderator ]
Calum, I think that the fixed kernels will get into the apt-get repositories in less than a week of new code being released.  

As far as whether to build from kernel.org ASAP or wait.... that's a question of risk management.  

If you have a multiuser box and you don't trust all your users (like in a University environment, for example), this hole is a freaking disaster and has to be fixed as fast as possible.

If you have remote login capabilities, such as sshd running, you still gotta worry about someone trying a brute force attack, or maybe getting a username and password from a keylogger on a compromised remote machine.  You can minimize the risk by limiting access with hosts.allow or iptables.  This is what I'm relying on right now.

However, I'm freaking paranoid, so I'll probably go build it from source when it comes out at kernel.org.
Title: Big kernel hole
Post by: KernelPanic on 11 January 2005, 01:45
By the way, we are fixed in the -ac tree for 2.4.28 and 2.6.

I wouldn't expect to see the mainstream repos packaging the -ac tree, Calum, but feel free to copy your config and make oldconfig.
Linus will put a long-term fix into 2.6.11, but who knows when that is out. If you are running multiuser I would say compile -ac6 and test it out, because even if there's a bug it will be better than having a compromised root!
Title: Big kernel hole
Post by: mobrien_12 on 11 January 2005, 08:19
I can't see any -ac patch for the 2.4 series kernel.
The changelog for 2.4.29-rc1 doesn't mention anything about fixing this hole.

I just tested the exploit code on my older 2.4.20 kernel and cracked root.  Oh fricken joy.

[ January 10, 2005: Message edited by: M. O'Brien ]

Title: Big kernel hole
Post by: KernelPanic on 11 January 2005, 18:21
I beg your pardon, I meant 2.4.29-rc1 (http://kernel.org/pub/linux/kernel/v2.4/testing/patch-2.4.29-rc1.bz2).

<snip>
Marcelo Tosatti:
 o Changed VERSION to 2.4.29-rc1
 o Paul Starzetz: sys_uselib() race vulnerability  (CAN-2004-1235)
</snip>

[ January 11, 2005: Message edited by: Tux ]

Title: Big kernel hole
Post by: mobrien_12 on 21 January 2005, 08:09
Well, I just tested 2.4.29-rc3 (hand patched, hand compiled).  I haven't been able to crack root on it yet using the sample exploit code.
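The two practical steps this thread arrives at are "is my kernel old enough to worry?" and "patch the kernel.org tree, reuse my old config, rebuild". The script below is an added example, not code posted in the thread or shipped by kernel.org; the function names (uselib_fixed, apply_and_build) are mine. The only fix versions it knows are the ones the thread names, 2.4.29-rc1 (from Marcelo's changelog quoted above) and 2.6.11 (where Linus is said to land the long-term fix); which 2.6.11 -rc first carried it is not stated, so 2.6.11-rcN is reported as "can't tell". Anything with a non-rc suffix (-ac6, a distribution build) is also "can't tell", because vendors and the -ac tree backport fixes without changing the version string. apply_and_build assumes the usual kernel.org layout, where patch-2.4.29-rcN applies to a clean linux-2.4.28 tree, and is shown rather than run.

```shell
#!/bin/sh
# Added example for this thread; not code from the thread or from kernel.org.
# Assumed fix versions (taken from the thread only): 2.4.29-rc1 and 2.6.11.

# uselib_fixed VERSION
#   0 = at or after the fix version for its series
#   1 = older than the fix version: patch and rebuild, or confirm your
#       vendor backported CAN-2004-1235
#   2 = cannot be judged from the version string (other series, -ac,
#       distribution suffixes, 2.6.11-rcN)
uselib_fixed() {
    ver=$1
    base=${ver%%-*}            # "2.4.29-rc3" -> "2.4.29"
    suffix=${ver#"$base"}      #               -> "-rc3" ("" for a release)

    case $base in *.*.*) ;; *) return 2 ;; esac
    major=${base%%.*}
    rest=${base#*.}
    minor=${rest%%.*}
    rest=${rest#*.}
    patch=${rest%%.*}
    for n in "$major" "$minor" "$patch"; do
        case $n in ''|*[!0-9]*) return 2 ;; esac
    done

    case $suffix in
        '')   rcnum=0 ;;
        -rc*) rcnum=${suffix#-rc}
              case $rcnum in ''|*[!0-9]*) return 2 ;; esac ;;
        *)    return 2 ;;      # -ac6, -1-686, vendor builds: string says nothing
    esac

    case "$major.$minor" in
        2.4)
            # 2.4.29-rc1 already lists the sys_uselib fix, so any 2.4.29* is fine
            [ "$patch" -ge 29 ] && return 0
            return 1 ;;
        2.6)
            [ "$patch" -gt 11 ] && return 0
            if [ "$patch" -eq 11 ]; then
                # thread only says "2.6.11"; the first -rc with the fix is unknown
                [ "$rcnum" -eq 0 ] && return 0
                return 2
            fi
            return 1 ;;
        *)  return 2 ;;
    esac
}

# apply_and_build TREE PATCH_BZ2 OLD_CONFIG
#   TREE       clean base tree the -rc patch is made against
#              (kernel.org's patch-2.4.29-rcN applies to linux-2.4.28)
#   PATCH_BZ2  e.g. patch-2.4.29-rc3.bz2
#   OLD_CONFIG the .config from the kernel you are replacing
# Run by hand, as root, on a box you can reboot; main does not call it.
apply_and_build() {
    tree=$1; patchfile=$2; oldcfg=$3
    # dry run first so a wrong base tree does not leave it half-patched
    bzcat "$patchfile" | patch -p1 -d "$tree" --dry-run >/dev/null || {
        echo "patch does not apply cleanly to $tree" >&2; return 1; }
    bzcat "$patchfile" | patch -p1 -d "$tree" || return 1
    cp "$oldcfg" "$tree/.config" || return 1
    # oldconfig keeps every existing answer and asks only about new options;
    # make dep is a 2.4-ism (2.6 no longer needs it)
    make -C "$tree" oldconfig && make -C "$tree" dep &&
        make -C "$tree" bzImage modules && make -C "$tree" modules_install
    # then install arch/i386/boot/bzImage and System.map, rerun lilo or edit
    # grub, reboot, and retry the sample exploit as an unprivileged user
}

main() {
    running=$(uname -r)
    status=0
    uselib_fixed "$running" || status=$?
    case $status in
        0) echo "$running: at or after the fix version the thread names" ;;
        1) echo "$running: older than the fix; patch and rebuild, or confirm a vendor backport" ;;
        2) echo "$running: cannot judge from the version string; read the changelog or vendor advisory" ;;
    esac
}

main
```

Running it as is only prints a verdict for the running kernel; the rebuild is a separate call such as `apply_and_build /usr/src/linux-2.4.28 /usr/src/patch-2.4.29-rc3.bz2 /boot/config-2.4.28`. Treat a "1" as a prompt, not a proof: a Debian or Slackware kernel that still reports 2.4.28 may already carry the backported fix, and only the vendor changelog or the sample exploit failing, as in the post above, settles it.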