Local Root Hole in Linux Kernels
xepsilon writes "A local Linux security hole using ptrace has been discovered that allows a potential attacker to gain root privileges. Linux 2.2.25 has been released to correct this security hole, along with a patch for 2.4.20-pre kernels. 2.4.21 ought to contain this fix, once it is released. 2.5 is not believed to be vulnerable to this security hole. See this email from Alan Cox for details, and a patch."
Re:How is Microsoft responsible? (Score:5, Funny)
No, Microsoft has a bulletproof way to prevent privilege escalations. They simply make sure the attacker gets all privileges at once, then there is nothing to escalate.
Re:How is Microsoft responsible? (Score:5, Funny)
"Because they're there."
On the other hand, in the words of Voltaire:
"If Microsoft didn't exist it would be necessary to invent them."
However, regarding the current kernel situation I think my deeply missed old granny put it best:
"Oh fuck."
KFG
Re:Got Root? (Score:5, Funny)
I believe you mean "#:)"
Eek! (Score:2, Interesting)
Holy shit, this could be a problem.
Excuse me while I go patch my servers, which all of my developers have user-level access to, albeit very limited access.
New marketing ploy for TMF: get your security news before the 13-year-old 5<R1p7 <1|)|)135, since they don't have credit cards with which to subscribe.
Jouster
Re:Eek! (Score:4, Insightful)
Not so fast! What if they steal some CC numbers first?
It's Tuesday (Score:5, Funny)
(looks at watch) it's Monday again... time to go patch my IIS
(looks at watch) it's Tuesday again... time to go patch Linux.
Re:Could someone post the email up? (Score:5, Informative)
Different mirror [theaimsgroup.com]
I guess these are the same.. haven't read the original /.ed site, but this is from lkml and I guess they're the same...
patched it already (Score:5, Interesting)
If you're running Redhat, RHN is a valuable tool that no admin should be without.
Re:patched it already (Score:5, Insightful)
Not to say that you haven't done that, but buyer beware. It makes no difference whether it's Linux, Mac OS X, Windows, or a Commodore 64. Don't randomly update things. Heck, sometimes we programmers create bugs in programs that are fixed by other bugs existing. Closing one may expose a new one.
The Smaller Folks (Score:5, Insightful)
In addition, some small businesses don't have the luxury of a secondary box or even an IT specialist that can put a machine through a high-load test for more than a few hours at a time -- let alone having to patch it at all!
Ideally we would all have a RAID 10 array connected to four boxes each running a different OS. While some companies (!) may have the time and money for this, the small folks like mom-and-pop stores can't afford the expense of time or money.
Re:patched it already (Score:3, Informative)
I trust Redhat not to slip spyware and weird license agreements into the kernel I'm downloading. I trust that it's an honest to God GPL'd kernel. Why? Because I'm a trusting person, and I haven't had any freakish incidents with Redhat.
I don't trust Microsoft. I don't want code with God knows what hacked in with a license agreement that takes away my first born while installing.
While I'm on the subject, I received an e-mail from Microsoft before I received the
Re:patched it already (Score:5, Insightful)
I much prefer it the way it is. Take Apache/ IIS as examples.
If you're running 1.3.26, you're safe, and you know it.
With IIS, if you're running IIS5, but with patch X, and patch y, and patch z applied before patch q, unless you have the MSSql patch r installed in which case you need patch f for IIS, and patch k for MSSql...
They should do it the other way. Make it simple.
If you're running IIS 5.0.185 then you're OK. Anything else, and you've got problems.
Patches and stuff were OK during floppy disk days, and 28.8k modems. I'd much rather not have to worry about incremental patches.
Re:patched it already (Score:3, Interesting)
There is no 'hotfixing' or piece patching here. The result of the incremental diff is the same as installing the whole new version, just considerably easier to download. As
Here's the text of Alans post (minus the .diff) (Score:4, Informative)
To: linux-kernel@vger.kernel.org
Subject: Ptrace hole / Linux 2.2.25
From: Alan Cox
Date: Mon, 17 Mar 2003 11:04:35 -0500 (EST)
Sender: linux-kernel-owner@vger.kernel.org
-----------------------
Vulnerability: CAN-2003-0127
The Linux 2.2 and Linux 2.4 kernels have a flaw in ptrace. This hole allows
local users to obtain full privileges. Remote exploitation of this hole is
not possible. Linux 2.5 is not believed to be vulnerable.
Linux 2.2.25 has been released to correct Linux 2.2. It contains no other
changes. The bug fixes that would have been in 2.2.5pre1 will now appear in
2.2.26pre1. The patch will apply directly to most older 2.2 releases.
A patch for Linux 2.4.20/Linux 2.4.21pre is attached. The patch also
subtly changes the PR_SET_DUMPABLE prctl. We believe this is necessary and
that it will not affect any software. The functionality change is specific
to unusual debugging situations.
We would like to thank Andrzej Szombierski who found the problem, and
wrote an initial patch. Seth Arnold cleaned up the 2.2 change. Arjan van
de Ven and Ben LaHaise identified additional problems with the original
fix.
Alan
IT'S IN ENGLISH!!! (Score:5, Funny)
BTW: If you haven't read, or tried to read, Alan's blog you won't get the joke.
Re:IT'S IN ENGLISH!!! (Score:2)
It was saint paddy's day yesterday, so I wonder how in the hell Mr. Cox could nail a bug today...
I know I couldn't do something like that the day after...
Re:IT'S IN ENGLISH!!! (Score:3, Funny)
Come on, grow up! Anybody that knows about St. Paddy's uses it as an excuse to get smashed on a Monday!
Re:IT'S IN ENGLISH!!! (Score:5, Interesting)
Actually, Welsh has more vowels than English, and is spelt almost entirely phonetically. It's hard for English speakers to read since it uses the same characters to represent different sounds (Yes, I have had to listen to Alan rave about how wonderful Welsh is...). The most confusing thing I find about Welsh is the way words 'mutate', that is to say their pronunciation changes depending on the syllable preceding or following them to make the sentence flow more easily.
It is sometimes useful to know a language that no-one else in the room speaks, and I think that this is one of Alan's reasons for learning, but I prefer Latin for this purpose. The structure is more logical.
Tux is Welsh!!! (Score:5, Funny)
Tux, the beloved Linux mascot is Welsh!
It's true! Tux is a penguin..
Penguin is derived from two Welsh words: Pen (head) and Gwynn (white)...
So (besides Alan) there is another link between Wales and Linux.
(That, and I've tripled your knowledge of the Welsh language
Re:Tux is Welsh!!! (Score:3, Funny)
Kinky
Love the headline (Score:4, Funny)
I think I saw this in an advertisement for granola.
mmmm... breakfasty
FYI, Red Hat Network Advisory (Score:3, Informative)
Synopsis: Updated 2.4 kernel fixes vulnerability
Advisory ID: RHSA-2003:098-00
Issue date: 2003-03-17
Updated on: 2003-03-17
Product: Red Hat Linux
Keywords: ptrace
Cross references:
Obsoletes: RHSA-2003:025-20 RHBA-2003:069-12
CVE Names: CAN-2003-0127
1. Topic:
Updated kernel packages for Red Hat Linux 7.1, 7.2, 7.3, and 8.0 are now
available. These packages fix a ptrace-related vulnerability that can
lead to elevated (root) privileges.
2. Relevant releases/architectures:
Red Hat Linux 7.1 - athlon, i386, i586, i686
Red Hat Linux 7.2 - athlon, i386, i586, i686
Red Hat Linux 7.3 - athlon, i386, i586, i686
Red Hat Linux 8.0 - athlon, i386, i586, i686
3. Problem description:
The Linux kernel handles the basic functions of the operating system.
A vulnerability has been found in version 2.4.18 of the kernel. This
vulnerability makes it possible for local users to gain elevated (root)
privileges without authorization. This advisory deals with updates to
Red Hat Linux 7.1, 7.2, 7.3, and 8.0.
All users of Red Hat Linux 7.1, 7.2, 7.3, and 8.0 should upgrade to
these errata packages, which contain patches to fix the vulnerability.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied, especially the additional
packages from RHSA-2002:205 and RHSA-2002:206.
The procedure for upgrading the kernel manually is documented at:
http://www.redhat.com/support/docs/howto/kernel
Please read the directions for your architecture carefully before
proceeding with the kernel upgrade.
Please note that this update is also available via Red Hat Network. Many
people find this to be an easier way to apply updates. To use Red Hat
Network, launch the Red Hat Update Agent with the following command:
up2date
This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system. Note that you need to select the kernel
explicitly on default configurations of up2date.
Time to patch my IIS^H^H^HKernel (Score:3, Interesting)
Those people willing to shout and holler at every serious issue, screaming bloody murder because someone got it wrong, really piss me off. Yes, people get it wrong; they write insecure code from time to time. This issue and a number of those before it show that Linux has as many opportunities for exploitation as any other OS.
Re:Time to patch my IIS^H^H^HKernel (Score:2, Insightful)
Too bad this was only exploitable locally. Any secure server would not have local access available to users. I have to agree, but not as a zealot. Bugs will happen but Linux development seems to have them patched instantly, whereas Microsoft's ploy is play dumb until the patch is released, and then act like they did it overnight.
I'm not going to patch. (Score:2, Insightful)
I hate when I choose to reply instead of mod
Re:I'm not going to patch. (Score:4, Funny)
Well, I, ahhh....
Shut up!
Would someone please mod my previous post down as "fingers faster than brain"?
Thank you.
Re:I'm not going to patch. (Score:3, Insightful)
EVERYBODY plays the odds:
FIRST: a user has to exploit *A* remote exploit. Which one? Could be anything. Most exploits are either popular services, or shots in the dark. Patch the popular services, and you've defeated 90% of the scans. Remember, there's safety in numbers, and the vast amount of hosts on the internet just makes it less likely you'll
Re:Time to patch my IIS^H^H^HKernel (Score:2)
Then we have timescale - the BBC are reporting here [bbc.co.uk] that the US Army were caught out by the Microsoft hole as much as 2 weeks ago, yet a patch didn't turn up until now. Here we have a patch before any known exploi
Hrm (Score:4, Funny)
Ah well
Known exploits? (Score:2)
Rus
Re:Known exploits? (Score:3, Funny)
local users to obtain full privileges. Remote exploitation of this hole is
not possible. Linux 2.5 is not believed to be vulnerable.
It isn't a remote exploit. Anyone who is foolish enough to attempt to h4X0r your b0X0rz with this vulnerability is within the normal attack range of a LART [bofh.net].
Please, do patch any affected machines you have as soon as possible, but don't *ahem* panic.
Soko
ptrace() again? (Score:5, Informative)
This is already at least the second problem somehow connected with ptrace() in the kernel. Kernels prior to 2.2.19 were vulnerable to a race-condition attack that enabled local users to gain root privileges. This was one of the most "famous" problems in recent years and it's known as the execve/ptrace exploit.
More details:
This vulnerability exploits a race condition in the 2.2.x Linux kernel within the execve() system call. By predicting the child-process sleep() within execve(), an attacker can use ptrace() or similar mechanisms to subvert control of the child process. If the child process is setuid, the attacker can cause the child process to execute arbitrary code at an elevated privilege. There are also other known lesser security issues with Linux kernels prior to 2.2.19 which have been noted as fixed.
To all the windows bashers... (Score:5, Interesting)
I hate to say it, but this is kind of refreshing. This isn't a troll, so don't get me wrong...I'm a Linux user myself. But after seeing the masses rip into MS yesterday when the thread about the IIS 5.0 hole was posted, I got a tad frustrated. Granted, I hate Microsoft as much as the next guy, but this just goes to show you that it's NOT just Microsoft that falls prey to holes and exploits. If it runs an OS, there's a chance it'll be cracked. Simple as that.
Hell, the Linux kernel is without a doubt one of the most audited open source projects out there, and this bug STILL didn't surface until 2.4.20. Of course, I applaud the speed and availability of patches and workarounds to the bug. Just remember, it happens to everyone.
Linux auditing (Score:4, Insightful)
Linux code gets a fair amount of review. But once it's there, there really isn't any auditing at all.
Re:To all the windows bashers... (Score:4, Insightful)
The IIS hole was a remote exploit including privilege escalation open to abuse by anybody on the Internet, and the kernel one was a local privilege escalation open to abuse by system users with shell access or other capability to run&abuse ptrace(). If you have untrusted local users, you should run them in a UML or vservers/ctx anyway so that if they escalate privileges, they still can't harm the system.
Plus, the IIS bug was found after US ARMY web sites [internetwk.com] were getting hacked, and the kernel bug was found by a developer that was auditing/working on part of the code and patch available before any bad guy got to it.
Stupid question... (Score:2)
not possible."
Does that mean you have to be at the keyboard, or does that mean you have to have access to the box itself? (a shutdown/restart exploit?)
Re:Stupid question... (Score:5, Informative)
This means that you have to already have an existing user account on the system, running in user space. You cannot exploit the box without having (control of) a user account.
If you are at the keyboard, you can usually get root instantly on Linux. "lilo: linux single"
Re:I don't think so (Score:4, Interesting)
How about with "linux init=/bin/sh"?
Re:Stupid question... (Score:4, Informative)
A local exploit means that the attacker must first be logged in as a local user (i.e. have a valid account, or have exploited a server daemon to obtain local, unprivileged access).
Attacks that require you to have physical access to the box are generally not classified, as these will always exist (through boot disks, etc), and thus are not audited for.
It is a common practice to use an insecure daemon to first get local access, then to use a local root hole, such as this one.
Hope that helps - the jargon is dense, but useful.
Root Kit (Score:2)
Jason
ProfQuotes [profquotes.com]
Re:Root Kit (Score:2)
No. Absolutely not.
You could check for specific rootkits which leave traces behind, but there is no way to find arbitrary rootkits.
Re:Root Kit (Score:3, Informative)
Doesn't help much though if the user has developed something of their own that flies below the radar. Chkrootkit doesn't hurt for a bit of peace of mind.
Dangit, Slashdot, mirror things like this (Score:5, Insightful)
Anyway, another copy [iu.edu] of the patch.
- Sam
Another copy of the patch online (Score:2)
This one seems to make a cleaner text patch than the last one I linked to.
- Sam (compiling the kernel as we speak)
Simple workaround (Score:5, Informative)
To prevent the exploit, give the kernel a bogus filename to use as modprobe, like this:
cat
If you only use kmod to load modules at boot time, you might consider having this run after all your other init scripts, say in rc.local.
Pat
Re:Simple workaround (Score:3, Informative)
Oops... While the above also happens to work, what I meant was more like this:
echo "/this/file/aint/there" >
Pat
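Added example, not code from the thread or either poster: a small POSIX shell script that applies the workaround the two posts above describe and checks whether it is in effect. It assumes the sysctl file the truncated commands write to is /proc/sys/kernel/modprobe (the kernel's kmod helper path, a fact about the kernel rather than something the posts spell out); the placeholder path /this/file/aint/there is the poster's.

```shell
#!/bin/sh
# Added example (not from the thread). The kernel execs the program named in
# /proc/sys/kernel/modprobe to auto-load modules (kmod); pointing it at a
# file that does not exist stops that code path from running anything.
# MODPROBE_SYSCTL can be overridden so the check can be exercised on a
# scratch file without root.
MODPROBE_SYSCTL="${MODPROBE_SYSCTL:-/proc/sys/kernel/modprobe}"
# Placeholder taken from the post above; any nonexistent path will do.
BOGUS_HELPER="/this/file/aint/there"

# modprobe_workaround_active [sysctl-file]
# Exit status 0 when the configured helper does not exist (workaround in
# effect), 1 when it names a real file (kmod can still exec it), 2 when the
# sysctl file itself cannot be read (e.g. a kernel built without kmod).
modprobe_workaround_active() {
    f="${1:-$MODPROBE_SYSCTL}"
    [ -r "$f" ] || return 2
    helper=$(cat "$f")
    [ -n "$helper" ] && [ ! -e "$helper" ]
}

# apply_modprobe_workaround [sysctl-file]
# Writes the bogus helper path. On a live system this needs root and should
# run only after every module you rely on has been loaded, which is why the
# poster suggests rc.local: module auto-loading stops working afterwards.
apply_modprobe_workaround() {
    f="${1:-$MODPROBE_SYSCTL}"
    printf '%s\n' "$BOGUS_HELPER" > "$f"
}

# report_modprobe_state [sysctl-file]
# Prints one status line for an admin and returns the check's exit status.
report_modprobe_state() {
    f="${1:-$MODPROBE_SYSCTL}"
    rc=0
    modprobe_workaround_active "$f" || rc=$?
    case $rc in
        0) echo "ok: kernel.modprobe = $(cat "$f") does not exist; kmod cannot exec it" ;;
        2) echo "n/a: $f is not readable (kernel without kmod?)" ;;
        *) echo "warning: kernel.modprobe = $(cat "$f") exists; kmod exec path is live" ;;
    esac
    return $rc
}

# Run directly:  sh modprobe_workaround.sh check    (or "apply", as root)
case "${1:-}" in
    apply) apply_modprobe_workaround && report_modprobe_state ;;
    check) report_modprobe_state ;;
esac
```

Undo it by writing the real helper path (normally /sbin/modprobe) back into the same sysctl file.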
Exploitable? (Score:5, Interesting)
I tried writing an exploit for this flaw, but I couldn't get far enough to inject any code. I managed to ptrace(PTRACE_ATTACH,
I'm not positive this is actually exploitable, but I'm not positive I took the correct approach, either. In any case, the most I've been able to do is spawn a slew of suspended root-owned processes. Not good, but not the end of the world, either. If someone has actually managed to exploit this flaw, I'd love to see some code so that I could see what I did wrong. Conversely, I'm willing to share the code I have upon request. I've only written code up to the current impasse, but once past this problem, the rest should be pretty trivial.
Re:Exploitable? (Score:4, Informative)
An anonymous writer at kerneltrap.org [kerneltrap.org] provided this link for a working exploit:
http://isec.pl/cliph/isec-ptrace-kmod-exploit.c [isec.pl]
Re:Mod Parent Down (Score:3, Informative)
If you'd actually like to read something on-topic, see Ben Pfaff's response to Alan's post. The short of it, "we're [i.e. you're free to do it!] working on a correct fix for all cases, this is just the quick sledgehammer."
http://www.uwsg.iu.edu/hypermail/linux/kernel/0
Patch won't apply to linux-2.4.20 (Score:5, Informative)
cd
mv linux-2.4.20 linux-2.4.20_OLD
bzcat
cd linux-2.4.20
patch -p1
fails at include/linux/sched.h
If you do 'patch -p1 -F 3' instead, it won't fail, but the fuzz factor obviously leads to a patch error, as the compilation breaks [as soon as include/linux/sched.h is included, BTW]
I mean, I appreciate knowing that my system is horribly vulnerable, but a WORKING FIX would sure be nice.
UNIX to Linux switch (Score:3, Insightful)
The beauty of the Linux and open-source worlds is that the code is available right before your very eyes and is subject to scrutiny, day-in and day-out. Commercial offerings are not available to the genera
get over it--your local system isn't secure anyway (Score:5, Insightful)
Of course, it is good that these kinds of bugs get fixed. Some people do run multiuser systems, and it provides an additional barrier against intrusions. But don't lose any sleep over it.
Incidentally, these kinds of exploits are probably rampant on Windows systems; there, people don't even bother looking for them because there are very few multiuser machines and most people have local Administrator privileges anyway. Also note that Microsoft didn't even try to get Windows certified secure for multiuser use.
Clean patch against 2.4.20 (Score:3, Informative)
This is probably way too late in the discussion to get seen, but Alan's patch won't apply cleanly to 2.4.20.
A clean patch can be found here:
http://www.hardrock.org/kernel/2.4.20/linux-2.4.20-ptrace.patch [hardrock.org]
Sorry if you get /.ed.
Re:Kernel Patches (Score:2, Funny)
Ummmmm, Ghostbusters?
KFG
Re:Linux disclosure procedures? (Score:3, Interesting)
2) I think you worry about crackers knowing, not hackers; hackers fix problems like this. Also, as anyone in a production environment knows, just because MS does not publish it does not mean that people don't know before they have a fix. Also the time to deploy an MS patch in production is much longer due to shutdowns and testing.
3) As opposed to almost *ALL* MS updates, which require a restart of every server in your company. Woo Hoo
Re:Linux disclosure procedures? (Score:3, Informative)
You will deploy Linux patches on production machines without testing?
Re:Linux disclosure procedures? (Score:2, Interesting)
A Windows vulnerability is discovered and it takes a week or more to get it taken care of.
The Linux kernel has a vulnerability and the patch is available immediately.
Noone ever said Linux/BSD is perfect (Score:3, Insightful)
And *nix is still a hell of a lot closer to perfect..
Re:This has to be erroneus. (Score:3, Funny)
It's bugs from code Billy-boy wrote under a pseudonym
Re:No need to panic... (Score:2)
The safest path is not to have anything potentially vulnerable in your servers, because these things will always come to light at the worst possible moment.
Re:No need to panic... (Score:5, Funny)
I run a box with no ethernet connection, no keyboard and no monitor.
When I want to be *extra* careful, I run it without the powercord.
Re:Huh? (Score:3, Funny)
Linux has security problems? I've been reading this site for so long, I thought that was only in Microsoft's domain.
We do want to make Windows users feel at home as they migrate to a Linux desktop. We don't expect 'em to go cold turkey right away.
Re:Don't forget us 2.0.x users. (Score:3, Informative)
Depends on the box. A better question is "what makes 2.2 or 2.4 better for me than 2.0?"
I have a few 2.0.x boxes kicking around that "just work".. they've never been down, there are no known exploits for them, and users would be pissed if I took them down to upgrade them.. so it just makes sense to leave them as is.
If I upgrade them, it's more work, not to mention the inevitable downtime.
If I leave them be, it's less work, with no gain (there's