Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Clever attack exploits fully-patched Linux kernel
07-22-2009, 03:56 AM,
#1
Clever attack exploits fully-patched Linux kernel
By Dan Goodin in San Francisco • Get more from this author

Posted in Security, 17th July 2009 22:32 GMT

Free whitepaper – The starter PKI program

A recently published attack exploiting newer versions of the Linux kernel is getting plenty of notice because it works even when security enhancements are running and the bug is virtually impossible to detect in source code reviews.

The exploit code was released Friday by Brad Spengler of grsecurity, a developer of applications that enhance the security of the open-source OS. While it targets Linux versions that have yet to be adopted by most vendors, the bug has captured the attention of security researchers, who say it exposes overlooked weaknesses.

Linux developers "tried to protect against it and what this exploit shows is that even with all the protections turned to super max, it's still possible for an attacker to figure out ways around this system," said Bas Alberts, senior security researcher at Immunity. "The interesting angle here is the actual thing that made it exploitable, the whole class of vulnerabilities, which is a very serious thing."

The vulnerability is located in several parts of Linux, including one that implements functions known as net/tun. Although the code correctly checks to make sure the tun variable doesn't point to NULL, the compiler removes the lines responsible for that inspection during optimization routines. The result: When the variable points to zero, the kernel tries to access forbidden pieces of memory, leading to a compromise of the box running the OS.

The "NULL pointer dereference" bug has been confirmed in versions 2.6.30 and 2.6.30.1 of the Linux kernel, which Spengler said has been incorporated into only one vendor build: version 5 of Red Hat Enterprise Linux that's used in test environments. The exploit works only when a security extension knows as SELinux, or Security-Enhanced Linux, is enabled. Conversely, it also works when audio software known as PulseAudio is installed.

An exploitation scenario would most likely involve the attack being used to escalate user privileges, when combined with the exploitation of another component - say, a PHP application. By itself, Spengler's exploit does not work remotely.

With all the hoops to jump through, the exploit requires a fair amount of effort to be successful. Still, Spengler said it took him less than four hours to write a fully weaponized exploit that works on 32- and 64-bit versions of Linux, including the build offered by Red Hat. He told The Register he published the exploit after it became clear Linus Torvalds and other developers responsible for the Linux kernel didn't regard the bug as a security risk.

"By the time I wrote the exploit, there was a fix floating around, but it didn't look like it was going to be going into any of the stable releases," he said. "It was just a trivial 'oops' instead of something that could give you arbitrary code execution in the kernel."

Comments that accompany Spengler's exploit code go on to detail statements Torvalds and other developers are said to have made in group emails discussing the bug.

"That does not look like a kernel problem to me at all," Torvalds is quoted as saying in one message. "He's running a setuid program that allows the user to specify its own modules. And then you people are surprised he gets local root?"

On that front, at least one security researcher agreed with the Linux team.

"Setuid is well-known as a chronic security hole," Rob Graham, CEO of Errata Security wrote in an email. "Torvalds is right, it's not a kernel issue, but it is a design 'flaw' that is inherited from Unix. There is no easy solution to the problem, though, so it's going to be with us for many years to come."

The larger point, Spengler said, is that the Linux developers are putting users at risk by failing to clearly disclose when security vulnerabilities have been discovered.

"Why is it that whenever there is an exploitable vulnerability in Linux, it's described as a denial of service?" he said. "It kind of makes the vendors think the security is better than it actually is."

Wherever the fault may lie, the potential damage is very real.

"It's not going to light the world on fire, but it is a very subtle bug and solid exploit," said Ed Skoudis, founder and senior security consultant for InGuardians. "The real story here is how subtle it is, and that the compiler itself introduced it during code optimization."

So far, Torvalds and company have yet to respond to the disclosure. We'll be sure to update this story if they do. ®
What kills me makes me stronger !

No favor asked no quarter given !

Your sitting in your comfort you don't believe I'm real,
You cannot buy protection from the way that I feel.

Reply
07-22-2009, 04:55 AM,
#2
Clever attack exploits fully-patched Linux kernel
Every electronic can be exploited somehow
[Image: Palestinian_Dawn_by_Palestinian_Pride.jpg]
Reply
07-22-2009, 05:13 AM,
#3
Clever attack exploits fully-patched Linux kernel
Quote:Every electronic can be exploited somehow

That's true. If it's built by man, it can be hacked by man.


:puter: :tux::alien:
“Today’s scientists have substituted mathematics for experiments, and they wander off through equation after
equation, and eventually build a structure which has no relation to reality. ” -Nikola Tesla

"When the power of love overcomes the love of power the world will know peace." -Jimi Hendrix
Reply
07-22-2009, 01:58 PM,
#4
Clever attack exploits fully-patched Linux kernel
Agreed but this is like a football field size hole in the hoover dam IMHO.Even hardened to the max it is no trouble to hack the kernel as I understand it but I'm still looking into this.Just have to wait and see.I know one thing trying to lock down the kernel with selinux is going to be a real pain for most.I'm not familiar with apparmor but I would imagine it would be just as bad.
What kills me makes me stronger !

No favor asked no quarter given !

Your sitting in your comfort you don't believe I'm real,
You cannot buy protection from the way that I feel.

Reply


Possibly Related Threads...
Thread Author Replies Views Last Post
  Linux mexika 24 2,266 05-02-2014, 04:56 PM
Last Post: nofunclub
  linux ICS questions JFK 4 712 10-14-2013, 10:47 AM
Last Post: JFK
  Linux Mint: Shipped with "Prism" Firefox profile Doomsticks 6 1,175 07-26-2013, 04:41 AM
Last Post: Doomsticks
Video Linux Appreciation (rock-n-roll style) Doomsticks 0 379 12-14-2012, 09:57 PM
Last Post: Doomsticks
  Linux users targeted by password-stealing 'Wirenet' Trojan Easy Skanking 1 626 09-02-2012, 09:22 AM
Last Post: h3rm35
  Oracle verdict double plus good for Linux movement h3rm35 0 464 06-06-2012, 12:55 AM
Last Post: h3rm35
  Linux talent shortage drives up salaries h3rm35 0 565 02-17-2012, 10:24 PM
Last Post: h3rm35
  Tails 0.10 released, a Linux live OS for privacy Telecaster72 0 875 01-13-2012, 12:48 AM
Last Post: Telecaster72
  Incognito - debian based Linux OS made with privacy in mind. Telecaster72 1 1,886 05-11-2011, 05:56 PM
Last Post: danny0085
  The Linux Chronicles, Pt1: From dot com Linux mania to something that actually works h3rm35 0 538 07-01-2010, 12:07 AM
Last Post: h3rm35

Forum Jump:


Users browsing this thread: 1 Guest(s)