Feeds

Clever attack exploits fully-patched Linux kernel

'NULL pointer' bug plagues even super max versions

The essential guide to IT transformation

A recently published attack exploiting newer versions of the Linux kernel is getting plenty of notice because it works even when security enhancements are running and the bug is virtually impossible to detect in source code reviews.

The exploit code was released Friday by Brad Spengler of grsecurity, a developer of applications that enhance the security of the open-source OS. While it targets Linux versions that have yet to be adopted by most vendors, the bug has captured the attention of security researchers, who say it exposes overlooked weaknesses.

Linux developers "tried to protect against it and what this exploit shows is that even with all the protections turned to super max, it's still possible for an attacker to figure out ways around this system," said Bas Alberts, senior security researcher at Immunity. "The interesting angle here is the actual thing that made it exploitable, the whole class of vulnerabilities, which is a very serious thing."

The vulnerability is located in several parts of Linux, including one that implements functions known as net/tun. Although the code correctly checks to make sure the tun variable doesn't point to NULL, the compiler removes the lines responsible for that inspection during optimization routines. The result: When the variable points to zero, the kernel tries to access forbidden pieces of memory, leading to a compromise of the box running the OS.

The "NULL pointer dereference" bug has been confirmed in versions 2.6.30 and 2.6.30.1 of the Linux kernel, which Spengler said has been incorporated into only one vendor build: version 5 of Red Hat Enterprise Linux that's used in test environments. The exploit works only when a security extension knows as SELinux, or Security-Enhanced Linux, is enabled. Conversely, it also works when audio software known as PulseAudio is installed.

An exploitation scenario would most likely involve the attack being used to escalate user privileges, when combined with the exploitation of another component - say, a PHP application. By itself, Spengler's exploit does not work remotely.

With all the hoops to jump through, the exploit requires a fair amount of effort to be successful. Still, Spengler said it took him less than four hours to write a fully weaponized exploit that works on 32- and 64-bit versions of Linux, including the build offered by Red Hat. He told The Register he published the exploit after it became clear Linus Torvalds and other developers responsible for the Linux kernel didn't regard the bug as a security risk.

"By the time I wrote the exploit, there was a fix floating around, but it didn't look like it was going to be going into any of the stable releases," he said. "It was just a trivial 'oops' instead of something that could give you arbitrary code execution in the kernel."

Comments that accompany Spengler's exploit code go on to detail statements Torvalds and other developers are said to have made in group emails discussing the bug.

"That does not look like a kernel problem to me at all," Torvalds is quoted as saying in one message. "He's running a setuid program that allows the user to specify its own modules. And then you people are surprised he gets local root?"

On that front, at least one security researcher agreed with the Linux team.

"Setuid is well-known as a chronic security hole," Rob Graham, CEO of Errata Security wrote in an email. "Torvalds is right, it's not a kernel issue, but it is a design 'flaw' that is inherited from Unix. There is no easy solution to the problem, though, so it's going to be with us for many years to come."

The larger point, Spengler said, is that the Linux developers are putting users at risk by failing to clearly disclose when security vulnerabilities have been discovered.

"Why is it that whenever there is an exploitable vulnerability in Linux, it's described as a denial of service?" he said. "It kind of makes the vendors think the security is better than it actually is."

Wherever the fault may lie, the potential damage is very real.

"It's not going to light the world on fire, but it is a very subtle bug and solid exploit," said Ed Skoudis, founder and senior security consultant for InGuardians. "The real story here is how subtle it is, and that the compiler itself introduced it during code optimization."

So far, Torvalds and company have yet to respond to the disclosure. We'll be sure to update this story if they do. ®

Next gen security for virtualised datacentres

More from The Register

next story
Ice cream headache as black hat hacks sack Dairy Queen
I scream, you scream, we all scream 'DATA BREACH'!
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Researchers camouflage haxxor traps with fake application traffic
Honeypots sweetened to resemble actual workloads, complete with 'secure' logins
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
New Snowden leak: How NSA shared 850-billion-plus metadata records
'Federated search' spaffed info all over Five Eyes chums
Three quarters of South Korea popped in online gaming raids
Records used to plunder game items, sold off to low lifes
Oz fed police in PDF redaction SNAFU
Give us your metadata, we'll publish your data
prev story

Whitepapers

5 things you didn’t know about cloud backup
IT departments are embracing cloud backup, but there’s a lot you need to know before choosing a service provider. Learn all the critical things you need to know.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Backing up Big Data
Solving backup challenges and “protect everything from everywhere,” as we move into the era of big data management and the adoption of BYOD.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?