Bug in latest Linux gives untrusted users root access
Protections for some, but not all
A software developer has uncovered a bug in most versions of Linux that could allow untrusted users to gain complete control over the open-source operating system.
The null pointer dereference flaw was only fixed in the upcoming 2.6.32 release candidate of the Linux kernel, making virtually all production versions in use at the moment vulnerable. While attacks can be prevented by implementing a common feature known as mmap_min_addr, the RHEL distribution, short for Red Hat Enterprise Linux, doesn't properly implement that protection, Brad Spengler, who discovered the bug in mid October, told The Register.
What's more, many administrators are forced to disable the feature so their systems can run developer tools or desktop environments such as Wine.
The vulnerability was first reported by Spengler, a developer at grsecurity, a maker of applications that enhance the security of Linux. On October 22, he wrote a proof of concept attack for the local root exploit. Over the past few months, he has emerged as an outspoken critic of security practices followed by the team responsible for the Linux kernel.
"It's interesting to me that I picked it out two weeks before the people whose job it is to find this sort of stuff," he said Tuesday. "They've got entire teams of people and I'm just one person doing this in my free time."
In July, Spengler published a separate Linux exploit that drew considerable notice because it worked even when fully patched versions were running security enhancements. It targeted a separate null pointer dereference bug that was spawned when the OS was running SELinux, or Security-Enhanced Linux.
Spengler at the time criticized principal Linux developer Linus Torvalds for failing to take responsibility for the the critical issue, citing online comments in which he said: "That does not look like a kernel problem to me at all. He's running a setuid program that allows the user to specify its own modules. And then you people are surprised he gets local root?"
Spengler has also taken the Linux kernel developers to task for failing to fully disclose the extent of security bugs when they are patched.
The latest bug is mitigated by default on most Linux distributions, thanks to their correct implementation of the mmap_min_addr feature. But to make RHEL compatible with a larger body of applications, that distribution is vulnerable to attack even when the OS shows the feature is enabled, Spengler said.
"They're putting their users at risk," he said. "They're basically the only distribution that's still vulnerable to this class of attack."
A Red Hat spokeswoman said patches for the versions 4 and 5 of RHEL and MRG are available here. An update for RHEL 3 is in testing and should be released soon.
He said many other Linux users are also vulnerable because they run older versions or are forced to turn off the feature to run certain types of applications. ®
local = user can execute commands (a php script can too)
" Did i read right? This is a local exploit. Therefore the hacker needs to be actually at your computer? In that case not too big an issue."
@Loki 1: Pretty silly observation. You are right. It's not an issue until you host your website on a shared host (as most people do), and one of the other 100 users on that server decides he wants to root the box :) Because of this, there isn't much stopping him :)
That, and the fact the even the most innocuous web application vulnerability may lead to total compromise of the box, even though the web server runs on a low priv user (remember now we have a local root exploit :)) Haveing such a hole in your sistem is equivalent with running everything as root, and giving root access to every user/customer. It's something that asks for a deface.
@ Mike Gravgaard, 19:00
> Well Ubuntu 9.10 x64 is set to (...) 0
The problem lies with Wine packages for Ubuntu - they quietly install a new file in /etc/sysctl.d/ which overwrites Ubuntu's default setting (65536 - see another file in the same directory) with a zero... Why it has been done this way, especially given only Win16 applications require this, I've got no idea (being disturbingly familar with dpkg I know for a fact it would be trivial to have the installer ask whether you need to run Win16 applications, possibly explaining it's a potential risk) but it means everyone installing Wine vulnerable.
Solution: in /etc/sysctl.d, copy or move 10-process-security.conf (where the 64-kB limit is set) to something like 9999-process-security.conf. This will make sure that whatever other packages do to mmap_min_addr, the last value to be written there will be non-zero. Deleting files installed by Wine there would also work in the short run but they will likely be reinstalled when Wine is updated.
This is only FUD
I just checked my unpatched Ubuntu box here and that vulnerability isn't there. The guy that "found" this doesn't know what he's talking about.