Bug in latest Linux gives untrusted users root access
Protections for some, but not all
A software developer has uncovered a bug in most versions of Linux that could allow untrusted users to gain complete control over the open-source operating system.
The null pointer dereference flaw was only fixed in the upcoming 2.6.32 release candidate of the Linux kernel, making virtually all production versions in use at the moment vulnerable. While attacks can be prevented by implementing a common feature known as mmap_min_addr, the RHEL distribution, short for Red Hat Enterprise Linux, doesn't properly implement that protection, Brad Spengler, who discovered the bug in mid October, told The Register.
What's more, many administrators are forced to disable the feature so their systems can run developer tools or desktop environments such as Wine.
The vulnerability was first reported by Spengler, a developer at grsecurity, a maker of applications that enhance the security of Linux. On October 22, he wrote a proof of concept attack for the local root exploit. Over the past few months, he has emerged as an outspoken critic of security practices followed by the team responsible for the Linux kernel.
"It's interesting to me that I picked it out two weeks before the people whose job it is to find this sort of stuff," he said Tuesday. "They've got entire teams of people and I'm just one person doing this in my free time."
In July, Spengler published a separate Linux exploit that drew considerable notice because it worked even when fully patched versions were running security enhancements. It targeted a separate null pointer dereference bug that was spawned when the OS was running SELinux, or Security-Enhanced Linux.
Spengler at the time criticized principal Linux developer Linus Torvalds for failing to take responsibility for the the critical issue, citing online comments in which he said: "That does not look like a kernel problem to me at all. He's running a setuid program that allows the user to specify its own modules. And then you people are surprised he gets local root?"
Spengler has also taken the Linux kernel developers to task for failing to fully disclose the extent of security bugs when they are patched.
The latest bug is mitigated by default on most Linux distributions, thanks to their correct implementation of the mmap_min_addr feature. But to make RHEL compatible with a larger body of applications, that distribution is vulnerable to attack even when the OS shows the feature is enabled, Spengler said.
"They're putting their users at risk," he said. "They're basically the only distribution that's still vulnerable to this class of attack."
A Red Hat spokeswoman said patches for the versions 4 and 5 of RHEL and MRG are available here. An update for RHEL 3 is in testing and should be released soon.
He said many other Linux users are also vulnerable because they run older versions or are forced to turn off the feature to run certain types of applications. ®