Clever attack exploits fully-patched Linux kernel

[DaBees-Knees]

http://www.theregister.co.uk/2009/07/17/linux_kernel_exploit/

NULL pointer' bug plagues even super max versions

A recently published attack exploiting newer versions of the Linux kernel is getting plenty of notice because it works even when security enhancements are running and the bug is virtually impossible to detect in source code reviews.

The exploit code was released Friday by Brad Spengler of grsecurity, a developer of applications that enhance the security of the open-source OS. While it targets Linux versions that have yet to be adopted by most vendors, the bug has captured the attention of security researchers, who say it exposes overlooked weaknesses.


Linux developers "tried to protect against it and what this exploit shows is that even with all the protections turned to super max, it's still possible for an attacker to figure out ways around this system," said Bas Alberts, senior security researcher at Immunity. "The interesting angle here is the actual thing that made it exploitable, the whole class of vulnerabilities, which is a very serious thing."

The vulnerability is located in several parts of Linux, including one that implements functions known as net/tun. Although the code correctly checks to make sure the tun variable doesn't point to NULL, the compiler removes the lines responsible for that inspection during optimization routines. The result: When the variable points to zero, the kernel tries to access forbidden pieces of memory, leading to a compromise of the box running the OS.

The "NULL pointer dereference" bug has been confirmed in versions 2.6.30 and 2.6.30.1 of the Linux kernel, which Spengler said has been incorporated into only one vendor build: version 5 of Red Hat Enterprise Linux that's used in test environments. The exploit works only when a security extension knows as SELinux, or Security-Enhanced Linux, is enabled. Conversely, it also works when audio software known as PulseAudio is installed.

An exploitation scenario would most likely involve the attack being used to escalate user privileges, when combined with the exploitation of another component - say, a PHP application. By itself, Spengler's exploit does not work remotely.

With all the hoops to jump through, the exploit requires a fair amount of effort to be successful. Still, Spengler said it took him less than four hours to write a fully weaponized exploit that works on 32- and 64-bit versions of Linux, including the build offered by Red Hat. He told The Register he published the exploit after it became clear Linus Torvalds and other developers responsible for the Linux kernel didn't regard the bug as a security risk.

"By the time I wrote the exploit, there was a fix floating around, but it didn't look like it was going to be going into any of the stable releases," he said. "It was just a trivial 'oops' instead of something that could give you arbitrary code execution in the kernel."

Comments that accompany Spengler's exploit code go on to detail statements Torvalds and other developers are said to have made in group emails discussing the bug.

"That does not look like a kernel problem to me at all," Torvalds is quoted as saying in one message. "He's running a setuid program that allows the user to specify its own modules. And then you people are surprised he gets local root?"

On that front, at least one security researcher agreed with the Linux team.

"Setuid is well-known as a chronic security hole," Rob Graham, CEO of Errata Security wrote in an email. "Torvalds is right, it's not a kernel issue, but it is a design 'flaw' that is inherited from Unix. There is no easy solution to the problem, though, so it's going to be with us for many years to come."

The larger point, Spengler said, is that the Linux developers are putting users at risk by failing to clearly disclose when security vulnerabilities have been discovered.

"Why is it that whenever there is an exploitable vulnerability in Linux, it's described as a denial of service?" he said. "It kind of makes the vendors think the security is better than it actually is."

Wherever the fault may lie, the potential damage is very real.

"It's not going to light the world on fire, but it is a very subtle bug and solid exploit," said Ed Skoudis, founder and senior security consultant for InGuardians. "The real story here is how subtle it is, and that the compiler itself introduced it during code optimization."

So far, Torvalds and company have yet to respond to the disclosure. We'll be sure to update this story if they do.

A heads up for Linux users.  

[Forested665]

I would like to point out that previously mentioned in the article the only Operating system with a precompiled binary is RHEL5 this means centos 5 users are also affected as downstream users.

I spent most of yesterday compiling this kernel and null pointers can be disabled in the kernel config menu though im not sure what adverse affects it would have.

accessing a forbidden section of memory usually leads to a kernel panic and a shut down so you will know if you are affected. Upon installation of those distrobutions you are presented with a first boot configuration menu where you can disable SELinux if you wish.

For alternatives to pulseaudio you can try one of these
Alsa http://www.alsa-project.org/main/index.php/Main_Page
ESD http://ftp.gnome.org/pub/gnome/sources/esound/0.2/
OSS http://www.opensound.com/
NAS http://nas.sourceforge.net/
arts daemon http://www.arts-project.org/
or jack http://jackaudio.org/

[ñòóKýçrÕôK]

Anything to do with code, be it linux or windws can have an exploit. Granted this is the first I've heard of for linux. I bet it won't be the last. As more users migrate to linux to eascape the monotony of windows machines it's inevitable that more n more hacks will surface in order to break these OSes as well as windows OSes.

[Forested665]

This attacks werent intentional nooks. And the problem is due to an error on the devs at kernel.org who imo have butchered the kernel ever since 2.6.17 concentrating on defualt feature modules instead of the performance that brought linux to fame.

[ñòóKýçrÕôK]

NULL pointer' bug plagues even super max versions

With all the hoops to jump through, the exploit requires a fair amount of effort to be successful. Still, Spengler said it took him less than four hours to write a fully weaponized exploit that works on 32- and 64-bit versions of Linux, including the build offered by Red Hat. He told The Register he published the exploit after it became clear Linus Torvalds and other developers responsible for the Linux kernel didn't regard the bug as a security risk.

"By the time I wrote the exploit, there was a fix floating around, but it didn't look like it was going to be going into any of the stable releases," he said. "It was just a trivial 'oops' instead of something that could give you arbitrary code execution in the kernel."


The larger point, Spengler said, is that the Linux developers are putting users at risk by failing to clearly disclose when security vulnerabilities have been discovered.

"Why is it that whenever there is an exploitable vulnerability in Linux, it's described as a denial of service?" he said. "It kind of makes the vendors think the security is better than it actually is."

It was very much intentional to show that there was an exploit. Read it again. It states it in black n white there with the reason and what I said is very much true. As more users migrate to linux, more exploits will be found. Everyone knows this to be true and people have been saying it for years.

[Forested665]

Also if you note the devs knew of the bug before it was ever exploited.

he published the exploit after it became clear Linus Torvalds and other developers responsible for the Linux kernel didn't regard the bug as a security risk.

If you stick with software from your repository you should be safe, Most distrobutions test packaged software extensively before it is uploaded to a repo for users to install.
If you are compiling from source then you should know the risk anyways.

[ñòóKýçrÕôK]

Regardless, it was intentional, as I said. I'm sure this is not the first exploit in linux, just the first I've known of. I'm almost positive there have been more before and will be more after. No software is safe. If it's written by a person another person can break it. As we have seen here.

[Forested665]

Its not hard to exploit linux at all nook, the devs just did some minor work. There are several projects deleted from sourceforge each day because of malicous code. And there are virus scanners for linux. The only difference is that these exploits dont just happen without the user installing these items. You cant go to a web page or download the program and it corrupt your system.

[ñòóKýçrÕôK]

Its not hard to exploit linux at all nook,

I was pretty sure of that in my first post about it

There are several projects deleted from sourceforge each day because of malicous code.

As with any software written pretty much anywhere.

The only difference is that these exploits dont just happen without the user installing these items. You cant go to a web page or download the program and it corrupt your system.

As I said. Not yet. BUT, as more users migrate to linux, it will most definately be targeted more from more areas. Not just controlled environments. LUCKILY that's all it was was a controlled environment. You know you can make your arguement all day long but my original post said the same thing I just said in this post. It was true then and it's true now and nothing you've said since your original reply to my post has changed any of that. If the person who found this exploit by installing the softwares they did could find it that way, then it stands to reason someone else eventually would have also.

[Forested665]

but you dont grasp my point.
even if someone else found the bug you cant install it on someone elses system.

You can get the file sinto someone elses pc the same way virsuses are put into windows but it cant execute. and if it did somehow work as a binary it would be in usermode and wouldnt have the required access levels to affect the system without the owner going into terminal typing the command "sudo <name of malicious bug>" and then entering the password.
I can go install pulse audio but without root access it wont affect the system.

You can call this malicous and a target but i dont see any evidence of linux being targetted here. The man simple stated that pulse audio and SELinux trigger a bug in the kernels code. This is hardly a virus or an exploit. I know you have heard of the upper filters bug where the dvd drive disappears in xp and vista but iis not labelled as a virus or an exploit.

[ñòóKýçrÕôK]

Spengler said it took him less than four hours to write a fully weaponized exploit that works on 32- and 64-bit versions of Linux,

Then what do you call what he did? I would imagine by weaponized it means it did it itself?

[White Stripes]

there -are- quite a few hoops to jump through if someone with ill intent were to install something as root on a linux box without there being a -serious- kernel flaw;

first the browser then an app thats set uid root or other flaw that will let you get out of userspace and gain root privelages... you would need to -know- both or all you can do is,  trash the users home directory.... doable? yes... but harder... (dont forget all those servers out there running linux that have been hacked... then patched then hacked another way then patched... so user linux has a server history to fall back on... its by far not starting from scratch...)

the good? now for the flip side of the coin; windows as far back as the original NT can be protected this way too.... how? create two seperate accounts.... one thats 'administrator' and one thats a 'limited user' (original NT may call it something different)....

the bad part? you have to install apps as administrator since the limited user wouldnt be able to.... the 'program files' directory would be read only to that user...... so they would have to run it in the folders owned by them...

the ugly part? winamp winmx and who knows how many other programs out there that expect to be able to write to the same directory that they were installed in (drive:\program files\program directory) instead of using the directory ment for such use which is 'documents and settings' or 'user' (its set as an environment variable so they can find the users directory wherever it is)... many of these apps also dont give the options to create icons or a start menu entries for 'everyone or just me' (i know youve seen that question asked... -those- are the apps written properly... and theres no excuse for them not to be since the seperation for mainstream windows was planned and mapped out as far back as windows 98SE)... so you have to basically have to just 'hope' it works as a user.... (winmx doesnt... thats why it has to be run with admin rights in vista)

the plain nasty? once again that title goes to IE.... since its part of the system and not standalone you can pretty much go anywhere with a drive by download flaw unless, like in vista, IEs components are 'sandboxed' while surfing the web.... (and lets hope that sandbox doesnt spill)

unfortunatly vistas methods arent a full fix (tho granted a big step for windows) and are more of a 'lets hold the user by the hand and hope we dont trip' annoyance...

[White Stripes]

Then what do you call what he did? I would imagine by weaponized it means it did it itself?

possibly... but only if SELinux is enabled or pulseaudio installed... else it would do nothing or a kernel panic (kernel panic is linux bsod)

[Forested665]

and even then the user has to install it and give it permissions

[ñòóKýçrÕôK]

first the browser then an app thats set uid root or other flaw that will let you get out of userspace and gain root privelages... you would need to -know- both or all you can do is,  trash the users home directory.... doable? yes... but harder... (dont forget all those servers out there running linux that have been hacked... then patched then hacked another way then patched... so user linux has a server history to fall back on... its by far not starting from scratch...)

Say what you want John, it is possable, as I said. For the life of me I cannot figure why you keep wanting to argue the same points over n over again. I get what you said. You're not getting what I said. It CAN happen. It DOES happen. It WILL happen MORE in the future. How hard is that to grasp?

[White Stripes]

An exploitation scenario would most likely involve the attack being used to escalate user privileges, when combined with the exploitation of another component - say, a PHP application. By itself, Spengler's exploit does not work remotely.

it could hitch a ride on a program that was suid root (remember the mpg123 overflow that allowed for self-deleting mp3s?) to get root else it just gets user permissions... as in the php script example... usually the user 'nobody'.... (i hope to hell the php script is running as 'nobody' or a similar style account).... but then use the null pointer to ride on the linux kernel itself without causing a kernel panic somehow (getting into 'theory territory' here)...

i think this spengler guy is just after some attention cos it would take some serious creativity to effectively use this particular bug to get root.... (if im reading the article right anyway)

[ñòóKýçrÕôK]

I just wish I could get a little more detail as to what he meant weaponized. I would hardly consider "weaponized" giving a program access yourself on your own kernel system to try and prove a point. If that is the case it makes everything John says exactly true. If it is the case he made it do it to another users kernel then what I said is exactly true. I do however realize that we're both right in a way but I would like to see something definitive on it.

**oh and I'm inclined to agree with you on dude looking for attention.

[Forested665]

Looks like your starting to understand nook. This guy is giving himself a BSOD on purpose to tell the devs to fix a bug. bugs like this happen in every release but its nearly impossible to infect another users system with it. What he is ultimately doing is preventing distrobutions from updating to the new kernel. Quite a few do use SELinux and a handfull use pulseaudio by defualt so this could leave thousands of users with a useless system after they compile the updates.

I think an email is in order here to answer a few questions.
A) If he modified the SELinux code or the pulse audio code.
B) How this new code would acquire the privledges it needs to execute on another system  -  Abusing setuid... somehow
C) how he plans to get it into another system

[ñòóKýçrÕôK]

It doesn't say he did it to himself or someone else and I've understood all along. So you are mistaken in thinking I didn't. Perhaps if said what he actually did we could figure it out. I for one am very curious as to what he did exactly. Weaponized means to have equipped it to attack, so all I can assume by that is that he made it to go into other users machines. We need details.

[Forested665]

Thats why i sent him an email.
But it seems stripes is leading down a better road, upon looking at his site.
http://grsecurity.net/

He has what is basically UAC for setuid for download on the front page, but Alot of its "features" look to cause greater instability then this bug.