Debian Hack Update (yep, it's a root exploit/kernel issue - get yer patches now)
debian-security-announce@lists.debian.org | 1 Dec 2003 | Wichert Akkerman
Posted on 12/01/2003 2:40:12 PM PST by general_re
Package : kernel-image-2.4.18-1-alpha, kernel-image-2.4.18-1-i386, kernel-source-2.4.18
Vulnerability : userland can access full kernel memory
Problem type : local
Debian-specific: no
CVE Id(s) : CAN-2003-0961
Recently multiple servers of the Debian project were compromised using a Debian developer's account and an unknown root exploit. Forensics revealed a burneye-encrypted exploit. Robert van der Meulen managed to decrypt the binary, which revealed a kernel exploit. Study of the exploit by the RedHat and SuSE kernel and security teams quickly revealed that the exploit used an integer overflow in the brk system call. Using this bug it is possible for a userland program to trick the kernel into giving access to the full kernel address space. This problem was found in September by Andrew Morton, but unfortunately that was too late for the 2.4.22 kernel release.
This bug has been fixed in kernel version 2.4.23 for the 2.4 tree and 2.6.0-test6 kernel tree. For Debian it has been fixed in version 2.4.18-12 of the kernel source packages, version 2.4.18-14 of the i386 kernel images and version 2.4.18-11 of the alpha kernel images.
(Excerpt) Read more at lists.debian.org ...
TOPICS: Miscellaneous
KEYWORDS: debian; kernel; linux; lowqualitycrap; root
Follow-up to earlier thread...get yer kernel patches while they're hot...
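The advisory attributes the bug to an integer overflow in a range computation on the user/kernel boundary. The following is an added illustration of that class of bug and its check, not part of the original post and not the kernel's code; the boundary constant `TASK_SIZE_MODEL`, the function names and the sample inputs are assumptions constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumption: 32-bit address space with the user/kernel boundary at 3 GiB,
   the usual i386 split. Addresses at or above this belong to the kernel. */
#define TASK_SIZE_MODEL 0xC0000000u

/* Naive check: the sum is computed in 32 bits and can wrap past zero,
   so a huge len makes the end look like a small user address. */
static int range_ok_naive(uint32_t addr, uint32_t len)
{
    uint32_t end = addr + len;          /* may wrap */
    return end <= TASK_SIZE_MODEL;
}

/* Hardened check: reject the wrap first, then apply the boundary. */
static int range_ok_checked(uint32_t addr, uint32_t len)
{
    uint32_t end = addr + len;
    if (end < addr)                     /* wrapped around 2^32 */
        return 0;
    return end <= TASK_SIZE_MODEL;
}

/* Equivalent form that uses no wrapping arithmetic at all. */
static int range_ok_subtract(uint32_t addr, uint32_t len)
{
    return addr <= TASK_SIZE_MODEL && len <= TASK_SIZE_MODEL - addr;
}

int main(void)
{
    /* Constructed inputs: (start, length) pairs. */
    const uint32_t cases[][2] = {
        { 0x08050000u, 0x00001000u },   /* ordinary heap growth */
        { 0xBFFFF000u, 0x00002000u },   /* crosses the boundary, no wrap */
        { 0xBFFFF000u, 0xFFFFF000u },   /* spans kernel space, sum wraps */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        uint32_t a = cases[i][0], l = cases[i][1];
        printf("addr=0x%08x len=0x%08x naive=%d checked=%d subtract=%d\n",
               (unsigned)a, (unsigned)l, range_ok_naive(a, l),
               range_ok_checked(a, l), range_ok_subtract(a, l));
    }
    return 0;
}
```

Only the third input separates the checks: its end address wraps back below the boundary, so the naive comparison accepts a range that the other two reject.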
To: rdb3
Once more from the top...
2 posted on 12/01/2003 2:42:04 PM PST by general_re (Knife goes in, guts come out! That's what Osaka Food Concern is all about!)
To: general_re
Got Root?
3 posted on 12/01/2003 2:49:50 PM PST by Orangedog
To: general_re
Thanks for posting.
4 posted on 12/01/2003 2:58:55 PM PST by lelio
To: general_re
This information is coming out slowly and solely in geekspeak but I think I understand the following things so far:
- This affects more than just Debian versions of Linux, although patches have only been provided for a couple of other versions of Linux so far - http://lwn.net/Alerts/
- They still aren't sure how the original "debian developer" account was compromised, best theory is a sniffer although no evidence actually exists of that.
- This vulnerability was not known to exist until it was exploited; it had been taken out in the newest releases, not because it was determined to be exploitable but rather because it appeared to be buggy.
Despite these still ongoing problems in getting the patches fully developed and distributed it is important to remember that as always the blame for hacks lies solely with the hackers, something the linux fanatics should remember next time they feel the need to bash other operating systems and their users.
To: Golden Eagle
There was an earlier post that was akin to the situation you describe - nobody knew much, basically. This latest post appears to resolve the issue, however.
6 posted on 12/01/2003 5:57:13 PM PST by general_re (Knife goes in, guts come out! That's what Osaka Food Concern is all about!)
To: general_re
Which of my issues are you referring to? I understand that the developer account wasn't root capable, and that an at the time unknown exploit raised that account to root, but AFAIK they really have no evidence as to how that local account was first compromised.
If it was actually 'sniffed' as they seem to be guessing, why weren't they encrypting their traffic in the first place?
To: general_re
What? But only Microsoft products allow 'exploits'...right?
8 posted on 12/01/2003 6:14:10 PM PST by boris (The deadliest Weapon of Mass Destruction in History is a Leftist With a Word Processor)
To: Golden Eagle
The way I read this latest post is that they've dropped the sniffing theory for the moment, and are looking at a local compromise - i.e., not a remote exploit at all, but someone with physical access to the machines.
9 posted on 12/01/2003 8:10:11 PM PST by general_re (Knife goes in, guts come out! That's what Osaka Food Concern is all about!)
To: boris
No, only microsoft products allow exploits to linger for weeks at a time, while linux generally gets them fixed within days, if not hours.
To: general_re; Noumenon; Bush2000; PatrioticAmerican; TheEngineer; Golden Eagle; Coral Snake; ...
To: flashbunny
...linux generally gets them fixed within days, if not hours.
If they know about it. Hate to say it, but if this rootkit hadn't started barfing all over the place, it'd still be sitting there, silent as the grave, watching everything. And it wouldn't have made a difference if the Deb folks had patched the machines after the fact, because at that point, the damage is done, and there's no need for the attacker to repeat the feat of gaining entry - he's already in. They got lucky, plain and simple.
12 posted on 12/01/2003 8:30:48 PM PST by general_re (Knife goes in, guts come out! That's what Osaka Food Concern is all about!)
To: general_re
13 posted on 12/01/2003 11:04:32 PM PST by Bush2000