Free Republic

Flaw in Linux kernel allows attack
CNETAsia | December 2, 2003 | Robert Lemos

Posted on 12/01/2003 8:10:29 PM PST by yonif

The Debian Project warned on Monday that a flaw in the Linux kernel helped attackers compromise four of the open-software project's development servers.

During several intrusions on Nov. 19, the flaw allowed an attacker who already had access to a server to remove the limitations that protected the system from everyday users. The technique is known as a privilege escalation.

The flaw had been found in September by members of the development team and had been fixed in the latest version of the core Linux software, or kernel. The fix came a bit late, however. The latest version of the kernel, 2.4.23, was released Friday, eight days after the Debian breach.

The Debian Project, which uses only truly open-source software in its make-up, stressed that the breaches hadn't affected the project's code base.

"Fortunately, we require developers to sign the upload (software) digitally," said Martin Schulze, a developer and member of the project. "These files are stored off site as well, which were used as a basis for a recheck."

The development team promised to lock all developer accounts until the flaw had been found and fixed. The team published patches for the flaw on Monday as well, but didn't specify when the accounts would be unlocked.

At least four servers had been compromised by the unknown attacker. The systems--known as master, murphy, gluck and klecker--had maintained the open-source project's bug tracking system, source code database, mailing lists, Web site and security patches.

The attacker gained access to one of the systems by compromising a developer's computer and installing a program to sniff out the characters typed on the developer's keyboard, according to a postmortem analysis published by the team Friday. When the programmer logged into the klecker system, the attacker recorded his password.

Using the September flaw, the attacker gained the same privileges on klecker as the owner. This is frequently referred to as "owning" the system. The flaw--in a part of the kernel that manages memory--allows only users that already have access to the system to raise their privileges. Such flaws are less critical than vulnerabilities that give an outside attacker access to a server and so are fixed less quickly.

The attacks are the latest leveled at open-source software. In early November, an attacker attempted to corrupt the Linux kernel with a coding error that would have created a flaw with an effect similar to the one used against the Debian Project. A year ago, malicious attackers placed spyware into a popular open-source tool, tcpdump. A handful of other known attacks have been executed against other open-source projects as well.

The latest bug has been fixed in the most recent version of the Linux kernel, 2.4.23, and has also been patched in the next-generation of Linux since 2.6.0-test6, which was released in late September.

Despite a two-month delay in releasing a patch, Ian Murdock, the founder of Debian and the chairman of Linux distribution maintenance provider Progeny, praised the project team.

"All in all, the way the Debian guys handled the situation has been admirable: They have been open with what they found out, and the speed at which they have found things out has been quite quick," he said. Murdock is a developer on the team, but no longer has day-to-day administration duties.


TOPICS: Business/Economy; Crime/Corruption; Culture/Society; Extended News; News/Current Events; Technical
KEYWORDS: computertsecurity; kernel; linux; lowqualitycrap

1 posted on 12/01/2003 8:10:29 PM PST by yonif
[ Post Reply | Private Reply | View Replies]
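As an added example (not from the article, Debian or the kernel project), a small check a defender could run against `uname -r` to see whether a running kernel is older than the fixed releases the article names: 2.4.23 on the stable branch and 2.6.0-test6 on the development branch. The branch handling and the "unknown" result for other branches are assumptions of this example; a distribution kernel that backported the fix without changing its version string would still be reported as affected, so treat the result as a prompt to check the vendor's advisory, not as proof.

```python
import re
import subprocess

# Fixed releases named in the article: 2.4.23 on the stable branch and
# 2.6.0-test6 on the development branch. Treating older kernels on those
# branches as affected, and every other branch as unknown, is an
# assumption of this example rather than a statement from the article.
FIXED_STABLE = (2, 4, 23)
FIXED_DEVEL_TEST = 6  # 2.6.0-test6

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-test(\d+))?")


def parse_kernel_version(release):
    """Parse a `uname -r` string such as '2.4.22-1-686' or '2.6.0-test5'.

    Returns (major, minor, patch, test); test is None for a final release.
    Vendor suffixes after the version number are ignored.
    """
    m = _VERSION_RE.match(release.strip())
    if not m:
        raise ValueError("unrecognised kernel release: %r" % release)
    major, minor, patch, test = m.groups()
    return (int(major), int(minor), int(patch),
            int(test) if test is not None else None)


def kernel_status(release):
    """Return 'affected', 'fixed' or 'unknown' for a kernel release string.

    A version string cannot see a distribution's backported fix, so a
    patched vendor kernel with an old version number still reads 'affected'.
    """
    major, minor, patch, test = parse_kernel_version(release)
    if (major, minor) == (2, 4):
        return "fixed" if (major, minor, patch) >= FIXED_STABLE else "affected"
    if (major, minor) == (2, 6):
        if patch > 0 or test is None:
            return "fixed"  # 2.6.0 final or later already carries the fix
        return "fixed" if test >= FIXED_DEVEL_TEST else "affected"
    return "unknown"  # 2.2, 2.5 and others are not covered by the article


if __name__ == "__main__":
    running = subprocess.run(["uname", "-r"], capture_output=True,
                             text=True).stdout
    print(running.strip(), "->", kernel_status(running))
```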

To: yonif; Noumenon; Bush2000; PatrioticAmerican; TheEngineer; Golden Eagle; Coral Snake; old-ager; ...


2 posted on 12/01/2003 8:16:14 PM PST by Incorrigible
[ Post Reply | Private Reply | To 1 | View Replies]

To: yonif
Whoever these hackers are they are completely to blame for exploiting the Debian Linux servers, but there are still some issues for Debian and the Linux "community" to work out:

- One of the lead programmers' workstations was rooted; how did this happen?

- The workstation break-in ultimately resulted in several of the core servers supporting a mainstream version of Linux being owned by outsiders who could have covered their tracks or left misleading info.

- The security hole was not known to be a security problem until the breach; it was simply thought by the developers to be buggy but not exploitable, which is why the fix wasn't backported.

- The hole is actually in the kernel itself, not a subsystem or application.

- The hole is in many other versions of Linux, but only 3 of the countless distros have yet released a patch.

Again, IMO the hackers always deserve near 100% of the blame in these attacks. Funny how the Linux crowd probably agrees, THIS TIME.
3 posted on 12/01/2003 8:30:23 PM PST by Golden Eagle
[ Post Reply | Private Reply | To 1 | View Replies]

To: yonif
Sometimes I despair of making Microsoft systems completely secure, but man... those Linux guys eat their own. At least in the Microsoft world, the battle lines are a bit clearer.
4 posted on 12/01/2003 8:43:35 PM PST by Joe Bonforte
[ Post Reply | Private Reply | To 1 | View Replies]

To: yonif
This cannot be correct. My Linux using friends swear to me that Linux is secure.
5 posted on 12/01/2003 8:46:19 PM PST by twntaipan (Liberalism: The Rot on the Dung Heap of Humanity)
[ Post Reply | Private Reply | To 1 | View Replies]

To: adam_az
This may be of interest...
6 posted on 12/01/2003 8:50:15 PM PST by yonif ("If I Forget Thee, O Jerusalem, Let My Right Hand Wither" - Psalms 137:5)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Incorrigible
LOL! I hadn't seen that one.
7 posted on 12/01/2003 9:01:19 PM PST by DeathAngel
[ Post Reply | Private Reply | To 2 | View Replies]

To: Golden Eagle
The hole is in many other versions of Linux, but only 3 of the countless distros have yet released a patch.

What do you mean by that? You can download the source for the 2.4.23 kernel for the past week and compile yourself.
8 posted on 12/01/2003 9:09:38 PM PST by lelio
[ Post Reply | Private Reply | To 3 | View Replies]

To: yonif
Now Linux can really compete against Windows! :)
9 posted on 12/01/2003 9:22:28 PM PST by toupsie
[ Post Reply | Private Reply | To 1 | View Replies]

To: twntaipan
"This cannot be correct. My Linux using friends swear to me that Linux is secure."

Yes, I also doubt that this security problem is true. I have been told by Linux users of the vast superiority of their operating system.

But what do I know, I am a lowly Windows user, my mind cannot fathom the operating system/religion that is Linux.
10 posted on 12/01/2003 9:30:17 PM PST by ryanjb2
[ Post Reply | Private Reply | To 5 | View Replies]

To: rdb3
ping
11 posted on 12/01/2003 9:43:33 PM PST by honeygrl (FreeRepublic.com "The Crack Cocaine of Conservative News Discussion")
[ Post Reply | Private Reply | To 1 | View Replies]

To: lelio
Just what I said, only 3 distros have so far released a patch for the vulnerable users who don't care for a full kernel upgrade, for whatever their personal reasons may be.

http://lwn.net/Alerts/
12 posted on 12/01/2003 9:47:07 PM PST by Golden Eagle
[ Post Reply | Private Reply | To 8 | View Replies]

To: Incorrigible

13 posted on 12/01/2003 10:02:54 PM PST by Delta 21
[ Post Reply | Private Reply | To 2 | View Replies]

To: N3WBI3
bump
14 posted on 12/01/2003 10:14:00 PM PST by RnMomof7
[ Post Reply | Private Reply | To 1 | View Replies]

To: lelio
What do you mean by that? You can download the source for the 2.4.23 kernel for the past week and compile yourself.

Everyone, be sure to pass this on to your mom, dad, siblings, cousins, etc. Get compiling, everyone, compile!
15 posted on 12/01/2003 11:06:34 PM PST by Bush2000
[ Post Reply | Private Reply | To 8 | View Replies]

To: Golden Eagle
Linux/UNIX is as Vulnerable as Windows
16 posted on 12/01/2003 11:07:19 PM PST by Bush2000
[ Post Reply | Private Reply | To 12 | View Replies]

To: Bush2000
MS-pantload.
17 posted on 12/01/2003 11:17:35 PM PST by tubavil
[ Post Reply | Private Reply | To 16 | View Replies]

To: tubavil
boy... lucky for me I hide my linux servers behind a firewall... just like all my other servers.

Lucky me.
18 posted on 12/01/2003 11:21:56 PM PST by Ramius
[ Post Reply | Private Reply | To 17 | View Replies]

To: lelio
you forget the ms addicts...
they are looking for a patch that you pay for, and push a button.

the idea of typing in the code by hand, hurts their sense of addiction, nobody to "fix" it for them ya know... and they don't have to "wait" for their "supplier" to get them a "fix" for their problem... what would they do?

the concept of actually commenting out offending lines of source code, replacing them with the "fix" by hand... and recompiling...
brings on a panic attack "What if I type it in wrong?"

roflmao...
"update my kernel myself? you gotta be kidding! gasp!"
19 posted on 12/01/2003 11:27:16 PM PST by Robert_Paulson2 (robert... the rino... LWMPTBHFTOSTA....)
[ Post Reply | Private Reply | To 8 | View Replies]

To: lelio
allowed an attacker who already had access to a server to remove the limitations

Imagine that, someone with prior "root access" was able to attack the computer system he already had access to, operating it in a malicious way, and was even able to give equal access to other people not previously allowed into the system!

roflmao...

Geeze, I guess if I can crash my own unix box, using root access, or let others in to do it using my access permissions, I have found a REAL hole in the program.

kinda like this?

Yeah I found zillions of those "holes" in root user security when I used Microslop... crashed my own machine, a couple dozen times a week... little did I know I had found a viable security exploit!

20 posted on 12/01/2003 11:37:02 PM PST by Robert_Paulson2 (robert... the rino... LWMPTBHFTOSTA....)
[ Post Reply | Private Reply | To 8 | View Replies]

