Flaw in Linux kernel allows attack
CNETAsia
| December 2 2003
| Robert Lemos
Posted on 12/01/2003 8:10:29 PM PST by yonif
To: Golden Eagle
Windows and Linux are victims of their own success, in the sense that they are popular targets for computer crackers.
I wouldn't call Linux 'behind the times' since it has had the ability to act as a personal firewall for a long time. In my opinion the developer's workstation was improperly configured, such as having services visible to the outside world and firewalling turned off. But yes, it could have been avoided.
41 posted on 12/02/2003 11:40:19 AM PST by Liberal Classic (No better friend, no worse enemy.)
To: Dominic Harr
Then why do MS-only sorts feel the need to 'ankle-bite' like this?
Look in the mirror, pal. You've made it very clear that you hold a grudge against M$ -- and your posts only confirm that.
42 posted on 12/02/2003 11:42:26 AM PST by Bush2000
To: Bush2000
So what? Can't have an opinion? You don't have a *cough* grudge *cough* against Linux? ;)
43 posted on 12/02/2003 11:46:31 AM PST by Liberal Classic (No better friend, no worse enemy.)
To: Liberal Classic
So what? Can't have an opinion? You don't have a *cough* grudge *cough* against Linux? ;)
Actually, no, I don't have a grudge against Linux. I have a Redhat box at home that I use on occasion, and I boot Knoppix (nice) whenever I need a quick-and-dirty Linux installation.
James Turner of Linux World magazine summed up my feelings perfectly about the OSS community:
"To sum up, the biggest problem that the Open Source community faces in taking Open Source to the next level is not some legal challenge or Microsoft marketing campaign. It's the immaturity and insecurity of some of the members of the community. As was once said in Pogo, We have met the enemy, and he is us."
They can't merely coexist with the Windows community. They have a rabid need to constantly tear it down. And I'm merely providing much-needed balance.
44 posted on 12/02/2003 11:57:20 AM PST by Bush2000
To: Liberal Classic
Still not a lot of technical information, but this is a general audience article. That seems to be all that is available about the hack, even the official debian responses have been limited.
First, a developer's workstation was compromised...
Even how this happened hasn't been disclosed yet, has it?
the article states a memory management bug was used...
Which is probably why the system was limping badly enough the admins noticed.
if you can find a package that the kernel depends on it may be possible to get super-user privilege
Which is of course exactly why kernel hacks are the worst, you have full access to all i/o ports and internal calls.
It's a shame that someone with skills enough to root several systems of seemingly high importance doesn't have a good job to keep them busy instead. But if all programmers become open source out-of-jobbies, this problem may grow.
To: Liberal Classic
In my opinion the developer's workstation was improperly configured, such as having services visible to the outside world and firewalling turned off.
Absolutely right, especially on a project of such high visibility. The bottom line with hackers is simple - you can never underestimate them or the angle they might take. So you have to do whatever you can to stop them. Nonetheless, ultimately the hackers are always the ones responsible for these incidents, and are IMO the equivalency of rodents.
To: rdb3; TechJunkYard; chance33_98; Calvinist_Dark_Lord; Dominic Harr; Bush2000; Nick Danger; ...
Tech Ping
Apologies to those already on this thread.
47 posted on 12/02/2003 12:26:39 PM PST by ShadowAce (Linux -- The Ultimate Windows Service Pack)
To: Bush2000
Okay, okay. You have a grudge against Harr, then. :P
48 posted on 12/02/2003 12:27:50 PM PST by Liberal Classic (No better friend, no worse enemy.)
To: Golden Eagle
You're right that the article doesn't go into detail because Debian hasn't released too many yet. I don't have any inside information and I'm just speculating but I bet money, marbles, and chalk the developer's workstation was the weak link.
Here's some more links:
Infoworld: Bug affects versions of Linux kernel prior to 2.4.23
They say this bug was fixed in September.
SearchEnterpriseLinux.com
The flaw, an integer overflow in the "brk" system call, enabled an attacker to compromise four Debian servers, sniff several passwords and install a root kit used to hit other servers.
Sniffed password used for Debian server compromise
"Somehow they got root on klecker and installed suckit. The same account was then used to log into master and gain root and install suckit there too. They then tried to get to murphy (which runs the mailing lists) with the same account. This failed because murphy is a restricted box that only a small subset of developers can log into," Troup said. "They then used their root access on master to access an administrative account used for backup purposes and used that to gain access to murphy. They got root on murphy and installed suckit there too. The next day they used a password sniffed on master to login into gluck, got root there and installed suckit."
theregister.co.uk
An encrypted program (encrypted using the TESO BurnEye obfuscator) used an overflow in brk() which allowed the user process to get executable access to kernel space. It's a local exploit, which was only possible because a hacker used a stolen password, then escalated the privileges. All passwords on one of the development machines were invalidated.
49 posted on 12/02/2003 12:32:44 PM PST by Liberal Classic (No better friend, no worse enemy.)
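An added illustration (not part of any post in this thread, and not the kernel's own code) of the bug class the excerpts quoted above name, an integer overflow in a range check: the sum of a start address and a length wraps in 32-bit arithmetic and slips past a limit test. The function names, the `USER_LIMIT` value and the sample requests are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed for illustration: top of user space in a 32-bit address space. */
#define USER_LIMIT 0xC0000000u

/* Flawed check: addr + len is computed in 32 bits and can wrap past zero,
 * so a huge len produces a small "end" that passes the comparison. */
static int range_ok_flawed(uint32_t addr, uint32_t len)
{
    uint32_t end = addr + len;              /* may wrap */
    return end <= USER_LIMIT;
}

/* Hardened check: compare len with the room left below the limit,
 * which avoids any addition that could wrap. */
static int range_ok_checked(uint32_t addr, uint32_t len)
{
    if (addr > USER_LIMIT)
        return 0;
    return len <= USER_LIMIT - addr;
}

int main(void)
{
    /* Constructed sample requests: {start address, length}. */
    static const uint32_t req[][2] = {
        {0x08050000u, 0x00001000u},   /* ordinary growth, stays in range   */
        {0xBFFFF000u, 0x00002000u},   /* crosses the limit, no wraparound  */
        {0xBFFFF000u, 0x40002000u},   /* sum wraps to 0x00001000           */
    };
    for (size_t i = 0; i < sizeof req / sizeof req[0]; i++)
        printf("addr=0x%08x len=0x%08x flawed=%d checked=%d\n",
               (unsigned)req[i][0], (unsigned)req[i][1],
               range_ok_flawed(req[i][0], req[i][1]),
               range_ok_checked(req[i][0], req[i][1]));
    return 0;
}
```

Only the third request separates the two checks: the flawed version accepts it even though the requested range runs past the limit.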
To: Bush2000
Indeed, FR is one of the few places online Linux can even be rationally discussed. Here's an interesting article about how "emotional charged" the recent SCO/IBM court case has become, and needless to say who is more fanatical about their choice of operating system.
http://www.internetnews.com/bus-news/article.php/3114961
To: Golden Eagle
To: ThinkPlease
Or you can download the Red Hat patches, which came out about 12 hours after release of the issue.
So was this the last and only remaining security hole in Linux?
Yes or No?
52 posted on 12/02/2003 12:46:19 PM PST by js1138
To: Liberal Classic
Good investigative work. Looks like their intrusion detection software may have helped alert them of the problem, unfortunately not many have that level of protection so you have to wonder who or what else might have already been hacked, or if other co-ordinated attacks took place elsewhere simultaneously.
You never can overestimate hackers, who they are and what their intentions are.
To: dwollmann
mi2g, the source of this "study" has no credibility, more here, and here.
Yet more evidence that the OSS community has a lot of growing up to do. Don't bother to address the complaints: Shoot the messenger.
54 posted on 12/02/2003 12:51:44 PM PST by Bush2000
To: Bush2000
They [The Open Source community -LC] can't merely coexist with the Windows community. They have a rabid need to constantly tear it down.
There are some extremists, sure. I make no apologies for Stallman and personally think he's an ass, but it is wrong to paint everybody as a Stallman.
And I'm merely providing much-needed balance.
You forgot the smiley on that. :)
55 posted on 12/02/2003 1:01:09 PM PST by Liberal Classic (No better friend, no worse enemy.)
To: Golden Eagle
Also their servers started going "oops" or having kernel panics, which was unusual. They shouldn't be waiting for system problems, but then again we don't live in a perfect world. Something tells me they will be examining their tripwire emails more regularly from now on.
56 posted on 12/02/2003 1:05:40 PM PST by Liberal Classic (No better friend, no worse enemy.)
To: dwollmann
Maybe, but that first link of yours is to attrition.org, one of the most well known hacker hangouts in existence, I would STRONGLY recommend freepers not surf there.
But for those that are willing, here is a sample of what they will find, such as this commentary piece entitled "The Bush News Network" posted as 'news':
http://www.attrition.org/news/
To: Bush2000
If you can't compile, you should learn how before you use Linux. It's not really that hard, certainly not any more difficult than making MS OE secure from worms.
To: Golden Eagle
For the record, there is no fear of linux by the well established.
Forgive me if I take that with a grain of salt, considering pretty much your entire career here at FR has been as an anti-Linux advocate.
I'm not even a 'Linux' type. I'm a Java developer, I'm OS agnostic. I like linux for dev use and servers only.
But your high-publicity campaign against Linux here just *screams* fear. As do the 'ankle-biting' responses of those taking glee at a minor slip by a relatively highly secure OS.
To: krinklyfig
If you can't compile, you should learn how before you use Linux. It's not really that hard, certainly not any more difficult than making MS OE secure from worms.
Ah. The OS for the rest of us.
60 posted on 12/02/2003 1:53:24 PM PST by js1138