Posted on 12/01/2003 8:10:29 PM PST by yonif
The Debian Project warned on Monday that a flaw in the Linux kernel helped attackers compromise four of the open-software project's development servers.
During several intrusions on Nov. 19, the flaw allowed an attacker who already had access to a server to remove the limitations that protected the system from everyday users. The technique is known as a privilege escalation.
The flaw had been found in September by members of the development team and had been fixed in the latest version of the core Linux software, or kernel. The fix came a bit late, however. The latest version of the kernel, 2.4.23, was released Friday, eight days after the Debian breach.
The Debian Project, which uses only truly open-source software in its make-up, stressed that the breaches hadn't affected the project's code base.
"Fortunately, we require developers to sign the upload (software) digitally," said Martin Schulze, a developer and member of the project. "These files are stored off site as well, which were used as a basis for a recheck."
The development team promised to lock all developer accounts until the flaw had been found and fixed. The team published patches for the flaw on Monday as well, but didn't specify when the accounts would be unlocked.
At least four servers had been compromised by the unknown attacker. The systems--known as master, murphy, gluck and klecker--had maintained the open-source project's bug tracking system, source code database, mailing lists, Web site and security patches.
The attacker gained access to one of the systems by compromising a developer's computer and installing a program to sniff out the characters typed on the developer's keyboard, according to a postmortem analysis published by the team Friday. When the programmer logged into the klecker system, the attacker recorded his password.
Using the September flaw, the attacker gained the same privileges on klecker as the owner. This is frequently referred to as "owning" the system. The flaw--in a part of the kernel that manages memory--allows only users that already have access to the system to raise their privileges. Such flaws are less critical than vulnerabilities that give an outside attacker access to a server and so are fixed less quickly.
The attacks have been the latest leveled at open-source software. In early November, an attacker attempted to corrupt the Linux kernel with a coding error that would have created a flaw with a similar effect to the one used against the Debian Project. A year ago, malicious attackers placed spyware into a popular open-source tool, tcpdump. A handful of other known attacks have been executed against other open-source projects as well.
The latest bug has been fixed in the most recent version of the Linux kernel, 2.4.23, and has also been patched in the next-generation of Linux since 2.6.0-test6, which was released in late September.
Despite a two-month delay in releasing a patch, Ian Murdock, the founder of Debian and the chairman of Linux distribution maintenance provider Progeny, praised the project team.
"All in all, the way the Debian guys handled the situation has been admirable: They have been open with what they found out, and the speed at which they have found things out has been quite quick," he said. Murdock is a developer on the team, but no longer has day-to-day administration duties.
That seems to be all that is available about the hack, even the official debian responses have been limited.
First, a developer's workstation was compromised...
Even how this happened hasn't been disclosed yet, has it?
the article states a memory management bug was used...
Which is probably why system was limping bad enough the admins noticed.
if you can find a package that the kernel depends on it may be possible to get super-user privilege
Which is of course exactly why kernel hacks are the worst, you have full access to all i/o ports and internal calls.
It's a shame that someone with skills enough to root several systems of seemingly high importance doesn't have a good job to keep them busy instead. But if all programmers become open source out-of-jobbies, this problem may grow.
Absolutely right, especially on a project of such high visibility. The bottom line with hackers is simple - you can never underestimate them or the angle they might take. So you have to do whatever you can to stop them. Nonetheless, ultimately the hackers are always the ones responsible for these incidents, and are IMO the equivalency of rodents.
Apologies to those already on this thread.
Here's some more links:
Infoworld: Bug affects versions of Linux kernel prior to 2.4.23
They say this bug was fixed in September.
The flaw, an integer overflow in the "brk" system call, enabled an attacker to compromise four Debian servers, sniff several passwords and install a root kit used to hit other servers.
Sniffed password used for Debian server compromise
"Somehow they got root on klecker and installed suckit. The same account was then used to log into master and gain root and install suckit there too. They then tried to get to murphy (which runs the mailing lists) with the same account. This failed because murphy is a restricted box that only a small subset of developers can log into," Troup said. "They then used their root access on master to access an administrative account used for backup purposes and used that to gain access to murphy. They got root on murphy and installed suckit there too. The next day they used a password sniffed on master to login into gluck, got root there and installed suckit."
An encrypted program (encrypted using the TESO BurnEye obfuscator) used an overflow in brk() which allowed the user process to get executable access to kernel space. It's a local exploit, which was only possible because a hacker used a stolen password, then escalated the privileges. All passwords on one of the development machines were invalidated.
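The brk() flaw described above is a bounds check defeated by integer overflow. As an added illustration, not the kernel's code and not part of this thread, the constructed C model below uses a hypothetical 32-bit TASK_SIZE to show how a range check that only compares start + len against the boundary passes a wrapped-around range, and how adding a wraparound test rejects it:

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of a kernel routine that accepts a user-supplied
 * (start, length) pair and must refuse any range that reaches into
 * kernel space. addr_t is fixed at 32 bits so the arithmetic behaves
 * the same on any host; TASK_SIZE is a hypothetical user/kernel split. */
typedef uint32_t addr_t;
#define TASK_SIZE ((addr_t)0xC0000000u)

/* Naive check: compares only the computed end of the range.
 * When start + len wraps past 2^32 the sum becomes small, so a range
 * that actually spans all of kernel space is accepted. */
bool range_ok_naive(addr_t start, addr_t len)
{
    addr_t end = (addr_t)(start + len);
    return end <= TASK_SIZE;
}

/* Hardened check: also detects the wraparound itself. For unsigned
 * arithmetic, end < start can only happen if the addition overflowed. */
bool range_ok_hardened(addr_t start, addr_t len)
{
    addr_t end = (addr_t)(start + len);
    if (end < start)            /* sum wrapped: reject outright */
        return false;
    return end <= TASK_SIZE;
}

int main(void)
{
    /* Constructed sample requests: an ordinary heap extension, a
     * length chosen to wrap the sum, and a range that plainly crosses
     * the boundary. */
    struct { addr_t start, len; } req[] = {
        { 0x08000000u, 0x00001000u },   /* small, legitimate */
        { 0x08000000u, 0xFFFFF000u },   /* wraps to 0x07FFF000 */
        { 0xBFFFF000u, 0x00002000u },   /* crosses TASK_SIZE */
    };
    for (size_t i = 0; i < sizeof req / sizeof req[0]; i++)
        printf("start=%08x len=%08x naive=%d hardened=%d\n",
               req[i].start, req[i].len,
               range_ok_naive(req[i].start, req[i].len),
               range_ok_hardened(req[i].start, req[i].len));
    return 0;
}
```

The second request is the instructive one: the naive check reports it as safe while the hardened check rejects it.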
So was this the last and only remaining security hole in Linux?
Yes or No?
There are some extremists, sure. I make no apologies for Stallman and personally think he's an ass, but it is wrong to paint everybody as a Stallman.
And I'm merely providing much-needed balance.
You forgot the smiley on that. :)
Forgive me if I take that with a grain of salt, considering pretty much your entire career here at FR has been as an anti-Linux advocate.
I'm not even a 'Linux' type. I'm a Java developer, I'm OS agnostic. I like linux for dev use and servers only.
But your high-publicity campaign against Linux here just *screams* fear. As do the 'ankle-biting' responses of those taking glee at a minor slip by a relatively highly secure OS.
Ah. The OS for the rest of us.