Linux Security Hole
via Slashdot | 03/01/04 | Paul Starzetz
Posted on 03/07/2004 10:01:54 AM PST by Salo
Issue:
======
A critical security vulnerability has been found in the Linux kernel memory management code inside the mremap(2) system call due to missing function return value check. This bug is completely unrelated to the mremap bug disclosed on 05-01-2004 except concerning the same internal kernel function code.
(Excerpt) Read more at isec.pl ...
TOPICS: Technical
KEYWORDS: linux; lowqualitycrap; security
This is from a security bulletin linked at Slashdot.
1 posted on 03/07/2004 10:01:56 AM PST by Salo
To: rdb3; ShadowAce; B Knotts; Ernest_at_the_Beach
Pinging.
2 posted on 03/07/2004 10:02:59 AM PST by Salo
(You have the right to free speech - as long as you are not dumb enough to actually try it.)
To: Bush2000
Enjoy.
3 posted on 03/07/2004 10:03:19 AM PST by Salo
(You have the right to free speech - as long as you are not dumb enough to actually try it.)
To: John Robinson; B Knotts; stainlessbanner; TechJunkYard; ShadowAce; Knitebane; AppyPappy; jae471; ...
The Penguin Ping.
Wanna be Penguified? Just holla!

Got root?
4 posted on 03/07/2004 10:10:01 AM PST by rdb3
(The Servant of Jehovah is the Christ of Calvary and of the empty tomb. <><)
To: Salo
Looks like the latest 2.4 kernel (2.4.25 according to kernel.org) is safe, but all previous ones, including some 2.6.x versions, are vulnerable.
5 posted on 03/07/2004 10:19:34 AM PST by lelio
To: lelio
I wonder if we can sue SCO for this....;-)
6 posted on 03/07/2004 10:23:59 AM PST by Salo
(You have the right to free speech - as long as you are not dumb enough to actually try it.)
To: Salo
Fortunately, this is a local exploit, and not a remote one.
Frankly, it's nearly impossible to secure a machine against someone who's sitting right there. It's also far less common for the attacker to have physical access to the box they want to hack.
To: shadowman99
It wouldn't appear to me that they need physical access to the box. They just need to have a local account. If you don't have users of questionable integrity this exploit isn't an issue. I'm not going to be worrying about this one on my home boxes as I figure I can generally trust my family not to do malicious things.
Z
8 posted on 03/07/2004 10:33:45 AM PST by zeugma
(The Great Experiment is over.)
To: Salo
This one is sorta old, and has already been fixed in the latest kernels AFAIK.
9 posted on 03/07/2004 12:30:03 PM PST by B Knotts
To: Salo
Well, now I'm not sure...I thought this was the one fixed in 2.4.25, but 2.4.25 is vulnerable, according to the bulletin. Yet, 2.6.3 is apparently not vulnerable.
I run the openwall patch on my Internet-exposed machines. Hopefully, it already had the fix in 2.4.25-ow1
10 posted on 03/07/2004 12:43:31 PM PST by B Knotts
To: Salo
I checked, and, yes, the openwall patch for 2.4.25 does fix this one.
11 posted on 03/07/2004 12:44:43 PM PST by B Knotts
To: shadowman99
Fortunately, this is a local exploit, and not a remote one.
That's nonsense. You're only hoping that it's not a remote exploit:
"Since no special privileges are required to use the mremap(2) system call any process may use its unexpected behavior to disrupt the kernel memory management subsystem."
12 posted on 03/07/2004 2:42:12 PM PST by Bush2000
To: Bush2000
yeah - you might as well be using outlook for your email client....:-(
13 posted on 03/07/2004 5:14:25 PM PST by Salo
(You have the right to free speech - as long as you are not dumb enough to actually try it.)
To: Bush2000
"Proper exploitation of this vulnerability leads to local privilege escalation giving an attacker full super-user privileges." Go patch your firewall against Mydoom. The grown ups are having a talk.
To: shadowman99
Unless you've done a code review on every networked app that uses this API, you're full of crap. You're vulnerable.
15 posted on 03/08/2004 12:12:57 AM PST by Bush2000
To: Bush2000
Unless you've done a code review on every networked app that uses this API, you're full of crap. You're vulnerable.
More FUD from the FUDmeister. Your nickname should be Elmer.
Please, point out one single network aware application that would need to send user input to a memory remapping function. There would be none, because there would be no possible use for such a thing. The real risk with this bug is someone writing a specially crafted exploit program which runs as a normal user, performs the exploit, and allows the local user to assume UID(0) or EUID(0) or whatever.
16 posted on 03/08/2004 12:20:10 PM PST by adam_az
(Be vewy vewy qwiet, I'm hunting weftists.)
To: adam_az
Please, point out one single network aware application that would need to send user input to a memory remapping function. There would be none, because there would be no possible use for such a thing.
You're full of crap. You haven't code reviewed every networking app. You simply don't know whether anybody's using it. And, rather than do the heavy lifting, you just throw out the blanket assertion that "there would be no possible use for such a thing". Nice try. But your reassurances are worthless. Go hit the source trees -- then come back and tell me it's a non-issue. Until then, you're blowing smoke.
17 posted on 03/08/2004 3:44:22 PM PST by Bush2000
To: Bush2000
It's not a non-issue because you can prove that no network interaction can invoke a correctly incorrect call to the function. The blanket denial, while not provable, is common sense.
It's a non-issue because it is already fixed.
18 posted on 03/08/2004 3:49:42 PM PST by Dinsdale
To: B Knotts
I thought this was the one fixed in 2.4.25, but 2.4.25 is vulnerable
No, it isn't. Read the report carefully: 2.2.25 is vulnerable, 2.4.25 is not. Neither is 2.6.3.
19 posted on 03/08/2004 3:51:21 PM PST by Campion
To: Campion
Doh.
20 posted on 03/08/2004 3:56:07 PM PST by B Knotts
Disclaimer:
Opinions posted on Free Republic are those of the individual
posters and do not necessarily represent the opinion of Free Republic or its
management. All materials posted herein are protected by copyright law and the
exemption for fair use of copyrighted works.
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson