Free Republic
News/Activism

Ancient Fork Bomb Attack Takes Down Linux...
SecurityFocus.com ^ | Mar 16 2005 03:43PM PT | Jason Miller

Posted on 03/19/2005 6:59:08 PM PST by Bush2000

Linux Kernel Security, Again
by Jason Miller, SecurityFocus.com

It's a sad day when an ancient fork bomb attack can still take down most of the latest Linux distributions.

While investigating some reports of recent Unix compromises, I ran into a message from the SecurityFocus Incidents mailing list that was forwarded to me by the moderator, Daniel Hanson. It was a lengthy post detailing the compromise of a Linux machine. The post contained an awkward IRC-based discussion between the server administrator and the guy who had broken into the machine.

Reading through this discussion, I discovered the following exchange which immediately piqued my interest:

[15:16:53] <@darks> but I mean, I could have killed ur box
[15:17:04] <+IronBar> no, you couldn't have.
[15:17:08] <@darks> wanna bet ?
[15:17:27] <@darks> forkbomb it

I'll admit that I thought his statement was pretty funny. How did this guy expect to bring down a Linux machine by fork bombing it as a non-root user? Not being as intimately familiar with the various Linux distributions as I am with the three BSDs, I figured that I'd have a quick peek into his claim and see what happens.

I wrote up a very simple bourne shell script on my work machine, which runs Mandrake Linux, and executed it under my non-privileged account. Within seconds, the machine was brought to its knees -- totally crippled and unusable. I stared at my screen in disbelief for a few moments, totally stunned with what had just happened.

After the deer-in-headlights look had left my face, I gave my head a shake and started to question my belief that none of the BSD machines that I administer were susceptible to this truly ancient attack. I'll admit that I held my breath for a few seconds as I keyed the script into my NetBSD laptop, and then ran it. I was pleasantly surprised when the attack had no effect, confirming that I wasn't losing my mind after all -- limits had been put in place to prevent a normal user from crippling the entire system. Exactly as one would expect.



I then proceeded to fork bomb every Unix machine I could get my hands on. My FreeBSD server at home shrugged it off (even after inviting other connected users to try), as did my OpenBSD gateway. This, too, is exactly what I expected to happen.

Next, I asked several of my associates who use Linux to try it out on their machines, and we didn't have to go far to find more Linux distributions that succumbed to the same painfully effective fork bomb attack. Both Gentoo and Red Hat followed in the footsteps of Mandrake, and each died quicker than you can say "unreasonable default settings." I'll quickly mention here that Debian did not suffer the same fate as the others; congrats to the Debian development team.

For those who are not aware, let me briefly explain the cause of fork bombing. First, the shell must be configured to operate with what I consider to be unreasonable limits. This itself has nothing to do with the kernel. Second, the kernel must allow many more processes to be created than should be. Since shells often default to the maximum number of processes supported by the kernel, together we have a problem.

While the fork bomb example clearly isn't a kernel-specific problem, it is a Linux problem -- and it's something that the kernel could certainly have prevented.

For the record, I hope that anyone out there running Linux is just as surprised as I was that this ancient attack still works on the default installation of so many high profile Linux distributions. I personally don't understand how usability can supersede security when the consequences are so grave.



Why the kernel is so important

When you look at the security of an operating system, everything relies on the kernel. If you can compromise the kernel, the game is over. If you look at security as a game of chess, check-mating your opponent would be analogous to a root-level compromise; in other words, you just lost. However, in keeping with our analogy, a kernel-level compromise would mean the attacker can wipe the entire board away with just one of his pawns, should he choose to do so. That's pretty bad.

For this reason, the kernel is a special case in security, and it needs special attention from the developers to ensure that it's not susceptible to tampering.

Security is not a product

I said it in my last article, but I need to say it again. Security must be a part of the kernel, not something that gets added in by a select few who probably have the least use for it. There are so many great projects that add security to the Linux kernel. GRSecurity and PaX come to mind immediately. But these products could do so much more if they, or at least some portions of their technology, were included in the base Linux kernel.

Many features of PaX are already present in OpenBSD (W^X), and NetBSD has started to support non-executable pages. Again I must ask, why are products like GRSecurity and PaX, or at a minimum their non-intrusive features, not ending up in the base Linux kernel?

Please, we must make security a priority and not something that has to be patched into the kernel. The whole idea of having to patch in security features, many of which are perfect candidates for inclusion in the base distribution in the first place, is ridiculous.

Make proactive security a priority

According to the SecurityFocus vulnerability database, there have been 21 vulnerabilities reported in the Linux kernel in 2005. I don't want to use this as a metric of security, because as we know, vulnerabilities happen. But where do we draw the line? Twenty-one vulnerabilities in the kernel in less than 3 months? Am I the only one who thinks this is excessive? When will we understand that even though vulnerabilities happen, it doesn't mean that we have to let them happen? The point is, some of these vulnerabilities could have been avoided with a proactive approach to secure programming.

Sometimes it seems like developers are giving up the security battle far too easily. Just as people should not rely on chroot() for security, any given implementation of chroot should not be escapable in some trivial way either. Even though a local user should be somewhat trusted, that doesn't mean you should hand them a silver platter with the ability to take down the entire machine. This attitude that there is any one panacea really bothers me. All of these issues I mentioned should be legitimate concerns.

There are kernel-specific issues and there are issues specific to individual distributions that are not clearly kernel developer problems. But from my perspective as a security analyst and researcher, all of these issues work together to become an operating system, and they have negatively affected my perspective of "Linux security."

Don't get me wrong. Linux doesn't suck. But I do believe that the Linux kernel team (and some of the Linux distributions that are still vulnerable to fork bombing) need to take proactive security a little more seriously. I'm griping for a reason here -- things need to change.

Let's end things on a positive note, though. In case you had any doubt: if I had to maintain a large critical server infrastructure, you can bet I'd still choose Linux over Windows any day of the week.


TOPICS: Business/Economy; Technical
KEYWORDS: linux; lowqualitycrap; microsoft; secureitaint; shill
Repeat after me: Open source provides better security ... and a million monkeys typing will produce works of Shakespeare ... BWAHAHAHAHAHAHAHAHAHAHAHAHAHA!!!
1 posted on 03/19/2005 6:59:08 PM PST by Bush2000

To: Bush2000

I hate Linux.


2 posted on 03/19/2005 7:08:31 PM PST by jwalburg (Those buried included children still clutching toys)

To: Bush2000

There's no such thing as a free lunch...you just haven't been charged for it yet. Similarly, there's no such thing as attack-proof software (or hardware)...it just hasn't attracted the attention of the world class hackers yet.


3 posted on 03/19/2005 7:09:14 PM PST by E=MC² (...And on the 666th day, satan created the demonrat party.)

To: jwalburg

You prefer Windows?


4 posted on 03/19/2005 7:11:31 PM PST by Spktyr (Overwhelmingly superior firepower and the willingness to use it is the only proven peace solution.)

To: Bush2000

It's better than Microsoft's security through obscurity. And with open software, you can hire your own programmer to fix the problem instead of waiting months to years for the vendor to provide a patch, if ever. (Hello, Microsoft?)


5 posted on 03/19/2005 7:12:56 PM PST by Spktyr (Overwhelmingly superior firepower and the willingness to use it is the only proven peace solution.)

To: Bush2000
I crashed all of my Linux machines in the same way back in 1996. Great job on the stability, goombs.

For the record, this exploit has never once affected a single one of my BSD boxes. Har de har har.

6 posted on 03/19/2005 7:15:23 PM PST by detsaoT (insert hot-button issue here.)

To: Bush2000
No, no, no, this cannot be true. EVERYONE knows that Microsoft, and ONLY Microsoft systems are vulnerable to attacks like this. Open Source is invincible! Open Source Pwns! Open Source Rules, baby! Linux rules the world! This is a lie! It's not true! It must be a Microsoft PR trick. Is Karl Rove involved? Sun spots! That's what it is! (cough cough) It sucks when the ivory tower you've built falls apart, doesn't it?

Well, no need for open-source fanatics or Microsoft haters to prepare lunch for tomorrow. Crow all around! Eat hearty, boys and girls, then hurry and fix your systems.

7 posted on 03/19/2005 7:18:06 PM PST by Jokelahoma (Animal testing is a bad idea. They get all nervous and give wrong answers.)

To: Bush2000

This is not possible. Everyone knows Linux is un-hackable, and Microsoft is full of holes.


8 posted on 03/19/2005 7:20:52 PM PST by Uncle Miltie (Impotent [birthrates] Lazy [unemployment %] Cowardly [Militarily Unprepared] Euroweenies!)

To: Bush2000
This is a really dumb article.

The fork() command is NOT an exploit. It's just a unix system call that anyone who has done any unix system programming knows about.

To say that this is a linux security flaw is as ridiculous as claiming that the "del" command in Windows's dos box is a security flaw. Anyone can bring down a Windows machine by typing something like "del \windows\*.exe" or something like that. Does this mean Windows has a serious security flaw? Of course not.

And what makes it even more absurd is the fact that the fork system call exists in Windows too! (because Windows is posix-compliant). So everything claimed in this article about linux applies to Windows.

Anyways, any sysadmin worth a dime knows not to allow non-privileged users to run fork() in an infinite loop or anything similar.

9 posted on 03/19/2005 7:30:55 PM PST by Decombobulator

To: Bush2000
Not to discount the flaw here but very few Linux boxes on the net allow shell access. There's no need for it with Web Servers, Mail servers, Firewalls, File Servers or the like. Any Network Administrator/Engineer that gives shell access to someone without knowing them (and their bank account # :) ought to have his job and title pulled immediately.

Let's end things on a positive note, though. In case you had any doubt: if I had to maintain a large critical server infrastructure, you can bet I'd still choose Linux over Windows any day of the week.

10 posted on 03/19/2005 7:58:04 PM PST by ohCompGk

To: Decombobulator
The thing is, on a default Windows install (I think -- been a while), a user can't del C:\windows because he doesn't have permission. Any user on Linux, however, can type :(){ :&:;};: into the terminal and bomb his machine. (Imagine BillG or Steve Ballmer doing this at the Longhorn release gala to demonstrate the superiority of their OS.) The admin will come down on him with the wrath of God, but he can do it. If Osama gets a shell account on a CIA computer, but doesn't have read or write access to any files, and can't get out of a chroot jail, he can still bomb it.

I assume he can also do it on Windows, but it would probably take a bit more work than typing one line at a command prompt. Either a crazy batch file or a binary.

The issue, I think, is that most Linux distributions don't have sane ulimits set, or don't have an easy way for them to be set during the install process. Given the message traffic on the Redhat list and Linux websites -- consisting mostly of, "It's the admin's fault, man ulimit, hurr hurr hurr," -- this won't be fixed, or if it is, very quietly.

11 posted on 03/19/2005 8:00:46 PM PST by Caesar Soze

To: Bush2000

I've been running Debian since 2000. Looks like I chose wisely.


12 posted on 03/19/2005 9:45:05 PM PST by B Knotts

To: Bush2000

The other thing is...this is pretty dumb. It assumes shell access, and non-existent administration.

I know that if I was going to have shell users, I'd pay a lot closer attention to /etc/security/limits.conf.


13 posted on 03/19/2005 9:47:55 PM PST by B Knotts
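The article attributes a successful fork bomb to two settings working together: the per-user process limit the shell inherits (what the ulimit mentioned in comment 11 controls) and the kernel's global process ceiling. Comment 13 points at /etc/security/limits.conf as the place to cap the former. The script below is an added example, not code from the article, from either commenter, or from any distribution: it reads the current per-user nproc limit and the kernel's pid_max and threads-max, decides whether the per-user cap sits below the kernel ceiling, and prints an illustrative limits.conf fragment. The 1024/2048 values and the "sane" rule (a limit must exist and be lower than the kernel ceiling) are assumptions for illustration; size them to the machine's real workload.

```shell
#!/bin/sh
# Added example (not from the article or the thread): audit the two settings
# the article blames for a successful fork bomb on Linux, the per-user
# process limit (ulimit -u, RLIMIT_NPROC) and the kernel-wide process ceiling,
# and show the limits.conf lines that cap non-root users.

# Soft and hard per-user process limits as inherited by this shell.
# On Linux, "unlimited" is the default the article calls unreasonable.
nproc_soft() { ulimit -S -u 2>/dev/null || echo n/a; }
nproc_hard() { ulimit -H -u 2>/dev/null || echo n/a; }

# Kernel-wide ceilings (Linux /proc paths; "n/a" on other systems).
kernel_pid_max()     { cat /proc/sys/kernel/pid_max     2>/dev/null || echo n/a; }
kernel_threads_max() { cat /proc/sys/kernel/threads-max 2>/dev/null || echo n/a; }

# Sanity rule (an assumption for this example): a per-user limit is sane only
# if it exists and is strictly below the kernel ceiling, otherwise one user
# can exhaust the whole process table.
# Usage: nproc_is_sane <user_limit> <kernel_max>   -> exit status 0 if sane
nproc_is_sane() {
    user_limit=$1
    kernel_max=$2
    case "$user_limit" in
        unlimited|n/a|'') return 1 ;;
    esac
    case "$kernel_max" in
        n/a|'') return 0 ;;   # no kernel figure to compare against; a cap exists
    esac
    [ "$user_limit" -lt "$kernel_max" ]
}

# Fragment for /etc/security/limits.conf (applied by pam_limits at login).
# The numbers are illustrative placeholders, not recommended values.
limits_conf_hardening() {
    cat <<'EOF'
# /etc/security/limits.conf (illustrative values; size to your workload)
*        soft    nproc   1024
*        hard    nproc   2048
root     soft    nproc   unlimited
EOF
}

# Human-readable report for the current machine.
report() {
    soft=$(nproc_soft); hard=$(nproc_hard)
    pidmax=$(kernel_pid_max); thr=$(kernel_threads_max)
    echo "per-user nproc:  soft=$soft hard=$hard"
    echo "kernel ceilings: pid_max=$pidmax threads-max=$thr"
    if nproc_is_sane "$hard" "$pidmax"; then
        echo "OK: per-user process limit is capped below the kernel ceiling"
    else
        echo "WARNING: a single user can exhaust the process table"
        echo "Suggested cap:"
        limits_conf_hardening
    fi
}

report
```

Run it as an ordinary user (`sh nproc_audit.sh`) on a freshly installed system to see which of the two settings is at fault. Note that limits.conf only affects sessions that go through pam_limits; services started by init or a scheduler need their own limits, and the hard limit is what matters because a user can raise the soft limit up to it.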

To: Bush2000

14 posted on 03/19/2005 9:51:52 PM PST by Hank Rearden (Never allow anyone who could only get a government job attempt to tell you how to run your life.)

To: Bush2000

My,my! This can really "fork" up a person's computer. If it happens to you, you can say you have just been "forked."


15 posted on 03/20/2005 2:54:12 AM PST by DH

To: Caesar Soze
But most people use linux as nothing more than a desktop OS so there is no reason for linux to come with all the security measures out of the box which would just make everything more complicated.

There are lots of ways to bring Windows down by typing a single command at the dos prompt. This is not unique to Linux.

16 posted on 03/20/2005 7:43:56 AM PST by Decombobulator

To: Decombobulator
How to tell if your son is a computer hacker:

Is your son obsessed with "Lunix"?

BSD, Lunix, Debian and Mandrake are all versions of an illegal hacker operation system, invented by a Soviet computer hacker named Linyos Torovoltos, before the Russians lost the Cold War. It is based on a program called "xenix", which was written by Microsoft for the US government. These programs are used by hackers to break into other people's computer systems to steal credit card numbers. They may also be used to break into people's stereos to steal their music, using the "mp3" program. Torovoltos is a notorious hacker, responsible for writing many hacker programs, such as "telnet", which is used by hackers to connect to machines on the internet without using a telephone.

Your son may try to install "lunix" on your hard drive. If he is careful, you may not notice its presence, however, lunix is a capricious beast, and if handled incorrectly, your son may damage your computer, and even break it completely by deleting Windows, at which point you will have to have your computer repaired by a professional.

If you see the word "LILO" during your windows startup (just after you turn the machine on), your son has installed lunix. In order to get rid of it, you will have to send your computer back to the manufacturer, and have them fit a new hard drive. Lunix is extremely dangerous software, and cannot be removed without destroying part of your hard disk surface.

Has your child asked for new hardware?

Computer hackers are often limited by conventional computer hardware. They may request "faster" video cards, and larger hard drives, or even more memory. If your son starts requesting these devices, it is possible that he has a legitimate need. You can best ensure that you are buying legal, trustworthy hardware by only buying replacement parts from your computer's manufacturer.

If your son has requested a new "processor" from a company called "AMD", this is genuine cause for alarm. AMD is a third-world based company who make inferior, "knock-off" copies of American processor chips. They use child labor extensively in their third world sweatshops, and they deliberately disable the security features that American processor makers, such as Intel, use to prevent hacking. AMD chips are never sold in stores, and you will most likely be told that you have to order them from internet sites. Do not buy this chip! This is one request that you must refuse your son, if you are to have any hope of raising him well.

Are you finding programs on your computer that you don't remember installing?

Your son will probably try to install some hacker software. He may attempt to conceal the presence of the software in some way, but you can usually find any new programs by reading through the programs listed under "Install/Remove Programs" in your control panel. Popular hacker software includes "Comet Cursor", "Bonzi Buddy" and "Flash".

The best option is to confront your son with the evidence, and force him to remove the offending programs. He will probably try to install the software again, but you will be able to tell that this is happening, if your machine offers to "download" one of the hacker applications. If this happens, it is time to give your son a stern talking to, and possibly consider punishing him with a grounding.

17 posted on 03/20/2005 7:52:04 AM PST by Decombobulator

To: ShadowAce

Sincerely interested in your thoughts on this.


18 posted on 03/20/2005 8:04:56 AM PST by clyde asbury (Out on the road today, I saw a DEADHEAD sticker on a Cadillac.)

To: Bush2000
For those who don't know what a fork bomb is and want a simple explanation

The takeaway here is you can't just throw any OS out there without securing it.

19 posted on 03/20/2005 8:10:13 AM PST by Doohickey ("This is a hard and dirty war, but when it's over, nothing will ever be too difficult again.")

To: Caesar Soze
Nor can a user "rm -fr /" on a Linux box, for lack of permissions. You're comparing (eating) bricks to oranges. There's a difference between removing system files from the disk, and forcing a reboot. The former is much more destructive to most configurations.

Compare the length of the list of Windows DOS exploits (99), to the length of the list of Linux DOS exploits (22), at the Denial of Service Database, before you waste too much time trying to claim that Linux is seriously deficient in comparison to Windows, on this matter.

20 posted on 03/20/2005 11:11:42 AM PST by ThePythonicCow (To err is human; to moo is bovine)

