Clever attack exploits fully-patched Linux kernel

For discussions about security.
Lobster
Official Crustacean
Posts: 15522
Joined: Wed 04 May 2005, 06:06
Location: Paradox Realm

Clever attack exploits fully-patched Linux kernel

#1 Post by Lobster »

Hi Guys
Been keeping my eyes open so our warrior worriers
have something to get their energy into :wink:
http://www.theregister.co.uk/2009/07/17 ... l_exploit/

Not sure if it is applicable
but may be of interest . . .
Puppy Raspup 8.2Final 8)
Puppy Links Page http://www.smokey01.com/bruceb/puppy.html :D

prehistoric
Posts: 1744
Joined: Tue 23 Oct 2007, 17:34

This is real, if you allow attackers to get that far.

#2 Post by prehistoric »

The null-pointer de-reference vulnerability has been around for ages. The compiler optimization which removes the code which checks for this illustrates the serious problem of preserving semantics during optimization.

If you look for errors in preserving semantics, you can find them. Many optimizations could be characterized as "I hope this makes things faster without breaking anything". The surprise is not that he found such, it is the size of the class of vulnerabilities exposed.

In addition to actual problems of preserving well-defined semantics, there is the problem that many people writing code do not understand the precise semantics of the constructs they are using. This leads to another class of vulnerabilities, which might be classed as psychological. (Here's an example: if an integer is equal to its negation, it must be zero. Right?)

Linus is right in saying that no one should be surprised about attackers gaining root privileges if you let them make arbitrary kernel calls. He is off in a dreamworld if he doesn't recognize that running a LAMP installation (Linux, Apache, MySql, PHP) is a very common practice which can allow malicious programs from the web to do exactly that.

I'm convinced that a series of attacks on Puppy-related sites gained entry through PHP vulnerabilities.

abushcrafter
Posts: 1418
Joined: Fri 30 Oct 2009, 16:57
Location: England

#3 Post by abushcrafter »

This is a disaster! Is puppy at risk?

prehistoric
Posts: 1744
Joined: Tue 23 Oct 2007, 17:34

are you at risk?

#4 Post by prehistoric »

abushcrafter wrote: This is a disaster! Is puppy at risk?
Are you running a web server supporting PHP as root? In general, Puppy is careful not to allow remote exploits, because it expects the person operating it to be running as root.

For cases where it runs a server, there is a special, limited-privilege user named spot. The default HTML server is Hiawatha, not Apache. If you are careful to set up a default firewall before you go on-line, you should be browsing in "stealth" mode. For most purposes, a remote program can't even tell if your ports exist.

An attacker who expends the hours of highly-skilled time required to crack a Puppy system will be dismayed to learn the exploit has a very limited target population. An exploit which works on 4.3.1 probably won't work on many puplets. A straightforward economic analysis suggests he would be far better off cracking Ubuntu systems. As for Windows, consider the following.

If you think this is "a disaster" you must not know the current state of internet security. A recent study found 48% of computers already infected. In this case, there is no need to "crack" these systems, they are already cracked. (There is an underground economy on which system crackers might sell such systems to those who exploit them for perhaps 10 cents apiece. How much skilled time can you buy with 10 cents?) A study by other security researchers, using a different methodology, could probably go back and find infected systems that report missed.

abushcrafter
Posts: 1418
Joined: Fri 30 Oct 2009, 16:57
Location: England

#5 Post by abushcrafter »

Yes, you're right, I don't know much on this stuff at all :oops:.

Sit Heel Speak
Posts: 2595
Joined: Fri 31 Mar 2006, 03:22
Location: downwind

The Pulse Audio / SELinux null pointer dereferencing exploit

#6 Post by Sit Heel Speak »

@Lobster: thanks very much for posting this.

From the source code to Mr. Spengler's exploit.c:
The kernel should be compiled with -fno-delete-null-pointer-checks
to remove the possibility of these kinds of vulnerabilities
turning exploitable in the future which would be impossible to spot
at the source level without this knowledge.

prehistoric
Posts: 1744
Joined: Tue 23 Oct 2007, 17:34

getting close to Ken Thompson's idea

#7 Post by prehistoric »

This problem introduced by compiler optimization brings us closer to a nightmare possibility Ken Thompson described in his Reflections on Trusting Trust. N.B. At the time he wrote this, M$ was working for IBM. The famous 1984 Apple Macintosh ad was aimed at IBM.

SirDuncan
Posts: 829
Joined: Sat 09 Dec 2006, 20:35
Location: Ohio, USA

#8 Post by SirDuncan »

I always knew pointers were evil. Sure, they act like they're your friend, building linked lists and passing variables without wasting time and space allocating new memory. As soon as your project deadline approaches, however, they start writing over some other program's memory space and getting accidentally set to NULL.
Be brave that God may help thee, speak the truth even if it leads to death, and safeguard the helpless. - A knight's oath

tasmod
Posts: 1460
Joined: Thu 04 Dec 2008, 13:53
Location: North Lincolnshire. UK

#9 Post by tasmod »

If you read later post details on that site you will see that this bug and the wi-fi bug have been solved in the newer kernel.
Rob
-
The moment after you press "Post" is the moment you actually see the typso 8)

nooby
Posts: 10369
Joined: Sun 29 Jun 2008, 19:05
Location: SwedenEurope

#10 Post by nooby »

Which Puppies use that older kernel then? How does the newbie know about such?
I use Google Search on Puppy Forum
not an ideal solution though

Sit Heel Speak
Posts: 2595
Joined: Fri 31 Mar 2006, 03:22
Location: downwind

#11 Post by Sit Heel Speak »

tasmod wrote: If you read later post details on that site you will see that this bug and the wi-fi bug have been solved in the newer kernel.
Well...it is solved for the particular instance in which it was found in the /devices/net/tun device setup source...but that is not to say that a similar null pointer vulnerability might not be introduced in code for some other device elsewhere in the kernel source, now and in the future.

So, if compiling the kernel with gcc, and if using the usual Puppy kernel-compile sequence of

make distclean
make clean
(or, in lieu of the above, make mrproper)
make menuconfig
make
make modules_install

...the -fno-delete-null-pointer-checks CFLAG should be invoked, by appending it to the line which sets HOSTCFLAGS in the top-level kernel Makefile--for example, in 2.6.31.6, changing the line in /usr/src/linux-2.6.31.6/Makefile from

    HOSTCFLAGS  = -Wall -Wstrict-prototypes -O2 -fomit-frame-pointer

to

    HOSTCFLAGS  = -Wall -Wstrict-prototypes -O2 -fomit-frame-pointer -fno-delete-null-pointer-checks

This will prevent (knock on wood) *any* similarly-introduced null pointer problem from opening the vulnerability (heh...famous last words...)
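As an added illustration (not code from the thread, from exploit.c, or from the kernel), here is the code shape that the optimization discussed in posts #2, #6 and #11 removes, next to the ordering that keeps the check. The struct names and the mtu field are invented stand-ins for the real tun socket code; the point is only the position of the NULL test relative to the first dereference.

```c
/* Added example, not from the forum thread or the kernel source. */
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for a kernel socket object; field names are invented. */
struct tun_sock {
    int mtu;
};

/* Same shape as the bug the thread discusses: the field is read BEFORE the
 * pointer is tested. Under GCC -O2 with -fdelete-null-pointer-checks (the
 * default), reading sk->mtu lets the compiler assume sk != NULL, so the
 * following "if (!sk)" is dead code and is deleted. The source still looks
 * as if it guards against NULL, which is why the flag in post #11 exists. */
int mtu_deref_before_check(struct tun_sock *sk)
{
    int mtu = sk->mtu;        /* dereference first ... */
    if (!sk)                  /* ... so this check can be optimized away */
        return -1;
    return mtu;
}

/* Safe ordering: test the pointer before touching any field. Nothing before
 * the check implies sk != NULL, so no optimization level can remove it. */
int mtu_check_before_deref(const struct tun_sock *sk)
{
    if (!sk)
        return -1;
    return sk->mtu;
}

int main(void)
{
    struct tun_sock s = { .mtu = 1500 };   /* constructed sample object */
    printf("valid sock, safe order:   %d\n", mtu_check_before_deref(&s));
    printf("NULL sock,  safe order:   %d\n", mtu_check_before_deref(NULL));
    /* mtu_deref_before_check(NULL) would fault here: that is the point. */
    return 0;
}
```

Compile the file twice, with `-O2` and with `-O2 -fno-delete-null-pointer-checks`, and compare the disassembly of `mtu_deref_before_check`: the test and early return survive only in the second build.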

Kirby
Posts: 52
Joined: Mon 28 Dec 2009, 07:33
Location: Oregon, US

#12 Post by Kirby »

AAAArgh
I was feeling all smug this morning because I was thinking I was Mostly safe from Malware and such. Last night I downloaded a small "Free" piece of software on my Puppy to install on my Old XP box to try and network my new Ancient IBM Thinkpad running win95 to XP. I have to do this because it's now the only way to transfer files over to it via a Direct Cable Connection. Well, lo and behold, as soon as I executed the file it installed a nasty Virus on the XP box. At least it had the decency to inform me right away! LOL I am reformatting it as I write this.

I came on here to see if there were any Puplets made just for Virus scanning and such when I saw the new thread on Rootkits in Puppy! I quickly ran to the Out house for my colander and neatly wrapped it in tin foil to prepare for battle!

After much reading in here I guess it just comes down to playing it safe with some preparation and luck. If I had virgin hardware, plenty of software protection and never let my computer get on the net or swap files with another, perhaps I would be at very low risk. But Life is only fun when there is some risk involved so I guess it goes with the territory to some extent.

This exploit on the Kernel brings up another question for me now. Does the feature "Trim the Fat" when installing Pets also create this vulnerability as well?

PS. Would it be safer to use an IBM mainframe from the mid 60's using only a card reader to get on the net? Or would they use the Y2k Bug to "Poke Holes" in it too?

Kirby
"When you come to your cross roads, step off the road and go down the path of your own making".
~Bohemian proverb~

*edit* "When you're lost in the woods from straying from the road, Always be sure to carry a Flashlight!"
~Improved Bohemian Proverb~

Lobster
Official Crustacean
Posts: 15522
Joined: Wed 04 May 2005, 06:06
Location: Paradox Realm

#13 Post by Lobster »

I quickly ran to the Out house for my colander and neatly wrapped it in tin foil to prepare for battle!
That's the spirit.
Puppy is at the stage where it has to consider the security aspects
and we may have to create a wiki page on custom building
a colander.

Anybody use Wardog - or is telling us a security risk?
http://greylodge.org/gpc/?cat=145
Puppy Raspup 8.2Final 8)
Puppy Links Page http://www.smokey01.com/bruceb/puppy.html :D
