LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 07-18-2009, 09:24 AM   #1
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
Exclamation New Linux Flaw Enables Null Pointer Exploits


I refrained from posting this in the Kernel Vulns thread earlier, due to its zero-day status. But now that the issue has been Slashdotted, there's no use in keeping us from publicly discussing this vulnerability. The link to the article (from which I quote below) is here. Brad Spengler's original announcement on the Dailydave mailing list is here.
Quote:
A researcher has published exploit code for a new vulnerability he discovered in the Linux kernel. The vulnerability is an especially interesting one in that the researcher who discovered it, Brad Spengler, has demonstrated that he can use the weakness to defeat many of the add-on security protections offered by SELinux and AppArmor.

Last edited by win32sux; 07-18-2009 at 11:34 AM. Reason: Spelling/grammar.
 
Old 07-18-2009, 12:47 PM   #2
{BBI}Nexus{BBI}
Senior Member
 
Registered: Jan 2005
Location: Nottingham, UK
Distribution: Mageia 4
Posts: 4,297

Rep: Reputation: 205Reputation: 205Reputation: 205
Read about this on the Register. In that report he claims it took him less than 4 hours to write an exploit.
Quote:
Still, Spengler said it took him less than four hours to write a fully weaponized exploit that works on 32- and 64-bit versions of Linux, including the build offered by Red Hat.
In the article you point to it says 2 hours.. Somewhere between the two there's the true facts. Aparrently Linus says this is not a kernel problem but something inherited from Unix.

Last edited by {BBI}Nexus{BBI}; 07-18-2009 at 12:49 PM.
 
Old 07-18-2009, 01:13 PM   #3
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Original Poster
Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
What I find amazing is the role which the compiler plays in this.

As someone in the Slashdot discussion said, this is literally a GNU/Linux vulnerability.
 
Old 07-18-2009, 02:30 PM   #4
GazL
Senior Member
 
Registered: May 2008
Posts: 3,392

Rep: Reputation: 917Reputation: 917Reputation: 917Reputation: 917Reputation: 917Reputation: 917Reputation: 917Reputation: 917
Quote:
Originally Posted by win32sux View Post
What I find amazing is the role which the compiler plays in this.
It is an interesting one isn't it. Though to be fair to the compiler, it looks like bad code caused it to make a bad decision.

Here's the code in question:
Code:
struct sock *sk = tun->sk; // initialize sk with tun->sk

if (!tun)
        return POLLERR; // if tun is NULL return error
If there's a possibility of tun being NULL then initialising *sk from it before checking for NULL is clearly a dubious operation regardless of whether you check it afterwards.

Surely it's common sense that you should check it before you use it.

Code:
if (!tun)
        return POLLERR; // if tun is NULL return error

struct sock *sk = tun->sk; // initialize sk with tun->sk
But then, I'm just a novice C coder, so I may be missing something in the details.
 
Old 07-19-2009, 03:26 PM   #5
Robhogg
Member
 
Registered: Sep 2004
Location: Old York, North Yorks.
Distribution: Debian 7 (mainly)
Posts: 653

Rep: Reputation: 85
"Interesting" exploitable kernel vulnerability found...

From the SANS Internet Storm Center:

Quote:
Source code for a exploit of a Linux kernel vulnerability has been posted by Brad Spengler (Brad is the author of grsecurity). I have to tell you right now – this was one of the most fascinating bugs I've read about lately.

Why is it so fascinating? Because a source code audit of the vulnerable code would never find this vulnerability (well, actually, it is possible but I assure you that almost everyone would miss it). However, when you add some other variables into the game, the whole landscape changes. more...
No update down the pipeline from Debian yet...

Updated to add:
Sorry, just noticed the sticky thread on this subject

Last edited by Robhogg; 07-19-2009 at 03:30 PM. Reason: Embarrassment
 
Old 07-19-2009, 03:37 PM   #6
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Original Poster
Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
Quote:
Originally Posted by Robhogg View Post
Sorry, just noticed the sticky thread on this subject
No problem, I've merged your post into the sticky.
 
Old 07-19-2009, 03:42 PM   #7
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Original Poster
Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
Quote:
Originally Posted by Robhogg View Post
No update down the pipeline from Debian yet...
What about upstream? Has anyone heard anything? Or are they still pointing fingers at each other?

Last edited by win32sux; 07-19-2009 at 03:43 PM.
 
Old 07-21-2009, 04:53 AM   #8
GazL
Senior Member
 
Registered: May 2008
Posts: 3,392

Rep: Reputation: 917Reputation: 917Reputation: 917Reputation: 917Reputation: 917Reputation: 917Reputation: 917Reputation: 917
It's in 2.6.27.27 and also in .30.2 by the looks of it.
 
Old 07-28-2009, 03:59 PM   #9
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Original Poster
Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
Ubuntu issued USN-807-1 today, yet no mention of CVE-2009-1897. What's up with that?

EDIT: Nevermind, not even the latest Ubuntu release (at the time of this post) uses a 2.6.30.y kernel.

Last edited by win32sux; 07-29-2009 at 01:41 AM.
 
Old 07-30-2009, 10:12 PM   #10
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Original Poster
Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
Thread unstickied (we've given it enough airtime). Replying to reset decay.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
NULL is not a pointer? superluser Programming 5 09-22-2006 10:07 AM
kernel NULL pointer problem branden_burger Linux - General 0 04-06-2005 09:57 AM
NULL pointer dereference error Mercman2000 Linux - General 1 03-21-2005 09:36 PM
freeConfModules called with NULL pointer... opioid Linux - Software 1 10-31-2004 09:04 PM
Null Pointer vijeesh_ep Programming 3 08-13-2004 02:51 PM


All times are GMT -5. The time now is 01:02 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration