LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 12-02-2003, 02:26 PM   #1
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,310
Blog Entries: 54

Rep: Reputation: 2860Reputation: 2860Reputation: 2860Reputation: 2860Reputation: 2860Reputation: 2860Reputation: 2860Reputation: 2860Reputation: 2860Reputation: 2860Reputation: 2860
WARN: kernel local vuln.: upgrade to 2.4.23 or 2.6.0-test6


From http://cve.mitre.org/cgi-bin/cvename...=CAN-2003-0961 :
a "flaw in bounds checking" in the do_brk function for Linux kernel 2.4.22 and earlier allows local users to gain root privileges.

From http://isec.pl/vulnerabilities/isec-0012-do_brk.txt :
Successful exploitation of do_brk() leads to full compromise of vulnerable system, including gaining full uid 0 privileges, possibility of kernel code and data structures modification as well as kernel-level (ring0) code execution. Tested and successfully exploited kernel versions include:
2.4.20-18.9 as shipped with RedHat 9.0, 2.4.22 (vanila), 2.4.22 with grsecurity patch
There is no known reliable workaround for this vulnerability except. We recommend upgrading to the most recent kernel version (so far the 2.4.23 kernel) on all vulnerable systems.

Also see: Debian Security Advisory DSA-403-1, http://www.debian.org/security/


So watch your vendors security bulletins for vendor-specific kernel releases or upgrade to kernel 2.4.23. Kudos to Chort who warned first here: http://www.linuxquestions.org/questi...hreadid=121868
 
Old 12-03-2003, 02:54 AM   #2
Config
Member
 
Registered: Jan 2001
Location: Switzerland
Distribution: Gentoo
Posts: 376

Rep: Reputation: 30
In case anybody is interested: here is a more detailed description on what happened - i found it quite interesting to read:
http://kerneltrap.org/node/view/1717
 
Old 12-03-2003, 08:35 PM   #3
zaphodiv
Member
 
Registered: Oct 2003
Distribution: Slackware
Posts: 388

Rep: Reputation: 30
Slackware security advisory and kernel upgrade instructions
 
Old 12-04-2003, 10:51 AM   #4
Pcghost
Senior Member
 
Registered: Feb 2003
Location: The Real Washington
Distribution: Ubuntu, Debian, SuSE, UnSlung, Android
Posts: 1,819

Rep: Reputation: 46
What I don't get is if we are supposed to upgrade the kernel past the 2.4.23 build, why is RedHat releasing new kernel rpms based on the 2.4.20-24 kernel? Should I go with the RedHat RPMs (all my RH machines are production machines) or compile the 2.4.23 kernel from http://www.kernel.org ?
 
Old 12-04-2003, 11:03 AM   #5
zaphodiv
Member
 
Registered: Oct 2003
Distribution: Slackware
Posts: 388

Rep: Reputation: 30
I assume redhat has fixed the security problem in their 2.4.20 based kernel.
I'd use the redhat kernel.
 
Old 12-04-2003, 11:15 AM   #6
Config
Member
 
Registered: Jan 2001
Location: Switzerland
Distribution: Gentoo
Posts: 376

Rep: Reputation: 30
Quote:
Originally posted by Pcghost
What I don't get is if we are supposed to upgrade the kernel past the 2.4.23 build, why is RedHat releasing new kernel rpms based on the 2.4.20-24 kernel? Should I go with the RedHat RPMs (all my RH machines are production machines) or compile the 2.4.23 kernel from http://www.kernel.org ?
I just want to add, that the fix for this problem is really a 2-liner:
Code:
--- 1.31/mm/mmap.c      Fri Sep 12 06:44:06 2003
+++ 1.32/mm/mmap.c      Thu Oct  2 01:18:19 2003
@@ -1041,6 +1041,9 @@
        if (!len)
                return addr;
 
+       if ((addr + len) > TASK_SIZE || (addr + len) < addr)
+               return -EINVAL;
+
        /*
         * mlock MCL_FUTURE?
         */
So you could even patch 2.4.18 if you want to
 
Old 12-04-2003, 04:06 PM   #7
markus1982
Senior Member
 
Registered: Aug 2002
Location: Stuttgart (Germany)
Distribution: Debian/GNU Linux
Posts: 1,467

Rep: Reputation: 46
Gentoo's server got compromised because of the same vulnerability. I assume there will be a target search in the next time. Secure your boxes, configure AIDE & more...
 
Old 12-04-2003, 04:15 PM   #8
Config
Member
 
Registered: Jan 2001
Location: Switzerland
Distribution: Gentoo
Posts: 376

Rep: Reputation: 30
Geez - why didn't they upgrade the kernel already? They had the time...
I just like Gentoo but this kinda stinks... imho....
 
Old 12-04-2003, 11:12 PM   #9
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
It may have already been compromised and they just now discovered it. You have to think that the same people who compromised Debian were running wild all over the place since no one knew about it.
 
Old 12-05-2003, 06:15 AM   #10
Config
Member
 
Registered: Jan 2001
Location: Switzerland
Distribution: Gentoo
Posts: 376

Rep: Reputation: 30
I just hope you're right - but shouldn't one discover it more or less instantly? If any file gets altered, you should get a warning - may be the Gentoo servers didn't have such a tight security than the Debian ones...
 
Old 12-06-2003, 07:35 AM   #11
markus1982
Senior Member
 
Registered: Aug 2002
Location: Stuttgart (Germany)
Distribution: Debian/GNU Linux
Posts: 1,467

Rep: Reputation: 46
Debian used AIDE on 2 servers for monitoring filesystem changes. Well regarding details you may take a look at http://isec.pl/papers/linux_kernel_do_brk.pdf, like outlined in VulnWatch.
 
Old 12-09-2003, 12:42 PM   #12
sopiaz57
Member
 
Registered: Apr 2003
Distribution: RH 8
Posts: 246

Rep: Reputation: 30
config can you explain this to me further, thanks!

--- 1.31/mm/mmap.c Fri Sep 12 06:44:06 2003
+++ 1.32/mm/mmap.c Thu Oct 2 01:18:19 2003
@@ -1041,6 +1041,9 @@
if (!len)
return addr;

+ if ((addr + len) > TASK_SIZE || (addr + len) < addr)
+ return -EINVAL;
+
/*
* mlock MCL_FUTURE?
*/
 
Old 12-09-2003, 06:03 PM   #13
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
It's a diff patch for the kernel memory management code.
 
Old 12-10-2003, 12:30 PM   #14
Config
Member
 
Registered: Jan 2001
Location: Switzerland
Distribution: Gentoo
Posts: 376

Rep: Reputation: 30
Quote:
Originally posted by sopiaz57
config can you explain this to me further, thanks!
--- 1.31/mm/mmap.c Fri Sep 12 06:44:06 2003
+++ 1.32/mm/mmap.c Thu Oct 2 01:18:19 2003


This tells which file gets patched and the new version number etc.

Code:
@@ -1041,6 +1041,9 @@
        if (!len)
                return addr;

This is really only for locating the place where the new code is supposed to go


Code:
+       if ((addr + len) > TASK_SIZE || (addr + len) < addr)
+               return -EINVAL;
+
Now these are the actual changes - the '+' in front means, that these lines are added, a '-' is used, if you want to remove some code within a patch. You see, that this code checks if addr+len isn't larger than TASK_SIZE or smaller than addr. Without this check, the kernel would be vulnerable.

Code:
/*
         * mlock MCL_FUTURE?
         *
Don't know what this is good for - may be to make locating the place to insert the code even easier. I don't know - i'm not an expert

Hope this clears things up

Last edited by Config; 12-10-2003 at 12:32 PM.
 
Old 12-27-2003, 12:37 PM   #15
thebell
LQ Newbie
 
Registered: Dec 2003
Distribution: Gentoo
Posts: 25

Rep: Reputation: 15
Quote:
Originally posted by Config
Code:
/*
         * mlock MCL_FUTURE?
         *
Don't know what this is good for - may be to make locating the place to insert the code even easier. I don't know - i'm not an expert

Hope this clears things up
It's basically there as a failsafe in case other lines have been inserted above those since the diff was made. So, if the patch program can't apply the diff at the right line numbers, it looks for a place which fits with the 'context' lines given.

Back on topic, the 2.4.20-gentoo-r9 kernel has fixes this. (gentoo-sources-2.4.20-r9 package)
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
WARN: Kernel vuln: MCAST_MSFILTER (2.4.22/2.6.1) unSpawn Linux - Security 5 05-04-2004 12:41 PM
WARN: Major kernel vuln: affects 2.6.x + 2.4.x + 2.2.x chort Linux - Security 31 02-18-2004 06:15 PM
WARN: Kernel 2.6/Samba privilage escalation vuln chort Linux - Security 0 02-15-2004 04:27 AM
Upgrade to 2.4.23 or 2.6.0-test6 matt3333 Slackware 6 12-08-2003 01:55 PM
2.4.0-test6 Kernel jeremy Linux - General 3 11-10-2003 06:44 PM


All times are GMT -5. The time now is 10:06 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration