LinuxQuestions.org > Slackware forum
#1 ponce (Senior Member; Distribution: Slackware), 09-17-2010 05:25 AM
linux kernel: 64-bit Compatibility Mode vulns (local root exploit)


FYI:

http://sota.gen.nz/compat1/
http://sota.gen.nz/compat2/

obviously the local root exploit should also work on x86_64 Slackware (on -current it does).

let's hope for some up-to-date 2.6.XX.x patches soon

in the meantime, for the brave, I think the git diffs can also be used:

http://git.kernel.org/?p=linux/kerne...82d27a79a81ea6
http://git.kernel.org/?p=linux/kerne...76c484849a74de
http://git.kernel.org/?p=linux/kerne...492063030b55ac
 
#2 GazL (Senior Member), 09-17-2010 05:39 AM
Yep, I posted about this in the security forum the other day after seeing an article on The Reg about it, and win32sux added an entry to the kernel vulnerabilities thread here.
 
#3 ponce (Senior Member, Original Poster; Distribution: Slackware), 09-17-2010 05:49 AM
thanks for the links, GazL, I missed those.
 
#4 H_TeXMeX_H (Guru; Distribution: slackware64), 09-17-2010 06:59 AM
Interesting, so maybe I should just disable 32-bit compat.
 
#5 fskmh (Member; Distribution: Slackware64-current multilib), 09-17-2010 07:15 AM
I tested it on two boxes running Slack64-13.1 with grsec patched kernels (2.6.34.6) and it didn't work there.
Worked on all the other boxes with 2.6.35.4 though.
 
#6 GazL (Senior Member), 09-17-2010 07:21 AM
Well, if you don't need 32-bit it's probably not a bad idea to reduce the attack surface, but it's not just the kernel. I think you're going to have to rebuild things like binutils to strip out the multilib support.

What about glibc and the compiler? Would they also need doing?
 
#7 fskmh (Member; Distribution: Slackware64-current multilib), 09-17-2010 08:26 AM
I would think that if ia32_emulation is not enabled then no 32-bit code or malware will run, period.

In the case of this particular exploit, it is precisely the ia32syscall that is being leveraged.
 
#8 Lufbery (Senior Member; Distribution: Slackware 64 14.0), 09-17-2010 08:41 AM
Hopefully there will be an official patch for the 13.1 kernel. It happened before with Slackware 13.

In the meantime, I'm not too worried. From what I've read, one needs to have a valid account to start the exploit. There are only three valid accounts on my computer: me, my wife, and root, we only have it on in the evenings, and I'm the only one who uses ssh to log in remotely, and that is only on a secured wireless connection.

So while the vulnerability is important and needs to be fixed -- especially for those running huge systems with scores of users -- for our uses I'm okay waiting until an official patch.

Of course...

Quote, originally posted by fskmh:
I tested it on two boxes running Slack64-13.1 with grsec patched kernels (2.6.34.6) and it didn't work there. Worked on all the other boxes with 2.6.35.4 though.
Did you patch the generic Slackware kernel with the diffs posted above? Perhaps this is a pretty easy fix.

Then again:

Quote, originally posted by GazL:
Well, if you don't need 32bit it's probably not a bad idea to reduce the attack surface, but it's not just the kernel. I think you're going to have to rebuild things like binutils, to strip out the multilib support.

What about glibc and the compiler? Would they also need doing?
Perhaps instead of stripping out multi-lib it would be possible to rebuild the multi-lib versions of gcc and glibc with the patched kernel and compat.h header and thereby have a secure multi-lib Slackware64.

Regards,
 
#9 brianL (LQ 5k Club; Distribution: Slackware & Slackware64 14.1), 09-17-2010 08:49 AM
I was wondering about that too: since the threat could come from a "local user", whether single-user setups like mine were safe.
 
#10 fskmh (Member; Distribution: Slackware64-current multilib), 09-17-2010 09:13 AM
Quote, originally posted by Lufbery:
Did you patch the generic Slackware kernel with the diffs posted above? Perhaps this is a pretty easy fix.
No, I didn't see any need to use those diffs because running that exploit on a grsec kernel just causes a kernel oops, no root shell.
 
#11 ponce (Senior Member, Original Poster; Distribution: Slackware), 09-17-2010 09:26 AM
just tried to create a patch for 2.6.33.4 and one for 2.6.35, but I still have to test the backporting (hope the formatting is ok too)...

Last edited by ponce; 09-17-2010 at 09:44 AM. Reason: small fix in patches
 
#12 H_TeXMeX_H (Guru; Distribution: slackware64), 09-17-2010 09:31 AM
I just removed 32-bit support, I think that should prevent this working.
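As an added example (not code from the thread or from any of its posters), the following POSIX shell script checks whether a kernel config has the 32-bit compatibility layer (CONFIG_IA32_EMULATION, which carries the ia32 syscall entry path discussed in posts #6, #7 and #12) compiled in. It parses a kernel .config as text, so it can be pointed at any config file; the locations /proc/config.gz and /boot/config-$(uname -r) it tries for the running kernel's config are assumptions about the install, and the sample configs inside it are constructed for a self-check, not taken from any real system.

```shell
#!/bin/sh
# Added example, not code from the thread: report whether an x86_64
# kernel config has the 32-bit compatibility layer (CONFIG_IA32_EMULATION,
# the ia32 syscall entry path discussed in this thread) compiled in.

# compat_status CONFIG_TEXT
#   prints: enabled | disabled | unknown | not-x86_64
compat_status() {
    _cfg=$1
    if ! printf '%s\n' "$_cfg" | grep -q '^CONFIG_X86_64=y$'; then
        # 32-bit (i386) kernels have no IA32_EMULATION option at all
        echo not-x86_64
    elif printf '%s\n' "$_cfg" | grep -q '^CONFIG_IA32_EMULATION=y$'; then
        echo enabled
    elif printf '%s\n' "$_cfg" | grep -q '^# CONFIG_IA32_EMULATION is not set$'; then
        echo disabled
    else
        # option line missing entirely: do not guess either way
        echo unknown
    fi
}

# running_kernel_config
#   prints the running kernel's .config from /proc/config.gz (needs
#   CONFIG_IKCONFIG_PROC) or /boot/config-$(uname -r); both locations are
#   assumptions, adjust for your install. Returns 1 if neither is found.
running_kernel_config() {
    if [ -r /proc/config.gz ]; then
        zcat /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then
        cat "/boot/config-$(uname -r)"
    else
        return 1
    fi
}

# Constructed sample configs (not from any real system) for a self-check.
SAMPLE_ENABLED='CONFIG_X86_64=y
CONFIG_COMPAT=y
CONFIG_IA32_EMULATION=y'
SAMPLE_DISABLED='CONFIG_X86_64=y
# CONFIG_IA32_EMULATION is not set'

# report_running_kernel
#   one-line verdict for the running kernel, or a note that its config
#   could not be located.
report_running_kernel() {
    if _running=$(running_kernel_config); then
        echo "kernel $(uname -r): 32-bit compat $(compat_status "$_running")"
    else
        echo "kernel $(uname -r): config not found, cannot determine compat status"
    fi
}

# Run the report only when executed as a script named compat_check.sh;
# sourcing the file just defines the functions.
case $0 in
    *compat_check.sh) report_running_kernel ;;
esac
```

Save it as compat_check.sh and run it on each box, or source it and call compat_status on any saved .config. A result of "disabled" removes this syscall path as GazL and fskmh describe, at the cost of running no 32-bit binaries at all (multilib included); it narrows the attack surface but is not a substitute for a patched kernel.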
 
#13 GazL (Senior Member), 09-17-2010 09:40 AM
Quote, originally posted by Lufbery:
In the meantime, I'm not too worried. From what I've read, one needs to have a valid account to start the exploit. There are only three valid accounts on my computer: me, my wife, and root, we only have it on in the evenings,
  1. Evildoer writes a webpage that exploits a Firefox or Flash Player bug that allows arbitrary code execution.
  2. You or your wife visit that website (maybe it was from an ad server, a disguised link or a hacked site).
  3. Arbitrary code runs in your web browser process.
  4. Arbitrary code exploits this bug.
  5. Arbitrary code is root and the evildoer now owns your system.

The problem with these priv escalation bugs is that they allow every other type of bug to become a more serious root compromise.

Last edited by GazL; 09-17-2010 at 09:44 AM.
 
#14 ponce (Senior Member, Original Poster; Distribution: Slackware), 09-17-2010 10:03 AM
FYI, just tried the patch for 2.6.35 above and it seems to do its job

unfortunately the git patches don't apply cleanly...

Last edited by ponce; 09-17-2010 at 10:16 AM.
 
#15 Lufbery (Senior Member; Distribution: Slackware 64 14.0), 09-17-2010 10:09 AM
Quote, originally posted by GazL:
  1. Evildoer writes a webpage that exploits a Firefox or Flash Player bug that allows arbitrary code execution.
  2. You or your wife visit that website (maybe it was from an ad server, a disguised link or a hacked site).
  3. Arbitrary code runs in your web browser process.
  4. Arbitrary code exploits this bug.
  5. Arbitrary code is root and the evildoer now owns your system.

The problem with these priv escalation bugs is that they allow every other type of bug to become a more serious root compromise.
Good points all, especially the part about ad servers.

We run with the Adblock and Noscript plugins for just that reason.

Regards,

Last edited by Lufbery; 09-17-2010 at 10:13 AM.