10 Feb
Posted by Robert E. Johnson, III as Security
The security community has recently learned of a new exploit that allows any normal, non-privileged user to become the most powerful user on a Linux system: “root”. This elevation of privileges means that you can no longer trust any user on your Linux box if it is running a version of the Linux kernel from 2.6.17 all the way to 2.6.24.1. Any low-privileged shell account can now become an attack vector. Just imagine a system where every user is potentially an administrator!
What is affected?
Basically, every Linux kernel built from kernel source dating from June 17, 2006, when Linux kernel version 2.6.17 was released, until today is affected. Surely a fix will be in an upcoming kernel update, but as of today, February 10, 2008, it is not in the production kernel source distribution. It’s possible that up to a million copies of Linux containing this attack vector are in production today.
The proof of concept code is shown at http://www.milw0rm.com/exploits/5092 . This short little chunk of code makes all of this mayhem possible, and is simple enough to be compiled and executed by anyone.
I have seen the potential fix to this problem in Linux. The kernel is missing a simple privilege check. The kernel code is lacking a call to the function “access_ok()” to prevent unauthorized data from being copied from userspace to kernel memory. You can see the potential fix here –> http://git.kernel.org/…
What Now?
Well, there are two challenges:
A) How do we get ALL of these vulnerable machines to a new version of the kernel?
B) What will be the impact on existing applications on critical servers?
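For challenge A, a first-pass inventory check, added here as an example and not part of the original post: it sorts hosts by whether their `uname -r` string falls in the 2.6.17 to 2.6.24.1 range given above. The host names and release strings are constructed sample data, and since distribution kernels may carry backported fixes under an unchanged base version, an in-range result means "check the vendor advisory", not "confirmed vulnerable".

```python
import re

# Affected upstream range as stated in the post: 2.6.17 through 2.6.24.1.
FIRST_AFFECTED = (2, 6, 17, 0)
LAST_AFFECTED = (2, 6, 24, 1)

# Constructed sample inventory: "<host> <output of uname -r>" per line.
SAMPLE_INVENTORY = """\
web01 2.6.18-53.el5
db01 2.6.9-67.ELsmp
build01 2.6.24.1
mail01 2.6.24.2
lab01 2.6.16.60-0.21-default
old01 custom-kernel
"""

def parse_release(release):
    """Return the upstream version in a `uname -r` string as a 4-tuple, or None.

    Distribution suffixes ("-53.el5", "-14-generic") are ignored; a missing
    fourth component counts as 0, so "2.6.24" sorts before "2.6.24.1".
    """
    m = re.match(r"(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?", release.strip())
    if m is None:
        return None
    return tuple(int(g) if g is not None else 0 for g in m.groups())

def triage(inventory_text):
    """Sort hosts into (in_range, out_of_range, unparsed) lists."""
    in_range, out_of_range, unparsed = [], [], []
    for line in inventory_text.splitlines():
        parts = line.split()
        if not parts:
            continue
        version = parse_release(parts[1]) if len(parts) == 2 else None
        if version is None:
            unparsed.append(parts[0])      # review by hand, never assume safe
        elif FIRST_AFFECTED <= version <= LAST_AFFECTED:
            in_range.append(parts[0])      # check the vendor advisory
        else:
            out_of_range.append(parts[0])
    return in_range, out_of_range, unparsed

if __name__ == "__main__":
    hit, clear, unknown = triage(SAMPLE_INVENTORY)
    print("in affected range:", hit)
    print("outside range:    ", clear)
    print("could not parse:  ", unknown)
```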
Are our servers OK?
We don’t know how long this particular exploit has been in the wild and available to the underground community. That leaves us with the daunting question, “Has this type of exploit already been executed on our systems? And if so, what did they do?!?” It is becoming increasingly important to understand exactly what is changing on our servers and why.
What’s in the future?
Right now, everyone is considering the impact of this exploit from a shell prompt. However, I believe the REAL threat will come in the future. Expect new exploits to be developed using this proof of concept code. Security professionals should be prepared for code that will use buffer overflow techniques to inject code into servers that will elevate to ‘root’ user/privilege, and perform whatever task the hacker may have in mind. In plain English, it means that web servers that commonly run under the low-privileged account of “nobody” will be COMPLETELY exploitable by simple buffer overflow techniques.
Hackers will literally go from a “nobody” to a somebody…”root”. Without a doubt, addressing this particular exploit will be a high priority for administrators for the weeks to come.
RobertJohnson.com is a personal website. Opinions expressed are not necessarily those of any company with which Mr. Johnson is affiliated.