Linux kernel vulnerability coughs up superuser rights

The open-source Linux operating system contains a serious security flaw that can be exploited to gain superuser rights on a target system.

The vulnerability, in the Linux implementation of the Reliable Datagram Sockets (RDS) protocol, affects unpatched versions of the Linux kernel, starting from 2.6.30, where the RDS protocol was first included.

According to VSR Security, the research outfit that discovered the security hole, Linux installations are only vulnerable if the CONFIG_RDS kernel configuration option is set, and if there are no restrictions on unprivileged users loading packet family modules, as is the case on most stock distributions.

Because kernel functions responsible for copying data between kernel and user space failed to verify that a user-provided address actually resided in the user segment, a local attacker could issue specially crafted socket function calls to write arbitrary values into kernel memory. By leveraging this capability, it is possible for unprivileged users to escalate privileges to root.

The company has released a proof-of-concept exploit to demonstrate the severity of the vulnerability.  The folks at The H Security tested the exploit on Ubuntu 10.04 (64-bit) and successfully opened a root shell.

A fix for this issue has been committed by Linus Torvalds.  VSR Security recommends that users install updates provided by downstream distributions or apply the committed patch and recompile their kernel.
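
The two exposure conditions VSR describes can be checked on a host. The following is an added example, not code from the article or from VSR's advisory; the function name, the file arguments and the modprobe rules it recognises are assumptions, and it does not determine whether the running kernel already carries the fix.

```shell
#!/bin/sh
# Added example: classify a host against the two exposure conditions in the
# article (CONFIG_RDS set; no restriction on loading the RDS protocol family).
# It does not test whether the kernel already carries the fix.

# rds_exposure KERNEL_CONFIG MODPROBE_DIR PROC_MODULES
# Prints one of: not-built | blocked | exposed
rds_exposure() {
    config=$1 modprobe_dir=$2 proc_modules=$3

    # Condition 1: RDS compiled in (=y) or available as a module (=m).
    grep -Eq '^CONFIG_RDS=[ym]$' "$config" || { echo not-built; return 0; }

    # Built in, or module already loaded: modprobe rules cannot help.
    if grep -q '^CONFIG_RDS=y$' "$config" ||
       grep -q '^rds ' "$proc_modules"; then
        echo exposed; return 0
    fi

    # Condition 2: is autoloading of protocol family 21 (AF_RDS) restricted?
    # Recognised rules (an assumption of this example): "alias net-pf-21 off"
    # and "install rds /bin/true" or "/bin/false".
    rule='^[[:space:]]*(alias[[:space:]]+net-pf-21[[:space:]]+off|install[[:space:]]+rds[[:space:]]+/bin/(true|false))[[:space:]]*$'
    if grep -Eqs "$rule" "$modprobe_dir"/*; then
        echo blocked
    else
        echo exposed
    fi
}

# Constructed sample input: a modular RDS build, module not loaded.
demo=$(mktemp -d)
mkdir "$demo/modprobe.d"
echo 'CONFIG_RDS=m' > "$demo/config"
: > "$demo/modules"
echo "no rule:   $(rds_exposure "$demo/config" "$demo/modprobe.d" "$demo/modules")"
echo 'alias net-pf-21 off' > "$demo/modprobe.d/disable-rds"
echo "with rule: $(rds_exposure "$demo/config" "$demo/modprobe.d" "$demo/modules")"
rm -rf "$demo"

# On a live system (paths vary by distribution):
#   rds_exposure "/boot/config-$(uname -r)" /etc/modprobe.d /proc/modules
```

A `blocked` result only covers autoloading; installing the distribution's kernel update remains the fix the article recommends.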

Talkback

  • Requires local access

    And if you have local access to a computer the game is already over. The different operating systems will put up more or less of a fight, but local access is everything. Hence the big locks on server rooms...
    putt1ck
    • All of which is lost on Linux advocates when it comes to Windows.

      @putt1ck: "Requires local access And if you have local access to a computer the game is already over."

      It sure would be nice if they could offer up some consistency with their arguments.
      ye
      • No, not a chance

        @ye

        All they want is to get hits to their pages, page hits are ZDNet's bread and butter.

        There's no chance you will ever find consistency with their arguments against Linux (or yours), all you'll find is material to generate flame wars and consequently page hits.

        P.S. Ubuntu corrected this on October 19 as part of one of its routine updates. Promptly solved, this is NOT an issue.
        OS Reload
      • And do you have any idea what you're talking about? Obviously you have not.

        @ye

        RDS is a protocol used to allow intercommunication between servers that belong to the same cluster so...

        Local access is REQUIRED in an exploit.

        Hope you are able to understand what I wrote above. I'm not betting on it though.
        OS Reload
      • When did Linux advocates start writing for ZDNet?

        @OS Reload: "All they want is to get hits to their pages, page hits are ZDNet's bread and butter."

        And it's nice of you to acknowledge Linux advocates aren't interested in the facts.

        "There's no chance you will ever find consistency with their arguments against Linux (or yours), all you'll find is material to generate flame wars and consequently page hits."

        Why are you so hard on Linux advocates all of a sudden?

        "Ubuntu corrected this on October 19 as part of one of its routine updates. This is NOT an issue."

        Which is completely irrelevant to the discussion.
        ye
      • Do you consider an SSH session with a shell local access?

        @OS Reload: "Local access is REQUIRED in an exploit."

        And what of the privilege escalation vulnerabilities on Windows? I don't recall having seen you come to the defense of Windows when the Linux fanboys were faulting Windows for them.
        ye
      • @ye: I assumed you were including Naraine

        He's the one giving Linux advocates a fair chance to expose not only the security failings of windows but also how flawed are almost all attempts to denigrate Linux.
        OS Reload
      • RE: Linux kernel vulnerability coughs up superuser rights

        @ye

        Personally I do not see that as a good excuse for either OS. There's always SOMEBODY who needs access to a room or even the computer itself who you do not want having root access even if you do not mind that person having access to the locked down computer. That person may not want to bring down your system, but he may be tempted to take a quick peek at the payroll files if he thought he could get away with it.

        Therefore, I am disappointed in Linux in general for letting this through. Likewise I am disappointed that the fix has been committed 6 days ago and we are just now hearing about it.
        Michael Kelly
      • I don't see Ryan attempting to denigrate Linux

        @OS Reload: "He's the one giving Linux advocates a fair chance to expose not only the security failings of windows but also how flawed are almost all attempts to denigrate Linux."

        What I saw was a reporting of a vulnerability in Linux. Is that what you constitute "denigrating Linux"? If so you've set the bar extremely low.
        ye
      • @ye: Exactly! Ryan gave us another opportunity

        @ye

        another opportunity to show how silly are those claims against Linux.

        Ryan Naraine is being good to Linux and we appreciate what he's doing.
        OS Reload
      • I agree.

        @Michael Kelly: "Personally I do not see that as a good excuse for either OS."

        Your comment is applicable to the Linux fanboys as they're the ones downplaying it. Especially given Linux is routinely used in a multiuser configuration (something the Linux fanboys seem to have forgotten about all of a sudden).
        ye
    • RE: Linux kernel vulnerability coughs up superuser rights

      @putt1ck, It is still a HUGE security hole. Not every machine is locked up. Even if it is locked up, there are still ordinary users with xterm access which you do not want to have root privileges.
      david08048
      • Smoke and mirrors

        @david08048
        You have been deceived. On Linux as on Windows and OS X, local exploit is still severe because anyone who can use an exploit in Firefox (of which there are many, many!) will then run as a local user. So in a blended attack this is very severe. It will easily bypass apparmor etc.

        It is a mistake (deceit) to believe that "local" means that you must have physical access.
        honeymonster
      • That depends.

        @honeymonster: "So in a blended attack this is very severe. It will easily bypass apparmor etc."

        Apparmor provides a high level of security (I haven't reviewed the default profile in detail so I'm not sure what level of protection it offers). The same for Protected Mode in IE. By default Protected Mode prevents IE from being able to write to most parts of the system thus making a blended attack much more difficult.
        ye
      • Linux apologists are having a major work out

        "Read my lips: No security holes in our Linux system."
        LBiege
      • Re: HUGE security hole

        @david08048:
        Yes, it is. But, unlike the usual situation with "secret sauce" Windows OS, in which you must wait for Microsoft to provide a patch, instructions to shut down RDF on unpatched systems are provided right in the VSR advisory. I've just typed the textfile into my box, and I'm about to restart.

        My thanks to VSecurity, and the Linux team guys who worked with them!
        Rick S._z
    • No, you're thinking of "physical access".

      @putt1ck

      Physical access is "Game Over". Local access is an unprivileged user.
      Zogg
      • Unprivileged user will be able to escalate right on the machine he is using

        @Zogg

        No remote exploits are possible. A malicious unprivileged user must already be an authorized user on that same machine.

        Physical access is a NECESSARY CONDITION for a successful exploit.
        OS Reload
      • No, it is not.

        @OS Reload: "Physical access is a NECESSARY CONDITION for a successful exploit."

        All that's necessary is to have a shell account which can be accessed remotely. Do you even understand UNIX?
        ye
      • @ye: Meaning you must be an AUTHORIZED user of that machine to start with

        That's the definition of local user. Do you even understand computers?
        OS Reload