Zero Day

Ryan Naraine and Dancho Danchev

Linux kernel vulnerability coughs up superuser rights

By | October 21, 2010, 7:06am PDT

Summary: The open-source Linux operating system contains a serious security flaw that can be exploited to gain superuser rights on a target system.

The vulnerability, in the Linux implementation of the Reliable Datagram Sockets (RDS) protocol, affects unpatched versions of the Linux kernel, starting from 2.6.30, where the RDS protocol was first included.

According to VSR Security, the research outfit that discovered the security hole, Linux installations are only vulnerable if the CONFIG_RDS kernel configuration option is set, and if there are no restrictions on unprivileged users loading packet family modules, as is the case on most stock distributions.

Because kernel functions responsible for copying data between kernel and user space failed to verify that a user-provided address actually resided in the user segment, a local attacker could issue specially crafted socket function calls to write arbitrary values into kernel memory. By leveraging this capability, it is possible for unprivileged users to escalate privileges to root.

The company has released a proof-of-concept exploit to demonstrate the severity of the vulnerability.  The folks at The H Security tested the exploit on Ubuntu 10.04 (64-bit) and successfully opened a root shell.

A fix for this issue has been committed by Linus Torvalds.  VSR Security recommends that users install updates provided by downstream distributions or apply the committed patch and recompile their kernel.
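
The exposure conditions listed above (kernel 2.6.30 or later, CONFIG_RDS set, no restriction on loading the module) can be checked on a host as in the following added example, which is not from the article or from VSR Security. The function names, the file paths, and the modprobe rules it recognises (including `net-pf-21`, the protocol-family alias for AF_RDS) are assumptions; it cannot tell whether the fix has already been applied.

```shell
#!/bin/sh
# Added example: checks the exposure conditions the article lists for the RDS flaw.
# The file locations and the modprobe rules matched are assumptions, not from the article.

# Succeeds if the kernel release is 2.6.30 or later (the first release with RDS).
version_has_rds() {
    old_ifs=$IFS; IFS=.-
    set -- $1
    IFS=$old_ifs
    maj=${1:-0}; min=${2:-0}; pat=${3:-0}
    pat=${pat%%[!0-9]*}; pat=${pat:-0}
    if [ "$maj" -gt 2 ]; then return 0; fi
    if [ "$maj" -eq 2 ] && [ "$min" -gt 6 ]; then return 0; fi
    if [ "$maj" -eq 2 ] && [ "$min" -eq 6 ] && [ "$pat" -ge 30 ]; then return 0; fi
    return 1
}

# Succeeds if the kernel config builds RDS in (=y) or as a module (=m).
config_has_rds() {
    grep -Eq '^CONFIG_RDS=[ym]$' "$1"
}

# Succeeds if a modprobe rule keeps the rds module from loading on demand.
# net-pf-21 is the protocol-family alias for AF_RDS (address family 21).
autoload_blocked() {
    rule='install[[:space:]]+rds[[:space:]]+/bin/(true|false)'
    rule="$rule|alias[[:space:]]+net-pf-21[[:space:]]+off|blacklist[[:space:]]+rds"
    cat "$1"/*.conf 2>/dev/null | grep -Eq "^[[:space:]]*($rule)[[:space:]]*\$"
}

# Usage: rds_exposure KERNEL_RELEASE CONFIG_FILE MODPROBE_DIR
rds_exposure() {
    if ! version_has_rds "$1"; then echo "not-affected: kernel predates 2.6.30"; return 0; fi
    if ! config_has_rds "$2"; then echo "not-affected: CONFIG_RDS is not set"; return 0; fi
    # A modprobe rule only helps when RDS is a module; built-in code is always present.
    if grep -q '^CONFIG_RDS=m$' "$2" && autoload_blocked "$3"; then
        echo "mitigated: loading of the rds module is blocked"; return 0
    fi
    echo "exposed-unless-patched: install the distribution's kernel update"
}

# Constructed sample input: a stock-style config with no module restrictions.
demo=$(mktemp -d)
mkdir "$demo/modprobe.d"
printf 'CONFIG_INET=y\nCONFIG_RDS=m\n' > "$demo/config"
rds_exposure "2.6.32-24-generic" "$demo/config" "$demo/modprobe.d"
# On a live host (paths are assumptions):
#   rds_exposure "$(uname -r)" "/boot/config-$(uname -r)" /etc/modprobe.d
```

A result of `exposed-unless-patched` means only that the preconditions hold; whether the running kernel carries the fix has to be confirmed against the distribution's update notes.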


Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues.


Talkback Most Recent of 174 Talkback(s)

  • Requires local access
    And if you have local access to a computer the game is already over. The different operating systems will put up more or less of a fight, but local access is everything. Hence the big locks on server rooms...
    putt1ck
    21st Oct 2010
  • All of which is lost on Linux advocates when it comes to Windows.
    @putt1ck: Requires local access And if you have local access to a computer the game is already over.

    It sure would be nice if they could offer up some consistency with their arguments.
    ye
    21st Oct 2010
  • No, not a chance
    @ye

    All they want is to get hits to their pages, page hits are zdnet's bread and butter.

    There's no chance you will ever find consistency with their arguments against Linux (or yours), all you'll find is material to generate flame wars and consequently page hits.

    P.S. Ubuntu corrected this on October 19 as part of one of its routine updates. Promptly solved, this is NOT an issue.
    OS Reload
    21st Oct 2010
  • And do you have any idea what you're talking about? Obviously you have not.
    @ye

    RDS is a protocol used to allow intercommunication between servers that belong to the same cluster so...

    Local access is REQUIRED in an exploit.

    Hope you are able to understand what I wrote above. I'm not betting on it though.
    OS Reload
    21st Oct 2010
  • When did Linux advocates start writing for ZDNet?
    @OS Reload: All they want is to get hits to their pages, page hits are zdnet's bread and butter.

    And it's nice of you to acknowledge Linux advocates aren't interested in the facts.

    There's no chance you will ever find consistency with their arguments against Linux (or yours), all you'll find is material to generate flame wars and consequently page hits.

    Why are you so hard on Linux advocates all of a sudden?

    Ubuntu corrected this on October 19 as part of one of its routine updates. This is NOT an issue.

    Which is completely irrelevant to the discussion.
    ye
    21st Oct 2010
  • Do you consider an SSH session with a shell local access?
    @OS Reload: Local access is REQUIRED in an exploit.

    And what of the privilege escalation vulnerabilities on Windows? I don't recall having seen you come to the defense of Windows when the Linux fanboys were faulting Windows for them.
    ye
    21st Oct 2010
  • @ye: I assumed you were including Naraine
    He's the one giving Linux advocates a fair chance to expose not only the security failings of windows but also how flawed are almost all attempts to denigrate Linux.
    OS Reload
    21st Oct 2010
  • RE: Linux kernel vulnerability coughs up superuser rights
    @ye

    Personally I do not see that as a good excuse for either OS. There's always SOMEBODY who needs access to a room or even the computer itself who you do not want having root access even if you do not mind that person having access to the locked down computer. That person may not want to bring down your system, but he may be tempted to take a quick peek at the payroll files if he thought he could get away with it.

    Therefore, I am disappointed in Linux in general for letting this through. Likewise I am disappointed that the fix has been committed 6 days ago and we are just now hearing about it.
    Michael Kelly
    21st Oct 2010
  • I don't see Ryan attempting to denigrate Linux
    @OS Reload: He's the one giving Linux advocates a fair chance to expose not only the security failings of windows but also how flawed are almost all attempts to denigrate Linux.

    What I saw was a reporting of a vulnerability in Linux. Is that what you constitute "denigrating Linux"? If so you've set the bar extremely low.
    ye
    21st Oct 2010
  • @ye: Exactly! Ryan gave us another opportunity
    @ye

    another opportunity to show how silly are those claims against Linux.

    Ryan Naraine is being good to Linux and we appreciate what he's doing.
    OS Reload
    21st Oct 2010
  • I agree.
    @Michael Kelly: Personally I do not see that as a good excuse for either OS.

    Your comment is applicable to the Linux fanboys as they're the ones downplaying it. Especially given Linux is routinely used in a multiuser configuration (something the Linux fanboys seem to have forgotten about all of a sudden).
    ye
    21st Oct 2010
  • RE: Linux kernel vulnerability coughs up superuser rights
    @putt1ck, It is still a HUGE security hole. Not every machine is locked up. Even if it is locked up, there are still ordinary users with xterm access which you do not want to have root privileges.
    david08048
    21st Oct 2010
  • Smoke and mirrors
    @david08048
    You have been deceived. On Linux as on Windows and OS X, local exploit is still severe because anyone who can use an exploit in Firefox (of which there are many, many!) will then run as a local user. So in a blended attack this is very severe. It will easily bypass apparmor etc.

    It is a mistake (deceit) to believe that "local" means that you must have physical access.
    honeymonster
    21st Oct 2010
  • That depends.
    @honeymonster: So in a blended attack this is very severe. It will easily bypass apparmor etc.

    Apparmor provides a high level of security (I haven't reviewed the default profile in detail so I'm not sure what level of protection it offers). The same for Protected Mode in IE. By default Protected Mode prevents IE from being able to write to most parts of the system thus making a blended attack much more difficult.
    ye
    21st Oct 2010
  • Linux apologists are having a major work out
    "Read my lips: No security holes in our Linux system."
    LBiege
    21st Oct 2010
