Kernel Exploit Cause Of Debian Compromise

mbanck writes "The cause of the recent Debian Project server compromise has been published by the Debian security team: 'Forensics revealed a burneye encrypted exploit. Robert van der Meulen managed to decrypt the binary which revealed a kernel exploit. Study of the exploit by the RedHat and SuSE kernel and security teams quickly revealed that the exploit used an integer overflow in the brk system call. Using this bug it is possible for a userland program to trick the kernel into giving access to the full kernel address space'. This issue has been fixed in 2.4.23. Thus, the Linux kernel compromise was not Debian specific."

A shift of focus

It's fun to see how security research shifted from applications to kernels lately.

Re:A shift of focus

It's fun to see how security research shifted from applications to kernels lately.

Fun!? You must be Klingon.

Re:A shift of focus

"Fun!? You must be Klingon."

Today is a good day to get rooted.

Re:A shift of focus

The "nice" thing about kernel exploits (from a cracker's perspective, of course), is that it doesn't matter what sort of userland software is running on the machine -- if you can get local access, by whatever means, it is very easy to boost yourself to root.

Traditional local root exploits are all based on overflowing a setuid application or server. But if the box doesn't have any vulnerable apps installed, the attacker is SOL. However, if the kernel itself is exploitable, it no longer matters whether those setuid programs are present. All you need is to somehow acquire local access, and wham, you are root.

To summarize, kernel exploits are very convenient for turning local user account compromises into full-blown root compromises.

Re:A shift of focus

what i want to know is...

does this code belong to sco?

Re:A shift of focus

The "nice" thing about kernel exploits (from a cracker's perspective, of course), is that it doesn't matter what sort of userland software is running on the machine -- if you can get local access, by whatever means, it is very easy to boost yourself to root.

We should point out that you're talking about common kernels like Linux today, not that this must apply to any OS kernel. For example, if the kernel verifies the binaries it runs using digital signatures, then it can refuse to run unsigned binaries. The cracker's problem then becomes how to get an existing userland program (compiled by the trusted administrator) to issue the kernel call that results in the exploit, which is a much harder problem. A program may not ever make that system call, or may check its input so that you can't make it do the system call with (presumably) invalid parameters. In most cases, I expect that this means you have to insert a backdoor into a common program and wait for the trusted administrator to compile it for you.

This sort of security is probably overkill and too tedious for a desktop box, but not unreasonable for a server which should only have a few programs installed and running anyway.

Re:A shift of focus

That's why all the smart admins have been migrating their servers over to the best platform for the job: XBox.

Re:A shift of focus

That's a silly reason for plugging DRM. Simply mount all user-writable space with option "noexec" and you have the same level of security.

Life is more complicated than that. Regular binaries can be run as: /lib/ld-linux.so /noexeced_path/myprog

Even locking this out, any available program that is itself an interpreter (e.g. Perl, etc.) can be used to run code. Assume that any attacker (or their scripts) know this and will leverage it.

I'm seriously beginning to think that we won't be able to achieve secure systems that reliably push the security problem to the social boundary until ground-up designs such as the Extremely Reliable Operating System [eros-os.org] mature.

Re:A shift of focus

Seems like a stupid security hole.

This thread [debian.org] on the Debian mailing lists talks about this issue, and a poster in this thread notes that SE Linux is capable of closing this hole (with example). I don't recall offhand what tools are available in grsecurity (www.grsecurity.net) to address this issue; check out the grsec mailing lists for more info.

Re:A shift of focus

With Linux Desktops being most popular in corporate settings, it's going to start being targetted by professional black hats, if it's not already. Security is a concern, even local exploits.

A desktop system is exposed to tons of potentially hostile data. Strings are like acid, and a complex language like HTML is just asking for trouble.

Don't get me wrong, OpenBSD is waaay into diminishing returns territory as far as security goes, but there's a few things that could be done to get 90% of the benefits, eg propolice in the kernel and W^X.

Re:A shift of focus

For example, if the kernel verifies the binaries it runs using digital signatures, then it can refuse to run unsigned binaries.

It's also possible to use SELinux [nsa.gov]. With this module you can in details give permissions to any object in the system. A web server would not be able for example to run /bin/sh ... it would be blocked by the kernel. It's also possible to tell what syscalls are allowed for a program.

Kicking it up a notch.

And they call Windows unsecure. How does crow taste, Slashdot?

Pretty good if you know how to spice it right. The trick is, knowing you've got crow to eat. How's that mystery meat you're chewing on?

(there's a joke about feeding trolls to be made in this somewhere)

Shows the dangers of C

If the kernel was coded in visual basic, this wouldn't be happening.

Well then they'd better get some help

CLIPPY:
You appear to be trying to write a kernel. Do you want to:

• Automatically make sure the Visula Basic DLL is included in your program?
• Answer some questions and have me generate a nice windows kernel for you?
• Straigten me, and turn me into a very attractive piece of modern art?

Re:Shows the dangers of C

By 'this' do you mean the exploit wouldn't be happening? Or the Kernel?

Re:Shows the dangers of C

Why not Brainfuck [muppetlabs.com]

If you can't read your own code who else can..

what kind of person...

What kind of person spends that much time trying to find exploits in operating system kernels? Likewise, why do I spend so much time on www.thinkgeek.com/fortune.shtml? We are a sad people.

Re:what kind of person...

What kind of person?
spammers [bbc.co.uk]

People who expect to make money by hacking systems and using them to send millions of unsolicited emails.

Re:what kind of person...

The kind who only has to read through LKML to realise that a potential root bug was discovered in september, but wasn't fixed in 2.4.22, and doesn't appear to have been backported to the kernel?

ashridah

Re:what kind of person...

What kind of person spends that much time trying to find exploits in operating system kernels?

The kernel developers, i.e., Andrew Morton. Good for him, too.

There *was* a patch before the Debian systems were compromised. Hopefully in the future these things will be given more attention before they blow up.

Re:Well, well, well...

Perhapse you would like to add a point to copy-and-pasting the Linux Security advisory page? Maybe some context? Some sign of understanding what you're reading?

A couple of points...

1) Note that of the 15 listed advisories:

5 are the same BIND DOS vulnerability

2 (or 3 if you count Turbolinux's mega-update) are the same Ethereal vulnerability (DOS, possible arbitrary code)

2 are the same stunnel hijacking vulernability
2) None of these vulnerabilities lead to a remote exploit (although it could be argued one might be able to create a favorable condition with the ethereal issue)

Sure - Linux runs buggy code too. If that's your point, make it. But this hardly seems to be a suitable response to the parent's (semi-trollish) comment on MS' run of remote exploits.

What Crow?

Exactly what crow is that?

Would that be that a legitamate error was found verified and fixed in public in just about two weeks with no hiding or spin?

If Windows had a memory allocation error (application memory space being the thing controled by brk) of this sort would they allow it to be publicized?

Once they made the "patch" available, would you be able to apply it to every past version of Windows?

Would you be able to verify that the patch was applied to windows?

If Debain's FTP server had been running IIS and windows, what kind of forensic annalysis would have been done, and how LIKELY is it that the *SINGLE* *INCIDENT* compromise would have lead to a complete and detailed report from Microsoft, and a fix?

The "linux is more secure" argument is not (truthfully) based on the idea that linux is inherently error free. It is based on the idea that the persons experiencing the problems can determine what those probems actually are; come up with a fix; have that fix reviewed [and installed] (by all who care) *WITHOUT* needing to waking some sleeping-bear corporations nacient interest in the suffering of their lowly surfs... er... "customers".

Re:Well, well, well...

The worst Linux exploit of the year: an obscure kernel vulnerability that allowed one person to gain control of one box, disrupting one small OS group for a few days.

The worst Windows exploit of the year: a hole in the RPC services (which you can't turn off) that allowed a worm to gain control of millions of Windows boxes, disrupting the entire internet.

How does this make Linux equally bad as Windows, then?

Re:Well, well, well...

1) It's not obscure anymore
2) You don't know how many persons used this exploit to take over Linux servers
3) You don't know how many Linux servers were taken over by this exploit
4) Yes, When an exploit hits Windows, it hits many more machines, because there's many more Windows boxes than Linux
5) You obviously have missed all the remote exploits affecting tons of server software on Linux this year(openssh, apache, etc...), any of these could lead to owning the whole machine when used with this local exploit

Re:Well, well, well...

Um no.

First the exploit compromised one of the largest linux distribution and potentially they could have put trojan horses in all our packages and we would really be up shit river when that happens.

Secondly, we are no longer getting package updates so they have successfully stopped Debian development while they patch all this.

Although it's not in the scale of windows, if GNU/Linux had larger marketshare this would have been a big deal.

sri

Oh...

Fark. This seems to be a local exploit though. Whose the naughty one that did it? We can't have rogue members in our proud Debian society now can we? Come on, take it like a man.

Userland exploits

The evidence mounts: users should be eliminated.

Yup

Just like Nancy Reagan said: Users are Losers.

Re:Userland exploits

No really, a user account is as good as root on almost all systems. If you need security, don't have user accounts on the system.

Re:Hmm, Methinks I've Heard this theme before

Several million others that I missed, which courteous slashdotters will point out.

I'm sorry Dave, I can't do that...

Hurray for the Debian Security Team!

And thus, a previously unknown kernel exploit is discovered and patched! (Now how many more exist?)

Hats off to the Debian Security Team.

Re:Hurray for the Debian Security Team!

Hats off to the Debian Security Team.

And to the RedHat and SuSE security teams for helping them to track it down. In other words, hats off to the whole Free Software Community for collaborating when desaster strikes.

Re:Hurray for the Debian Security Team!

The bug had been found by Andrew Morton before, and was already fixed in 2.4.23. Thus, it wasn't unknown. It might even the because it was known that it was exploited aswell, I assume.

Quoting the Bugtraq post:

This problem was found in September by Andrew Morton, but unfortunately that was too late for the 2.4.22 kernel release.

Re:Hurray for the Debian Security Team!

This had been rumoured for several days before the actual announcement was made.
I'm guessing it was found and corrected, as a bug, but not thought to be exploitable, therefore no security announcement[0]. Later on, when debian.org got cracked, someone put two and two together and made the security announcement. I must admit, it seemed fairly weird to me for a long time, and I thought up a few lovely conspiracy theories, but in the end I think the simple oversight scenario is the most likely.

[0] After all, plenty of bugs get fixed in the kernel without being specially announced. If it was subtle someone probably just overlooked the fact that this particular bug was more problematic than any of the others fixed in that patch.

How did they get in to run a userspace util?

Using this bug it is possible for a userland program to trick the kernel into giving access to the full kernel address space'. This issue has been fixed in 2.4.23. Thus, the Linux kernel compromise was not Debian specific

That still doesn't get you into the box; you still need to run something in userspace- and thus I think claiming(based solely upon the evidence presented in the /. story) that the compromise was not Debian specific to be premature. Has it been established how access was obtained into the machine in the first place?

Re:How did they get in to run a userspace util?

I believe an earlier article said that it appeared that he sniffed a password to the box.

Or perhaps "she" sniffed a password?

I refuse to believe that the really hot, Debian-using, password-sniffing, root-exploiting geek girl is a myth.

RTFA

Recently multiple servers of the Debian project were compromised using a Debian developers account and an unknown root exploit. Forensics revealed a burneye encrypted exploit. Robert van der Meulen managed to decrypt the binary which revealed a kernel exploit. Study of the exploit by the RedHat and SuSE kernel and security teams quickly revealed that the exploit used an integer overflow in the brk system call. Using this bug it is possible for a userland program to trick the kernel into giving access to the full kernel address space. This problem was found in September by Andrew Morton, but unfortunately that was too late for the 2.4.22 kernel release.

This bug has been fixed in kernel version 2.4.23 for the 2.4 tree and 2.6.0-test6 kernel tree. For Debian it has been fixed in version 2.4.18-12 of the kernel source packages, version 2.4.18-14 of the i386 kernel images and version 2.4.18-11 of the alpha kernel images.

How does this compare...

to the winodows hole found the other day. Has anybody heard if that was fixed yet(not sure if it has been 48 hours yet). Technically this hole was fixed before it was found. It looks like another win for open source.

Re:How does this compare...

This story is about how great the Open Source Community is for fixing an exploit. The Microsoft story was about how incompetent Microsoft is for having an exploit.

Actually the Windows story was about how Microsoft had not patched an exploit they had known about for months.

This Linux exploit had ALREADY been patched.