
Nothing like a little doom and gloom to start the morning! The folks over at PC World think the sky is falling. It is being reported that there is a major exploitable bug in the Linux kernel. The bug is said to affect all versions of the Linux kernel up to version 2.6.24.1. According to PC World, distributions such as Ubuntu, Turbolinux, SuSE, Red Hat, Mandriva, Debian and others are affected. The problems are within three functions in the system call code in fs/splice.c.
At first I was taken by surprise by this news, but then, fortunately, a very witty commenter by the name of Evildave came to the rescue.
I read the comment by Evildave and my world view returned to normal. The sky is not in fact falling and all is well in the nix world. It is always funny to see how things are spun in the glorious publishing world. I wonder how much Microsoft paid PC World for this post.
Here’s the operative bit: “They could be exploited by malicious, *local* users to cause denial of service attacks, disclose potentially sensitive information or gain “root” privileges, according to security experts.” So, if someone sneaks into your house when you’re not there and boots up the computer, logs in with a VALID user account with privileges to compile code, they could get access to your computer… Ooh, scary!
Of course, the same evil user could just put a ‘Live’ CD in your CD drive, boot off it, then mount your hard drive and get your data that way. They could open the easy slide-off side of your computer, plug a USB adapter into your drive and mount it with a notebook, too. Failing all of that, they could pick up your whole computer and walk off with it. These techniques work equally well for any OS, and don’t really require any security exploit. The currently released Ubuntu 7.10 kernel is 2.6.22-14. The first version that the exploit affects is 2.6.23, and the last one it affects is 2.6.24. What’s this mean? It means it _doesn’t affect Ubuntu_ unless you downloaded an unsupported non-release kernel for it, presumably to fix some driver issue. The next time Ubuntu does a kernel patch it will probably leapfrog this ‘problem’ version.
This is not as scary as the PCWorld article is irresponsibly making it out to be. Even the code on milw0rm.com just demonstrates that the application can get root (assuming a user already is logged in and has privileges to build and execute code), and doesn’t do anything but give a test bed to verify you got root, demonstrating the problem. Goody, another ‘rootkit’ that can be used on one computer in thousands. Yay.
Added… I also like the quotes about one exploit per 1000 lines of open source code, and how many fewer exploits can be found in Microsoft’s code. Perhaps ‘Secunia’ just isn’t as good at finding Microsoft exploits as the malware writers are? Or maybe it’s just because anybody who can operate ‘Google’ can find exploits in open source code because so many other people out there publish when they find it. I have a great idea. Let’s make Microsoft’s code ‘Open Source’ and see if we can’t find any more holes than in other open source software. Oops, my mistake, there’s another similar exploit that affects 2.6.17 - 2.6.24. I know I’ll lose SO MUCH SLEEP over it, too… right after I take a nap.