Security
An ancient kernel hole is closed
A longstanding bug in the Linux kernel—quite possibly since the first 2.6 release in 2003—has been fixed by a recent patch, but the nearly two-month delay between the report and the fix is raising some eyebrows. It is a local privilege escalation flaw that can be triggered by malicious X clients forcing the server to overrun its stack.
The problem was discovered by Rafal Wojtczuk of Invisible Things Lab (ITL) while working on Qubes OS, ITL's virtualization-based, security-focused operating system. ITL's CEO Joanna Rutkowska describes the flaw on the company's blog and Wojtczuk released a paper [PDF] on August 17 with lots more details. In that paper, he notes that he reported the problem to the X.org security team on June 17, and by June 20 the team had determined that it should be fixed in the kernel. But it took until August 13 before that actually happened.
In addition, the description in the patch isn't terribly forthcoming about the security implications of the bug. That is in keeping with Linus Torvalds's policy of disclosing security bugs via code, but not in the commit message, because he feels that may help "script kiddies" easily exploit the flaw. There have been endless arguments about that policy on linux-kernel, here at LWN, and elsewhere, but Torvalds is quite adamant about his stance. While some are calling it a "silent" security fix—and to some extent it is—it really should not come as much of a surprise.
The bug is not in the X server, though the fact that it runs as root on most distributions makes the privilege escalation possible. Because Linux does not separate process stack and heap pages, overrunning a stack page into an adjacent heap page is possible. That means that a sufficiently deep stack (from a recursive call for example) could end up using memory in the heap. A program that can write to that heap page (e.g. an X client) could then manipulate the return address of one of the calls to jump to a place of its choosing. That means that the client can cause the server to run code of its choosing—arbitrary code execution—which can be leveraged to gain root privileges.
Evidently, this kind of exploit has been known for five years or more as Wojtczuk's paper points to a presentation [PDF] by Gaël Delalleau at CanSecWest in 2005 describing the problem, and pointing out that Linux was vulnerable to it. Unfortunately it would seem that the information didn't reach the kernel security team until it was rediscovered recently.
The X server has some other attributes that make it an ideal candidate to exploit the kernel vulnerability. Most servers run with the MIT shared memory extension (MIT-SHM) which allows clients to share memory with the server to exchange image data. An attacker can cause the X server to almost completely exhaust its address space by creating many shared memory segments to share with the server. 64-bit systems must allocate roughly 36,000 32Kx32K pixmaps in the server before creating the shared memory to further reduce the address space. One of the shared memory segments will get attached by the server in the "proper" position with respect to the server's stack.
Once that is done, the client then causes the X server to make a recursive function call. By looking through the shared memory segments for non-zero data, the client can figure out which of the segments is located adjacent to the stack. At that point, it spawns another process that continuously overwrites that segment with the attack payload and triggers the recursion again. When the recursion unwinds, it will hit the exploit code and jump off to do the attacker's bidding—as root.
It is possible that other root processes or setuid programs are vulnerable to the kernel flaw, and X servers with MIT-SHM disabled may be as well. All of those cases are, as yet, hypothetical, and are likely to be much harder to exploit.
X.org hacker Keith Packard described how the fix progressed within the X team. He said that they tried several fixes in the X server, including using resource limits to reduce the address space allowed to the server and limiting recursion depth while ensuring adequate stack depth. None of those were deemed complete fixes for the problem, though.
Andrea Arcangeli and Nick Piggin worked on a fix on the kernel side, but it was not accepted by Torvalds because it "violated some internal VM rules", Packard said. As the deadline for disclosure neared—after being extended from its original August 1 date—Torvalds implemented his own solution which fixed the problem. Overall, Packard was pleased with the response:
It should also be noted that Torvalds's original fix had a bug, which he has since fixed. The new patch, along with a fix for a user-space-visible change to the /proc/<pid>/maps file, is out for stable kernel review at the time of this writing. So, a full correct fix for the problem is not yet available except for those running development kernels or patching the fix in on their own.
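The adjacency the article describes, a stack whose bottom touches another mapping, is visible in /proc/<pid>/maps. The following check is an added example, not code from the article or the kernel: it parses maps text, finds the mapping that ends closest below [stack], and reports the gap; the sample maps lines are constructed, the one-page threshold and 4 KiB page size are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

PAGE_SIZE = 4096  # assumption: 4 KiB pages, as on x86

# One /proc/<pid>/maps line: start-end perms offset dev inode [pathname]
MAPS_LINE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S+)\s+\S+\s+\S+\s+\S+\s*(.*)$")

@dataclass
class Mapping:
    start: int
    end: int
    perms: str
    name: str

def parse_maps(text: str) -> List[Mapping]:
    """Parse maps text; lines that do not match the format are skipped."""
    result = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if m:
            result.append(Mapping(int(m.group(1), 16), int(m.group(2), 16),
                                  m.group(3), m.group(4).strip()))
    return result

def stack_gap_pages(maps: List[Mapping]) -> Optional[int]:
    """Unmapped pages between [stack] and the highest mapping ending at or
    below it; None when nothing at all is mapped below the stack."""
    stack = next((m for m in maps if m.name == "[stack]"), None)
    if stack is None:
        raise ValueError("no [stack] mapping found")
    below = [m for m in maps if m.end <= stack.start]
    if not below:
        return None
    nearest = max(below, key=lambda m: m.end)
    return (stack.start - nearest.end) // PAGE_SIZE

def stack_is_guarded(maps: List[Mapping], min_gap_pages: int = 1) -> bool:
    """True when at least min_gap_pages (an assumed threshold) separate the
    stack from its lower neighbour. A zero gap is the adjacency that lets a
    deep recursion run off the stack into the neighbouring mapping."""
    gap = stack_gap_pages(maps)
    return gap is None or gap >= min_gap_pages

# Constructed sample maps, not captured from a real system. In the first, a
# shared-memory segment ends exactly where [stack] begins; in the second,
# 1 MiB (256 pages) of unmapped space separates them.
ADJACENT_MAPS = """\
01a00000-01c80000 rw-p 00000000 00:00 0 [heap]
7fff00000000-7fff0020a000 rw-s 00000000 00:04 32768 /SYSV00000000 (deleted)
7fff0020a000-7fff0022b000 rw-p 00000000 00:00 0 [stack]
"""
GUARDED_MAPS = """\
01a00000-01c80000 rw-p 00000000 00:00 0 [heap]
7ffd12300000-7ffd12400000 rw-s 00000000 00:04 32768 /SYSV00000000 (deleted)
7ffd12500000-7ffd12521000 rw-p 00000000 00:00 0 [stack]
"""

if __name__ == "__main__":  # live check of this interpreter, Linux only
    with open("/proc/self/maps") as f:
        print("stack gap pages:", stack_gap_pages(parse_maps(f.read())))
```

The check only sees what the maps file reports; a kernel that reserves a guard page inside the stack VMA rather than as unmapped space would not show it here, so compare the result against your kernel's documented behaviour.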
All of the "fancy security mechanisms" in Linux were not able to stop this particular exploit, Rutkowska said. She also pointed out that the "sandbox -X" SELinux compartmentalization would not stop this exploit. While it isn't a direct remote exploit, it only takes one vulnerable X client (web browser, PDF viewer, etc.) to turn it into something that is remotely exploitable. Given the number of vulnerable kernels out there, it could certainly be a bigger problem in the future.
The most unfortunate aspect of the bug is the length of time it took to fix. Not just the two months between its discovery and fix, but also the five years since Delalleau's presentation. We need to get better at paying attention to publicly accessible security reports and fixing the problems they describe. One has to wonder how many attackers took note of the CanSecWest presentation and have been using that knowledge for ill. There have been no reports of widespread exploitation—that would likely have been noticed—but smaller, targeted attacks may well have taken advantage of the flaw.
Brief items
Security quotes of the week
How the open source community could save your life (opensource.com)
On opensource.com, Ruth Suehle writes about medical device security based on a LinuxCon talk from Karen Sandler of the Software Freedom Law Center. As with all software, there are likely to be significant bugs in the code in devices that may be implanted in our bodies, and those bugs could have life-threatening consequences. "And because they don't review it, the FDA generally doesn't even ask for source code unless they have reason to think that something is wrong. That means that in large part, it's left up to the device manufacturer to choose what to report to the FDA, giving them a lot of leeway about what testing needs to be done. Moreover, because of Riegel vs. Medtronic, patients are pre-empted from challenging the effectiveness or safety of a medical device approved by the FDA."
Morris: Linux Security Summit 2010 Wrapup
James Morris has a good summary of the Linux Security Summit (LSS) on his blog. LSS was held just prior to LinuxCon and had presentations and discussions on a wide variety of Linux security concerns. "Mobile security was one of the core issues discussed at LSS (and during the rest of the week), with the year of the Linux desktop now apparently permanently canceled due to smartphones and similar devices. There are certainly many very difficult and exciting challenges to be met in this area over the coming years, and it was great to be able to have the MeeGo security folk present on their work."
Schneier: Hacking Cars Through Wireless Tire-Pressure Sensors
Bruce Schneier reports on yet another worrisome attack against systems we rarely consider when looking at security problems: automobile "safety" systems. He quotes from two articles that cover a recent paper [PDF] about the vulnerability, including this from an article at The H: "Now, Ishtiaq Rouf at the USC and other researchers have found a vulnerability in the data transfer mechanisms between CANbus controllers and wireless tyre pressure monitoring sensors which allows misleading data to be injected into a vehicle's system and allows remote recording of the movement profiles of a specific vehicle. The sensors, which are compulsory for new cars in the US (and probably soon in the EU), each communicate individually with the vehicle's on-board electronics. Although a loss of pressure can also be detected via differences in the rotational speed of fully inflated and partially inflated tyres on the same axle, such indirect methods are now prohibited in the US."
New vulnerabilities
cabextract: denial of service
| Package(s): | cabextract | CVE #(s): | CVE-2010-2800 |
| Created: | August 13, 2010 | Updated: | September 28, 2010 |
| Description: | From the Pardus advisory: The MS-ZIP decompressor in cabextract before 1.3 allows remote attackers to cause a denial of service (infinite loop) via a malformed MSZIP archive in a .cab file during a (1) test or (2) extract action, related to the libmspack library. |
| Alerts: | |
drupal: multiple vulnerabilities
| Package(s): | drupal | CVE #(s): | |
| Created: | August 16, 2010 | Updated: | August 18, 2010 |
| Description: | From the Fedora advisory: Multiple vulnerabilities and weaknesses were discovered in Drupal. |
| Alerts: | |
flash-plugin: multiple vulnerabilities
| Package(s): | flash-plugin | CVE #(s): | CVE-2010-0209 CVE-2010-2213 CVE-2010-2214 CVE-2010-2215 CVE-2010-2216 |
| Created: | August 12, 2010 | Updated: | January 21, 2011 |
| Description: | From the Red Hat advisory: Multiple security flaws were found in the way flash-plugin displayed certain SWF content. An attacker could use these flaws to create a specially-crafted SWF file that would cause flash-plugin to crash or, potentially, execute arbitrary code when the victim loaded a page containing the specially-crafted SWF content. (CVE-2010-0209, CVE-2010-2213, CVE-2010-2214, CVE-2010-2216) A clickjacking flaw was discovered in flash-plugin. A specially-crafted SWF file could trick a user into unintentionally or mistakenly clicking a link or a dialog. (CVE-2010-2215) |
| Alerts: | |
freetype: arbitrary code execution
| Package(s): | freetype | CVE #(s): | CVE-2010-2805 CVE-2010-2806 CVE-2010-2807 CVE-2010-2808 |
| Created: | August 13, 2010 | Updated: | January 20, 2011 |
| Description: | From the Pardus advisory: CVE-2010-2805, CVE-2010-2806, CVE-2010-2807, CVE-2010-2808: Memory corruption flaws were found in the way the FreeType font rendering engine processed certain Adobe Type 1 Mac Font File (LWFN) fonts. An attacker could use this flaw to create a specially-crafted font file that, when opened, would cause an application linked against libfreetype to crash, or, possibly, execute arbitrary code. |
| Alerts: | |
httpd: denial of service
| Package(s): | httpd | CVE #(s): | CVE-2010-1452 |
| Created: | August 16, 2010 | Updated: | September 6, 2011 |
| Description: | From the CVE entry: The (1) mod_cache and (2) mod_dav modules in the Apache HTTP Server 2.2.x before 2.2.16 allow remote attackers to cause a denial of service (process crash) via a request that lacks a path. |
| Alerts: | |
java: multiple vulnerabilities
| Package(s): | java-1.6.0-openjdk | CVE #(s): | |
| Created: | August 16, 2010 | Updated: | August 18, 2010 |
| Description: | Multiple vulnerabilities have been fixed in icedtea6-1.8.1. The Fedora advisory does not clearly indicate which of the fixes are security related, however, nor are there any CVE numbers listed. The only clear security mention is: "Fix security flaw in NetX that allows arbitrary unsigned apps to set any java property." |
| Alerts: | |
kernel: multiple vulnerabilities
| Package(s): | kernel kernel-pae | CVE #(s): | CVE-2010-2226 CVE-2010-2537 CVE-2010-2538 CVE-2010-2798 |
| Created: | August 13, 2010 | Updated: | March 3, 2011 |
| Description: | From the Pardus advisory: CVE-2010-2226: A flaw was found in the handling of the SWAPEXT IOCTL in the Linux kernel XFS file system implementation. A local user could use this flaw to read write-only files, that they do not own, on an XFS file system. This could lead to unintended information disclosure. CVE-2010-2537: The BTRFS_IOC_CLONE and BTRFS_IOC_CLONE_RANGE ioctls should check whether the donor file is append-only before writing to it. CVE-2010-2538: The BTRFS_IOC_CLONE_RANGE ioctl appears to have an integer overflow that allows a user to specify an out-of-bounds range to copy from the source file (if off + len wraps around). CVE-2010-2798: The problem was in the way the gfs2 directory code was trying to re-use sentinel directory entries. A local, unprivileged user on a gfs2 mounted directory can trigger this issue, resulting in a NULL pointer dereference. |
| Alerts: | |
kernel-rt: privilege escalation
| Package(s): | kernel-rt | CVE #(s): | CVE-2010-2240 |
| Created: | August 17, 2010 | Updated: | March 21, 2011 |
| Description: | From the Red Hat advisory: when an application has a stack overflow, the stack could silently overwrite another memory mapped area instead of a segmentation fault occurring, which could lead to local privilege escalation on 64-bit systems. This issue is fixed with an implementation of a stack guard feature. |
| Alerts: | |
libmikmod: arbitrary code execution
| Package(s): | libmikmod | CVE #(s): | CVE-2010-2971 |
| Created: | August 16, 2010 | Updated: | January 20, 2011 |
| Description: | From the CVE entry: loaders/load_it.c in libmikmod, possibly 3.1.12, does not properly account for the larger size of name##env relative to name##tick and name##node, which allows remote attackers to trigger a buffer over-read and possibly have unspecified other impact via a crafted Impulse Tracker file, a related issue to CVE-2010-2546. NOTE: this issue exists because of an incomplete fix for CVE-2009-3995. |
| Alerts: | |
libsndfile: denial of service
| Package(s): | libsndfile | CVE #(s): | CVE-2009-4835 |
| Created: | August 16, 2010 | Updated: | July 29, 2011 |
| Description: | From the Mandriva advisory: The (1) htk_read_header, (2) alaw_init, (3) ulaw_init, (4) pcm_init, (5) float32_init, and (6) sds_read_header functions in libsndfile 1.0.20 allow context-dependent attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted audio file. |
| Alerts: | |
lxr-cvs: cross-site scripting
| Package(s): | lxr-cvs | CVE #(s): | CVE-2010-1625 CVE-2010-1738 CVE-2010-1448 CVE-2009-4497 |
| Created: | August 18, 2010 | Updated: | August 18, 2010 |
| Description: | The lxr-cvs tool fails to properly sanitize user input in a number of places, leading to several cross-site scripting vulnerabilities. |
| Alerts: | |
mipv6-daemon: multiple vulnerabilities
| Package(s): | mipv6-daemon | CVE #(s): | CVE-2010-2522 CVE-2010-2523 |
| Created: | August 17, 2010 | Updated: | October 25, 2010 |
| Description: | From the Fedora advisory: This update fixes two security problems in mipv6-daemon: I) CVE-2010-2522: The origin of netlink messages sent to mipv6-daemon was not verified, allowing for local users to spoof netlink messages and thus influence the behaviour of mipv6-daemon. II) CVE-2010-2523: A specially crafted ND_OPT_PREFIX_INFORMATION or ND_OPT_HOME_AGENT_INFO packet could be used to exploit a buffer overflow in mipv6-daemon. |
| Alerts: | |
openjdk: arbitrary file access
| Package(s): | openjdk-6 | CVE #(s): | CVE-2010-2548 CVE-2010-2783 |
| Created: | August 16, 2010 | Updated: | August 26, 2010 |
| Description: | From the Ubuntu advisory: It was discovered that the IcedTea plugin did not correctly check certain accesses. If a user or automated system were tricked into running a specially crafted Java applet, a remote attacker could read arbitrary files with user privileges, leading to a loss of privacy. |
| Alerts: | |
rekonq: cross-site scripting
| Package(s): | rekonq | CVE #(s): | CVE-2010-2536 |
| Created: | August 13, 2010 | Updated: | September 3, 2010 |
| Description: | From the CVE entry: Multiple cross-site scripting (XSS) vulnerabilities in rekonq 0.5 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) a URL associated with a nonexistent domain name, related to webpage.cpp, aka a "universal XSS" issue; (2) unspecified vectors related to webview.cpp; and the about: views for (3) favorites, (4) bookmarks, (5) closed tabs, and (6) history. |
| Alerts: | |
squirrelmail: denial of service
| Package(s): | squirrelmail | CVE #(s): | CVE-2010-2813 |
| Created: | August 12, 2010 | Updated: | January 14, 2013 |
| Description: | From the SquirrelMail advisory: A bug has been identified in SquirrelMail that poses a denial of service risk. The problem exists in SquirrelMail versions up through 1.4.20 wherein an attacker can submit random login attempts with 8-bit characters in the password. This will cause SquirrelMail to temporarily accept the login (further actions will all fail; user is never *actually* logged in) and create a preferences file (if one does not already exist) for the given username. An attacker could continue to use random usernames with the same password until enough preference files are created that the server runs out of hard disk space. We consider this a relatively low-risk problem, but it nevertheless has been fixed in SquirrelMail version 1.4.21. |
| Alerts: | |
ssmtp: denial of service
| Package(s): | ssmtp | CVE #(s): | |
| Created: | August 16, 2010 | Updated: | August 18, 2010 |
| Description: | From the Red Hat bugzilla: a deficiency in the way ssmtp removed trailing '\n' sequence by processing lines beginning with a leading dot. A local user could send a specially-crafted e-mail message via ssmtp send-only sendmail emulator, leading to ssmtp executable denial of service (exit with: ssmtp: standardise() -- Buffer overflow). Different vulnerability than CVE-2008-3962. |
| Alerts: | |
wireshark: arbitrary code execution
| Package(s): | wireshark | CVE #(s): | CVE-2010-2995 |
| Created: | August 12, 2010 | Updated: | April 19, 2011 |
| Description: | From the Red Hat advisory: Multiple buffer overflow flaws were found in the Wireshark SigComp Universal Decompressor Virtual Machine (UDVM) dissector. If Wireshark read a malformed packet off a network or opened a malicious dump file, it could crash or, possibly, execute arbitrary code as the user running Wireshark. (CVE-2010-2287, CVE-2010-2995) |
| Alerts: | |
znc: denial of service
| Package(s): | znc | CVE #(s): | CVE-2010-2812 CVE-2010-2934 |
| Created: | August 12, 2010 | Updated: | August 18, 2010 |
| Description: | From the Red Hat bugzilla entry: An out-of-range flaw was found in znc where if it received a "PING" from a client without an argument, std::string would throw a std::out_of_range exception which killed znc. Some unsafe substr() calls were fixed as well. These are of lesser impact because a valid login is required in order to cause a std::out_of_range exception. |
| Alerts: | |
Page editor: Jake Edge