Six-year old Linux bug Eventually FixedBy Partho, Gaea News Network
Friday, August 20, 2010
After six-years of unsuccessful fixing Linux kernel org finally devised a patch for critical privilege escalating bug. This hole could be exploited by hackers to execute code at the root from any GUI application. The flaw was reported on 17 June, and was addressed in two months. But, according to the security blog The H, SUSE Engineers claim that it was reported and patched in for SUSE in September, 2004. Interestingly, the patch was never updated for the kernel.
The critical bug went unnoticed until Rafal Wojtczuk, a Invisible Things Lab (ITL) researcher while working on an open source desktop virtualization tool found it. Moreover, the fix that was devised by Linux Travolds on 13 August was buggy itself. There were more fixes for it.
The kernel group reportedly extended their deadline for disclosure about the hole. According to the kernel org the bug was addressed in versions 220.127.116.11, 18.104.22.168, 22.214.171.124 and 126.96.36.199 of the kernel. Now its upon the distro makers to push the fix into the sites.
Few days later the patches were safely introduced in the new kernel release.
The details of the attack using the hole was written by Joanna Rutkowska
The attack allows a (unpriviliged) user process that has access to the X server (so, any GUI application) to unconditionally escalate to root (but again, it doesn’t take advantage of any bug in the X server!). In other words: any GUI application (think e.g. sandboxed PDF viewer), if compromised (e.g. via malicious PDF document) can bypass all the Linux fancy security mechanisms, and escalate to root, and compromise the whole system. The attack allows even to escape from the SELinux’s “sandbox -X” jail. To make it worse, the attack has been possible for at least several years, most likely since the introduction of kernel 2.6.
To exploit the bug attackers might
- Target a system containing this specific vunerability- most of the server configurations do not run the user-accessible X.
- Attackers might also find another vulnerability on that system, which is exploitable, like via PDF file
- Transmit that file to the target user
- Get users to view it on the target system
There is a debate about the seriousness of the hole among the experts. this was rated on high priority by Red Hat and kernel developer Greg Kroah-Hartman.
A bug is bug afterall, the Microsoft men are repeatedly accused if it takes them too long to fix a bug, so there can be any support to cover up Linux’s goof up.
Tags: kernel org, Linux bug, Linux kernel, Open Source, SUSE, SUSE Linux