New Zero Day – Linux Kernel

I’ve written repeatedly about the myth that Linux is inherently more secure. It always falls on deaf ears because some people don’t want to be bothered with the truth that all complex software is inherently vulnerable and insecure.

Here’s more proof that Linux has its own share of vulnerabilities.

The latest exploit affects the 2.6.30 kernel. Bojan Zdrnja at the SANS Internet Storm Center writes that Brad Spengler of grsecurity discovered this and adds:

Why is it so fascinating? Because a source code audit of the vulnerable code would never find this vulnerability (well, actually, it is possible but I assure you that almost everyone would miss it). However, when you add some other variables into the game, the whole landscape changes.

How so? Spengler writes in the comments to his POC that this vulnerability not only bypasses SELinux but is strengthened by it. Zdrnja explains:

While optimizing the code, the compiler will see that the variable has already been assigned and will actually remove the if block (the check if tun is NULL) completely from the resulting compiled code. In other words, the compiler will introduce the vulnerability to the binary code, which didn’t exist in the source code. This will cause the kernel to try to read/write data from 0x00000000, which the attacker can map to userland – and this finally pwns the box.

Is Linux or gcc to blame? Both/same. How many insist on “GNU/Linux”? Complex code, multiple layers. So many links that there are bound to be some weak ones, even if they’re not readily apparent when you look at the pieces rather than the whole. As Zdrnja concludes, “Fascinating research… again shows how security depends on every layer.”

Spengler’s solution is for administrators to compile the kernel with -fno-delete-null-pointer-checks, the GCC flag that stops the optimizer from assuming a pointer is non-NULL just because the code has already dereferenced it.
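To make Zdrnja’s explanation concrete, here is an added example written for this page; it is not Spengler’s PoC and not the kernel’s tun driver. The struct shapes, the function names (poll_vulnerable, poll_fixed, run_trapped) and the TUN_POLL* constants are stand-ins I assumed for illustration. It reproduces the dangerous ordering (dereference first, NULL check second) next to the corrected ordering, and runs both under a fault trap so you can see that the check in the vulnerable version never protects anything:

```c
#define _POSIX_C_SOURCE 200809L     /* for sigaction/sigsetjmp */
#include <setjmp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy stand-ins for the kernel structures (shapes assumed, not copied). */
struct sock       { int err; };
struct tun_struct { struct sock *sk; };
struct tun_file   { struct tun_struct *tun; };

enum { TUN_POLLIN = 0x01, TUN_POLLERR = 0x08 };

#define NOINLINE __attribute__((noinline))

/* The vulnerable ordering: tun->sk is read before tun is compared with
 * NULL. Dereferencing NULL is undefined behaviour, so an optimizing
 * compiler may treat tun as proven non-NULL and delete the if block.
 * In userland the read from address 0 faults either way; in the kernel,
 * with page zero mapped by the attacker, it does not fault and sk then
 * points at attacker-controlled memory. */
NOINLINE int poll_vulnerable(struct tun_file *tfile)
{
    struct tun_struct *tun = tfile->tun;
    struct sock *sk = tun->sk;      /* dereference first ...            */
    if (!tun)                       /* ... check second: removable by gcc */
        return TUN_POLLERR;
    return sk->err ? TUN_POLLERR : TUN_POLLIN;
}

/* Corrected ordering: the check precedes every use of tun, so nothing
 * lets the compiler assume tun is non-NULL, and no read of page zero
 * ever happens. */
NOINLINE int poll_fixed(struct tun_file *tfile)
{
    struct tun_struct *tun = tfile->tun;
    struct sock *sk;
    if (!tun)
        return TUN_POLLERR;
    sk = tun->sk;
    return sk->err ? TUN_POLLERR : TUN_POLLIN;
}

/* Fault trap: catch the signals a bad dereference (or a compiler-inserted
 * trap instruction) can raise and jump back to the caller. */
static sigjmp_buf fault_jmp;
static const int fault_signals[] = { SIGSEGV, SIGBUS, SIGILL, SIGTRAP };
enum { NFAULT = sizeof fault_signals / sizeof fault_signals[0] };

static void on_fault(int sig)
{
    (void)sig;
    siglongjmp(fault_jmp, 1);
}

/* Calls fn(tfile) under the trap. Returns 1 if fn faulted, 0 if it
 * returned normally, in which case *result holds its return value. */
int run_trapped(int (*fn)(struct tun_file *), struct tun_file *tfile, int *result)
{
    struct sigaction sa, old[NFAULT];
    struct tun_file *volatile arg = tfile;   /* hide the argument from the optimizer */
    int i, faulted;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    for (i = 0; i < NFAULT; i++)
        sigaction(fault_signals[i], &sa, &old[i]);

    if (sigsetjmp(fault_jmp, 1) == 0) {
        *result = fn(arg);
        faulted = 0;
    } else {
        faulted = 1;
    }

    for (i = 0; i < NFAULT; i++)
        sigaction(fault_signals[i], &old[i], NULL);
    return faulted;
}

/* 1 if fn turns a NULL tun into TUN_POLLERR without faulting, else 0. */
int handles_null_tun(int (*fn)(struct tun_file *))
{
    struct tun_file tfile = { NULL };   /* constructed input: no tun attached */
    int r = -1;
    return run_trapped(fn, &tfile, &r) == 0 && r == TUN_POLLERR;
}

/* 1 if fn reports TUN_POLLIN for a healthy socket, else 0. */
int handles_valid_tun(int (*fn)(struct tun_file *))
{
    struct sock sk = { 0 };             /* constructed input: healthy socket */
    struct tun_struct tun = { &sk };
    struct tun_file tfile = { &tun };
    int r = -1;
    return run_trapped(fn, &tfile, &r) == 0 && r == TUN_POLLIN;
}

int main(void)
{
    printf("poll_vulnerable: valid=%d null=%d\n",
           handles_valid_tun(poll_vulnerable), handles_null_tun(poll_vulnerable));
    printf("poll_fixed:      valid=%d null=%d\n",
           handles_valid_tun(poll_fixed), handles_null_tun(poll_fixed));
    return 0;
}
```

Build it twice, with -O0 and with -O2, and compare the disassembly of poll_vulnerable (objdump -d): at -O2 the compare against zero disappears, at -O0 it is still there, yet both binaries fault on the NULL case, because the read of tun->sk precedes the check in the source itself. Adding -fno-delete-null-pointer-checks keeps the compare in the -O2 build, which is why it is an adequate stopgap for the kernel: when page zero is mapped, the harmless read from it is followed by the surviving check, which returns the error. Only the reordering in poll_fixed removes the bad read altogether, which is what a proper source fix looks like.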

Remember what Linus said about masturbating monkeys? Or how many fanboi and other FSF-type sites raise anecdotal evidence about things like pwn2own as “proof” that Linux is insurmountable to attack or that Linux is more secure than Windows? It’s all bullshit.

Windows is more exploited because it’s prevalent. Linux has enjoyed security through obscurity, which is only obscurity and certainly not security. This isn’t the first or only exploit in the Linux kernel and it sure as hell won’t be the last. It really doesn’t help when so many in the Linux community — including Linus — are either unfazed by vulnerable code, oblivious to security issues, or even willing to lie about it and spread their FUD that Windows is the only inherently insecure operating system and that Linux is inherently secure.

Time to get serious about security rather than treating it as an afterthought or engaging in deceit, especially if you want greater marketshare on computers, servers, phones, PDAs, DVRs/PVRs, or any other device that can run Linux. Otherwise, you’re a fucking joke.


UPDATE – 18:20 21 July 2009: I found more at The Register about this:

The “NULL pointer dereference” bug has been confirmed in versions 2.6.30 and of the Linux kernel, which Spengler said has been incorporated into only one vendor build: version 5 of Red Hat Enterprise Linux that’s used in test environments. The exploit works only when a security extension known as SELinux, or Security-Enhanced Linux, is enabled. Conversely, it also works when audio software known as PulseAudio is installed.

An exploitation scenario would most likely involve the attack being used to escalate user privileges, when combined with the exploitation of another component – say, a PHP application. By itself, Spengler’s exploit does not work remotely.

With all the hoops to jump through, the exploit requires a fair amount of effort to be successful. Still, Spengler said it took him less than four hours to write a fully weaponized exploit that works on 32- and 64-bit versions of Linux, including the build offered by Red Hat. He told The Register he published the exploit after it became clear Linus Torvalds and other developers responsible for the Linux kernel didn’t regard the bug as a security risk.

With millions of eyeballs, it still takes only two to find what everyone else can’t or won’t see.

Linus wrote that it’s not a Linux problem but a setuid problem, which Rob Graham of Errata Security points out is a “design ‘flaw’ that is inherited from Unix” that is “going to be with us for many years to come.” Ahh, yes. That’s the same ol’ Unix which some ignorant dolts wildly claim is what makes Linux and OS X and so many other things invincible and safer than Windows, despite the truth and ample evidence to the contrary.

Spengler’s beef now, though, is that Linus and his team haven’t clearly disclosed the problem. In complaining about the fact that his POC led to the issue being categorized as DoS, Spengler said, “It kind of makes the vendors think the security is better than it actually is.”

That should set off alarm bells to anyone using Linux, especially if beguiled about its inherent security.
