
#1 2010-08-18 17:43:59

combuster
Member
From: Serbia
Registered: 2008-09-30
Posts: 711
Website

5 year old X+kernel vuln

http://news.softpedia.com/news/Critical … 2678.shtml

The attack allows an (unprivileged) user process that has access to the X server (so, any GUI application) to unconditionally escalate to root (but again, it doesn't take advantage of any bug in the X server!).

"In other words: any GUI application (think e.g. sandboxed PDF viewer), if compromised (e.g. via malicious PDF document) can bypass all the Linux fancy security mechanisms, and escalate to root, and compromise the whole system," Ms. Rutkowska explains in a post on the company's blog.

The attack and the vulnerability are described in more detail in a paper (PDF) entitled "Exploiting large memory management vulnerabilities in Xorg server running on Linux,"  authored by Rafal Wojtczuk and published yesterday.

The flaw affects both x86_32 and x86_64 platforms and was reported to the X.org security team on 17 June 2010.

Patch is out there but... :(

http://git.kernel.org/?p=linux/kernel/g … 5727f4c893

5 year old exploit. Nice... I can't wait to see rootless X !!!

Offline

#2 2010-08-18 18:11:41

Pyntux
Member
From: Serbia
Registered: 2008-12-21
Posts: 409

Re: 5 year old X+kernel vuln

Combuster, everything is possible even in Linux world! :D


I do not speak English, but I understand...

Offline

#3 2010-08-18 18:20:11

combuster
Member
From: Serbia
Registered: 2008-09-30
Posts: 711
Website

Re: 5 year old X+kernel vuln

I suggest a quick move of 2.6.35.2 from testing or updating 2.6.34.3 to 2.6.34.4 ASAP !

Offline

#4 2010-08-18 18:23:29

Inxsible
Forum Fellow
From: Chicago
Registered: 2008-06-09
Posts: 9,183

Re: 5 year old X+kernel vuln

If it has not affected you in 5 years, it's highly unlikely that it will just because the news came out. The kernel will be upgraded as soon as all the dependent packages are built for it.


Forum Rules

There's no such thing as a stupid question, but there sure are a lot of inquisitive idiots !

Offline

#5 2010-08-18 18:27:27

combuster
Member
From: Serbia
Registered: 2008-09-30
Posts: 711
Website

Re: 5 year old X+kernel vuln

Well, I'm not that important in the whole matter, I run custom 2.6.35.2 and 2.6.36-rc1. But nevertheless, now that the bug details are out, there is a lot more chance of someone playing hax0r with rigged documents.

/edit: And even if it affected me I would hardly notice - first thing I would have thought of would be a memory leak or something within X. Executing malicious code from ring0 is not sweet :)

Last edited by combuster (2010-08-18 18:29:08)

Offline

#6 2010-08-19 04:48:33

Gullible Jones
Member
Registered: 2004-12-29
Posts: 4,863

Re: 5 year old X+kernel vuln

Ugh. It's beginning to look to me like all software, not just Windows, is like Swiss cheese.

Offline

#7 2010-08-19 05:07:19

falconindy
Developer
From: New York, USA
Registered: 2009-10-22
Posts: 4,111
Website

Re: 5 year old X+kernel vuln

Gullible Jones wrote:

Ugh. It's beginning to look to me like all software, not just Windows, is like Swiss cheese.

The sky is falling?

One has to wonder how many privilege escalation vulnerabilities were patched in XP's lifetime compared to the number of similar escalation vulnerabilities found in the Linux kernel since its wider acceptance. A piece of software weighing in at over a million lines of code is bound to have a few holes, given someone clever enough and with enough time to find them.

Offline

#8 2010-08-19 05:41:10

cesura
Package Maintainer (PM)
From: Tallinn, Estonia
Registered: 2010-01-23
Posts: 1,867

Re: 5 year old X+kernel vuln

falconindy wrote:
Gullible Jones wrote:

Ugh. It's beginning to look to me like all software, not just Windows, is like Swiss cheese.

The sky is falling?

One has to wonder how many privilege escalation vulnerabilities were patched in XP's lifetime compared to the number of similar escalation vulnerabilities found in the Linux kernel since its wider acceptance. A piece of software weighing in at over a million lines of code is bound to have a few holes, given someone clever enough and with enough time to find them.

IIRC, XP has potential for terrible kernel vulnerabilities because of the fact that all userland applications are running in the same ring as the kernel (or at least have access to kernel memory)!

Offline

#9 2010-08-19 05:44:44

fsckd
Forum Fellow
Registered: 2009-06-15
Posts: 4,173

Re: 5 year old X+kernel vuln

itsbrad212 wrote:

IIRC, XP has potential for terrible kernel vulnerabilities because of the fact that all userland applications are running in the same ring as the kernel (or at least have access to kernel memory)!

[citation needed]


aur S & M :: forum rules :: Community Ethos
Resources for Women, POC, LGBT*, and allies

Offline

#10 2010-08-19 06:53:02

PirateJonno
Forum Fellow
From: New Zealand
Registered: 2009-04-13
Posts: 372

Re: 5 year old X+kernel vuln

itsbrad212 wrote:

IIRC, XP has potential for terrible kernel vulnerabilities because of the fact that all userland applications are running in the same ring as the kernel (or at least have access to kernel memory)!

Yeah, this is not true. On a software level though, it is typical to run as root on XP

IMHO this is not such a big deal. I'm more worried about theft of documents and/or personal information. A server, or most other systems where root access can be dangerous, is not likely to be running X anyway.


"You can watch for your administrator to install the latest kernel with watch uname -r" - From the watch man page

Offline

#11 2010-08-19 07:05:39

kokoko3k
Member
Registered: 2008-11-14
Posts: 2,426

Re: 5 year old X+kernel vuln

From phoronix:

The good news is that this issue is now corrected in the stable 2.6.32.19, 2.6.34.4, and 2.6.35.2 Linux kernel releases (along with the upstream Linux 2.6.36 kernel code)

What about other releases? (2.6.33.x?)

A server, or most other systems where root access can be dangerous, is not likely to be running X anyway.

And also:
I'm actually running a server which gives users (students) remote graphical access via nxserver/nxclient.
Does anybody know if they are vulnerable too?
And what about ssh -Y ? (X11 forwarding)

Last edited by kokoko3k (2010-08-19 07:06:30)


Help me to improve ssh-rdp !
Retroarch User? Try my koko-aio shader !

Offline

#12 2010-08-19 09:50:44

combuster
Member
From: Serbia
Registered: 2008-09-30
Posts: 711
Website

Re: 5 year old X+kernel vuln

I think all kernel versions are vulnerable except for 2.6.32.19, 2.6.34.4, 2.6.35.2 and 2.6.36-rc1, which is in mainline now (so I suggested 2.6.35.2 move to [core]). There it is now and this is imho a great reaction from Arch devs.

You can easily check on kernel.org if this patch is applied to the kernel version you are running:

https://www.kernel.org/diff/diffview.cg … 2.bz2;z=87

Patch was out on 13th of August, so if the kernel is older than that then - no, it isn't included, but other distro devs would probably backport this patch if they haven't already.

As for the vuln itself, yes - this is something Windows users get on a weekly basis "Apply this software to prevent remote attacker to gain control over your system". I like all the secrecy behind this because the security company that found the bug kept silent since early June or July (can't remember) and when this was reported to Keith and later on to Linus everybody kept their mouth shut and this hasn't leaked to the press until the moment when the patch was created and applied to several kernel versions. An example of good communication and organization that runs between core Linux developers. I think working on DRM brought them closer together :D

As for servers, well X generally isn't required to run on servers. Anything that is not needed shouldn't be installed let alone running (more software - bigger chances for security flaw). Where X is needed - well I don't know what server admin would use his server for opening documents downloaded from the net or running fishy software. Desktop users however - hm :(

Last edited by combuster (2010-08-19 09:51:12)

Offline
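
Added example (not part of any post in this thread): a POSIX shell function that classifies a kernel release string against the fixed upstream releases named above (2.6.32.19, 2.6.34.4, 2.6.35.2 and 2.6.36). The function name and the result labels are made up for the example, and a distribution kernel may carry a backport that the version string does not show.

```shell
#!/bin/sh
# Added example, not from the thread. Fixed releases are the ones quoted
# above: 2.6.32.19, 2.6.34.4, 2.6.35.2 and mainline 2.6.36 (from -rc1).
# classify_kernel is a hypothetical helper name. It prints one of:
#   fixed       release is at or past the fixed release for its branch
#   unpatched   branch has a fixed release and this one is older
#   not-listed  no fixed release is named in the thread for this branch
#   unknown     the string could not be parsed
# It only reads the version string, so a distro backport is invisible to it.
classify_kernel() {
    rel=${1%%-*}                 # drop suffixes like -rc1 or -2-vserver-amd64
    rel=${rel%%+*}
    case $rel in
        ''|*[!0-9.]*) echo unknown; return 0 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $rel                  # split on dots into $1..$4
    IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}; stable=${4:-0}

    if [ "$major" -gt 2 ]; then echo fixed; return 0; fi
    if [ "$major" -ne 2 ] || [ "$minor" -ne 6 ]; then
        echo not-listed; return 0
    fi
    if [ "$patch" -ge 36 ]; then echo fixed; return 0; fi

    case $patch in
        32) min=19 ;;
        34) min=4 ;;
        35) min=2 ;;
        *)  echo not-listed; return 0 ;;   # e.g. 2.6.33.x, asked about above
    esac
    if [ "$stable" -ge "$min" ]; then echo fixed; else echo unpatched; fi
}

# Classify the running kernel, or a release string given as the first argument.
classify_kernel "${1:-$(uname -r)}"
```

A release string with no fourth component is treated as stable release 0, so check the installed package version in that case.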

#13 2010-08-19 17:08:51

fsckd
Forum Fellow
Registered: 2009-06-15
Posts: 4,173

Re: 5 year old X+kernel vuln

uname -rv
2.6.26-2-vserver-amd64 #1 SMP Wed May 12 18:26:35 UTC 2010

*gasp* O_O

no X ^_^

PirateJonno wrote:
itsbrad212 wrote:

IIRC, XP has potential for terrible kernel vulnerabilities because of the fact that all userland applications are running in the same ring as the kernel (or at least have access to kernel memory)!

Yeah, this is not true. On a software level though, it is typical to run as root on XP

Not root but administrator which is less than "root". The actual superuser account is normally not directly accessed by a human user.


aur S & M :: forum rules :: Community Ethos
Resources for Women, POC, LGBT*, and allies

Offline

#14 2010-08-20 03:37:58

cesura
Package Maintainer (PM)
From: Tallinn, Estonia
Registered: 2010-01-23
Posts: 1,867

Re: 5 year old X+kernel vuln

fsckd wrote:
itsbrad212 wrote:

IIRC, XP has potential for terrible kernel vulnerabilities because of the fact that all userland applications are running in the same ring as the kernel (or at least have access to kernel memory)!

[citation needed]

Sorry, I was confusing my memory models :P

Offline
