Many Millions of Linux are affected by this security hole

[gcmartin]

Reported yesterday.

[eric52]

Thanks GCM, I'm glad I never gave in to the temptation to bank online.

[Scooby]

I tried the reported kernel vulnerability.

Took the addresses from system.map for my kernel
version 4.1.6 for prepare_kernel_cred and commit_creds

It took 37 min to complete

Code: Select all

$ ./cve_2016_0728 PP_KEY
uid=1000, euid=1000
Increfing...
finished increfing
forking...
finished forking
caling revoke...
uid=1000, euid=1000
$ id -u
1000
$ id -un
alpha

I am still not root at the end?

Maybe a bit overestimated this bug?

I couldn't reproduce?

posted at their site about it too but seems like they deleted it?
perhaps they just want publicity?

[Ted Dog]

Thanks GCM, I'm glad I never gave in to the temptation to bank online.

I worked at a top three security documents company and transfer programs between investment group banking and Federal Reserve.. I also do NOT do online banking. There is solid active involvement realtime to stop those problems but I only saw it at the intrabank level

[gcmartin]

Hello all. @Scooby, the "Security" is an Industry unto itself.

Some of the recent years finds are a discovery disclosure for which there have been no known exploits. It does gather our attentions. I have often wondered if its about tooting their own horns or if intending to invite exploit attempts or to make exploiters aware of "open doors" so that they can say "I told you so".

In Corporate meetings over the many years, the Security people use tactics to get financing from top management. I understand that they have a job to do and to protect. This is done in showing value to the organization in some cases. At fiscal end, their report of thwarting potential exploits allows their budgets to remain.

This is NOT always the case, but, raising worldwide awareness of a bug that has no history of exploits make you wonder why it just wasn't closed without the fanfare.

FYI

[rufwoof]

Vulnerability allows restricted users and apps to gain unfettered root access

For Puppy where users run as root anyway ... users gaining access to root isn't a vulnerability ... its a feature. Therefore only if you're running servers is this a issue, otherwise just count it as anti-Linux noise.

[8Geee]

It would appear that one must not be root at the start of the test.
One then becomes root at the end if the bug is present.

[greengeek]

The flaw, which was introduced into the Linux kernel in version 3.8 released in early 2013, resides in the OS keyring

Ha! another reason to stick with Slacko 5.6
Everything after that uses kernels that are well penetrated.

[Daleb]

user jamesbond says this is a troll story

http://www.murga-linux.com/puppy/viewto ... 124#883124

[jamesbond]

user jamesbond says this is a troll story

http://www.murga-linux.com/puppy/viewto ... 124#883124

You must have something wrong on your head Bindee. I did not say that this thread is a troll story; I am saying that you --> "DALEB" <-- is a troll, another sockpuppet from the troll Bindee.

Your first two posts after you registered is:
a) Is Fatdog64 Contributed thread infested with RATs?
b) The just released Fatdog64 702rc has a compromised kernel.
Yet, you are not a Fatdog64 user nor a Puppy user. So why should you care?

You, sir, is a troll. Your presence here in this forum is a disservice to all. You do not belong here. Now go back to where you came from, troll!

[mavrothal]

Would be nice if people bather to look past the headlines and look a bit further.

It’s pretty bad because a user with legitimate or lower privileges can gain root access and compromise the whole machine
...
an attacker would require local access to exploit the vulnerability on a Linux server

Puppy runs as root.
Puppy is NOT multi-user.
Puppy (usually) is not a server.
So, yes this is a kernel bug that can affect servers and multiuser machines given that someone has local access to it.
If someone has local access to your puppy I do not think will require any bug exploit.

Regarding Android, the user must install the malicious app (none know yet)...

[6502coder]

Much ado about not a lot, according to ZDNet:

http://www.zdnet.com/article/how-to-fix ... o-day-flaw

[gcmartin]

Thanks @6502Coder. The article drives home what I shared earlier.

[Scooby]

Much ado about not a lot, according to ZDNet:

http://www.zdnet.com/article/how-to-fix ... o-day-flaw

Okay what I gained from reading the link is that my test to elevate
privileges on kernel 4.1.6 is beause SMEP or SMAP is activated.

SMEP and SMAP seems to be activated by default if CPU supports it?

I cannot however to find any command to check if SMEP or SMAP
is activated for my booted kernel?

Does anyone know?

*EDIT*
Saw some mention that this could verify SMEP

Code: Select all

cat /proc/cpu | grep smep 

also to see if kernel supports SMAP

Code: Select all

> zgrep X86_SMAP /proc/config.gz 
CONFIG_X86_SMAP=y

When searching for SMEP and SMAP with my cpu it seems I have neither


So why does the exploit fail?
.

[starhawk]

Would be nice if people bather to look past the headlines and look a bit further.

It’s pretty bad because a user with legitimate or lower privileges can gain root access and compromise the whole machine
...
an attacker would require local access to exploit the vulnerability on a Linux server

Puppy runs as root.
Puppy is NOT multi-user.
Puppy (usually) is not a server.
So, yes this is a kernel bug that can affect servers and multiuser machines given that someone has local access to it.
If someone has local access to your puppy I do not think will require any bug exploit.

Regarding Android, the user must install the malicious app (none know yet)...

Well put indeed. This is FUD at best... as are most of these supposed 'exploits' or 'flaws'. Linux is about 95+% secure from this crap (assuming you don't run WINE) -- not by design, but because nobody of consequence in any position to create an exploit like that actually cares about Linux anything anywhere. It is wasted time and productivity better spent elsewhere. The few exceptions to this rule (Wikipedia has a page on them) are not really worth mentioning -- a double handful (maybe) of abortive efforts, all at least five years out of date (and I want to say more like fifteen for most). A goodly percentage aren't even in circulation anymore as I understand it. They have been completely eradicated.

Viruses, worms, trojans, etc are about MONEY, just like everything else in this world. Money, and want of it, and greed over it. Think of all the fake antivirus crap that Windows users get, begging them to install backdoor-laden programs that just spew out more of the same. Look at Cryptolocker and its ilk. Not to mention that "FBI" virus that had people mail prepaid Wal*Mart cards to strange addresses. Yes, all of those actually WORKED, at least enough to satisfy their creators.

There is no meaningful market for that trash here on Linux, and there never has been, because not enough people are willing to move here from The Dark Side to make it worthwhile. (Perhaps we should be thankful, particularly given the state of modern computer education...) If M$ ever goes under *and* people don't just shuffle over to That Fruit Company and get their daily dose of bloated disposable crapware from there, then we might at that point have something to talk about.

In the meantime, Shakespeare said it best. "Much ado about nothing." A statement particularly true, in this case, of Puppy Linux as a whole.

[bark_bark_bark]

I'm pretty sure if somebody found a way to make malware coded for linux that can be also be compiled onto Windows and OS X, then we would be in big trouble.

[starhawk]

Yes, and in the distant past there's been one or two of those.

Trouble is, everyone doing it found that targeting Linux is a waste of time... or something to that effect.

The primary point is that all this bellyaching about security "holes" is wasted energy -- almost none of these supposed issues will have actual malware developed to take advantage of them, and for the exceptions that prove the rule there's patching and updates. User doesn't want to install an update? That's their problem, not mine.

Quit bangin' the drum, there's no trouble here...

...unless you WANT the likes of Norton and McAffee trying to make Linux "more secure" with their useless bloated offal...?

[Daleb]

if smartphones can be exploited with malicious apps then why can't desktops be exploited in the same way?? we have a users contributed packages section that doesn't seem to be checked from the strange reply i received

[Scooby]

The exploit POC doesn't work see

https://www.reddit.com/r/linux/comments ... y_patched/


If you want to try there is an easy version at

https://gist.github.com/libcrack/ac371cd9737cbf7997fa

[Mike Walsh]

Would be nice if people bother to look past the headlines and look a bit further.

It’s pretty bad because a user with legitimate or lower privileges can gain root access and compromise the whole machine
...
an attacker would require local access to exploit the vulnerability on a Linux server

Puppy runs as root.
Puppy is NOT multi-user.
Puppy (usually) is not a server.
So, yes this is a kernel bug that can affect servers and multiuser machines given that someone has local access to it.
If someone has local access to your puppy I do not think will require any bug exploit.

Regarding Android, the user must install the malicious app (none know yet)...

Well put indeed. This is FUD at best... as are most of these supposed 'exploits' or 'flaws'. Linux is about 95+% secure from this crap (assuming you don't run WINE) -- not by design, but because nobody of consequence in any position to create an exploit like that actually cares about Linux anything anywhere. It is wasted time and productivity better spent elsewhere. The few exceptions to this rule (Wikipedia has a page on them) are not really worth mentioning -- a double handful (maybe) of abortive efforts, all at least five years out of date (and I want to say more like fifteen for most). A goodly percentage aren't even in circulation anymore as I understand it. They have been completely eradicated.

Viruses, worms, trojans, etc are about MONEY, just like everything else in this world. Money, and want of it, and greed over it. Think of all the fake antivirus crap that Windows users get, begging them to install backdoor-laden programs that just spew out more of the same. Look at Cryptolocker and its ilk. Not to mention that "FBI" virus that had people mail prepaid Wal*Mart cards to strange addresses. Yes, all of those actually WORKED, at least enough to satisfy their creators.

There is no meaningful market for that trash here on Linux, and there never has been, because not enough people are willing to move here from The Dark Side to make it worthwhile. (Perhaps we should be thankful, particularly given the state of modern computer education...) If M$ ever goes under *and* people don't just shuffle over to That Fruit Company and get their daily dose of bloated disposable crapware from there, then we might at that point have something to talk about.

In the meantime, Shakespeare said it best. "Much ado about nothing." A statement particularly true, in this case, of Puppy Linux as a whole.

Very well put, starhawk. Couldn't have put it better myself.

The likes of arstechnica and zdnet have to publish something to get people's attention, and make them want to visit their sites.

'Much Ado About Nothing' indeed, as The Bard himself put it.....

And from another zd.net article about this same subject:-

http://www.zdnet.com/article/how-to-fix ... -day-flaw/

...this quote:-

This, according to another programmer working on mediating the problem, is far from unique. "Security companies are always making a big deal of little problems for their own benefit."

'Nuff said, really.


Mike.