A security researcher has released zero-day code for a flaw in the Linux kernel, saying that it bypasses security protections in the operating system.
The source code for the exploit was made available last week by researcher Brad Spengler on the Dailydave mailing list. According to the researcher, the code exploits a vulnerability in Linux kernel versions 2.6.30 and 2.6.18, and affects both 32-bit and 64-bit builds. The 2.6.18 kernel is used in Red Hat Enterprise Linux 5.
The exploit bypasses null pointer de-reference protection in the mainline kernel, which could allow an attacker to gain root control of a system, Spengler wrote.
It also uses arbitrary code execution to disable security features such as auditing, Security-Enhanced Linux (SELinux), AppArmor and Linux Security Module, while making the applications running outside the kernel believe that SELinux is still operating.
In the notes for his source code, Spengler said the exploit is strengthened if SELinux is applied to the operating system. SELinux is a set of modifications that can be applied to the kernel to harden it, by providing a set of security policies.
"Having SELinux enabled actually weakens system security for these kinds of exploits," he wrote.
Security training organization the SANS Institute called the exploit "fascinating." In a blog post on Friday, SANS Institute incident handler Bojan Zdrnja said that the exploit relies on the Linux compiler to overcome the security features.
"The compiler will introduce the vulnerability to the binary code, which didn't exist in the source code," wrote Zdrnja. "This will cause the kernel to try to read/write data from 0x00000000, which the attacker can map to userland--and this finally pwns the box."
In his notes on the source code, Spengler said that a workaround would be for administrators to compile the kernel with -fno-delete-null-pointer-checks.
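The compiler behaviour Zdrnja describes, shown as an added C example that is not part of the article or of Spengler's code: the first function tests its pointer only after dereferencing it, which lets an optimising GCC delete the test; the second tests first. The struct and function names are constructed for illustration.

```c
#include <stddef.h>

/* Constructed stand-in for a kernel object holding a pointer field
 * (assumption: names are illustrative, not from the page or any driver). */
struct tunnel {
    int *sk;
};

/* The pattern Zdrnja describes. The source does check for NULL, but only
 * after `t` has already been dereferenced. Dereferencing NULL is undefined
 * behaviour, so at -O2 (where -fdelete-null-pointer-checks is on by default)
 * GCC may infer that `t` cannot be NULL and drop the `if (!t)` branch.
 * The binary then has no check at all: a NULL `t` reads from a small offset
 * above address 0. Building with -fno-delete-null-pointer-checks, the
 * workaround the article quotes, tells GCC not to draw that inference.
 * Kept only for illustration; never call it with NULL. */
int tunnel_has_sock_check_late(struct tunnel *t)
{
    int *sk = t->sk;        /* dereference first ... */
    if (!t)                 /* ... check second: a candidate for deletion */
        return -1;
    return sk != NULL;
}

/* The hardened ordering: test the pointer before touching anything it
 * points at. With no earlier dereference for the optimiser to reason from,
 * the check survives at every optimisation level and a NULL `t` is handled
 * the way the source intends, independent of compiler flags. */
int tunnel_has_sock_check_early(struct tunnel *t)
{
    if (!t)
        return -1;
    return t->sk != NULL;
}

/* Small driver so the block runs stand-alone. */
int main(void)
{
    int dummy = 0;
    struct tunnel with = { &dummy }, without = { NULL };
    return (tunnel_has_sock_check_early(NULL) == -1 &&
            tunnel_has_sock_check_early(&with) == 1 &&
            tunnel_has_sock_check_late(&without) == 0) ? 0 : 1;
}
```

Later mainline kernels added -fno-delete-null-pointer-checks to their default build flags, but the ordering fix is what removes the bug from the source rather than masking it in the compiler.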
Tom Espiner of ZDNet UK reported from London.
Photo: Sarah Palin (Credit: Alaska governor's office)
A grand jury in Chattanooga, Tenn., investigating who hacked Republican vice presidential candidate Sarah Palin's Yahoo e-mail ended its meeting on Tuesday without indicting a Tennessee lawmaker's son.
Speculation on the Internet has centered on 20-year-old David Kernell, a University of Tennessee student.
On the Internet forum 4Chan.org, where the e-mail break-in was first announced, posts attributed to someone named "Rubico" more or less described how the Yahoo account had been compromised using the password recovery feature. The e-mail address used for Rubico has been linked to Kernell.
Kernell's father, Democratic Tennessee state representative Mike Kernell, further fueled speculation last week when he confirmed his son was the subject of the investigation. On Saturday, investigators searched David Kernell's campus apartment.
Justice Department spokeswoman Laura Sweeney told the
There are mixed reports on Friday whether or not the son of a Tennessee state representative has been contacted by the FBI or Secret Service in connection with Sarah Palin's hacked Yahoo Mail account.
The father, Democratic Rep. Mike Kernell, has told the Knoxville News Sentinel and The Tennessean that despite a lot of online chatter, no formal contact has been made.
The person who gained access to Palin's e-mail account did so by guessing details of her life, then changed the e-mail password to "popcorn."
Using the online nickname Rubico, someone posted details of the hack to a forum on the 4Chan.org Web site starting on Tuesday. Password-protected zip files containing the contents of the now-deleted e-mail account once belonging to the Republican vice-presidential candidate have also been posted to the forum.
Subsequent posts by Rubico to the /b/ board over the last few days have provided additional insight into how the hack was carried out, although many of the posts have now been deleted.
Ubuntu on Tuesday became the latest Linux vendor to patch a vulnerability in the open-source operating system's kernel that could have left the door open for hackers to find their way into users' machines.
In an e-mail sent overnight, the Linux vendor warned users to update all machines running recent versions of Ubuntu, ranging from 6.06, which was released back in mid-2006, to version 8.04, which came out earlier this year. The problem also applied to other versions of Ubuntu such as Kubuntu, Edubuntu, and Xubuntu.
"It was discovered that there were multiple NULL-pointer function de-references in the Linux kernel terminal handling code," wrote Ubuntu administrators in the e-mail. "A local attacker could exploit this to execute arbitrary code as root, or crash the system, leading to a denial of service."
The e-mail also detailed a number of other bugs that could be exploited by an attacker who already had some level of access to a computer running Ubuntu.
A number of other Linux vendors including Novell have recently released similar patches to address the problems.
Renai LeMay of ZDNet Australia reported from Sydney.