[plug] More on the kernel flaw and Debian attack

Ryan ryan at is.as.geeky.as
Wed Dec 3 10:40:31 WST 2003


For those that don't see these ZDNet emails, here is today's:

==================================================================
ZDNet Australia Internet Security -- Wednesday December 3, 2003.
Powered by TechRepublic
==================================================================

Flaw in Linux kernel allows attack
Robert Lemos, Special to ZDNet

The Debian Project warned on Monday that a flaw in the Linux kernel helped
attackers compromise four of the open-source software project's development
servers. 

During several intrusions Nov. 19, the flaw enabled an attacker who already
had access to a server to remove the limitations that protected the system
from everyday users. The technique is known as a privilege escalation. 

Members of the development team found the flaw in September and fixed the
latest version of the core Linux software, or kernel. The fix came a bit
late, however. The latest version of the kernel, 2.4.23, was released
Friday, eight days after the Debian breach.
The Debian Project, which uses only truly open-source software in its
make-up, stressed that the breaches hadn't affected the project's code
base. 

"Fortunately, we require developers to sign the upload (software)
digitally," said Martin Schulze, a developer and member of the project.
"These files are stored off-site as well, which were used as a basis for a
recheck." 

The development team promised to lock all developer accounts until the flaw
had been found and fixed. The team published patches for the flaw on Monday
as well but didn't specify when the accounts would be unlocked. 

The unknown attacker compromised at least four servers. The systems--known
as Master, Murphy, Gluck and Klecker--had maintained the open-source
project's bug tracking system, source code database, mailing lists, Web
site and security patches. 

The attacker gained access to one of the systems by compromising a
developer's computer and installing a program to sniff out the characters
typed on the developer's keyboard, according to a postmortem analysis the
team published Friday. When the programmer logged into the klecker system,
the attacker recorded his password. 

Using the September flaw, the attacker gained owner privileges on Klecker.
This is frequently referred to as "owning" the system. The flaw--in a part
of the kernel that manages memory--allows only users that already have
access to the system to raise their privileges. Such flaws are less
critical than vulnerabilities that give an outside attacker access to a
server and so are fixed less quickly. 

The attacks have been the latest levelled at open-source software. In early
November, an attacker attempted to corrupt the Linux kernel with a coding
error that would have created a flaw similar to the one that affected the
Debian Project. A year ago, malicious attackers placed spyware into a
popular open-source tool, Tcpdump. Several other known attacks have also
been executed against other open-source projects. 

The latest bug has been fixed in the most recent version of the Linux
kernel, 2.4.23, and has also been patched in the next generation of Linux
since 2.6.0-test6, which was released in late September. 

Despite a two-month delay in releasing a patch, Ian Murdock, the founder of
Debian and the chairman of Linux distribution maintenance provider Progeny,
praised the project team. 

"All in all, the way the Debian guys handled the situation has been
admirable: They have been open with what they found out, and the speed at
which they have found things out has been quite quick," he said. Murdock is
a developer on the team but no longer has day-to-day administration duties.

Ryan
