Posted by flipped 19 hours ago

Dirtyfrag: Universal Linux LPE (www.openwall.com)
705 points | 297 comments | page 5
unethical_ban 19 hours ago||
Here's a general question: are these vulnerabilities hitting Linux more than BSDs due to it being a larger target or because its architecture is less secure by design?
vsgherzi 18 hours ago||
It’s two things.

1. Less eyes are on the BSDs

2. BSDs don’t have the same optimizations that Linux has. BSDs generally try to pursue correctness

That being said, there were just a bunch of vulnerabilities in FreeBSD

macOS has had its own dirty cow attack and I know there’s for sure more memory ones just based on the way the xnu kernel works.

So no, Linux isn’t really worse per se

staticassertion 19 hours ago|||
Larger target.
golem14 18 hours ago||
in many ways:

- more people are using it (assuming macOS is in its own bucket perhaps)
- bigger surface areas (esp NetBSD has in my limited understanding just less stuff that can go boom)
- more churn, i.e. more new stuff that can be buggy released more often.

Of course, because of that, more eyes are on Linux, so I'm not sure where that security tradeoff is.

ahartmetz 18 hours ago||
AFAIU, Linux and the BSDs have basically the same architecture - the BSDs just value secure and simple, understandable code more highly than Linux vs features and performance.
angry_octet 17 hours ago||
This is really not a correct statement beyond the fact that both are a type of Unix.
cluckindan 17 hours ago|||
Linux is not Unix: it is not derived from AT&T Unix.
angry_octet 6 hours ago|||
By that definition, nor is BSD. It's kind of their whole raison d'être.
ahartmetz 16 hours ago|||
Linux 2.2 or 2.4 or so (possibly only Suse Linux) even had a kernel startup message "Unix compliance testing by UNIFIX" or something, back when Unix was considered more prestigious than Linux. It is / was by some official definition "a Unix", though not "UNIX the trademark by AT&T".
cluckindan 16 hours ago||
I’m fairly certain they’re referring to POSIX compatibility, not calling a Linux a Unix.
ahartmetz 15 hours ago||
Oh damn, you are probably right.
ahartmetz 16 hours ago|||
What are the differences? I think of both as Unix-type systems with macrokernels. I have no practical experience with BSDs.
ahartmetz 2 hours ago||
Jeez, care to reply instead of downvoting? I would really like to know. I do keep an eye on the BSDs as a good example in some areas where Linux is bad.
normie3000 18 hours ago||
So umm... should I rush home and turn off all my computers?
arcfour 18 hours ago||
Are they already vulnerable to RCE as an unprivileged user? Hopefully not.

An LPE only allows an attacker who can already execute code on the system to become root. So, bad, yes, but it doesn't mean you are immediately pwned.

account42 4 hours ago|||
And for a single user desktop, an LPE is almost meaningless as all the really important files are in $HOME and accessible without root.
arcfour 1 hour ago||
Perhaps, unless you want persistence.
hughw 16 hours ago|||
Should I rush to Lambda or ECS and turn off all my containers sharing a host with who the hell knows?
PhilipRoman 7 hours ago|||
AFAIK Lambda and everything else will use micro-VMs. No serious company would use a shared kernel design for workloads in different security contexts. (Personally I wouldn't even use the same hardware host, but sometimes sacrifices have to be made)
tkel 14 hours ago||||
Like others have said, this will get you root inside the container. It isn't a container escape. File/volume mounts shared across containers would be vulnerable.
arcfour 7 hours ago|||
Firecracker is extremely hardened, so I wouldn't worry about Lambda. As for ECS, getting root doesn't necessarily mean you have a container escape. I think you could escape containers with this exploit, but you would need a different payload than what's published. I could be wrong though.

I would assume AWS is pretty on the ball when it comes to handling stuff like this if they didn't have other defenses or mitigations in place already.

dezgeg 16 hours ago||
For home computers, essentially https://xkcd.com/1200/ applies.
7373737373 16 hours ago||
Tanenbaum was right
TZubiri 14 hours ago|
Go on...
7373737373 6 hours ago||
https://youtube.com/watch?v=oS4UWgHtRDw
lyu07282 13 hours ago||
Two distro independent LPEs in such a short time, if only all Linux software could be this portable.
cynicalsecurity 14 hours ago||
Imagine how many undiscovered bugs and exploits exist in Windows.
tap-snap-or-nap 4 hours ago|
No one has the time given how many windows bugs are already open and active long term.