ITSS Information Security Services
Security Alerts
Two Vulnerabilities in Linux Distributions -- 4 December 2003
Summary
Vulnerabilities in the Linux kernel and in rsync, an application used to synchronize files between remote machines, have been patched after several public machines were compromised. All users of SULinux, Red Hat and Debian are strongly encouraged to update their software quickly to avoid system compromise. Public exploits are available for both vulnerabilities, and machines on the Internet are actively being attacked.
For SULinux 9, please type

    apt-get update
    apt-get install kernel#2.4.20-24.9

Reboot your machine, and be sure it comes up gracefully. Once you've tested the new kernel, run

    apt-get remove kernel#2.4.20-20.9

to remove the old kernel.
For SULinux 7.x, please run

    apt-get update
    apt-get install kernel#2.4.20-24.7

Reboot and test the new kernel, then run

    apt-get remove kernel#2.4.20-20.7

Support for SULinux 7 ends this month.
The rsync update will need to be installed separately once it's available. Run

    apt-get update && apt-get upgrade

to update rsync along with any other applications that have pending updates.
Technical Details
A combination of vulnerabilities in the do_brk() memory management function in the Linux kernel and a heap overflow vulnerability in the rsync daemon permitted unknown attackers to compromise several public servers over the last month.
do_brk() is a Linux kernel function that manages the size of a user process's memory heap. In normal conditions, user processes are allowed access to memory ranging from 0 bytes to a limit of TASK_SIZE bytes; memory beyond TASK_SIZE is not accessible to user processes, and contains kernel code with its associated data structures. Unfortunately, the do_brk() function in unpatched kernels can be used to create arbitrarily large virtual memory regions, exceeding the range normally allocated to user processes. Thus, memory that contains kernel code becomes part of the user accessible memory space, allowing the user to execute code within the security context of the kernel itself.
This do_brk() flaw may be triggered in three ways: through the Linux ELF (Executable and Linking Format) loader, the a.out loader, and the brk(2) syscall. The brk(2) vector can be deterred by limiting the maximum size of a user process's data segment, but there are no workarounds for the other two attack vectors.

Any of the three allows an unprivileged local user to execute arbitrary code with root privileges.
It appears from investigation of the compromised machines that a heap overflow in rsync was used to establish a local user shell, from which the do_brk() escalation attack was launched. rsync is an application used to efficiently synchronize files across a network. It is not part of the default Linux install, but it's frequently used for source code management or anywhere that efficient file transfer is required.
If you're unsure whether you are running rsync, type the command

    netstat -n -a | grep 873

If your machine returns something like

    tcp        0      0 0.0.0.0:873            0.0.0.0:*              LISTEN

then you are probably running an rsync daemon and should upgrade your server.
Countermeasures
All Linux users are strongly encouraged to update their kernels (for the do_brk() vulnerability) immediately. There are no workarounds available to prevent the local root exploit.

Forensic analysis of the compromised machines is not yet complete, but it appears that the rsync vulnerability is only exploitable when rsync is being run in daemon mode (i.e. as a server, not as a client) and when the chroot option is disabled ("use chroot = no" in rsyncd.conf). If you are running an rsync server, we strongly recommend leaving chroot enabled, as it is in the default configuration.
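As an added example that is not part of the original ITSS alert, the following POSIX shell helpers automate the checks above: whether an rsync daemon is listening on port 873, whether an rsyncd.conf disables chroot, and whether a SULinux kernel release string is at or past the fixed 2.4.20-24 release. The netstat output and rsyncd.conf contents are constructed samples; the kernel check assumes the Red Hat style release naming the alert uses and additionally treats upstream 2.4.23 and later as patched, which the alert itself does not state.

```shell
#!/bin/sh
# Added example, not part of the original ITSS alert: audit helpers for the
# conditions the alert asks administrators to check. The first two read text
# on stdin, so they work on live output (netstat -n -a | rsync_listening)
# as well as on the constructed samples below.

# Is an rsync daemon listening on TCP 873?  Feed it `netstat -n -a` output.
# Requiring whitespace after 873 keeps ports such as 8730 from matching.
rsync_listening() {
    grep -qE '^tcp6?[[:space:]].*[:.]873[[:space:]].*LISTEN'
}

# Is chroot disabled anywhere in an rsyncd.conf (global section or module)?
# rsync ignores case and whitespace around '=' and takes no/false/0 as false,
# so match all of those.  Prints the offending lines; exits 0 if any found.
rsync_chroot_disabled() {
    grep -iE '^[[:space:]]*use[[:space:]]+chroot[[:space:]]*=[[:space:]]*(no|false|0)[[:space:]]*$'
}

# Classify a kernel release string (uname -r).  Assumes the Red Hat style
# naming used by SULinux, 2.4.20-<release>.<dist>, with 2.4.20-24 the first
# fixed release.  Upstream 2.4.23 added the do_brk() bound check (assumption
# beyond the alert).  Anything else is reported as unknown, never as safe.
kernel_status() {
    case "$1" in
        2.4.20-2[4-9].*|2.4.20-[3-9][0-9].*) echo patched ;;
        2.4.20-*)                            echo vulnerable ;;
        2.4.2[3-9]*|2.4.[3-9][0-9]*)         echo patched ;;
        *)                                   echo unknown ;;
    esac
}

# Constructed sample data (not captured from any real machine).
NETSTAT_SAMPLE='tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:873             0.0.0.0:*               LISTEN'

RSYNCD_WEAK='# global section: every module runs unconfined
use chroot = no
[src]
    path = /srv/src'

RSYNCD_OK='[src]
    path = /srv/src
    use chroot = yes
    read only = yes'

printf '%s\n' "$NETSTAT_SAMPLE" | rsync_listening && echo "rsync daemon listening on 873"
printf '%s\n' "$RSYNCD_WEAK" | rsync_chroot_disabled && echo "  ^ chroot disabled in rsyncd.conf"
echo "kernel 2.4.20-20.9: $(kernel_status 2.4.20-20.9)"
```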
Last modified Wednesday, 08-Feb-2006 11:46:14 PST
© 2003, Stanford University. All rights reserved.