The Xorg large memory attack

Collapse
This topic is closed.
X
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

    The Xorg large memory attack

    http://www.invisiblethingslab.com/re...ry-attacks.pdf

    Note that depending on the system configuration, by default local unprivileged users may be able to start an instance of Xorg server that requires no authentication and exploit it. Also, if a remote attacker exploits an (unrelated) vulnerability in a GUI application (e.g. web browser), he will have the ability to attack the X server.

    In case of a local attacker that can use MIT-SHM extension (which is the most likely scenario), the exploit is very reliable.

    Identifier CVE-2010-2240 has been reserved for the underlying issue (Linux kernel not providing stack and heap separation). This issue has been known for at least five years.

    ...

    The Linux kernel versions that include the commit from Linus tree are fixed. Particularly, 2.6.35.2 and 2.6.34.4 are fixed.

    ...

    To prevent the described attack (and similar ones), the generic solution implemented in recent Linux kernels is to keep the top page of the stack VMA unmapped; in other words, maintain a one-page gap between the stack and the rest of the areas.


    Timeline
    • 17 June 2010 - ITL notifies X.org security team about the vulnerability
    • 20 June 2010 - X.org security team suggests to discuss the issue with Linux kernel developers, as the proper solution should be implemented in the kernel
    • 13 Aug 2010 - the fix is committed to Linus tree [4]
    • 17 Aug 2010 - the paper is published

    Both the local and the remote attacker must be authenticated users. That is, they must be logged into the system. "Remote" users are those, for example, that have ssh accounts. Hackers trying to break into ports are not "remote" users. And, x86_64 systems are less vulnerable.

    Basically, it's a matter of trust. If you can't trust your users you have other problems. This is probably why, even after five years, an exploit for this has not been seen in the wild.

    I don't know how long it will take the new kernels to filter through the system and reach our boxes, but it wouldn't surprise me to see a 34.4 or 35.2 kernel in the repository within a week. Systems with single users have nothing to worry about. For the rest, don't let your precocious kids log into their accounts.
    "A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people."
    – John F. Kennedy, February 26, 1962.
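The advisory excerpt above describes the kernel-side fix as keeping a gap between the stack VMA and every other mapping. The helper below is an added example (not from the thread, the ITL paper, or the kernel) that parses /proc/<pid>/maps text, locates the [stack] entry and reports how many pages separate it from the nearest mapping below it, so an admin can see whether anything sits directly adjacent to the stack. It assumes the Linux /proc/<pid>/maps line format, a 4096-byte page size, and that the stack grows downward (x86/x86_64); the two maps dumps are constructed samples.

```python
"""Report the gap between the [stack] VMA and the mapping just below it."""
import re
from typing import List, Optional, Tuple

PAGE_SIZE = 4096  # assumption: x86/x86_64 default page size

# start-end perms offset dev inode [pathname]
_LINE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S+)\s+\S+\s+\S+\s+\S+\s*(.*)$")

Region = Tuple[int, int, str, str]  # (start, end, perms, name)


def parse_maps(text: str) -> List[Region]:
    """Parse /proc/<pid>/maps text into (start, end, perms, name) tuples, sorted by start."""
    regions = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            regions.append((int(m.group(1), 16), int(m.group(2), 16), m.group(3), m.group(4)))
    return sorted(regions)


def stack_guard_gap_pages(text: str) -> Optional[int]:
    """Pages between the lowest [stack] address and the end of the nearest mapping below it.

    0 means another mapping touches the stack, which is the layout the attack
    needed; None means no [stack] entry was found or nothing is mapped below it.
    """
    regions = parse_maps(text)
    stack = next((r for r in regions if r[3] == "[stack]"), None)
    if stack is None:
        return None
    below = [r for r in regions if r[1] <= stack[0]]
    if not below:
        return None
    return (stack[0] - max(r[1] for r in below)) // PAGE_SIZE


# Constructed sample: a large anonymous mapping ending exactly where the stack
# begins (gap of 0 pages), and a variant with one page of slack below the stack.
SAMPLE_ADJACENT = """\
00400000-00401000 r-xp 00000000 08:01 1234 /usr/bin/demo
7f0000000000-7ffff7ffe000 rw-p 00000000 00:00 0
7ffff7ffe000-7ffffffff000 rw-p 00000000 00:00 0 [stack]
"""
SAMPLE_GAP = SAMPLE_ADJACENT.replace("7f0000000000-7ffff7ffe000", "7f0000000000-7ffff7ffd000")

if __name__ == "__main__":
    with open("/proc/self/maps") as fh:  # live check of the current process
        print("pages between [stack] and the mapping below it:", stack_guard_gap_pages(fh.read()))
```

On a current kernel the live check normally shows a gap far larger than one page, since the default guard gap has grown well beyond the single page this 2010 advisory describes.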

    #2
    Re: The Xorg large memory attack

    The bad news is that a vulnerability was found. The good news is that it took 6 years to find it.



      #3
      Re: The Xorg large memory attack



      huh.... don't ya got that backwards?

      Actually, as a local exploit that is difficult to do, it had no potential as a threat except for folks who created accounts for untrustworthy individuals. THAT is a security problem that has no physical patch.



        #4
        Re: The Xorg large memory attack

        Originally posted by GreyGeek:
        huh.... don't ya got that backwards?

        Although I did mean it to be funny, I think I got it right. I just mentioned it that way around as a tease because from the reports it looks like everybody forgot that it works both ways. The digital world is distinctly different from physical reality in that way. You could fall into a hole in the road even if you didn't know it was there, but you couldn't execute a vulnerability without knowing its existence. A vulnerability doesn't actually exist until someone knows about it. If it was 20 years it would be even better, except of course that it might be harder to fix then.

        Originally posted by GreyGeek:
        Actually, as a local exploit that is difficult to do, it had no potential as a threat except for folks who created accounts for untrustworthy individuals. THAT is a security problem that has no physical patch.

        Wouldn't accounts for untrustworthy individuals be a real issue in large corporations?



          #5
          Re: The Xorg large memory attack

          You did get it right. I "thought" I was being funny ... :P

          And, I agree with the rest of your post!

          Corporations who've hired scum bags are in trouble if the dirtbags are smart enough to figure this out before the repositories roll out the fix.



            #6
            Re: The Xorg large memory attack

            Originally posted by GreyGeek:
            You did get it right. I "thought" I was being funny ... :P

            Oops, sorry.

            Who's on first?



              #7
              Re: The Xorg large memory attack

              No, he's on second!



                #8
                Re: The Xorg large memory attack

                Duped threads: http://kubuntuforums.net/forums/inde...opic=3113353.0

                Now who's on first?



                  #9
                  Re: The Xorg large memory attack

                  Originally posted by dibl:
                  Duped threads: http://kubuntuforums.net/forums/inde...opic=3113353.0
                  Now who's on first?

                  OK, I'll see you over there.



                    #10
                    Re: The Xorg large memory attack

                    You realize, don't you, that this can go on for several pages!



                      #11
                      Re: The Xorg large memory attack

                      Let's just declare that MoonRise is on first, and be done.



                        #12
                        Re: The Xorg large memory attack

                        ......but you couldn't execute a vulnerability without knowing its existence. A vulnerability doesn't actually exist until someone knows about it.

                        Sounds like Schrödinger's cat to me:
                        http://en.wikipedia.org/wiki/Schr%C3%B6dinger%27s_cat

                        HP Pavilion dv6 core i7 (Main)
                        4 GB Ram
                        Kubuntu 18.10



                          #13
                          Re: The Xorg large memory attack

                          I think sidux already included one such kernel, either 2.6.34 or 2.6.35. I hope at least 10.10 will include either of them.
                          Multibooting: Kubuntu Noble 24.04
                          Before: Jammy 22.04, Focal 20.04, Precise 12.04 Xenial 16.04 and Bionic 18.04
                          Win XP, 7 & 10 sadly
                          Using Linux since June, 2008



                            #14
                            Re: The Xorg large memory attack

                            I'm already using kernel 2.6.35-14 on my Lucid, which works fine for me
                            https://launchpad.net/~berko-norbert...-stable-kernel

                            2.6.35-14 also works well with the current Ati Catalyst 10.8 installed from the x-swat repo.
                            (Don't use the 2.6.35-17 which is also in the above repo, I had some issues with it.)
                            Shinda Sekai Sensen
                            Kubuntu Maverick RC x64 w/ Kde 4.5.2 (main)
                            Kubuntu 10.04 x64 w/ Kde 4.5.1 to be wiped, no point in keeping it any longer
