A few days ago, the following exploit was published: http://blog.zx2c4.com/749
Another small step in debunking the myth of Linux security. What is also interesting is that this bug was introduced only recently:
In 2.6.39, the protections against unauthorized access to /proc/pid/mem were deemed sufficient, and so the prior #ifdef that prevented write support for writing to arbitrary process memory was removed.
Well, those Linux kernel developers sure are geniuses when it comes to writing secure code, aren’t they? And all those eyes that are allegedly inspecting the source code all the time… well, this code was submitted in March 2011. So it took many months to find the bug, and it is now widespread. A fix is available now, but there will obviously be tons of unpatched systems out there (people with a false sense of security… after all, they’re running Linux, right?).
Another interesting tidbit is this:
It turns out that su on the vast majority of distros is not compiled with PIE, disabling ASLR for the .text section of the binary!
Yes, really! That is actually interesting. I recall that when I ported some of my CPUInfo code to OS X, I ran into a problem. It did not allow me to use the EBX register freely. This was because the default build options in OS X are to compile everything as position-independent code. That is probably related to this: position-independent code is what enables Address Space Layout Randomization (ASLR) for the code itself. I didn’t have the problem on Linux, because I used Ubuntu, which is one of the many distros that does not force PIC.
As an aside, Windows relocates code in a slightly different way. Windows calculates the addresses with the PE loader and patches them into memory. This takes slightly more time during loading of an executable, but it saves time during execution. An interesting difference in tradeoffs between Windows and Linux. And as a bonus, Windows binaries don’t need to be compiled with any specific flags for ASLR to work.
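To check the PIE point on your own hosts, here is an added example; it is not code from the original post or from the exploit write-up. It parses the ELF header of a binary directly (no readelf needed) and reports whether the file was linked as a fixed-address executable (ET_EXEC, so its .text section always loads at the same address and ASLR cannot move it) or as a position-independent executable (ET_DYN together with a PT_INTERP program header, which the loader can place at a random base). Shared libraries are also ET_DYN but carry no interpreter, which is how the two are told apart. The images built by make_sample are constructed for the test and are not real binaries; the default path /bin/su is an assumption about where the distro installs su.

```python
import struct
import sys

ET_EXEC, ET_DYN = 2, 3      # e_type values from the ELF specification
PT_INTERP = 3               # program header naming the dynamic loader


def classify_elf(data: bytes) -> str:
    """Classify an in-memory ELF image by how it can be loaded.

    Returns 'EXEC'   - fixed load address: the text section cannot be
                       randomized by ASLR (what the write-up found for su),
            'PIE'    - ET_DYN with an interpreter: a position-independent
                       executable the loader may place at a random base,
            'SHARED' - ET_DYN without an interpreter: a shared library,
            'OTHER'  - relocatable objects, core files, etc.
    """
    if len(data) < 52 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]
    if ei_data not in (1, 2):
        raise ValueError("unknown EI_DATA (byte order)")
    endian = "<" if ei_data == 1 else ">"
    if ei_class == 2:       # ELFCLASS64
        hdr_fmt = endian + "16sHHIQQQIHHHHHH"
    elif ei_class == 1:     # ELFCLASS32
        hdr_fmt = endian + "16sHHIIIIIHHHHHH"
    else:
        raise ValueError("unknown EI_CLASS")
    if len(data) < struct.calcsize(hdr_fmt):
        raise ValueError("truncated ELF header")
    hdr = struct.unpack_from(hdr_fmt, data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = hdr[1], hdr[5], hdr[9], hdr[10]

    if e_type == ET_EXEC:
        return "EXEC"
    if e_type != ET_DYN:
        return "OTHER"
    # p_type is the first 32-bit field of a program header in both classes
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + 4 > len(data):
            break                       # truncated program header table
        (p_type,) = struct.unpack_from(endian + "I", data, off)
        if p_type == PT_INTERP:
            return "PIE"
    return "SHARED"


def classify_file(path: str) -> str:
    """Classify an ELF file on disk (reads the whole file; fine for su-sized binaries)."""
    with open(path, "rb") as f:
        return classify_elf(f.read())


def make_sample(e_type: int, with_interp: bool, bits: int = 64, little: bool = True) -> bytes:
    """Build a minimal, constructed ELF image for testing; it is not a runnable binary."""
    en = "<" if little else ">"
    ident = b"\x7fELF" + bytes([2 if bits == 64 else 1, 1 if little else 2, 1]) + b"\x00" * 9
    phnum = 1 if with_interp else 0
    if bits == 64:
        # machine 62 = x86-64; program headers start right after the 64-byte header
        hdr = struct.pack(en + "16sHHIQQQIHHHHHH", ident, e_type, 62, 1,
                          0x1000, 64, 0, 0, 64, 56, phnum, 64, 0, 0)
        phdr = struct.pack(en + "IIQQQQQQ", PT_INTERP, 4, 0x238, 0x238, 0x238, 28, 28, 1)
    else:
        # machine 3 = i386; 52-byte header followed by 32-byte program headers
        hdr = struct.pack(en + "16sHHIIIIIHHHHHH", ident, e_type, 3, 1,
                          0x1000, 52, 0, 0, 52, 32, phnum, 40, 0, 0)
        phdr = struct.pack(en + "IIIIIIII", PT_INTERP, 0x134, 0x134, 0x134, 19, 19, 4, 1)
    return hdr + (phdr if with_interp else b"")


if __name__ == "__main__":
    # Assumption: su lives at /bin/su on the host being checked.
    for path in sys.argv[1:] or ["/bin/su"]:
        try:
            print(f"{path}: {classify_file(path)}")
        except (OSError, ValueError) as exc:
            print(f"{path}: error: {exc}")
```

Run it with no arguments to classify /bin/su, or pass any paths. An EXEC result on a setuid binary is exactly what the quoted write-up flags: the code addresses are fixed, so whatever randomization the kernel applies to the stack and heap does nothing for the binary's own code. The check only reads the link type; it does not tell you whether the kernel has ASLR turned on at all (the kernel.randomize_va_space sysctl), so check that separately.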
So, a few minus points for Linux security again: both in the quality of the kernel code, and in the quality of the default configuration of most Linux distros.