Remote root holes reported as "denial of service"

Posted by Eric Kidd Thu, 30 Apr 2009 12:57:00 GMT

Via LWN.

If you’re a Linux system administrator, you shouldn’t put your faith in security advisories. The kernelbof blog accuses Linux distributors of being too quick to label security bugs as “denial of service” attacks:

I’m wondering why kernel developers (or vendors?) continue to claim that kernel memory corruption are just Denial of Service. Most of the times they _are_ exploitable.

As an example, the author quotes Ubuntu Security Notice 751:

The SCTP stack did not correctly validate FORWARD-TSN packets. A remote attacker could send specially crafted SCTP traffic causing a system crash, leading to a denial of service.

(Emphasis added.)

The author claims, however, to have created an exploit for this bug. He says his exploit allows a remote attacker to gain root access, often on the first attempt. If this is true, it would give him a quick way to gain control over any Linux system which has a process listening on an SCTP socket.

Ubuntu’s security team is not doing system administrators any favors by labeling memory corruption as “denial of service” attacks. If you can corrupt memory, there are some terrifyingly clever ways to run code. And marking memory as non-executable won’t necessarily protect you.

If you administer a Linux system, you should probably aim to patch alleged “denial of service” bugs as quickly as you can.


Yet Another PHP Security Hole

Posted by Eric Mon, 22 Jul 2002 00:00:00 GMT

A new security problem has been discovered in PHP 4.2.x. This is not the first major hole in PHP, and it probably won't be the last.

Even if your PHP runtime is secure, it's really hard to write secure PHP scripts. There are so many things that can go wrong--malicious users setting "internal" global variables, SQL injection attacks, ".inc" files containing passwords, and a whole host of other all-too-common bugs.

Just say no.
