Online News Features Blogs RSS Feeds White Papers Conference Videos Departments Administration Infrastructure Security Networking Web Works Programming Desktop Community Resources Current Issue Special Editions Spotlight Reviews Event Calendar Archives Article Code Subscribe Newsletter Contact Partner Links Make your own website WinWeb OnlineOffice Comparing prices of hardware is worth it. Price Comparison UK Linux Jobs What: Where: Country: FranceGermanyItalyThe NetherlandsSpainUnited Kingdom njobs Linux vacatures njobs Linux arbeit njobs Linux jobs njobs Linux lavoro njobs Linux emploi njobs Linux trabajo Admin Magazine Subscribe now and save! ADMIN - Explore the new world of system administration! Special introductory offer! Order by September 30th to save 10% off the regular subscription price! Each issue delivers technical solutions to the real-world problems you face every day. Learn the latest techniques for better: network security system management troubleshooting performance tuning virtualization cloud computing   on Windows, Linux, Solaris, and popular varieties of Unix. http://www.admin-magazine.com/

linux-magazine.com » Online » News » Local Root Exploit in Udev   The udev subsystem allows the Linux kernel, together with a userland program, to manage device nodes dynamically, adding and removing them at will. It has now been revealed that the communication channel between the kernel and program fails to authenticate, so that users can assume root privileges. Local Root Exploit in Udev Apr 16, 2009 The udev subsystem allows the Linux kernel, together with a userland program, to manage device nodes dynamically, adding and removing them at will. It has now been revealed that the communication channel between the kernel and program fails to authenticate, so that users can assume root privileges. The udev subsystem and the udevd daemon communicate in userspace over the netlink interface. Sending KOBJECT_UEVENT messages unfortunately doesn't verify who sent them. The result is that normal users can assume read privileges for a random device. If the device has a major and minor number of the root block device, invasive code can be applied to alter the system. A root exploit could then be quite simple for an attacker. The root exploit was discovered by Sebastian Krahmer of the SUSE Security Team, which had become apprised of the CVE-2009-1185 spoofing exposure. The udev “trickery" exploit also points to another vulnerability in the CVE-2009-1186 stack buffer overflow exposure. Unfortunately, MITRE has not released further details on these vulnerabilities. All larger Linux distros have openly declared to be affected by them, so the distros are now providing updated packages. (Nils Magnus) Comments The udev subsystem allows the Linux kernel, together with a userland program, to manage device nodes dynamically, adding and removing them at will. It has now been revealed that the communication channel between the kernel and program fails to authenticate, so that users can assume root privileges. Related Articles Intel Helps Create Open Data Center Alliance What Means openSUSE? Trademark Guidelines SUSE Studio Builds Images for Amazon EC2 Roadmap: Next openSUSE in November What About openSUSE? OpenSUSE Struggles with Hardware Problems Wherever you go... ...Linux Magazine goes with you! Check out the advantages of a Digital Subscription: Access articles by downloading PDFs, find the Linux solutions you need with an easy keyword search, maintain your own paperless archive... more...

In the US and Canada, Linux Magazine is known as Linux Pro Magazine.

© 2012Linux New Media USA, LLC

Linux New Media Websites
International: [Linux Magazine] [ADMIN Magazine] [Ubuntu User] [Smart Developer] [Linux Magazine Academy]
North America: [Linux Pro Magazine] [ADMIN Magazine] [Ubuntu User] [Smart Developer]
Germany: [Linux-Magazin] [ADMIN Magazin] [LinuxUser] [EasyLinux] [Linux-Community]
[Ubuntu User] [Smart Developer] [Android User] [Linux-Magazin Academy]
Poland: [Linux Magazine] [EasyLinux]
Spain: [Linux Magazine] [Ubunutu User]
Netherlands: [Linux Magazine Academy]
Brazil: [Linux Magazine] [ADMIN Magazine] [Ubuntu User] [Guia de TI]