Attempted attack on Linux kernel foiled

[InfoSec News <isn () c4i org>]

http://news.com.com/2100-7355_3-5103670.html

By Robert Lemos 
Staff Writer, CNET News.com
November 6, 2003

An unknown intruder attempted to insert a Trojan horse program into 
the code of the next version of the Linux kernel, stored at a publicly 
accessible database. 

Security features of the source-code repository, known as BitKeeper, 
detected the illicit change within 24 hours, and the public database 
was shut down, a key developer said Thursday. The public database was 
used only to provide the latest beta, or test version, of the Linux 
kernel to users of the Concurrent Versions System (CVS), a program 
designed to manage source code. 

The changes, which would have introduced a security flaw to the 
kernel, never became a part of the Linux code and, thus, were never a 
threat, said Larry McVoy, founder of software company BitMover and 
primary architect of the source code database BitKeeper. 

"This never got close to the development tree," he said. "BitKeeper is 
really paranoid about integrity, and it turns out that was key to 
finding this Trojan horse." 

Linus Torvalds, the original creator of Linux and the lead developer 
of the kernel, uses BitKeeper to keep track of changes in the core 
software for the operating system. On a daily basis, the software 
exports those changes to public and private databases other developers 
use. 

An intruder apparently compromised one server earlier, and the 
attacker used his access to make a small change to one of the source 
code files, McVoy said. The change created a flaw that could have 
elevated a person's privileges on any Linux machine that runs a kernel 
compiled with the modified source code. However, only developers who 
used that database were affected--and only during a 24-hour period, he 
added. 

"The first thing we did was fix the difference," he said. "It took me 
five minutes to find the change." 

When BitKeeper exports the source code to other servers, it checks the 
integrity of every file, matching a digital fingerprint of its 
official version of the file with the version on the remote machine. 
That comparison caught the change to the code stored on the server. 

The changes looked like they were made by another developer, but that 
programmer said he hadn't submitted them, McVoy said. 

The recent incident raises questions about the security of open-source 
development methods, particularly how well a development team can 
guarantee that any changes are not introducing intentional security 
flaws. While Microsoft code has had similar problems, closed 
development is widely considered to be harder to exploit in that way. 

Linus Torvalds addressed the issue in a post to the Linux kernel 
mailing list. 

"A few things do make the current system fairly secure," he stated. 
"One of them is that if somebody were to actually access the 
(BitKeeper) trees (software repositories) directly, that would be 
noticed immediately." 

A critical security flaw was found in CVS in January, but it's unknown 
whether the attacker used the vulnerability to gain access to the CVS 
database. 

BitKeeper's McVoy hopes the current incident will quash objections 
raised by some members of the development who don't want to add a new 
feature that would require all changes to be digitally signed. 

Even so, he said, the open-source development model likely would have 
quickly turned up any security flaws. 

"A Trojan horse is just a bug that a person has put into the system 
deliberately," he said. "The open-source security model is that 
everyone is using this stuff, so bugs get found and get fixed. That's 
one of the reasons that you are not hearing me freak about this." 

McVoy said the disk from the compromised server has been saved for 
later analysis, but any decision to contact law enforcement belongs to 
Torvalds and others. Torvalds could not be immediately reached for 
comment. 



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.