If you're wondering which kernel versions are vulnerable, here's what I found: The exploit affects kernel versions from (including) v5.14 to (including) v6.6, excluding patched branches v5.15.149>, v6.1.76>, v6.6.15>.
I just read this entire write up yesterday, and I was blown away with the thoroughness and complexity of the research. And, it was only found because the author found a bug while trying to do some work. Most people just find another way, this guy found a wild exploit. Very impressive. Cheers to notselwyn
me, a plucky wizards apprentice resetting user passwords and setting up accounts, watching a RU-vid video about dark sorcerers unraveling death itself and warping space and time
@@Dirtyharry70585 there's so many more reasons to want to make exploits than just death and destruction. What about the pure beauty in the exploit itself?
my name is my passport, then only i can be i as good as i... especialy in tron trades of wireless energetic multi androidic communication, were the cyberwar algorithm makes attack due ineffecientcy by having a password different then own name.... entering string linguistic and design of solid state reality... and so on and so forth.... = no pwd, then it is my own PersonalComputer communication fassett!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
It was discovered in January, 2024. And has been patched already. All the rolling distributions would have the patch already installed. Ubuntu has already issued the patch back in Jan.
@@sunilpaul6891 A professional researched bug like this is always patched before it becomes public like this, assume its fixed unless it's mentioned it's not
Hi, this was a slightly unleveled video: It was basic in the beginning with you explaining what the kernel does and about syscalls, and then you explained the whole exploit in less time than that, which was too advanced. I know what the kernel is and that by interfacing with the kernel you are asking the kernel to do stuff. I also understand double-freeing and use after free, but socket buffer freelist/all those page descriptors/modprobe was explained in less than 2 minutes If you spent maybe 2 mins explaining the kernel and syscall basics part and 4-5 mins on the actual exploit, it would have more sense Thanks!
A disadvantage is that a whole bunch of companies "just ship" open source solutions based off of Linux and barely provide any security updates, which are critically important. This is one of the reasons I don't like IoT, because it's extremely susceptible to issues like this.
from my understanding they're not really running or changing that much code inside the kernel, that might be pretty complicated, but they're letting the kernel execute their binary as root by changing a path, that's still not running inside the kernel
@@Sypaka assuming the location of the written information is known. Sure it isn't going to stop your kids from finding it, or Boeing, but it works against the hackers online
Tell me about it. I'm still on Fedora 37 with kernel 5.15 LTS, which I haven't updated in about 6 months because the updates stopped lmao. I might have to jump to the newest Fedora 40 beta.Luckily 99% of my apps are flatpaked, installed with the --user flag, and I have dconf commands to apply all my GNOME settings. So I would barely have to re-setup anything and will have all my apps and userdata once I upgrade.
What's the big deal? As I understand, malicious code running in userland could take advantage of the exploit to run arbitrary code as root? But why would you run malicious code on your computer??? My personal policy is that I don't run anything that I'm not getting from a trusted source. You have javascript on web pages but that runs in its own sandbox in the browser (on Windows as well), and if you have AdBlock installed then that blocks a lot of crud right there. The Internet is more centralized nowadays so most people spend their time on a few websites run by giant corporations. Presumably your personal network is protected with a wifi password and firewall. I mean, if you're a network admin and people can come in and run any kind of code on your network's computers, then maybe that's where it would be warranted to be a bit concerned about such a privilege escalation vulnerability. In olden days everything ran as root in Windows 3.1 (or the Windows analogue of "root"), but you would not become infected if you did not click on malicious .exe files (also best to avoid Internet Explorer and ActiveX). I think that if there is malicious code, which might be inclined to _attempt_ a privlege escalation exploit, running on your machine, then you're already in a bad place. In my opinion, it's not good to have malicious code running, even if it is not escalated up to root...
Really enjoyed this kind of video from you! Admittedly, some of the exploit explanation went over my head and I'll need to do some further research on my end. You might have yourself a little niche here of in-depth explanations of vulnerabilities in an ELI5 manner if you want it. I'd love to see more videos like this with other well-known or new vulnerabilities.
Relatively new here - background is in mechanical engineering but I would really like to learn embedded software development ( for myself and for my job). Really enjoy these types of videos. I will say I always write some of the acronyms from these videos down on stickies to look up later, given my lack of knowledge of the inner workings of computers. TIL what a TLB is. Anyways, looking forward to any and all videos 👍🏼
Analogy, you know how you can have a reference book which has a chapter list at the front, then every chapter has a section list at the start. That's how these work. Another common trick is to say: * Chapter 1 - Pages 100-199 * Chapter 2 - Pages 200-299 etc... Sure there may be some blank pages, but the hardware can be designed to be really really fast.
The poor guy that was tasked to educate me about Linux wasn't allowed to use an updated Linux for education... he had to stick to one (old) version of RedHat, because that's what the book used... It took me 1 Google, 3 potential exploits and 15 minutes to become root of that educational Linux server. (Okay, I was familiar with Linux before they tried to educate me). I just made an extra root account, which was allowed to login via ssh. Could have locked out everyone else... but I was just making a point about using outdated software for education. Netfilter is quite a problem if it can elevate privileges. But at the same time kinda predictable... I'm happy that it's been found, so next iteration will be safer. Worst is how easy it can be used.
Even white hats are being cursed at in corporate setups. A lot of organisations still rely on security by obscurity and doesn't do the mental exercise of "how would I get in if I lost my key"... If you do that well enough, you can't... if it was a physical building of yours you'd probably find the least expensive window to break and pay for that. If you're clever you piggyback on some software that needs root. In that way, it's very difficult to lock out the legitimate admin. Problem is, an experienced hacker would probably also have installed a few back-doors upon arrival. Edit: having physical access to your server is the ultimate security... but so much is virtual today.
Yeah all Linux distributions probably has this patched, but think about all the routers and phones and devices like smart TVs and everything that are connected to the internet and are probably still outdated, like your router if you have an ISP that doesn't allow you to switch it. A lot of these run on Linux and are likely using an outdated version of the kernel.
I love how you keep it short all the time, I don't want to watch through 40 minutes of detailed explanation. This is the perfect overview - thank you very much
Hmmm, what I hear is: NEW android rooting method (possibly) if someone implements this functionality into a su/sudo, someone else might be able to port it on android and we'll have a new way of rooting some of the older phones that either didn't have a way to be rooted or didn't have a big enough user base for someone to find a way to root them. ofc this is only possible if the same exploit is available in the android kernel.
@@vaisakhkm783 eh, if I'm not trying yo completely kill the joke it's more like 3 months. Debian does apply security patches pretty effectively. To kill the joke completely, in reality, the bug is probably patched in latest and LTS kernels by now, it's just up to the distributions at this point, and Debian uses a patched version of the LTS kernel
One thing many folks might not understand is that the attacker needs to have access to the system to exploit/gain this privilege. That being said, it can be used in a process where user xyz is harmlessly (or intentionally) installing something onto the box itself. This doesn't mean that any Linux system sitting idly on a network can be exploited from a pure network means. One of the overcites most folks make is hearing there is an exploit that gains root access means you need to drop everything and patch any and every system running Linux distro version xyz as the exploit affects them immediately. It really depends on the system, it's use, it's broad access, and several other factors. Granted, this is not to say you should not address such a situation, but by all means it doesn't mean the sky is falling either. All the same, very interesting how this one works, and thank you for breaking it down the way you have.
Soooo, what is vulnerable to this? Is this something that can happen if you have a socket based connection? Do you need access before escalating? Itd be nice to know how to protect myself and not just how they do it.
This windows users priorities are not to inform linux users like yourself. It is a local privesc so unless someone accesses your system you're fine. If you install buggy software from GNOME and their diverse programmers you open up more privesc possibilities.
@@lawrencemanningProcess namespaces are enabled by default on most distros. A quick way to check is cat /proc/self/uid_map. If it exists, you have user NS.
as someone who spent his teenage years in the 80’s aligning floppy disks who also had an engineering background - I always found that disks would run far more concentrically if you lowered the disk clamp slowly to give the cone a chance to clamp the disk correctly
Yeah except they don't tell you about it and keep them open on purpose for the NSA, CIA etc. I'm also fairly confident that Bitlocker has a bunch of backdoors as well.
This video was fascinating to listen to as a Linux fan but if I am honest, I have no idea what he is talking about. This is on another level way over my head.
It's impossible to catch exploit like this in closed source software. Libarchive that was modified by the author of the Linux backdoor is actively used in Windows for more than a year. We know this thanks to Linux being Open Source.
I didn't understand a thing after the graph went up, but I hope kernel patches it soon! Did kernel devs found about this exploit "from the news", or maybe they were given a head start into fixing it?
Micro kernel folks are having many last laughs lol. This is the sort of a thing that would let you snoop on network and nothing else on say Minix. In monolithic kernels, once you’re in, you’re really in.
Looks like any unpatched Linux system newer than 3.15 (!!) with USERNS enabled. So... the vast majority of them. A mitigation is to set the sysctl kernel.unprivileged_userns_clone=0
Mac has less exploits than Linux and Windows combined. I'm a dualbooter for Win11Pro and Linux Mint and can confirm. Sounds like you're projecting more than anything. "Bu-but, Windows and Mac also do-" That's cool, but is there a bug to exploit who asked?
@@BlueEyedVibeChecker I mean they're not wrong but the point is that Linux is backed by so many companies like Google, Microsoft, Oracle, Intel, AMD, etc so bugs are fixed extremely fast. The mac kernel is also open source. Windows lags behind
@@BlueEyedVibeChecker Mac has more exploits than Linux. It's based off of BSD. Back in 2007 they proved the point by porting all the old Linux exploits over to BSD. Now it's not even maintained as well as it was back then. BSD also isn't a mandatory access control kernel. So it's at least 20 years out of date. Don't be fooled, you're not as secure.
3:38 for a novice it would have been interesting if you would have elaborated on that matter a bit more. why does pulling certain levers result in a exploit?^^
I think what he's trying to say is that the "only" userspace->kernel interface is syscalls. "Open this file." "Read me 32 bytes from the file." "Now I want to send those bytes to another process running on the same system." In theory, the syscalls are *individually* tested incredibly thoroughly (thanks to tools like Google's Syzkaller project and the tireless efforts of a few heroes in the Linux community) to the point that I'm 99.9999% sure there are no single-syscall bugs in Linux... But a *collection* of them issued in just the right order can make the kernel take a series of steps that leads it into a pitfall, even if each step it took along the way would, in a vacuum, be considered "fine."
So, this information only makes my situation way more puzzling to me. My respect for you guys is beyond comprehensive. I just wish I could cling onto the information and actually put it into play to fix my situation.
LLC has a knack for explaining complicated low level processes in a way noobs can understand, without boring the people that do actually know a bit more. Rare skill.
I get freelist is probably the prime example where to use linked lists over other alternatives, but for sake of argument assume freelist would have been a plain array (or vector). Would that have prevented the abuse from double free? (Yes I know fixing the double-free is the first priority)
There are multiple cases in Windows where the OS or one of the drivers calls a BugCheck the moment something tries to free the same section of memory twice, or tries to write to a freed section of memory. In other words, when this is detected, the system instantly shuts down and bluescreens.
Sweet 'sploit, scary 'sploit. It must have been there for a long time and I wonder what other well resourced adversaries were sitting on it in a zeroday portfolio. Appears to require a local user, but also seems to be the kind of thing that might be projected through a web service bug into a RCE.
Machines run on smoke and magic. All modern computers are just so scientifically advanced you could call it magic, we've taken rock (metal) and sand (silicone) and made it "think" 🎉😂😅
Didn't even notice it. It's about the quality of the content (like the entertainment value it provides). I can care less about technical stuff like if the sound is off, or the quality is 360p, I can care less.
It would most likely be WinDOZE-like slow or boot into a kernel panic every time. A more sensible approach would be a change of mind among the kernel programmers to be more careful, but I don't like to be told this when hacking up something and so won't they. And that's even though I know I could bite my a** every time I break something by not being careful in the first place....
Yea, ms patchguard, isnt hvcl a hypervisor based security feature, i guess its better because you dont need to periodically check structs, you can just catch writes and reads, and block them too!
@@stunnerr Many Win11 machines run with a similar setting enabled by default now (core isolation in the settings). I think newer machines can do it just fine.
Woah the levels this went through. Sometimes I think some of these guys probably put this forward as advertisement for selling exploits or getting hired to develop them lmao.
One of the reasons I love Linux compared to Windows at this point is how bugs and vulnerabilities are discovered and managed. On Windows, things like these are only discovered when Malware is taking advantage of it, take Wannacry as a perfect example. Nobody knew what EternalBlue was until after the damage was done. On Linux however, a bug like that making something like that possible will be discovered by the Kernel devs themselves and nothing malicious will be able to take advantage of it.
Level of discussions on this channel regularly makes my brain hurt in positive sense, but i can’t imagine level of those dudes who actually found this bug and used it. It’s WTF++ or even higher
That's exactly the reason why I'm still rocking on the granddaddy 1.1.0 Linux kernel from '97. These Gen-alpha skibidi toilet vulns be like, "Ew, we only swipe right on the TikTok kernels." They don't even peep this golden oldie. USB drivers, more like USB driers, Bluetooth? more like Blue-toothless. My network's as untouched as a sealed vintage comic book, NSA/FBI/Mossad can't even. Just me, my unshakeable, mouse-less xorg, my dial-up connection, and my CASIO watch. Hackers peep that setup and they're like, "Nah, we ain't touching that with a ten-foot pole." ROFLCOPTER
I bet you this won't happen if kernel is written in javascript Jokes aside, would be interesting to read the buggy code, and learn why a double free wasn't detected for decades by dynamic/static analysis.
for normal computers that aren't servers it shouldn't be that big of a problem. if you install random malware on your computer you have bigger problems to worry about than it exploiting your system
usually i can follow along, but this is very complicated, it makes me wonder if things in the world of exploitation are about to get much more in depth and crazy
its the same bug from 3 years ago. Linus... Also, free does not work but when it works it gives you root access! The linux kernel truly is the kernel of all time.
modprobe? You should sign the module if you are using secure boot, right? Does the exploit work with secure boot? kinda tired to look for my self r8 now :)
Hmm. So would something like this happen if someone accidently ran a Linux tool as root on windows because a confusion with cross compatability. Thinking it would run the windows prompt, honestly. Idk why i thought that. I didn't know a thing then. But I was trying to save all my shit after calling and getting scammed. It's been. A very unfortunate and mind puzzling situation
@@shizeeque You're watching a youtube video about Linux kernel exploits. This is an _incredibly_ niche topic. This isn't walmart, starbucks, or a movie theater. You have to be a very specific kind of person to end up here. Normies don't come here. So who would care? Presumably _everybody_ here.
More and more complexity leads to exponentially more vulnerability ... simplifying does the opposite. Simple is robust, complex is fragile because there are more things to go wrong. 🤔
That is somewhat true. However, if processors and kernels were made dead simple, like they were in 16 bit x86, MSDOS days, people would complain like hell that their computers are so slow. And the security provisions would be totally gone. As they were in 16 bit x86, MSDOS days.