• Damage@feddit.it
    5 hours

    Ok this is the first time I try one of these exploits and it works on my system, I’m currently very spooked.

    On the other hand, this may allow me to root my LG WebOS TV?

  • monovergent@lemmy.ml
    15 hours

    Can’t wait for one that’ll work on Android so I can maybe root some otherwise useless old phones

    • rabber@lemmy.caEnglish
      10 hours

      What would you use the old phones for out of curiosity?

      • nyan@sh.itjust.works
        1 hour

        I’ve encountered a couple of people who use them as remote cameras to observe their 3D printers. That suggests a bunch of other possibilities for things you want to be able to watch or listen to without standing over them and without buying an extra webcam to cover what might be a temporary need.

      • lengau@midwest.social
        10 hours

        I’m not the person you replied to, but I would love to have more ARM hardware for running tests on. A lot of what I write needs to be separately tested on each architecture.

  • shirro@aussie.zoneEnglish
    14 hours

    In the 90s I compiled all my kernels at home from source with just the drivers I needed. Only installed the packages I needed. Only enabled the services I needed. The Unix way. When the kernel added modules I was still only compiling a subset and generally loading them manually.

    Obviously that doesn’t work for most users and distros sensibly started shipping with modules compiled for practically every need. Usually when I view distro security alerts they are for packages I don’t install. But I have all these damn kernel modules just waiting to automatically load. I know I can blacklist them individually but I wonder if there is a way to profile the modules I use and use a deny all/whitelist approach instead?

    • mlfh@lm.mlfh.orgEnglish
      9 hours

      https://wiki.archlinux.org/title/Modprobed-db can create a profile of the kernel modules that get loaded by your system over time. You can feed that directly into make localmodconfig to build a kernel that only includes those modules, or use the data to build a modprobe whitelist.

      • MonkderVierte@lemmy.zip
        4 hours

        Hm? Somehow, lemmy.zip messed up the proxying, (clickable link)? Good thing you’ve pasted it plaintext.

    • MNByChoice@midwest.social
      11 hours

      Clearly you know of lot about this. Here are some comments for the next human.

      Deny all modules seems more possible than a whitelist approach. To deny all, the command is likely “sysctl kernel.modules_disabled=1”.

      Whitelisting is harder. One could store a list of all loaded modules on a working system. Store a list of all kernel modules currently installed on the system. Compare the lists and remove from the “all” list the “running” list (grep will do this) and write it to the blacklist file.

      The problem with the Whitelisting approach is that it needs to run after every kernel module install (which is doable).

      If the above is the case, then someone must have automated this already, but I cannot find it quickly. (I checked Debian’s package repository.)

      • shirro@aussie.zoneEnglish
        10 hours

        Clearly you know of lot about this.

        Nah, that is the problem. It all got so dynamic and easy I don’t really know how the hundreds of active modules on my desktop are loaded, why or in what order anymore. The days when I could list a handful of modules to load at boot are long gone I think unless its an embedded device or perhaps a simple server.

        Setting modules_disabled might be viable for a relatively static system. I have seen that one when looking at hardening servers in the past but thought it was a bit extreme. Perhaps not.

  • inari@piefed.zipEnglish
    16 hours

    Good to see these exploits being found and worked on

  • the_weez@midwest.social
    16 hours

    Well shit. I wonder if all Linux systems are affected, the testing in the repo doesn’t cover Arch for instance. For now I’d assume the answer is yes.

    • CodenameDarlen@lemmy.world
      16 hours

      Yea it works on arch, I just tested on my own PC:

      OS: Arch Linux x86_64
Kernel: Linux 7.0.3-arch1-2

      ❯ ./exp
[root@arch dirtyfrag]# ls
README.md  assets  exp  exp.c
[root@arch dirtyfrag]# whoami
root

      I updated it last week.

      Edit: I just ran yay -Suy to update everything and still works.

    • Remus86@lemmy.zip
      15 hours

      I also just verified it worked on my Arch install. But running the mitigation command and rebooting effectively blocked it, and I’m on the Arch LTS kernel. I think the disabled modules are related to IPSec, which most desktop users don’t really need.

    • CameronDev@programming.dev
      16 hours

      Its a kernel exploit, so probably. But I just checked my arch installs,and I don’t have any of the kernel modules loaded. Loading requires root anyway, so I think this may be fairly limited in reality?

      • adarza@lemmy.caEnglish
        14 hours

        don’t see 'em loaded here, either. trixie (dietpi) server, aurora (f44) desktop

  • Bronstein_Tardigrade@lemmygrad.ml
    8 hours

    Funny that just after Microsoft commits suicide with Winders 11, Linux “exploits” start popping up like Whack-A-Moles. Makes one wonder if they were inserted by MS engineers.

    • flying_sheep@lemmy.ml
      8 hours

      Nah, people just started using LLM assisted vuln discovery workflows and having early successes with them.

      There will be diminishing returns.

    • KianaTabion@lemmy.today
      10 hours

      I’m pretty sure it does; as secureblue, an immutable atomic distro that’s hardened by default, required this commit to mitigate it once and for all.

      While Bazzite and its atomic brethren do provide some additional protection against attacks, it’s often very overstated 😅. Hence, it’s unsurprising that it doesn’t provide any defense against this assault.

  • CodenameDarlen@lemmy.world
    15 hours

    What’s up with all these vulnerabilities?

    Kind of worried to be honest, two in like a week? Pretty scary.

    I’m very dumb about Linux technical stuff but I feel like root access is way too easy to be accessed.

    Is there any way to make it harder? I mean let’s say similar to Android, you need to unlock the boot loader first, flash a recovery and flash Magisk or something, that’s a good layer before root access.

    At least for Linux Desktop, maybe make it so we can get root access only via a bootable USB with a correct password? Just for sporadic system changes.

    Is there anything like that?

    • Dingaling@lemmy.mlEnglish
      7 hours

      It’s a positive thing, don’t be worried.

      These vulns already existed. It’s possible the bad guys were already using them. This gets them out in the open and on their way to being resolved.

      Just keep patches up to date with any modern and maintained distro and you’ll be grand.

    • wampus@lemmy.caEnglish
      11 hours

      With AI enabled bug hunting, you’re likely to see a blitz of vulnerabilities, followed by a significant reduction in vulnerabilities.

      Yes, malicious folks are usin em – heck, Kali’s had AI integrations for a while on a bunch of its tools even, for pen testing. But devs writing code get em too, and those are the people we need to see using these sorts of workflows as it lets them clip a bunch of zero days.

      I think Mozilla, as an example, had a recent patch that cleaned up something like 271 zero days? Anthropic taking their Mythos stuff to banks/govt was largely just a publicity thing to try and shut people up who were mocking claudes code, but also potentially because it’d found govt-placed backdoors that they wanted the gov to know were about to be exposed / patched. The USA’s alleged ability to “shut off” tech assets during raids in Venezuela and Iran, gets trickier if AI is exposing their back doors. Likely also why the US Administration is now saying they want to review AIs before they get released. Mythos definitely isn’t the only game in town for this sort of stuff – but the general idea that the dev teams will be shifting to using these tools for QA / writing more secure apps in the near future, is fairly valid. So I wouldn’t go too tinfoil hat-y on that front… though it is a period where we’ll see a need to patch aggressively, and to double check security configs etc.

    • superglue@lemmy.dbzer0.comEnglish
      14 hours

      This exploit appears to be inspired by the copy fail.

      Should you be worried? Nah, You should not be installing untrusted software on your device. This isnt even the type of exploit that scares me. Your device gas to already be compromised for this exploit to succeed.

      Supply chain attacks are what scare me.

      • corsicanguppy@lemmy.caEnglish
        12 hours

        Supply chain attacks are what scare me.

        As a former OS security pro, this is the right answer. Not because of the exploit itself, but because young (unmentored) coders readily trust some really bad patterns of pulling in random junk from the web and running it. THIS is how the LPE becomes essentially an RCE-level problem.

    • idriss@lemmy.ml
      15 hours

      if somebody has user access to your computer, they are already 95% there, so I am not worried about these priv escalation part of the last 5%

      • CodenameDarlen@lemmy.world
        14 hours

        If you refer to physical access I wouldn’t say that, I’ve encrypted partition.

        But if you’re saying just access to my main user inside the OS, then I’d really like if you could elaborate with real examples how can user access do any harm to my system without root access. Real examples please not speculation or theory. Something I can run here right away to see by myself.

        • TechLich@lemmy.world
          9 hours

          Your user account can run applications and read and write to a lot of locations on the disk.

          So it can be used to run malware (cryptominers, ransomware, RATs etc.) Exfiltrate the data your account has access to, download or plant malicious or illegal data, use your internet connection to attack other systems with DOS or similar, use any logged in social media accounts to attack or spam your contacts, steal saved passwords and credentials from your web browsers, use your peripherals or connected devices (printers cameras microphone speakers), pivot to access other services on your local network (smart devices, IoT, TVs, home lab) etc.

          There are comparatively few things an attacker wants on a desktop that actually require root access. It’s mostly just system files, package management and settings changes that require root to mess with. Eg. You would need root to dump a shadow file or stuff like luks encryption keys from kernel memory, but if an attacker has your logged in user account, the disk is already decrypted and account is already logged in.

          • idriss@lemmy.ml
            5 hours

            Most systems also use single user, you normally give yourself docker group access (I use docker for work) and that alone is equivalent to root access. It’s not the 90s anymore where universities gave user access to all students, priv escalation was a big security threat, now it almost doesn’t mean anything, nobody shares the same machine anymore the way they used to do.

        • Corngood@lemmy.ml
          13 hours

          For me the scariest thing someone could do on my pc is exfiltrate all the data from my home directory which is readable by my user account.

          Maybe I’m misunderstanding you, but that’s harm to me without root access.

    • favoredponcho@lemmy.zip
      12 hours

      There is an LLM called mythos from Anthropic that is very good at finding vulnerabilities.

    • HiddenLayer555@lemmy.mlEnglish
      8 hours

      Not really. Proprietary software have just as many if not more vulnerabilities. Linux is just more honest and open about reporting them so it seems like they have more.

      • fartsparkles@lemmy.world
        11 hours

        Linux also shows up more in CVE databases etc because many distributions also assign their own CVEs for the same bugs.

    • viking@beehaw.org
      11 hours

      Not sure the term applies here. Enshittification is about companies making products worse on purpose for profit.