I have the full story on that incident. It is actually really funny.

If the guy who did it wants to come forward, that is his decision. [edit: I won't name names.]

He did provide me the full story. He told me with the understanding that the story would go public, so I will dig it up and post it.

I also interviewed the sysadmins who were running the box at the time.

1. It was not an NSA operation; it was done by a hacker.

2. It was discovered by accident, not because of clever due diligence.

Basically, there was a developer who had a flaky connection, and one time his commits didn't go through. To detect this in future he had a script that would download the entire tree from the server and compare it against his local copy to make sure that his changes had been committed.

It was discovered because of the discrepancy between his local working copy and the upstream copy, which was checked not for security reasons but because sometimes the two were out of sync. That's all. Just dumb luck.

The sysadmins are still quite bitter about it. I know how it feels when your box is hacked and you really take it personally.

The code wasn't added by hacking the CVS, as far as I remember, but rather through a hacked developer with commit rights.

That's the story as I was told.
Another bit of cleverness not mentioned in the article is that assignment expressions always evaluate to the rvalue. So the expression `current->uid = 0` has the effect of making sure that entire conditional never actually runs (or at least, the return never runs), which means the overall behavior of wait4 doesn't change in an observable way. Very clever if you're trying to pass all of the existing tests.
Wasn't this done by Ac1dB1tch3z? See http://phrack.org/issues/64/15.html for the CVS exploit from the same time.
It still seems kinda weird to me that all it takes to elevate privileges for a user process to "can arbitrarily write system level memory or disk" is just the clearing of all the bits of a single integer in kernel space, which can be done by pretty much any execution path in the kernel.

It just seems like there could be a more tamper-resistant mechanism around privilege elevations.
We used to use this as a cautionary tale in the CS department security course at the Technion. First, to highlight trust relationships in the "supply chain" (as the notion is now known in contemporary usage). Second, to pose the question of whether open source is inherently more trustworthy.
I think the risk from this type of attack is probably near zero. You can't hack into Github and add a commit to Linux.

Probably most of the deliberate backdoors that are present in Linux have been inserted by well-funded state-sponsored developers performing useful work. Easy to sneak a vulnerability in that way. (There was a controversial incident a few years ago when some researchers proved as much.)
I'm pretty sure there are tons of unreleased and unpublished backdoor exploits for Linux and Windows alike. The problem is you can't fix them yourself if the signature remains unknown to everyone.
> it said "= 0" rather than "== 0"

Why do so many programming languages have different equals/assigns operators?

There are languages that combine them and apparently don't have any problems. Is it something to do with being strongly vs. weakly typed?
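The `=` versus `==` behaviour that the wait4 comment above describes, and that this question asks about, worked through as an added example (this is illustrative code written for this thread, not the kernel's code or anything from the original article): a stand-in `struct task` and two versions of the same guard, one with the assignment and one with the comparison.

```c
#include <stdbool.h>
#include <stdio.h>

/* Minimal stand-in for the kernel's task structure (constructed for this example). */
struct task {
    unsigned int uid;
};

/* Guard written with an assignment instead of a comparison.
 * In C an assignment expression evaluates to the value assigned, here 0,
 * so the && operand is false and the guarded return never runs. The
 * assignment still happens as a side effect: uid is now 0 whenever
 * 'cond' is true. Returns whether the guarded branch was taken. */
static bool guard_with_assignment(struct task *cur, int cond)
{
    if (cond && (cur->uid = 0))
        return true;
    return false;
}

/* The same guard with a real comparison: no side effect on uid. */
static bool guard_with_comparison(const struct task *cur, int cond)
{
    if (cond && (cur->uid == 0))
        return true;
    return false;
}

/* Note for reviewers: gcc/clang with -Wall only warn about an assignment
 * used as a condition when it is NOT wrapped in its own parentheses, so
 * the parenthesised form above compiles silently and must be caught by
 * code review or a linter, not by the compiler. */
int main(void)
{
    struct task t = { .uid = 1000 };
    bool ran = guard_with_assignment(&t, 1);
    printf("assignment: branch ran=%d, uid now=%u\n", ran, t.uid);

    t.uid = 1000;
    ran = guard_with_comparison(&t, 1);
    printf("comparison: branch ran=%d, uid now=%u\n", ran, t.uid);
    return 0;
}
```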
This is a single example of an unsuccessful attempt to backdoor Linux. There were successful attempts too: https://www.bleepingcomputer.com/news/security/nsa-linked-bvp47-linux-backdoor-widely-undetected-for-10-years/
While I'm here, does anyone know of a good trustworthy RAT for Windows machines that I can control from my Linux box? I have some relatives for whom I provide technical support. I'd love to just put an EXE on their desktop that would launch a VNC session and connect back to me (since they have the typical NAT + firewall of home users), but I don't want to install a virus on their machines.