The Full Disclosure list sponsored by secunia.com published an exploit for the CVE-2010-3081 vulnerability. It is triggered by a stack pointer underflow in the function compat_alloc_user_space() inside arch/x86/include/asm/compat.h. This exploit is in the wild, and it is highly recommended to implement the patch located at http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=c41d68a513c71e35a14f66d71782d27a79a81ea6.

You might wonder why I am telling you to patch a vulnerability that was published 12 days ago, right? Two days ago, the operations team of my company noticed strange behavior on a specific Linux system. The first thing I did was to review the latest vulnerabilities for the Linux distribution installed on the machine, and I found CVE-2010-3081. Digging a little bit more let me find an excellent tool made by Ksplice that told me the machine was exposed to the exploit.

Download the tool here: https://www.ksplice.com/support/diagnose-2010-3081.c
If you want the binary, download it here: https://www.ksplice.com/support/diagnose-2010-3081
Read the Red Hat Bugzilla info associated with CVE-2010-3081 here: https://bugzilla.redhat.com/show_bug.cgi?id=634457
Read about the exploit here: http://seclists.org/fulldisclosure/2010/Sep/268
Read more about the vulnerability description here: http://sota.gen.nz/compat1/

Can't patch right now? Use the following workaround:

echo ':32bits:M:0:\x7fELF\x01::/bin/echo:' > /proc/sys/fs/binfmt_misc/register

-- Manuel Humberto Santander Peláez | http://twitter.com/manuelsantander | http://manuel.santander.name | msantand at isc dot sans dot org
Manuel Humberto Santander Peláez | 194 Posts | ISC Handler
Sep 19th 2010
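The diary above names the root cause (a stack pointer underflow in compat_alloc_user_space()) and points at the fix commit, but does not show what that fix actually changes. The following is an added example, not code from the diary, from Ksplice, or from the kernel itself: a user-space model of the pointer arithmetic behind CVE-2010-3081, with the pre-fix form (stack pointer minus length, returned as-is) beside the post-fix form (the same arithmetic followed by an access_ok()-style range check and a size sanity check). The user/kernel boundary constant, the helper names and the sample stack pointers are assumptions made for the model.

```c
/*
 * Added example (not code from the ISC diary, the Ksplice tool, or the
 * kernel itself): a user-space model of the pointer arithmetic behind
 * CVE-2010-3081 and of the bounds check the fix commit adds.
 *
 * Before the fix, the 32-bit compat helper computed a scratch buffer as
 * "saved user stack pointer minus len" and returned it without an
 * access_ok() check. Because the saved stack pointer is under user
 * control, the subtraction can underflow or start above the user/kernel
 * boundary, so the supposedly "user" pointer lands in kernel memory.
 * The constants and helper names below are assumptions for the model.
 */
#include <stdint.h>
#include <stdio.h>

/* Highest user-space address on x86_64 (assumed value for the model). */
#define MODEL_TASK_SIZE_MAX 0x00007ffffffff000ULL
/* Half of the 32-bit compat address space: ((compat_uptr_t)~0) >> 1. */
#define MODEL_COMPAT_HALF   0x7fffffffULL

/* Model of access_ok(): [addr, addr+len) must not wrap and must stay below the boundary. */
int model_access_ok(uint64_t addr, uint64_t len)
{
    if (len > UINT64_MAX - addr)          /* addr + len would wrap around */
        return 0;
    return addr + len <= MODEL_TASK_SIZE_MAX;
}

/* Pre-fix behaviour: no validation; the caller trusts whatever comes back. */
uint64_t compat_alloc_user_space_unchecked(uint64_t user_sp, uint64_t len)
{
    return user_sp - len;                 /* wraps modulo 2^64, like the kernel's pointer math */
}

/* Post-fix behaviour: reject oversized requests and any range outside user space.
 * Returns 0 (NULL in the kernel) when the request is refused. */
uint64_t compat_alloc_user_space_checked(uint64_t user_sp, uint64_t len)
{
    if (len > MODEL_COMPAT_HALF)          /* more than half the compat space: bogus request */
        return 0;
    uint64_t ptr = user_sp - len;
    if (!model_access_ok(ptr, len))       /* the range check the fix commit adds */
        return 0;
    return ptr;
}

int main(void)
{
    /* Constructed inputs: one sane stack pointer and two attacker-chosen ones. */
    struct { const char *what; uint64_t sp, len; } cases[] = {
        { "normal 32-bit stack",        0x00000000ffffd000ULL, 64 },
        { "sp below len (underflow)",   0x0000000000000100ULL, 0x1000 },
        { "sp set to a kernel address", 0xffffffff81000000ULL, 64 },
    };
    for (unsigned i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        uint64_t bad  = compat_alloc_user_space_unchecked(cases[i].sp, cases[i].len);
        uint64_t good = compat_alloc_user_space_checked(cases[i].sp, cases[i].len);
        printf("%-28s unchecked=0x%016llx checked=%s\n", cases[i].what,
               (unsigned long long)bad, good ? "allowed" : "rejected (NULL)");
    }
    return 0;
}
```

The second and third cases are the ones that matter: the unchecked form hands back an address in the 0xffffffff... range, which downstream code then writes to as if it were a user buffer, while the checked form returns NULL and the syscall fails cleanly.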
Manuel, thanks for the writeup.
First, a disclaimer: I work for Ksplice. We've got a bit more detail about the exploit detection tool at: <https://www.ksplice.com/uptrack/cve-2010-3081>

As far as the workaround is concerned: it's sufficient to stop the high-profile exploit example that's been circulating out there, but it doesn't actually fix the problem; a fairly straightforward modification to the exploit will allow it to continue working even with that workaround in place. Additionally, the workaround disables 32-bit ELF support, so you won't be able to run 32-bit programs, which could be a problem, depending on your environment.

The only ways to fix it are to: 1) reboot into a patched kernel (but unfortunately, RHEL/CentOS has yet to release one); or 2) use Ksplice to hotpatch your kernel, to apply the patch without rebooting. We have a 30-day free trial at <https://www.ksplice.com/signup>, which will let you install that patch. It's at the very least a way of weathering the storm, if nothing else.
Anonymous | Sep 20th 2010
wdaher: I've downloaded the binary from Ksplice to check to see if we are vulnerable and I get "cannot execute binary". The permissions on the file are set properly, and I've even tried using sh to run the program but I get the same error. I've tried running it as both root and a regular user.
How do you run the precompiled binary on RHEL/CentOS systems? |
Anonymous | Sep 20th 2010
Steve: A "cannot execute binary" error probably means that you're running the tool on a 32-bit system. The binary on the website is built as a 64-bit binary, and so doesn't run on 32-bit systems (which aren't vulnerable anyway).
Anonymous | Sep 20th 2010
Advisory: RHSA-2010:0704-1
kernel-2.6.18-194.11.4 has been released and addresses this issue. See https://rhn.redhat.com/errata/RHSA-2010-0704.html for details.
Karl | 14 Posts | Sep 21st 2010