Free Republic
Browse · Search
General/Chat
Topics · Post Article

Bug 634457 - CVE-2010-3081 kernel: 64-bit Compatibility Mode Stack Pointer Underflow
Red Hat | 2010-09-16 01:23:13 EDT | Eugene Teo

Posted on 09/21/2010 9:20:58 AM PDT by Ernest_at_the_Beach

Status: NEW
Aliases: CVE-2010-3081
Product: Security Response
Component: vulnerability
Version: unspecified
Platform: All Linux


(Excerpt) Read more at bugzilla.redhat.com ...


TOPICS: Business/Economy; Computers/Internet
KEYWORDS: 64bitkernel; linux

1 posted on 09/21/2010 9:21:04 AM PDT by Ernest_at_the_Beach
[ Post Reply | Private Reply | View Replies]

To: ShadowAce
H/T to HardOCP:

Linux Kernel Exploit Wreaking Havoc

2 posted on 09/21/2010 9:22:49 AM PDT by Ernest_at_the_Beach ( Support Geert Wilders)
[ Post Reply | Private Reply | To 1 | View Replies]

From the link to HardOCP:

*********************************************

This vulnerability was introduced into the Linux kernel in April 2008, and so essentially every distribution is affected, including RHEL, CentOS, Debian, Ubuntu, Parallels Virtuozzo Containers, OpenVZ, CloudLinux, and SuSE, among others. A few vendors have released kernels that fix the vulnerability if you reboot, but other vendors, including Red Hat, are still working on releasing an updated kernel.

3 posted on 09/21/2010 9:24:25 AM PDT by Ernest_at_the_Beach ( Support Geert Wilders)
[ Post Reply | Private Reply | To 2 | View Replies]

Typo: link to HardOCP


4 posted on 09/21/2010 9:25:19 AM PDT by Ernest_at_the_Beach ( Support Geert Wilders)
[ Post Reply | Private Reply | To 3 | View Replies]

To: Ernest_at_the_Beach
Eugene Teo (Security Response) 2010-09-16 01:23:13 EDT
Description of problem:
A vulnerability in the 32-bit compatibility layer for 64-bit systems was
reported. It is caused by insecure allocation of user space memory when
translating system call inputs to 64-bit. A stack pointer underflow can occur
when using the "compat_alloc_user_space" method with an arbitrary length input.

Reference:
http://sota.gen.nz/compat1/

Upstream commit:
http://git.kernel.org/linus/c41d68a513c71e35a14f66d71782d27a79a81ea6

Acknowledgements:

Red Hat would like to thank Ben Hawkes for reporting this issue.

5 posted on 09/21/2010 9:26:53 AM PDT by Ernest_at_the_Beach ( Support Geert Wilders)
[ Post Reply | Private Reply | To 4 | View Replies]
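The "insecure allocation" in the Bugzilla description above, modelled in user-space C as an added example (this is not kernel code and not from the bug report): the pre-fix compat_alloc_user_space() subtracted a caller-supplied length from the task's user stack pointer with no check, and the upstream fix linked in the post adds an access_ok()-style range check so an out-of-range request returns NULL instead of a pointer into kernel memory. TASK_SIZE_MAX, USER_SP and the model_access_ok() helper are constructed assumptions that stand in for the real kernel values.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model constants: x86-64 user space ends below TASK_SIZE_MAX
 * and the task's 64-bit user stack pointer sits just under it. */
#define TASK_SIZE_MAX 0x00007ffffffff000ULL
#define USER_SP       0x00007fffffffe000ULL

/* Model of the kernel's access_ok(): [addr, addr+len) must lie entirely
 * below TASK_SIZE_MAX and the end-of-range addition must not wrap. */
static bool model_access_ok(uint64_t addr, uint64_t len)
{
    uint64_t end = addr + len;
    if (end < addr)            /* wrapped past 2^64 */
        return false;
    return end <= TASK_SIZE_MAX;
}

/* Pre-fix shape of compat_alloc_user_space(): carve `len` bytes off the
 * user stack with no check. A huge len underflows the subtraction so the
 * "user" pointer lands in the kernel half; a negative len moves it above
 * the stack. Either way the kernel later copies through that pointer. */
static uint64_t alloc_unchecked(uint64_t sp, long len)
{
    return sp - (uint64_t)len;
}

/* Post-fix shape (upstream commit c41d68a5 linked on the page): same
 * arithmetic, then access_ok() on the result; returns 0 (NULL) when the
 * range is not valid user memory, so callers must handle NULL. */
static uint64_t alloc_checked(uint64_t sp, long len)
{
    uint64_t ptr = sp - (uint64_t)len;
    if (!model_access_ok(ptr, (uint64_t)len))
        return 0;
    return ptr;
}

int main(void)
{
    long lens[] = { 64, (long)(1ULL << 62), -4096L };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        printf("len=%ld unchecked=0x%016llx checked=0x%016llx\n", lens[i],
               (unsigned long long)alloc_unchecked(USER_SP, lens[i]),
               (unsigned long long)alloc_checked(USER_SP, lens[i]));
    }
    return 0;
}
```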

To: Ernest_at_the_Beach
Eugene Teo (Security Response) 2010-09-16 03:17:41 EDT
Exploit: http://seclists.org/fulldisclosure/2010/Sep/268

6 posted on 09/21/2010 9:27:41 AM PDT by Ernest_at_the_Beach ( Support Geert Wilders)
[ Post Reply | Private Reply | To 5 | View Replies]

To: Ernest_at_the_Beach
from the linked article:

Although it might seem self-serving, I do know of one sure way to fix this vulnerability right away on running production systems, and it doesn’t even require you to reboot: you can (for free) download Ksplice Uptrack and fully update any of the distributions that we support (We support RHEL, CentOS, Debian, Ubuntu, Parallels Virtuozzo Containers, OpenVZ, and CloudLinux. For high profile updates like this one, Ksplice optionally makes available an update for your distribution before your distribution officially releases a new kernel). We provide a free 30-day trial of Ksplice Uptrack on our website, and you can use this free trial to protect your systems, even if you cannot arrange to reboot anytime soon. It’s the best that we can do to help in this situation, and I hope that it’s useful to you.

But wait, there's more!

7 posted on 09/21/2010 9:28:23 AM PDT by frogjerk (I believe in unicorns, fairies and pro-life Democrats.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Ernest_at_the_Beach

Oh Noes! Everyone abandon Linux and go to macs! (/Applephile)

For me, CP/M is the way to go. NO ONE has written a virus for that O/S...


8 posted on 09/21/2010 9:28:51 AM PDT by freedumb2003 (The TOTUS-Reader: omnipotence at home, impotence abroad (Weekly Standard))
[ Post Reply | Private Reply | To 1 | View Replies]

To: rdb3; Calvinist_Dark_Lord; GodGunsandGuts; CyberCowboy777; Salo; Bobsat; JosephW; ...

9 posted on 09/21/2010 9:29:55 AM PDT by ShadowAce (Linux -- The Ultimate Windows Service Pack)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Ernest_at_the_Beach
Most of the comments @ KSplice complain that the software they want you to download doesn't work.
10 posted on 09/21/2010 9:31:02 AM PDT by frogjerk (I believe in unicorns, fairies and pro-life Democrats.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Ernest_at_the_Beach

Already got the Update Manager alerts for my Ubuntu and Fedora machines. I believe I hear our NIX team over there bellyaching, but that’s par for the course.

Forget “Patch Tuesdays” from MS. When a problem really needs to be fixed, count on the open source community!


11 posted on 09/21/2010 9:35:34 AM PDT by rarestia (It's time to water the Tree of Liberty.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Ernest_at_the_Beach
Before anyone gets worked up about this:

This is a LOCAL exploit. The attack must be launched by an authenticated user that is already logged on.

Unless you are granting shell command access to users, a Linux server is not vulnerable to a remote attack.

If you are using Linux on your desktop, just be aware of what you download and run on your desktop (the same advice I'd give to Windows users).

12 posted on 09/21/2010 9:36:02 AM PDT by justlurking (The only remedy for a bad guy with a gun is a good WOMAN (Sgt. Kimberly Munley) with a gun)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Ernest_at_the_Beach
Christoph A. 2010-09-16 06:07:35 EDT
public exploit:
http://seclists.org/fulldisclosure/2010/Sep/268

Comment 8 Eugene Teo (Security Response) 2010-09-16 07:07:02 EDT
The Red Hat Security Response Team is aware of this issue. We are working on
updated packages to correct this issue and will release them once they have
been completed and tested.

Comment 12 Eugene Teo (Security Response) 2010-09-17 03:42:54 EDT
Statement:

More information can be found in this kbase:
https://access.redhat.com/kb/docs/DOC-40265.

Comment 13 Petter Reinholdtsen 2010-09-17 03:53:32 EDT
A workaround for this issue is to run this command

  echo ':32bits:M:0:\x7fELF\x01::/bin/echo:' > /proc/sys/fs/binfmt_misc/register

It disables 32-bit ELF support.  The workaround was written by Terje Malmedal.

[Source: http://seclists.org/fulldisclosure/2010/Sep/273]

Comment 16 Mike McGrath 2010-09-17 17:33:37 EDT
(In reply to comment #13)

> [Source: http://seclists.org/fulldisclosure/2010/Sep/273]

One report suggests this won't always work:

http://www.h-online.com/open/news/forum/S-workaround-DOES-NOT-PREVENT-EXPLOIT/forum-116020/msg-14370942/read/

Comment 17 Nelson Elhage 2010-09-17 17:45:57 EDT
The 'robert_you_suck' exploit mentioned in the post Mike cites is an exploit for
CVE-2010-3080, which is a distinct issue discovered at the same time as this
issue. RHEL 5 is not affected by that issue.

13 posted on 09/21/2010 9:37:06 AM PDT by Ernest_at_the_Beach ( Support Geert Wilders)
[ Post Reply | Private Reply | To 6 | View Replies]

To: justlurking; ShadowAce

Well....that changes everything....thanks.


14 posted on 09/21/2010 9:38:55 AM PDT by Ernest_at_the_Beach ( Support Geert Wilders)
[ Post Reply | Private Reply | To 12 | View Replies]

To: justlurking

That might be true for desktops, but for Linux servers running any kind of PHP or CGI, all it takes is a hole in the code and you’re rooted.

And if you use a hosting provider who uses a paravirtualized environment like Slicehost or some of the other VPS hosts, I’ve heard that patches are not available yet.


15 posted on 09/21/2010 9:42:03 AM PDT by perfect_rovian_storm (Chuck Norris wears Carl Paladino pajamas.)
[ Post Reply | Private Reply | To 12 | View Replies]

To: freedumb2003
LOL

PIP B:*.* = A:

16 posted on 09/21/2010 9:47:32 AM PDT by Dumpster Baby (Truth is called hate by those who hate the truth.)
[ Post Reply | Private Reply | To 8 | View Replies]

To: justlurking
Reading the comments at HardOCP:

Linux Kernel Exploit Wreaking Havoc

The usual snarky comments from the Gamers....but this was of interest.

************************************EXCERPT************************************

Dragoniz3r (n00bie, 2.1 Years):
Nothing to see here.

This has been tremendously overblown by ksplice in the interest of furthering the sales of their product. It's a local exploit, which means the attacker has to already be logged in to your box. It's not a remote exploit.

Oh, and by the way, after looking for the source code for their "detection tool", there is no way in hell I'm running it. It's copy+paste of the original exploit code, and there are some things in it that are very very difficult to verify the safety of (like embedded machine code)

17 posted on 09/21/2010 10:01:55 AM PDT by Ernest_at_the_Beach ( Support Geert Wilders)
[ Post Reply | Private Reply | To 12 | View Replies]

To: freedumb2003

Flip that dirty old bit.


18 posted on 09/21/2010 10:02:17 AM PDT by ImJustAnotherOkie (zerogottago)
[ Post Reply | Private Reply | To 8 | View Replies]

To: All
And also:

************************************EXCERPT****************************************

Today, 08:41 AM

LibertySyclone (Gawd, 3.5 Years):
Quote, originally posted by Robstar:
How many Linux users here run a multi-user system where the users you allow are not someone you already know?
I have the same question. We leave the horde to f#$k up windows not even come close to our linux machines. We MIGHT have 4 users on our "router"
__________________
Everytime you idiot-proof something, someone invents a better idiot.--SamuraiInBlack

19 posted on 09/21/2010 10:04:41 AM PDT by Ernest_at_the_Beach ( Support Geert Wilders)
[ Post Reply | Private Reply | To 17 | View Replies]

To: All
And also....:

*********************************EXCERPT**************************************

Today, 08:43 AM

pankkake (n00bie, 39 Days):
It's not a remote vulnerability, but a privilege escalation. It's not the first one and they have never been "hidden".

Some people are not even affected — most people running with the grsec patchset, 32 bit kernels, and 64 bit kernels without 32 bit compatibility enabled.

20 posted on 09/21/2010 10:08:02 AM PDT by Ernest_at_the_Beach ( Support Geert Wilders)
[ Post Reply | Private Reply | To 19 | View Replies]

