64b Linux Exploit in the Wild
There is a 64b Linux exploit making its rounds. Details can be found here:
http://isc.sans.edu/diary.html?storyid=9574
Quote:
The Full Disclosure list sponsored by secunia.com published an exploit regarding the CVE-2010-3081 vulnerability. It is triggered because of a stack pointer underflow regarding the function compat_alloc_user_space() inside arch/x86/include/asm/compat.h. This exploit is in the wild and it is highly recommended to implement the patch located at
http://git.kernel.org/?p=linux/kerne...82d27a79a81ea6.
and here:
http://blog.ksplice.com/2010/09/cve-2010-3081/
Quote:
I’m writing this blog post to provide some information and assistance to anyone affected by the recent Linux kernel vulnerability CVE-2010-3081, which unfortunately is just about everyone running 64-bit Linux. To make matters worse, in the last day we’ve received many reports of people attacking production systems using an exploit for this vulnerability, so if you run Linux systems, we recommend that you strongly consider patching this vulnerability. (Linux vendors release important security updates every month, but this vulnerability is particularly high profile and people are using it aggressively to exploit systems).
Quote:
This vulnerability was introduced into the Linux kernel in April 2008, and so essentially every distribution is affected, including RHEL, CentOS, Debian, Ubuntu, Parallels Virtuozzo Containers, OpenVZ, CloudLinux, and SuSE, among others.
Ubuntu was patched on the 17th. RH remains unpatched as of 09.20.10; not sure about the other distros. There is a utility that you can run to see if this vulnerability has been exploited on one of your machines. It can be found on the SANS page linked above.