September 20th, 2010, 06:49 PM
64b Linux Exploit in the Wild
There is a 64b Linux exploit making its rounds. Details can be found here:
The Full Disclosure list sponsored by secunia.com published an exploit regarding the CVE-2010-3081 vulnerability. It is triggered because of a stack pointer underflow regarding the function compat_alloc_user_space() inside arch/x86/include/asm/compat.h. This exploit is in the wild and it is highly recommended to implement the patch located at http://git.kernel.org/?p=linux/kerne...82d27a79a81ea6
I’m writing this blog post to provide some information and assistance to anyone affected by the recent Linux kernel vulnerability CVE-2010-3081, which unfortunately is just about everyone running 64-bit Linux. To make matters worse, in the last day we’ve received many reports of people attacking production systems using an exploit for this vulnerability, so if you run Linux systems, we recommend that you strongly consider patching this vulnerability. (Linux vendors release important security updates every month, but this vulnerability is particularly high profile and people are using it aggressively to exploit systems).
Ubuntu was patched on the 17th. RH remains unpatched as of 09.20.10 - Not sure about the other distros. There is a utility that you can run to see if this vulnerability has been exploited on one of your machines. It can be found on the SANS page linked above.
This vulnerability was introduced into the Linux kernel in April 2008, and so essentially every distribution is affected, including RHEL, CentOS, Debian, Ubuntu, Parallels Virtuozzo Containers, OpenVZ, CloudLinux, and SuSE, among others.
"Those of us that had been up all night were in no mood for coffee and donuts, we wanted strong drink."
September 21st, 2010, 03:58 AM
Is this the one that was originally patched, then subsequently un-patched that I read about last week?
Bout time *nix got itself some 0-day lovin..
September 21st, 2010, 06:00 AM
Yes it is.......and the author of the exploit code, Ac1db1tch3z, claim it's been in the wild for a few years (RedHat backported it into earlier kernel versions), and they removed from the exploit code the OpenVZ Payload / GRsec bypass.......ZOIKS!
"It is a shame that stupidity is not painful" - Anton LaVey