Hey guys.

I just compiled this:

http://seclists.org/fulldisclosure/2010/Sep/268

on a 32-bit machine and indeed, RHEL 5 is affected. (The first exploit code I saw over the weekend did not work but this one did.) I compiled on a 32-bit kernel and ran on a 64-bit kernel (2.6.18-194.11.3.el5) and got root. Scary. I've added the workaround on some shared login servers we run until the new kernel has finished its testing phase.

The workaround did seem to prevent the exploit from working on another test box. Although some behaviors were unusual after running it, I did not have root access. So I'm very glad there is at least a workaround for this monster.

Gary Gatling      | ITECS Systems

On Mon, 20 Sep 2010, Robert G. (Doc) Savage wrote:

On Mon, 2010-09-20 at 09:08 -0400, Gary Gatling wrote:

Will a new kernel be coming out soon to address CVE-2010-3081?

Thanks,

Gary Gatling      | ITECS Systems

Gary,

I was concerned about this until I read this:

http://isc.sans.edu/diary.html?storyid=9574

I downloaded and ran the "diagnose-2010-3081" binary on my RHEL55 server
and was relieved to see:

       $ ./diagnose-2010-3081
       Diagnostic tool for public CVE-2010-3081 exploit -- Ksplice, Inc.
       (see http://www.ksplice.com/uptrack/cve-2010-3081)

       $$$ Kernel release: 2.6.18-194.11.3.el5
       $$$ Backdoor in LSM (1/3): checking...not present.
       $$$ Backdoor in timer_list_fops (2/3): not available.
       $$$ Backdoor in IDT (3/3): checking...not present.

       Your system is free from the backdoors that would be left in memory
       by the published exploit for CVE-2010-3081.

I also ran it on my 64-bit F13 laptop and was similarly relieved:

       $ ./diagnose-2010-3081
       Diagnostic tool for public CVE-2010-3081 exploit -- Ksplice, Inc.
       (see http://www.ksplice.com/uptrack/cve-2010-3081)

       $$$ Kernel release: 2.6.34.6-54.fc13.x86_64
       !!! Could not find symbol: per_cpu__current_task

       A symbol required by the published exploit for CVE-2010-3081 is not
       provided by your kernel.  The exploit would not work on your system.

As long as you are up-to-date with the latest patches (and not the ones
still in updates-testing), it appears you'll have nothing to worry
about.

--Doc Savage, CISSP
 Fairview Heights, IL

_______________________________________________
rhelv5-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/rhelv5-list

