Linux Users - Kernel Exploit released~~!

  • gumdrop
    Confirmed User
    • Feb 2005
    • 482

    #1

    which unfortunately is just about everyone running 64-bit Linux. To make matters worse, in the last day we've received many reports of people attacking production systems using an exploit for this vulnerability, so if you run Linux systems, we recommend that you strongly consider patching this vulnerability. (Linux vendors release important security updates every month, but this vulnerability is particularly high profile and people are using it aggressively to exploit systems).
    PLEASE STICKY THIS!

    http://blog.ksplice.com/2010/09/cve-2010-3081/
    I am NOT Godaddy! Most excellent Domains & Cheap Hosting

    “Buy an iPad, kill a Chinaman” - Brendan O’Neill
  • Brujah
    Beer Money Baron
    • Jan 2001
    • 22157

    #2
    It's a very sloppy update too, one of my servers anyway.... /tmp is noexec, and it failed to exec the configs for it as a result.

    • gumdrop
      Confirmed User
      • Feb 2005
      • 482

      #3
      Originally posted by Brujah
      It's a very sloppy update too, one of my servers anyway.... /tmp is noexec, and it failed to exec the configs for it as a result.
      There is no update for CentOS yet as of today.
      Last edited by gumdrop; 09-20-2010, 08:14 AM.

      • Zyber
        Confirmed User
        • Aug 2001
        • 832

        #4
        thanks for sharing this

        • Barry-xlovecam
          It's 42
          • Jun 2010
          • 18083

          #5
          It doesn't even say what kernels are vulnerable ...

          $ uname -a

          I updated the kernel some days ago.

          • gumdrop
            Confirmed User
            • Feb 2005
            • 482

            #6
            ALL 64-Bit kernels.

            • borked
              Totally Borked
              • Feb 2005
              • 6284

              #7
              why "ALL" 64-bit kernels... it states:

              The flaw identified by CVE-2010-3081 (Red Hat Bugzilla bug 634457) describes an issue in the 32/64-bit compatibility layer implementation in the Linux kernel, versions 2.6.26-rc1 to 2.6.36-rc4.
              2.6.18 looks good to me...

              For coding work - hit me up on andy // borkedcoder // com
              (consider figuring out the email as test #1)

              All models are wrong, but some are useful. George E.P. Box. p202

              • ladida
                Confirmed User
                • Nov 2005
                • 2179

                #8
                Rofl. Do you realize how many of these are found each and every day? And how many stay hidden for years? Lol@sticky this
                agentGFY *at* gmail.com

                • gumdrop
                  Confirmed User
                  • Feb 2005
                  • 482

                  #9
                  Originally posted by borked
                  why "ALL" 64-bit kernels... it states:

                  2.6.18 looks good to me...
                  NO!

                  The published workarounds that we've seen, including the workaround recommended by Red Hat, can themselves be worked around by an attacker to still exploit the system.
                  You can use the test tool:
                  https://www.ksplice.com/uptrack/cve-2010-3081

                  • gumdrop
                    Confirmed User
                    • Feb 2005
                    • 482

                    #10
                    Originally posted by ladida
                    Rofl. Do you realize how many of these are found each and every day? And how many stay hidden for years? Lol@sticky this
                    Terrible!
                    LOL@youbeenhackedby this.
                    Last edited by gumdrop; 09-20-2010, 11:59 AM.

                    • roly
                      Confirmed User
                      • Aug 2002
                      • 1844

                      #11
                      i use yum to update my kernel but there's no updates showing on any of the repositories that i use yet.

                      • borked
                        Totally Borked
                        • Feb 2005
                        • 6284

                        #12
                        Originally posted by gumdrop
                        NO!

                        You can use the test tool:
                        https://www.ksplice.com/uptrack/cve-2010-3081
                        I don't understand why you say NO!? The exploit says the .26-.34 kernels are affected, and the test from ksplice is simply a tool to see if the system has been exploited....

                        Although this doesn't suggest your system hasn't been compromised already, if exploited, a reboot will close the holes. Kind of like closing the stable door after the horse went for a piss, but still.

                        to me looks like .18 kernels are fine?


                        • borked
                          Totally Borked
                          • Feb 2005
                          • 6284

                          #13
                          Originally posted by roly
                          i use yum to update my kernel but there's no updates showing on any of the repositories that i use yet.
                          It takes ages for anything to reach yum if it's a simple patch.

                          Someone released a patch for my kernel -
                          https://bugzilla.redhat.com/show_bug.cgi?id=634457#c20

                          when it gets approved, I'll load it on, whether the .18 kernel is vulnerable or not


                          • gumdrop
                            Confirmed User
                            • Feb 2005
                            • 482

                            #14
                            If you are using CentOS there has been some progress:

                            http://bugs.centos.org/view.php?id=4518

                            • gumdrop
                              Confirmed User
                              • Feb 2005
                              • 482

                              #15
                              Originally posted by borked
                              I don't understand why you say NO!? The exploit says the .26-.34 kernels are affected, and the test from ksplice is simply a tool to see if the system has been exploited....

                              Although this doesn't suggest your system hasn't been compromised already, if exploited, a reboot will close the holes. Kind of like closing the stable door after the horse went for a piss, but still.

                              to me looks like .18 kernels are fine?
                              According to the CentOS team it's not:
                              1) public exploit (with backdoor) for gaining root on a CentOS-5 x86_64 machine
                              2) only x86_64 machine are affected from kernel-2.6.18-164 and onward (CentOS-5.4 too)
                              http://bugs.centos.org/view.php?id=4518

                              • zagi
                                Confirmed User
                                • Jan 2004
                                • 1238

                                #16
                                Doesn't look like it affects CentOS that much:

                                $ ./diagnose-2010-3081
                                Diagnostic tool for public CVE-2010-3081 exploit -- Ksplice, Inc.
                                (see http://www.ksplice.com/uptrack/cve-2010-3081)

                                $$$ Kernel release: 2.6.18-194.11.1.el5xen
                                $$$ Backdoor in LSM (1/3): not available.
                                $$$ Backdoor in timer_list_fops (2/3): not available.
                                $$$ Backdoor in IDT (3/3): checking...not present.

                                Your system is free from the backdoors that would be left in memory
                                by the published exploit for CVE-2010-3081.


                                $ cat /etc/redhat-release
                                CentOS release 5.5 (Final)
                                Managed US/NL Hosting [ Reality Check Network ]
                                Dell XEON Servers + 1/2/3 TB Packages ICQ: 4-930-562

                                • Klen
                                  • Aug 2006
                                  • 32235

                                  #17
                                  Well this exploit can be resolved simply by adding ip restriction to ssh.

                                  • signupdamnit
                                    Confirmed User
                                    • Aug 2007
                                    • 6697

                                    #18
                                    https://access.redhat.com/kb/docs/DOC-40265

                                    Note that they need to gain access to a local account before it is of any use to an attacker.

                                    Also:

                                    As suggested on the Full Disclosure mailing list, it is possible to temporarily mitigate this issue. However, the steps provided below are only meant for the publicly-circulated exploit - they are insufficient for completely mitigating this vulnerability. As such, we strongly encourage you to install the updated kernel packages for Red Hat Enterprise Linux 5 when they become available soon.
                                    Last edited by signupdamnit; 09-20-2010, 04:59 PM.

                                    You don't like my posts? Put me on ignore or fuck right off. I'll say what I want.

                                    • mrsmut
                                      Confirmed User
                                      • Apr 2003
                                      • 121

                                      #19
                                      I've seen today a server with CentOS being hacked this way through an old install of osCommerce.

                                      As usual, the attacker uploaded a PHP shell and downloaded the exploit to gain root, after that defaced all sites on the server.

                                      Server was running CentOS 5 64-bit with kernel 2.6.18-194.8.1.
                                      The attacker overwrote every index* file; when the attacker was discovered, he tried to rm -rf * the whole drive, luckily we caught it in time.

                                      CentOS 5 IS vulnerable now.

                                      • borked
                                        Totally Borked
                                        • Feb 2005
                                        • 6284

                                        #20
                                        Originally posted by roly
                                        i use yum to update my kernel but there's no updates showing on any of the repositories that i use yet.
                                        it's now in the repository...

                                        Code:
                                         kernel	x86_64	2.6.18-194.11.4.el5	updates	19 M
                                         kernel-devel	x86_64	2.6.18-194.11.4.el5	updates	5.4 M
                                        2.6.18-194.11.4 closes this flaw
                                        http://lwn.net/Articles/406414/


                                        • roly
                                          Confirmed User
                                          • Aug 2002
                                          • 1844

                                          #21
                                          Originally posted by borked
                                          it's now in the repository...

                                          Code:
                                           kernel	x86_64	2.6.18-194.11.4.el5	updates	19 M
                                           kernel-devel	x86_64	2.6.18-194.11.4.el5	updates	5.4 M
                                          2.6.18-194.11.4 closes this flaw
                                          http://lwn.net/Articles/406414/
                                          yes all updated thanks

                                          • borked
                                            Totally Borked
                                            • Feb 2005
                                            • 6284

                                            #22
                                            Don't forget to reboot after kernel update....


                                            • roly
                                              Confirmed User
                                              • Aug 2002
                                              • 1844

                                              #23
                                              Originally posted by borked
                                              Don't forget to reboot after kernel update....
                                              That's what I don't understand when people show uptime on their servers of 1 year or something; I seem to be updating my kernel every 4-6 weeks or so.
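The thread turns on two checks that people were doing by eye: is the release string from `uname -r` inside the affected window (posts #7, #15 and #20 give the numbers: x86_64 only, EL5 kernels from 2.6.18-164 up to the fix in 2.6.18-194.11.4.el5, upstream 2.6.26-rc1 to 2.6.36-rc4), and is the box actually running the kernel that yum installed (posts #22 and #23). The script below is an added example, not part of the thread, of Ksplice's diagnostic or of any distro tooling; the function names are mine, the thresholds are taken from the posts above, "-rcN" tags are not parsed, and a distro kernel whose base version is not 2.6.18 is only compared against the upstream range, so its vendor advisory still has to be read.

```python
"""Classify a kernel release string against the CVE-2010-3081 window discussed
in this thread, and say whether an installed update still needs a reboot.
Added example; function names and the text of the verdicts are my own."""
import os
import re

# Thresholds as stated in the thread.  Post #15 (quoting the CentOS tracker):
# x86_64 kernels from 2.6.18-164 onward are affected; post #20: fixed in
# 2.6.18-194.11.4.el5.  Post #7 (quoting Red Hat): upstream 2.6.26-rc1 to
# 2.6.36-rc4, i.e. every 2.6.26 .. 2.6.35.x mainline kernel.
EL5_FIRST_AFFECTED = "2.6.18-164"
EL5_FIXED = "2.6.18-194.11.4.el5"
UPSTREAM_FIRST_AFFECTED = (2, 6, 26)
UPSTREAM_FIXED = (2, 6, 36)


def release_key(release):
    """'2.6.18-194.11.1.el5xen' -> (2, 6, 18, 194, 11, 1).
    The distro tag ('.el5...') and flavour suffix are dropped; the remaining
    numbers are compared positionally.  '-rcN' tags are not understood."""
    base = re.split(r"\.el\d", release, maxsplit=1, flags=re.I)[0]
    return tuple(int(n) for n in re.findall(r"\d+", base))


def release_lt(a, b):
    """True if kernel release a is older than b (missing fields count as 0)."""
    ka, kb = release_key(a), release_key(b)
    n = max(len(ka), len(kb))
    return ka + (0,) * (n - len(ka)) < kb + (0,) * (n - len(kb))


def cve_2010_3081_state(release, machine):
    """Verdict for one (uname -r, uname -m) pair, using the thread's facts."""
    if machine != "x86_64":
        return "not affected: only x86_64 kernels have the 32/64-bit compat layer"
    key = release_key(release)
    if len(key) < 3:
        return "unknown: cannot parse release string"
    if release.startswith("2.6.18-"):
        # RHEL/CentOS 5 lineage: the upstream version number says nothing here,
        # the backport level (the part after the dash) is what matters.
        if release_lt(release, EL5_FIRST_AFFECTED):
            return "not affected: predates the flawed EL5 backport"
        if release_lt(release, EL5_FIXED):
            return "VULNERABLE: update to %s and reboot" % EL5_FIXED
        return "fixed"
    if UPSTREAM_FIRST_AFFECTED <= key[:3] < UPSTREAM_FIXED:
        return ("VULNERABLE: in the upstream 2.6.26-2.6.35 range; a distro "
                "kernel may carry a backported fix, check its advisory")
    return "not in the affected upstream range (vendor backports not checked)"


def reboot_needed(running, installed):
    """Post #23: an installed kernel newer than the running one does nothing
    until the box is rebooted."""
    newest = max(installed, key=release_key)
    return release_lt(running, newest)


def check_this_host():
    """Apply the verdict to the host the script runs on (Linux only)."""
    u = os.uname()
    return u[2], u[4], cve_2010_3081_state(u[2], u[4])


if __name__ == "__main__":
    # Constructed sample inputs, built from the release strings quoted in the thread.
    for rel in ("2.6.18-128.el5", "2.6.18-194.8.1.el5",
                "2.6.18-194.11.1.el5xen", "2.6.18-194.11.4.el5",
                "2.6.32-24-generic"):
        print("%-24s %s" % (rel, cve_2010_3081_state(rel, "x86_64")))
    installed = ["2.6.18-194.11.1.el5", "2.6.18-194.11.4.el5"]
    print("reboot needed:", reboot_needed("2.6.18-194.11.1.el5", installed))
    print("this host:", check_this_host())
```

In practice the `installed` list comes from `rpm -q kernel --qf '%{VERSION}-%{RELEASE}\n'` and the running release from `uname -r`; the point of keeping the comparison positional on the part after the dash is exactly the lesson of posts #7 and #15, that "2.6.18" alone says nothing about whether an EL5 kernel carries the flawed backport.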