Fedora Linux Support Community & Resources Center
  #1  
Old 20th September 2010, 09:26 AM
simpfeld Offline
Registered User
 
Join Date: Jan 2008
Posts: 21
CVE-2010-3080 / CVE-2010-3081 F13 status?

Does anyone know the status of the Fedora 13 kernel 2.6.34.6-54.fc13.x86_64 for these two exploits?

It looks vulnerable to CVE-2010-3080.

But on CVE-2010-3081 I don't know. The KSplice tool to test for compromise on RHEL5 doesn't seem to run on F13. I get:


% ./diagnose-2010-3081
Diagnostic tool for public CVE-2010-3081 exploit -- Ksplice, Inc.
(see http://www.ksplice.com/uptrack/cve-2010-3081)

$$$ Kernel release: 2.6.34.6-54.fc13.x86_64
!!! Error in setting cred shellcodes

Not sure what that means...

Not seen any discussion of this anywhere on Fedora, so sorry if a dup.

Any thoughts?
  #2  
Old 20th September 2010, 02:56 PM
gilboa Offline
Registered User
 
Join Date: Jun 2004
Posts: 86
Re: CVE-2010-3080 / CVE-2010-3081 F13 status?

Sadly enough, the exploit itself -does- work on F13/x86_64. (I'd rather not post the code in case someone failed to google for it...)

- Gilboa
__________________
DEV: Intel S2600C0, 2xE52658V2, 32GB, 4x2TB, GTX680, F20/x86_64, Dell U2711.
SRV: Intel S5520SC, 2xX5680, 36GB, 4x2TB, GTX550, F20/x86_64, Dell U2412..
BACK: Tyan Tempest i5400XT, 2xE5335, 8GB, 3x1.5TB, 9800GTX, F20/x86-64.
LAP: ASUS N56VJ, i7-3630QM, 16GB, 1TB, 635M, F20/x86_64.

Last edited by gilboa; 20th September 2010 at 03:01 PM.
  #3  
Old 20th September 2010, 03:19 PM
simpfeld Offline
Registered User
 
Join Date: Jan 2008
Posts: 21
Re: CVE-2010-3080 / CVE-2010-3081 F13 status?

Just for everyone else, as I see "gilboa" you are already on here: there is a bug report open in bugzilla covering CVE-2010-3081 for RHEL, but people are asking if it covers Fedora and the answer seems to be no at this time.

https://bugzilla.redhat.com/show_bug.cgi?id=634457
  #4  
Old 20th September 2010, 07:30 PM
kyryder
Guest
 
Posts: n/a
Re: CVE-2010-3080 / CVE-2010-3081 F13 status?

Hello,

I believe CVE-2010-3080 has been fixed for 2.6.34.7-56.fc13* . You can get this kernel from : http://koji.fedoraproject.org/koji/b...buildID=195413

Hope this helps,
Ky
  #5  
Old 20th September 2010, 08:44 PM
leigh123linux
Guest
 
Posts: n/a
Re: CVE-2010-3080 / CVE-2010-3081 F13 status?

Code:
[leigh@localhost Desktop]$ chmod +x diagnose-2010-3081
[leigh@localhost Desktop]$ ./diagnose-2010-3081
Diagnostic tool for public CVE-2010-3081 exploit -- Ksplice, Inc.
(see http://www.ksplice.com/uptrack/cve-2010-3081)

$$$ Kernel release: 2.6.35.4-28.fc14.x86_64
!!! Could not find symbol: per_cpu__current_task

A symbol required by the published exploit for CVE-2010-3081 is not
provided by your kernel.  The exploit would not work on your system.
[leigh@localhost Desktop]$
  #6  
Old 21st September 2010, 02:10 AM
price Offline
Registered User
 
Join Date: Sep 2010
Posts: 2
Re: CVE-2010-3080 / CVE-2010-3081 F13 status?

simpfeld: That message means that the published exploit would not work on your system. Specifically, your kernel does not provide a certain symbol that the exploit relies on. The current version of the diagnostic tool prints the more helpful message that leigh123linux posted.

Note that there is still a possibility that a sophisticated attacker may have modified the published exploit in order to work on your system.

gilboa: Are you using the exploit for CVE-2010-3081, published by "Ac1dB1tch3z"? It was posted to the fulldisclosure mailing list at http://seclists.org/fulldisclosure/2010/Sep/268 (and widely circulated; there's no additional harm in linking to it.) If the diagnostic tool reports that the exploit would not work, then the public CVE-2010-3081 exploit will not work on that system.

In my testing, the exploit does not work on Fedora 13 kernels (and the diagnostic tool correctly reports that it would not work.) If you have a Fedora 13 system on which the CVE-2010-3081 exploit does work, it would satisfy my personal curiosity if you could show the output of "uname -a" on that system.

Greg Price
Ksplice, Inc.
  #7  
Old 21st September 2010, 07:40 AM
gilboa Offline
Registered User
 
Join Date: Jun 2004
Posts: 86
Re: CVE-2010-3080 / CVE-2010-3081 F13 status?

$ ./ABftw
Ac1dB1tCh3z VS Linux kernel 2.6 kernel 0d4y
$$$ Kallsyms +r
$$$ K3rn3l r3l3as3: 2.6.34.7-56.fc13.x86_64
$$$ prepare_creds->ffffffff8106b950
$$$ override_creds->ffffffff8106b4cc
$$$ revert_creds->ffffffff8106b6e9
$$$ Kernel Credentials detected
!!! Err0r 1n s3tt1ng cr3d sh3llc0d3z
  #8  
Old 21st September 2010, 05:29 PM
price Offline
Registered User
 
Join Date: Sep 2010
Posts: 2
Re: CVE-2010-3080 / CVE-2010-3081 F13 status?

Hi gilboa,

Quote:
Originally Posted by gilboa
$ ./ABftw
Ac1dB1tCh3z VS Linux kernel 2.6 kernel 0d4y
$$$ Kallsyms +r
$$$ K3rn3l r3l3as3: 2.6.34.7-56.fc13.x86_64
$$$ prepare_creds->ffffffff8106b950
$$$ override_creds->ffffffff8106b4cc
$$$ revert_creds->ffffffff8106b6e9
$$$ Kernel Credentials detected
!!! Err0r 1n s3tt1ng cr3d sh3llc0d3z

That transcript shows the exploit failing to work. It looks for a symbol it needs, namely per_cpu__current_task, and discovers that the symbol is not provided, so it prints that error message and exits. The diagnostic tool will report the same error if you run it on that system, except that I translated the error message from l33t-speak into normal English. =)

In fact, because you're running the 2.6.34.7-56.fc13 kernel that was released last night, you are not vulnerable to CVE-2010-3081. But note that on any older F13 x86_64 kernel (and almost any other 64-bit Linux kernel from before last week), even though the exploit may error out like this one does, a sophisticated attacker could modify the exploit to still work on your system. The same thing is true of most exploits: a sophisticated attacker can modify them to work on many kernels where the unmodified exploit does not work. So you should never rely on an exploit to determine whether you are vulnerable. In this case, anyone with a 64-bit kernel (on F13 or on nearly any other distro) who has not updated since last week needs to do so.

Greg Price
Ksplice
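
The advice in the post above is to judge exposure by the installed kernel build rather than by whether an exploit happens to run. As an added example (not part of the original posts and not Ksplice's tool), this script classifies a `uname -r` string against the one fixed build the thread names, 2.6.34.7-56.fc13; the function names and status words are hypothetical, and anything other than an F13 x86_64 release is reported as unknown because the thread gives no fixed build for it.

```shell
#!/bin/sh
# Added example: compare a Fedora 13 x86_64 kernel release with the build
# this thread reports as fixed for CVE-2010-3081 (2.6.34.7-56.fc13).
FIXED_VR="2.6.34.7-56"

# ver_lt A B: succeed if numeric version-release A sorts before B.
# Fields are split on '.' and '-' and compared as integers, so
# 2.6.34.10 is correctly newer than 2.6.34.7.
ver_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%[.-]*}; y=${b%%[.-]*}
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
        case $a in *[.-]*) a=${a#*[.-]} ;; *) a= ;; esac
        case $b in *[.-]*) b=${b#*[.-]} ;; *) b= ;; esac
    done
    return 1    # equal
}

# cve_2010_3081_status RELEASE: print needs-update, patched or unknown.
cve_2010_3081_status() {
    rel=$1
    case $rel in
        *.fc13.x86_64) vr=${rel%.fc13.x86_64} ;;
        *) echo unknown; return 0 ;;    # no fixed build given on this page
    esac
    case $vr in
        ''|*[!0-9.-]*) echo unknown; return 0 ;;    # not a plain numeric build
    esac
    if ver_lt "$vr" "$FIXED_VR"; then
        echo needs-update
    else
        echo patched
    fi
}

# Classify the running kernel when the script is executed directly.
cve_2010_3081_status "$(uname -r)"
```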
  #9  
Old 22nd September 2010, 09:56 AM
gilboa Offline
Registered User
 
Join Date: Jun 2004
Posts: 86
Re: CVE-2010-3080 / CVE-2010-3081 F13 status?

I should have pointed out that I've upgraded to -56 following a suggestion I got from RH people in bugzilla bug report 634457.
I assumed that people followed the link posted above and that a fix is already out.

As for possible future exploits, privilege escalation attacks are nothing new, and will most likely continue to be an issue till the end of time. (As opposed to remote exploits, which are rare and far between).

- Gilboa

Last edited by gilboa; 22nd September 2010 at 10:07 AM.