Security and Privacy: Sadly, malware, spyware, hackers and privacy threats abound in today's world. Let's be paranoid and secure our penguins, and slam the doors on privacy exploits.

20th September 2010, 09:26 AM
Registered User
Join Date: Jan 2008
Posts: 21
CVE-2010-3080 / CVE-2010-3081 F13 status?
Does anyone know the status of the Fedora 13 kernel 2.6.34.6-54.fc13.x86_64 for these two exploits?
It looks vulnerable to CVE-2010-3080.
But on CVE-2010-3081 I don't know. The Ksplice tool to test for compromise on RHEL5 doesn't seem to run on F13. I get:
Code:
% ./diagnose-2010-3081
Diagnostic tool for public CVE-2010-3081 exploit -- Ksplice, Inc.
(see http://www.ksplice.com/uptrack/cve-2010-3081)
$$$ Kernel release: 2.6.34.6-54.fc13.x86_64
!!! Error in setting cred shellcodes
Not sure what that means...
Not seen any discussion of this anywhere on Fedora, so sorry if a dup.
Any thoughts?

20th September 2010, 02:56 PM
Registered User
Join Date: Jun 2004
Posts: 82
Re: CVE-2010-3080 / CVE-2010-3081 F13 status?
Sadly enough, the exploit itself -does- work on F13/x86_64. (I'd rather not post the code in case someone failed to google for it...)
- Gilboa
__________________
DEV: Intel S5520SC, 2xL5530, 12GB, 5x320GB, GTX470, F17/x86_64, U2711.
SRV: Tyan Tempest i5400XT, 2xE5335, 8GB, 3x1.5TB, 9800GTX, F17/x86-64, 2408WFP.
VCR: Gigabyte GA-M61PME-S2P, A64/5000X2, 2GB, 1x320GB, 8600GT, F17/x86-64.
LAP: ASUS 1201N, A330, 2GB, 250GB, ION, F17/x86_64.
Last edited by gilboa; 20th September 2010 at 03:01 PM.

20th September 2010, 03:19 PM
Registered User
Join Date: Jan 2008
Posts: 21
Re: CVE-2010-3080 / CVE-2010-3081 F13 status?
Just for everyone else, as I see "gilboa" you are already on here: there is a bug report open in bugzilla covering CVE-2010-3081 for RHEL, but people are asking if it covers Fedora and the answer seems to be no at this time.
https://bugzilla.redhat.com/show_bug.cgi?id=634457

20th September 2010, 07:30 PM
Guest
Posts: n/a
Re: CVE-2010-3080 / CVE-2010-3081 F13 status?
Hello,
I believe CVE-2010-3080 has been fixed for 2.6.34.7-56.fc13*. You can get this kernel from: http://koji.fedoraproject.org/koji/b...buildID=195413
Hope this helps,
Ky

20th September 2010, 08:44 PM
Retired Administrator
Join Date: Oct 2006
Posts: 21,509
Re: CVE-2010-3080 / CVE-2010-3081 F13 status?
Code:
[leigh@localhost Desktop]$ chmod +x diagnose-2010-3081
[leigh@localhost Desktop]$ ./diagnose-2010-3081
Diagnostic tool for public CVE-2010-3081 exploit -- Ksplice, Inc.
(see http://www.ksplice.com/uptrack/cve-2010-3081)
$$$ Kernel release: 2.6.35.4-28.fc14.x86_64
!!! Could not find symbol: per_cpu__current_task
A symbol required by the published exploit for CVE-2010-3081 is not
provided by your kernel. The exploit would not work on your system.
[leigh@localhost Desktop]$

21st September 2010, 02:10 AM
Registered User
Join Date: Sep 2010
Posts: 2
Re: CVE-2010-3080 / CVE-2010-3081 F13 status?
simpfeld: That message means that the published exploit would not work on your system. Specifically, your kernel does not provide a certain symbol that the exploit relies on. The current version of the diagnostic tool prints the more helpful message that leigh123linux posted.
Note that there is still a possibility that a sophisticated attacker may have modified the published exploit in order to work on your system.
gilboa: Are you using the exploit for CVE-2010-3081, published by "Ac1dB1tch3z"? It was posted to the fulldisclosure mailing list at http://seclists.org/fulldisclosure/2010/Sep/268 (and widely circulated; there's no additional harm in linking to it.) If the diagnostic tool reports that the exploit would not work, then the public CVE-2010-3081 exploit will not work on that system.
In my testing, the exploit does not work on Fedora 13 kernels (and the diagnostic tool correctly reports that it would not work.) If you have a Fedora 13 system on which the CVE-2010-3081 exploit does work, it would satisfy my personal curiosity if you could show the output of "uname -a" on that system.
Greg Price
Ksplice, Inc.

21st September 2010, 07:40 AM
Registered User
Join Date: Jun 2004
Posts: 82
Re: CVE-2010-3080 / CVE-2010-3081 F13 status?
Code:
$ ./ABftw
Ac1dB1tCh3z VS Linux kernel 2.6 kernel 0d4y
$$$ Kallsyms +r
$$$ K3rn3l r3l3as3: 2.6.34.7-56.fc13.x86_64
$$$ prepare_creds->ffffffff8106b950
$$$ override_creds->ffffffff8106b4cc
$$$ revert_creds->ffffffff8106b6e9
$$$ Kernel Credentials detected
!!! Err0r 1n s3tt1ng cr3d sh3llc0d3z

21st September 2010, 05:29 PM
Registered User
Join Date: Sep 2010
Posts: 2
Re: CVE-2010-3080 / CVE-2010-3081 F13 status?
Hi gilboa,
Quote (originally posted by gilboa):
Code:
$ ./ABftw
Ac1dB1tCh3z VS Linux kernel 2.6 kernel 0d4y
$$$ Kallsyms +r
$$$ K3rn3l r3l3as3: 2.6.34.7-56.fc13.x86_64
$$$ prepare_creds->ffffffff8106b950
$$$ override_creds->ffffffff8106b4cc
$$$ revert_creds->ffffffff8106b6e9
$$$ Kernel Credentials detected
!!! Err0r 1n s3tt1ng cr3d sh3llc0d3z
That transcript shows the exploit failing to work. It looks for a symbol it needs, namely per_cpu__current_task, and discovers that the symbol is not provided, so it prints that error message and exits. The diagnostic tool will report the same error if you run it on that system, except that I translated the error message from l33t-speak into normal English. =)
In fact, because you're running the 2.6.34.7-56.fc13 kernel that was released last night, you are not vulnerable to CVE-2010-3081. But note that on any older F13 x86_64 kernel (and almost any other 64-bit Linux kernel from before last week), even though the exploit may error out like this one does, a sophisticated attacker could modify the exploit to still work on your system. The same thing is true of most exploits: a sophisticated attacker can modify them to work on many kernels where the unmodified exploit does not work. So you should never rely on an exploit to determine whether you are vulnerable. In this case, anyone with a 64-bit kernel (on F13 or on nearly any other distro) who has not updated since last week needs to do so.
Greg Price
Ksplice
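The two transcripts above show the same mechanism: the public exploit (and the Ksplice diagnostic that mimics it) resolves kernel symbols from kallsyms and gives up when one it needs, per_cpu__current_task, is absent. Greg Price's point is that this only tells you whether the unmodified public exploit runs, not whether the kernel is vulnerable; the reliable check is the running kernel release against the fixed build. The program below is an added example written for this page, not the Ksplice tool, the exploit, or Fedora's own code. It parses kallsyms-format text for the four symbols named in the thread (the three cred helpers printed by the exploit plus per_cpu__current_task) and, separately, compares a kernel release string against the fixed F13 build the thread names (2.6.34.7-56.fc13, taken from the posts above rather than from an advisory). The sample kallsyms lines are constructed, with addresses copied from gilboa's transcript; the version comparison is a simplified numeric one, not rpmvercmp(), and assumes both strings come from the same distro and arch.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample in /proc/kallsyms format ("address type name"), NOT a
 * capture from a real system. It carries the three cred symbols from the
 * transcript and deliberately lacks per_cpu__current_task. */
static const char sample_kallsyms[] =
    "ffffffff8106b950 T prepare_creds\n"
    "ffffffff8106b4cc T override_creds\n"
    "ffffffff8106b6e9 T revert_creds\n"
    "ffffffff810a1d00 T compat_alloc_user_space\n";   /* address made up */

/* Symbols the public exploit resolves before it will run (per the thread). */
static const char *const exploit_symbols[] = {
    "prepare_creds", "override_creds", "revert_creds", "per_cpu__current_task",
};

/* Address of `name` in kallsyms-formatted `text`, or 0 if absent. A module
 * suffix ("\t[mod]") after the name is ignored. Note that newer kernels
 * show all-zero addresses to unprivileged readers (kptr_restrict). */
unsigned long long kallsyms_lookup(const char *text, const char *name)
{
    size_t nlen = strlen(name);
    const char *line = text;
    while (*line) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        const char *sp1 = memchr(line, ' ', len);        /* end of address */
        if (sp1 && (size_t)(sp1 - line) + 3 <= len) {
            const char *sym = sp1 + 3;                   /* skip " T " */
            size_t avail = len - (size_t)(sym - line), symlen = 0;
            while (symlen < avail && sym[symlen] != ' ' && sym[symlen] != '\t')
                symlen++;
            if (symlen == nlen && memcmp(sym, name, nlen) == 0)
                return strtoull(line, NULL, 16);
        }
        if (!eol) break;
        line = eol + 1;
    }
    return 0;
}

/* 1 if every symbol the public exploit needs is present, else 0. A 0 here
 * is what the "Could not find symbol" / "Err0r 1n s3tt1ng" messages mean;
 * it says nothing about whether the bug itself is patched. */
int public_exploit_prereqs_present(const char *kallsyms_text)
{
    size_t n = sizeof exploit_symbols / sizeof exploit_symbols[0];
    for (size_t i = 0; i < n; i++)
        if (kallsyms_lookup(kallsyms_text, exploit_symbols[i]) == 0)
            return 0;
    return 1;
}

/* Compare kernel releases by their numeric components, left to right:
 * "2.6.34.6-54.fc13" < "2.6.34.7-56.fc13". Alphabetic fragments (fc, x86_64)
 * are skipped, so this is NOT rpmvercmp(); only compare same distro/arch. */
int kernel_release_cmp(const char *a, const char *b)
{
    char *ea, *eb;
    for (;;) {
        while (*a && !isdigit((unsigned char)*a)) a++;
        while (*b && !isdigit((unsigned char)*b)) b++;
        if (!*a || !*b)
            return (*a != 0) - (*b != 0);           /* longer one is newer */
        unsigned long long na = strtoull(a, &ea, 10);
        unsigned long long nb = strtoull(b, &eb, 10);
        if (na != nb) return na < nb ? -1 : 1;
        a = ea; b = eb;
    }
}

/* 1 if `running` is at or past `fixed_release`, else 0. */
int kernel_is_fixed(const char *running, const char *fixed_release)
{
    return kernel_release_cmp(running, fixed_release) >= 0;
}

/* Read a whole file into a malloc'd, NUL-terminated buffer (NULL on error). */
static char *slurp(const char *path)
{
    FILE *f = fopen(path, "r");
    if (!f) return NULL;
    size_t cap = 1 << 16, len = 0, n;
    char *buf = malloc(cap);
    while (buf && (n = fread(buf + len, 1, cap - len - 1, f)) > 0) {
        len += n;
        if (len + 1 >= cap) {
            char *nb = realloc(buf, cap * 2);
            if (!nb) { free(buf); buf = NULL; break; }
            buf = nb; cap *= 2;
        }
    }
    fclose(f);
    if (buf) buf[len] = '\0';
    return buf;
}

int main(int argc, char **argv)
{
    /* Hypothetical inputs: argv[1] = `uname -r`, defaults to simpfeld's kernel. */
    const char *running = argc > 1 ? argv[1] : "2.6.34.6-54.fc13.x86_64";
    const char *fixed = "2.6.34.7-56.fc13.x86_64";  /* build named in the thread */
    char *live = slurp("/proc/kallsyms");
    const char *ksyms = live ? live : sample_kallsyms;
    printf("public exploit prerequisites present: %s\n",
           public_exploit_prereqs_present(ksyms) ? "yes" : "no");
    printf("running %s is %s the fixed build %s\n", running,
           kernel_is_fixed(running, fixed) ? "at/after" : "before", fixed);
    free(live);
    return 0;
}
```

With the constructed sample and simpfeld's release string, the prerequisite check fails (the exploit would error out exactly as in the transcripts) while the version check still reports the kernel as older than the fixed build, which is the combination Greg Price warns about. On a live box, build with cc -std=c99 and pass `uname -r` as the argument.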

22nd September 2010, 09:56 AM
Registered User
Join Date: Jun 2004
Posts: 82
Re: CVE-2010-3080 / CVE-2010-3081 F13 status?
I should have pointed out that I've upgraded to -56 following a suggestion I got from RH people in bugzilla bug report 634457.
I assumed that people followed the link posted above and that a fix is already out.
As for possible future exploits, privilege escalation attacks are nothing new, and will most likely continue to be an issue till the end of time (as opposed to remote exploits, which are few and far between).
- Gilboa
Last edited by gilboa; 22nd September 2010 at 10:07 AM.