Linux Users - Kernel Exploit released~~! - GoFuckYourself.com

gumdrop · 09-20-2010, 08:46 AM

Quote:

which unfortunately is just about everyone running 64-bit Linux. To make matters worse, in the last day we?ve received many reports of people attacking production systems using an exploit for this vulnerability, so if you run Linux systems, we recommend that you strongly consider patching this vulnerability. (Linux vendors release important security updates every month, but this vulnerability is particularly high profile and people are using it aggressively to exploit systems).

PLEASE STICKY THIS!

http://blog.ksplice.com/2010/09/cve-2010-3081/

Brujah · 09-20-2010, 09:07 AM

It's a very sloppy update too, one of my servers anyway.... /tmp is noexec, and it failed to exec the configs for it as a result.

gumdrop · 09-20-2010, 09:11 AM

Quote:

Originally Posted by Brujah

It's a very sloppy update too, one of my servers anyway.... /tmp is noexec, and it failed to exec the configs for it as a result.

There is no update for CenOS yet as of today.

Zyber · 09-20-2010, 09:19 AM

thanks for sharing this

Barry-xlovecam · 09-20-2010, 09:23 AM

It doesn't even say what kernels are vulnerable ...

Quote:

$.uname -a

I updated the kernel some days ago.

gumdrop · 09-20-2010, 11:49 AM

ALL 64-Bit kernels.

borked · 09-20-2010, 12:42 PM

why "ALL" 64-bit kernels... it states:

Quote:

The flaw identified by CVE-2010-3081 (Red Hat Bugzilla bug 634457) describes an issue in the 32/64-bit compatibility layer implementation in the Linux kernel, versions 2.6.26-rc1 to 2.6.36-rc4.

2.6.18 looks good to me...

ladida · 09-20-2010, 12:44 PM

Rofl. Do you realize how many of these are found each and every day? And how many stay hidden for years? Lol@sticky this

gumdrop · 09-20-2010, 12:50 PM

Quote:

Originally Posted by borked

why "ALL" 64-bit kernels... it states:

2.6.18 looks good to me...

NO!

Quote:

The published workarounds that we?ve seen, including the workaround recommended by Red Hat, can themselves be worked around by an attacker to still exploit the system.

You can use the test tool:
https://www.ksplice.com/uptrack/cve-2010-3081

gumdrop · 09-20-2010, 12:53 PM

Quote:

Originally Posted by ladida

Rofl. Do you realize how many of these are found each and every day? And how many stay hidden for years? Lol@sticky this

Terrible!
LOL@youbeenhackedby this.

roly · 09-20-2010, 01:11 PM

i use yum to update my kernel but there's no updates showing on any of the repositories that i use yet.

borked · 09-20-2010, 01:27 PM

Quote:

Originally Posted by gumdrop

NO!

You can use the test tool:
https://www.ksplice.com/uptrack/cve-2010-3081

I don't understand why you say NO!? The exploit says the .26-.34 kernels are affected, and the test from ksplice is simply a tool to see if the system has been exploited....

Although this doesn't suggest your system hasn't been compromised already, if exploited, a reboot will close the holes. Kind of like closing the stable door after the horse went for a piss, but still.

to me looks like .18 kernels are fine?

borked · 09-20-2010, 01:29 PM

Quote:

Originally Posted by roly

i use yum to update my kernel but there's no updates showing on any of the repositories that i use yet.

It's takes ages for anything to reach yum if it's a simple patch.

Someone released a patch for my kernel -
https://bugzilla.redhat.com/show_bug.cgi?id=634457#c20

when it gets approved, I'll load it on, whether the .18 kernel is vulnerable or not

gumdrop · 09-20-2010, 03:16 PM

If you are using CentOS there has been some progress:

http://bugs.centos.org/view.php?id=4518

gumdrop · 09-20-2010, 03:19 PM

Quote:

Originally Posted by borked

I don't understand why you say NO!? The exploit says the .26-.34 kernels are affected, and the test from ksplice is simply a tool to see if the system has been exploited....

Although this doesn't suggest your system hasn't been compromised already, if exploited, a reboot will close the holes. Kind of like closing the stable door after the horse went for a piss, but still.

to me looks like .18 kernels are fine?

According to the CentOS team it's not:

Quote:

1) public exploit (with backdoor) for gaining root on a CentOS-5 x86_64 machine
2) only x86_64 machine are affected from kernel-2.6.18-164 and onward (CentOS-5.4 too)

http://bugs.centos.org/view.php?id=4518

zagi · 09-20-2010, 04:28 PM

Doesn't look like it affects CentOS that much:

$ ./diagnose-2010-3081
Diagnostic tool for public CVE-2010-3081 exploit -- Ksplice, Inc.
(see http://www.ksplice.com/uptrack/cve-2010-3081)

$$$ Kernel release: 2.6.18-194.11.1.el5xen
$$$ Backdoor in LSM (1/3): not available.
$$$ Backdoor in timer_list_fops (2/3): not available.
$$$ Backdoor in IDT (3/3): checking...not present.

Your system is free from the backdoors that would be left in memory
by the published exploit for CVE-2010-3081.

$ cat /etc/redhat-release
CentOS release 5.5 (Final)

Klen · 09-20-2010, 05:05 PM

Well this exploit can be resolved simply by adding ip restriction to ssh.

signupdamnit · 09-20-2010, 05:57 PM

https://access.redhat.com/kb/docs/DOC-40265

Note that they need to gain access to a local account before it is of any use to an attacker.

Also:

Quote:

As suggested on the Full Disclosure mailing list, it is possible to temporarily mitigate this issue. However, the steps provided below are only meant for the publicly-circulated exploit - they are insufficient for completely mitigating this vulnerability. As such, we strongly encourage you to install the updated kernel packages for Red Hat Enterprise Linux 5 when they become available soon.

mrsmut · 09-20-2010, 09:25 PM

I've seen today a server with Centos being hacked this way through an old install of oscommerce

as usual, the atacker uploaded a phpshell and downloaded the exploit to gain root, after that defaced all sites on server

Server was running Centos 5 64bit with kernel 2.6.18-194.8.1
attacker overwrote every index* file, when atacker was discovered, tried to rm -rf * whole drive, luckily we caught it on time.

Centos 5 IS vulnerable now

borked · 09-21-2010, 11:57 PM

Quote:

Originally Posted by roly

i use yum to update my kernel but there's no updates showing on any of the repositories that i use yet.

it's now in the repository...

Code:

 kernel	x86_64	2.6.18-194.11.4.el5	updates	19 M
 kernel-devel	x86_64	2.6.18-194.11.4.el5	updates	5.4 M

2.6.18-194.11.4 closes this flaw
http://lwn.net/Articles/406414/

roly · 09-22-2010, 01:09 AM

Quote:

Originally Posted by borked

it's now in the repository...

Code:

 kernel	x86_64	2.6.18-194.11.4.el5	updates	19 M
 kernel-devel	x86_64	2.6.18-194.11.4.el5	updates	5.4 M

2.6.18-194.11.4 closes this flaw
http://lwn.net/Articles/406414/

yes all updated thanks

borked · 09-22-2010, 02:15 AM

Don't forget to reboot after kernel update....

roly · 09-22-2010, 06:22 AM

Quote:

Originally Posted by borked

Don't forget to reboot after kernel update....

that's what i don't understand when people show uptime on their servers of 1 year or something, i seem to be updating my kernel every 4-6 weeks or so.

09-20-2010, 09:07 AM	#2
Brujah Beer Money Baron Industry Role: Join Date: Jan 2001 Location: brujah / gmail Posts: 22,157	It's a very sloppy update too, one of my servers anyway.... /tmp is noexec, and it failed to exec the configs for it as a result. __________________ Free Premium Domain Lists and Tools at Clickmojo.com For Sale: Obscenity.com

09-20-2010, 11:49 AM	#6
gumdrop Confirmed User Join Date: Feb 2005 Posts: 482	ALL 64-Bit kernels. __________________ I am NOT Godaddy! Most excellent Domains & Cheap Hosting “Buy an iPad, kill a Chinaman” - Brendan O’Neill

09-20-2010, 12:44 PM	#8
ladida Confirmed User Join Date: Nov 2005 Posts: 2,167	Rofl. Do you realize how many of these are found each and every day? And how many stay hidden for years? Lol@sticky this __________________ agentGFY at gmail.com

09-20-2010, 03:16 PM	#14
gumdrop Confirmed User Join Date: Feb 2005 Posts: 482	If you are using CentOS there has been some progress: http://bugs.centos.org/view.php?id=4518 __________________ I am NOT Godaddy! Most excellent Domains & Cheap Hosting “Buy an iPad, kill a Chinaman” - Brendan O’Neill

09-20-2010, 04:28 PM	#16
zagi Confirmed User Join Date: Jan 2004 Posts: 1,238	Doesn't look like it affects CentOS that much: $ ./diagnose-2010-3081 Diagnostic tool for public CVE-2010-3081 exploit -- Ksplice, Inc. (see http://www.ksplice.com/uptrack/cve-2010-3081) $$$ Kernel release: 2.6.18-194.11.1.el5xen $$$ Backdoor in LSM (1/3): not available. $$$ Backdoor in timer_list_fops (2/3): not available. $$$ Backdoor in IDT (3/3): checking...not present. Your system is free from the backdoors that would be left in memory by the published exploit for CVE-2010-3081. $ cat /etc/redhat-release CentOS release 5.5 (Final) __________________ Managed US/NL Hosting [ [Reality Check Network ] Dell XEON Servers + 1/2/3 TB Packages ICQ: 4-930-562

09-20-2010, 09:19 AM	#4
Zyber Confirmed User Industry Role: Join Date: Aug 2001 Posts: 832	thanks for sharing this

09-20-2010, 01:11 PM	#11
roly Confirmed User Join Date: Aug 2002 Posts: 1,844	i use yum to update my kernel but there's no updates showing on any of the repositories that i use yet.

09-20-2010, 05:05 PM	#17
Klen Industry Role: Join Date: Aug 2006 Location: Little Vienna Posts: 32,235	Well this exploit can be resolved simply by adding ip restriction to ssh.

09-20-2010, 09:25 PM	#19
mrsmut Confirmed User Join Date: Apr 2003 Posts: 121	I've seen today a server with Centos being hacked this way through an old install of oscommerce as usual, the atacker uploaded a phpshell and downloaded the exploit to gain root, after that defaced all sites on server Server was running Centos 5 64bit with kernel 2.6.18-194.8.1 attacker overwrote every index* file, when atacker was discovered, tried to rm -rf * whole drive, luckily we caught it on time. Centos 5 IS vulnerable now

09-22-2010, 02:15 AM	#22
borked Totally Borked Industry Role: Join Date: Feb 2005 Posts: 6,284	Don't forget to reboot after kernel update.... __________________ For coding work - hit me up on andy // borkedcoder // com (consider figuring out the email as test #1) All models are wrong, but some are useful. George E.P. Box. p202