I just heard about this exploit, and it really sounds scary, but my kernel is immune to it because I disabled 32-bit emulation almost a year ago.
Here is a good post about it, with exploit code in the post[1]. You can download a test tool[1] from Ksplice. The output I got from those:
% ./diagnose-2010-3081
Diagnostic tool for public CVE-2010-3081 exploit -- Ksplice, Inc.
(see http://www.ksplice.com/uptrack/cve-2010-3081)
$$$ Kernel release: 2.6.34-gentoo-r6-1
!!! Error in setting cred shellcodes
% ./robert_you_suck
symbol table not available, aborting!
Process finished
If you don't know how to patch, a quick workaround is to run:
echo ':32bits:M:0:\x7fELF\x01::/bin/echo:' > /proc/sys/fs/binfmt_misc/register
Note: Gentoo's gentoo-sources already fixed that 3 days ago.
The best way is to disable 32-bit emulation in the kernel permanently: the less you have, the less exposed surface you get. There are still many proprietary programs that don't have a 64-bit build, but I have managed to live without them.
Updated on 2010-09-21: Ksplice updated[1] the tool because the error message was unclear; now I get:
% ./diagnose-2010-3081
Diagnostic tool for public CVE-2010-3081 exploit -- Ksplice, Inc.
(see http://www.ksplice.com/uptrack/cve-2010-3081)
$$$ Kernel release: 2.6.34-gentoo-r6-1
!!! Could not find symbol: prepare_creds
A symbol required by the published exploit for CVE-2010-3081 is not
provided by your kernel. The exploit would not work on your system.
[1] http://www.h-online.com/open/news/item/Hole-in-Linux-kernel-provides-root-rights-1081317.html, http://blog.ksplice.com/2010/09/cve-2010-3081/, and https://www.ksplice.com/uptrack/cve-2010-3081 are gone
Sadly, disabling 32-bit emulation as above doesn't cut it. It only prevents the kernel from starting 32-bit binaries, it doesn't stop it from emulating it in ptrace() calls. Note e.g. that the "robert_you_suck" binary is a 64-bit binary.
The workaround above is to disable 32-bit ELF, not 32-bit emulation; by the latter I meant compiling the kernel without 32-bit emulation (IA32). But I might still be mistaken. However, you make a point: that workaround is really a workaround.
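An added example (my own code, not from the post or from Ksplice) that models the binfmt_misc workaround given in the post and the caveat raised in the first comment. It parses the register string the way binfmt_misc does (name, type, offset, magic, mask, interpreter), applies the kernel's offset/magic/mask comparison, and reads the ELF class byte of each candidate binary. The two ELF headers and the shell script are constructed sample input, and the helper names are my own; only the register string itself comes from the post.

```python
# Added example: model which binaries the binfmt_misc entry
# ':32bits:M:0:\x7fELF\x01::/bin/echo:' diverts to /bin/echo.
# The kernel rule for type 'M' entries: the file matches when
# (file[offset:offset+len(magic)] & mask) == magic, where an empty
# mask means "compare every bit". Helper names and sample data below
# are assumptions made for this example, not kernel or Ksplice code.

ELFMAG = b"\x7fELF"
ELFCLASS32, ELFCLASS64 = 1, 2

# The register string from the post, kept as a raw string so the
# backslash escapes reach the parser exactly as the shell passed them.
WORKAROUND = r":32bits:M:0:\x7fELF\x01::/bin/echo:"


def _unescape(field: str) -> bytes:
    """Decode the \\xHH escapes that binfmt_misc accepts in magic/mask fields."""
    out = bytearray()
    i = 0
    while i < len(field):
        if field[i] == "\\" and field[i + 1:i + 2] == "x" and i + 4 <= len(field):
            out.append(int(field[i + 2:i + 4], 16))
            i += 4
        else:
            out.append(ord(field[i]))
            i += 1
    return bytes(out)


def parse_binfmt_register(line: str) -> dict:
    """Parse ':name:M:offset:magic:mask:interpreter:flags:' (first char is the delimiter)."""
    delim = line[0]
    fields = line.rstrip("\n").split(delim)   # fields[0] is '' before the leading delimiter
    name, kind, offset, magic, mask, interpreter = fields[1:7]
    if kind != "M":
        raise ValueError("only magic-based (M) entries are modelled here")
    magic_b = _unescape(magic)
    mask_b = _unescape(mask) if mask else b"\xff" * len(magic_b)
    return {"name": name, "offset": int(offset or 0), "magic": magic_b,
            "mask": mask_b, "interpreter": interpreter}


def binfmt_matches(entry: dict, data: bytes) -> bool:
    """Apply the kernel's (offset, magic, mask) test to the start of a file."""
    off, magic, mask = entry["offset"], entry["magic"], entry["mask"]
    window = data[off:off + len(magic)]
    if len(window) < len(magic):
        return False
    return all((w & m) == g for w, m, g in zip(window, mask, magic))


def elf_class(data: bytes) -> int:
    """Return EI_CLASS (1 = 32-bit, 2 = 64-bit) of an ELF image, or 0 if not ELF."""
    if len(data) < 5 or data[:4] != ELFMAG:
        return 0
    return data[4]


def classify(data: bytes, register_line: str = WORKAROUND) -> dict:
    """Report the ELF class and whether the binfmt_misc entry would divert the file."""
    entry = parse_binfmt_register(register_line)
    return {"elf_class": elf_class(data), "diverted": binfmt_matches(entry, data)}


# Constructed 16-byte e_ident blocks: ELF magic, class, data=LSB, version=1, padding.
ELF32_HEADER = ELFMAG + bytes([ELFCLASS32, 1, 1]) + bytes(9)
ELF64_HEADER = ELFMAG + bytes([ELFCLASS64, 1, 1]) + bytes(9)
SHELL_SCRIPT = b"#!/bin/sh\necho hi\n"


if __name__ == "__main__":
    for label, sample in (("32-bit ELF", ELF32_HEADER),
                          ("64-bit ELF", ELF64_HEADER),
                          ("shell script", SHELL_SCRIPT)):
        print(f"{label:13s} -> {classify(sample)}")
```

Only the 32-bit header is diverted: the magic `\x7fELF\x01` matches the ELFCLASS32 byte, so a 64-bit binary such as the one in the post passes straight through to the normal ELF loader. That is the commenter's point: the entry changes what the kernel does with 32-bit ELF files at exec time, but it does not remove the compat code from a kernel that was built with IA32 emulation, which is why the post's preferred fix is to build without it.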