Issue
- The flaw identified by CVE-2010-3081 (Red Hat Bugzilla bug 634457) is an issue in the 32/64-bit compatibility layer of the Linux kernel, versions 2.6.26-rc1 to 2.6.36-rc4. The compat_alloc_user_space() function lacks a sanity check on its length argument and does not verify that the resulting pointer to the block of user-space memory the process is attempting to write to is valid. This flaw was addressed via the upstream git commit c41d68a5 for the 2.6 Linux kernel.
- This function could be abused in other areas of the Linux kernel if the length argument can be controlled from user-space. A known example of this is the compat_mc_getsockopt() function for MCAST_MSFILTER that was introduced in upstream git commit 42908c69 (v2.6.26-rc1).
- A local, unprivileged user could use this flaw to escalate their privileges.
Red Hat Enterprise Linux 5
- This issue affects the 64-bit versions of the Linux kernel as shipped with Red Hat Enterprise Linux 5, as they include a backport of the upstream git commit 42908c69, which introduced the compat_mc_getsockopt() function that a local, unprivileged user can use to abuse the compat_alloc_user_space() call to escalate their privileges.
- A public exploit affecting Red Hat Enterprise Linux 5 was released for this issue to the Full Disclosure mailing list: http://www.seclists.org/fulldisclosure/2010/Sep/268
Red Hat Enterprise Linux 4 and Red Hat Enterprise MRG
- The Red Hat Enterprise Linux 4 and Red Hat Enterprise MRG kernels do not include a backport of the upstream git commit 42908c69; therefore, those kernels do not include compat_mc_getsockopt(). We plan to backport the missing compat_alloc_user_space() sanity checks in future Red Hat Enterprise Linux 4 and Red Hat Enterprise MRG updates.
- Note: Red Hat Enterprise Linux 4 and Red Hat Enterprise MRG are not affected by the publicly-circulated exploit.
Red Hat Enterprise Linux 3
- Red Hat Enterprise Linux 3 is missing the length argument sanity check, but the code that uses compat_alloc_user_space() and its equivalents does not have a user-controllable length; therefore, Red Hat Enterprise Linux 3 is not affected by this issue.
Mitigation
- As suggested on the Full Disclosure mailing list, it is possible to temporarily mitigate this issue. However, the steps provided below only address the publicly-circulated exploit; they do not completely mitigate this vulnerability. As such, we strongly encourage you to install the updated kernel packages for Red Hat Enterprise Linux 5.
- As it is possible for the exploit to leave a backdoor in memory, you may wish to perform a system reboot before following the instructions below, or perform your standard incident handling procedures.
- Run the following echo command as the root user to apply the mitigation. Note that this step is not persistent, and will prevent 32-bit applications from running:

```shell
# echo ':32bits:M::\x7fELF\x01::/bin/echo:' > /proc/sys/fs/binfmt_misc/register
```

- To make this change persistent, append the above line (without the "#" character) to /etc/rc.local. The echo command above creates the following /proc/sys/fs/binfmt_misc/32bits file:

```
# cat /proc/sys/fs/binfmt_misc/32bits
enabled
interpreter /bin/echo
flags:
offset 0
magic 7f454c4601
```
- This mitigation registers a new binary type that matches the '\x7fELF\x01' magic, and invokes /bin/echo each time a 32-bit binary is executed. The magic string '\x7fELF\x01' consists of two parts: the ELF magic number (first 4 bytes) and the ELF class (last byte). A class byte of '\x01' marks a 32-bit object; '\x02' would mark a 64-bit object, which is why 64-bit binaries are left untouched.
- If you need to remove the mitigation, run the following command as the root user to restore the default behavior (and remove the above changes to /etc/rc.local if made):

```shell
# echo -1 > /proc/sys/fs/binfmt_misc/32bits
```
- For more information, refer to http://www.kernel.org/doc/Documentation/binfmt_misc.txt.
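The following script is an added example, not part of the Red Hat article: it parses a binfmt_misc status entry of the form shown above and reports whether the registered magic is exactly the 32-bit ELF header the mitigation keys on, so an administrator can verify the workaround is active (or confirm it has been removed once the RHSA kernel is installed). It also classifies a raw ELF header by the same magic/class bytes. The file path and the sample entry text are assumptions constructed for the example.

```python
"""Check the CVE-2010-3081 binfmt_misc workaround (added example)."""
from __future__ import annotations
import os

ELF_MAGIC = b"\x7fELF"          # first 4 bytes of every ELF image
ELFCLASS32, ELFCLASS64 = 1, 2   # EI_CLASS byte at offset 4


def elf_class(header: bytes) -> int | None:
    """Return 1 for ELF32, 2 for ELF64, None if not an ELF image."""
    if len(header) < 5 or header[:4] != ELF_MAGIC:
        return None
    return header[4]


def parse_binfmt_entry(text: str) -> dict:
    """Parse the text of a /proc/sys/fs/binfmt_misc/<name> entry."""
    entry = {"enabled": False, "interpreter": None, "flags": "",
             "offset": 0, "magic": b""}
    for line in text.splitlines():
        line = line.strip()
        if line in ("enabled", "disabled"):
            entry["enabled"] = line == "enabled"
        elif line.startswith("interpreter "):
            entry["interpreter"] = line.split(None, 1)[1]
        elif line.startswith("flags:"):
            entry["flags"] = line[len("flags:"):].strip()
        elif line.startswith("offset "):
            entry["offset"] = int(line.split()[1])
        elif line.startswith("magic "):
            entry["magic"] = bytes.fromhex(line.split()[1])
    return entry  # unknown lines (e.g. a mask) are ignored


def mitigation_active(entry: dict) -> bool:
    """True only if every 32-bit ELF would be diverted to the interpreter."""
    return (entry["enabled"] and entry["offset"] == 0
            and entry["magic"] == ELF_MAGIC + bytes([ELFCLASS32]))


def check_system(path: str = "/proc/sys/fs/binfmt_misc/32bits") -> bool:
    """Read the live entry; a missing file means the workaround is not registered."""
    if not os.path.exists(path):
        return False
    with open(path) as fh:
        return mitigation_active(parse_binfmt_entry(fh.read()))


# Constructed sample: the entry the article's echo command produces.
SAMPLE_ENTRY = "enabled\ninterpreter /bin/echo\nflags:\noffset 0\nmagic 7f454c4601\n"
```

Running `check_system()` on a host where the echo command was applied returns True; after `echo -1 > /proc/sys/fs/binfmt_misc/32bits` the file disappears and it returns False.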
Solution
- This issue has been fixed in Red Hat Enterprise Linux 5 and Red Hat Enterprise Linux 5.4 Extended Update Support via the Red Hat Security Advisories RHSA-2010:0704 and RHSA-2010:0705 respectively. Future updates will address this issue for Red Hat Enterprise Linux 4 and Red Hat Enterprise MRG.
Further Assistance
- If you require assistance with mitigating this issue, or would like to request a hotfix, please contact Red Hat Support: https://access.redhat.com/support/contact/technicalSupport.html.
Revision History
- 2010-09-17: Article updated with mitigation based on the information provided on the Full Disclosure mailing list.
- 2010-09-20: Article updated to reflect that the provided mitigation steps are only meant for the publicly-circulated exploit, and do not provide complete mitigation of this issue.
- 2010-09-21: Article updated to reflect the release of the Red Hat Security Advisories RHSA-2010:0704 and RHSA-2010:0705, which fix the CVE-2010-3081 flaw for Red Hat Enterprise Linux 5 and Red Hat Enterprise Linux 5.4 Extended Update Support. The article was also updated to clarify that the publicly-circulated exploit does not affect Red Hat Enterprise Linux 4 and Red Hat Enterprise MRG.