Bug 634449 (CVE-2010-3301)
| Summary: | CVE-2010-3301 kernel: IA32 System Call Entry Point Vulnerability | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Eugene Teo (Security Response) <eteo> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | CC: | accessdlab, arozansk, awilliam, bhu, bmourelo, davej, degts, fche, fhrbata, jkacur, kmcmartin, lgoncalv, lwang, pmatouse, rcvalle, rh, tcallawa, williams |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2012-03-28 08:47:51 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 634450, 634451, 634452 | ||
| Bug Blocks: | |||
|
Description
Eugene Teo (Security Response)
2010-09-16 04:51:43 UTC
Statement: This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, 5, and Red Hat Enterprise MRG, as they do not contain the upstream commit d4d67150 that introduced this flaw. More information can be found in this kbase: https://access.redhat.com/kb/docs/DOC-40330 Public exploit: http://sota.gen.nz/compat2/robert_you_suck.c There is exploit: http://seclists.org/fulldisclosure/2010/Sep/268 work on Red Hat CentOS 5.5 example (same kernel as RHEL 5.5): 2.6.18-194.3.1.el5 #1 SMP Thu May 13 13:08:30 EDT 2010 x86_64 x86_64 x86_64 GNU/Linux [hacky@ks310439 ~]$ id uid=518(hacky) gid=518(hacky) groups=518(hacky) [hacky@ks310439 ~]$ ./a.out Ac1dB1tCh3z VS Linux kernel 2.6 kernel 0d4y $$$ Kallsyms +r $$$ K3rn3l r3l3as3: 2.6.18-194.3.1.el5 ??? Trying the F0PPPPPPPPPPPPPPPPpppppppppp_____ m3th34d $$$ L00k1ng f0r kn0wn t4rg3tz.. $$$ c0mput3r 1z aqu1r1ng n3w t4rg3t... $$$ selinux_ops->ffffffff80327ac0 $$$ dummy_security_ops->ffffffff804b9540 $$$ capability_ops->ffffffff80329380 $$$ selinux_enforcing->ffffffff804bc2a0 $$$ audit_enabled->ffffffff804a7124 $$$ Bu1ld1ng r1ngzer0c00l sh3llc0d3 - F0PZzzZzZZ/LSD(M) m3th34d $$$ Prepare: m0rn1ng w0rk0ut b1tch3z $$$ Us1ng st4nd4rd s3ash3llz $$$ 0p3n1ng th3 m4giq p0rt4l $$$ bl1ng bl1ng n1gg4 :PppPpPPpPPPpP sh-3.2# id uid=0(root) gid=518(hacky) groups=518(hacky) (In reply to comment #6) > CentOS 5.5 example (same kernel as RHEL 5.5): > > 2.6.18-194.3.1.el5 #1 SMP Thu May 13 13:08:30 EDT 2010 x86_64 x86_64 x86_64 > GNU/Linux > [hacky@ks310439 ~]$ id > uid=518(hacky) gid=518(hacky) groups=518(hacky) > [hacky@ks310439 ~]$ ./a.out > Ac1dB1tCh3z VS Linux kernel 2.6 kernel 0d4y Err, but you pasted them to the wrong bug. Please see CVE-2010-3081 instead. Thanks. Fixed in 2.6.27.54, 2.6.32.22 and 2.6.35.5 Beta's now out, so moving from Beta nice-to-have list to Final nice-to-have list. -- Fedora Bugzappers volunteer triage team https://fedoraproject.org/wiki/BugZappers This was already fixed in F14: https://admin.fedoraproject.org/updates/kernel-2.6.35.4-28.fc14 This issue has been addressed in following products: Red Hat Enterprise Linux 6 Via RHSA-2010:0842 https://rhn.redhat.com/errata/RHSA-2010-0842.html This issue has been addressed in following products: Red Hat Enterprise Linux 6 Via RHSA-2010:0842 https://rhn.redhat.com/errata/RHSA-2010-0842.html |