Bug 634449 (CVE-2010-3301) - CVE-2010-3301 kernel: IA32 System Call Entry Point Vulnerability
Summary: CVE-2010-3301 kernel: IA32 System Call Entry Point Vulnerability
Status: CLOSED ERRATA
Alias: CVE-2010-3301
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: public=20100915,reported=20100916,sou...
Keywords: Security
Depends On: 634450 634451 634452
Blocks:
Reported: 2010-09-16 04:51 UTC by Eugene Teo (Security Response)
Modified: 2019-06-08 13:06 UTC (History)
CC: 18 users
Clone Of:
Last Closed: 2012-03-28 08:47:51 UTC



External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2010:0842 normal SHIPPED_LIVE Important: kernel security and bug fix update 2010-11-22 19:34:20 UTC

Description Eugene Teo (Security Response) 2010-09-16 04:51:43 UTC
Description of problem:
CVE-2007-4573 regression

Reintroduced in v2.6.27-rc1 via commit d4d67150.

Upstream commits:
http://git.kernel.org/linus/36d001c70d8a0144ac1d038f6876c484849a74de
http://git.kernel.org/linus/eefdca043e8391dcd719711716492063030b55ac

References:
http://sota.gen.nz/compat2/

Acknowledgements:

Red Hat would like to thank Ben Hawkes for reporting this issue.

Comment 2 Eugene Teo (Security Response) 2010-09-16 04:56:21 UTC
Statement:

This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, 5, and Red Hat Enterprise MRG, as they do not contain the upstream commit d4d67150 that introduced this flaw.

More information can be found in this kbase: https://access.redhat.com/kb/docs/DOC-40330

Comment 3 Eugene Teo (Security Response) 2010-09-16 04:59:06 UTC
Public exploit: http://sota.gen.nz/compat2/robert_you_suck.c

Comment 5 AccessD 2010-09-17 10:31:32 UTC
There is an exploit:
http://seclists.org/fulldisclosure/2010/Sep/268
It works on Red Hat.

Comment 6 AccessD 2010-09-17 10:47:32 UTC
CentOS 5.5 example (same kernel as RHEL 5.5):

2.6.18-194.3.1.el5 #1 SMP Thu May 13 13:08:30 EDT 2010 x86_64 x86_64 x86_64 GNU/Linux
[hacky@ks310439 ~]$ id
uid=518(hacky) gid=518(hacky) groups=518(hacky)
[hacky@ks310439 ~]$ ./a.out
Ac1dB1tCh3z VS Linux kernel 2.6 kernel 0d4y
$$$ Kallsyms +r
$$$ K3rn3l r3l3as3: 2.6.18-194.3.1.el5
??? Trying the F0PPPPPPPPPPPPPPPPpppppppppp_____ m3th34d
$$$ L00k1ng f0r kn0wn t4rg3tz..
$$$ c0mput3r 1z aqu1r1ng n3w t4rg3t...
$$$ selinux_ops->ffffffff80327ac0
$$$ dummy_security_ops->ffffffff804b9540
$$$ capability_ops->ffffffff80329380
$$$ selinux_enforcing->ffffffff804bc2a0
$$$ audit_enabled->ffffffff804a7124
$$$ Bu1ld1ng r1ngzer0c00l sh3llc0d3 - F0PZzzZzZZ/LSD(M) m3th34d
$$$ Prepare: m0rn1ng w0rk0ut b1tch3z
$$$ Us1ng st4nd4rd s3ash3llz
$$$ 0p3n1ng th3 m4giq p0rt4l
$$$ bl1ng bl1ng n1gg4 :PppPpPPpPPPpP
sh-3.2# id
uid=0(root) gid=518(hacky) groups=518(hacky)

Comment 7 Eugene Teo (Security Response) 2010-09-17 11:56:47 UTC
(In reply to comment #6)
> CentOS 5.5 example (same kernel as RHEL 5.5):
> 
> 2.6.18-194.3.1.el5 #1 SMP Thu May 13 13:08:30 EDT 2010 x86_64 x86_64 x86_64 GNU/Linux
> [hacky@ks310439 ~]$ id
> uid=518(hacky) gid=518(hacky) groups=518(hacky)
> [hacky@ks310439 ~]$ ./a.out
> Ac1dB1tCh3z VS Linux kernel 2.6 kernel 0d4y

Err, but you pasted them to the wrong bug. Please see CVE-2010-3081 instead.

Thanks.

Comment 8 Eugene Teo (Security Response) 2010-09-20 08:57:58 UTC
Kbase: https://access.redhat.com/kb/docs/DOC-40330

Comment 9 Chuck Ebbert 2010-09-21 03:35:10 UTC
Fixed in 2.6.27.54, 2.6.32.22 and 2.6.35.5

Comment 10 Adam Williamson 2010-09-28 01:43:45 UTC
Beta's now out, so moving from Beta nice-to-have list to Final nice-to-have list.
-- 
Fedora Bugzappers volunteer triage team
https://fedoraproject.org/wiki/BugZappers

Comment 11 Chuck Ebbert 2010-09-30 21:10:21 UTC
This was already fixed in F14:
  https://admin.fedoraproject.org/updates/kernel-2.6.35.4-28.fc14
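
Comment 9 gives the stable-branch versions that carry the fix, and comment 11 shows why a bare version comparison is not enough: Fedora 14 was fixed in kernel-2.6.35.4-28.fc14, a version string below 2.6.35.5, because the patch was backported. The following checker is an added example and is not part of this bug or of any Red Hat or Fedora tooling. It assumes a `uname -r` style release string, treats the versions from comment 9 as the upstream fix thresholds, treats anything before v2.6.27 (where the bug description says the flaw was reintroduced) as not affected by this regression, and refuses to judge distribution kernels (`.el`, `.fc` and similar tags are assumed vendor markers), which must be assessed against the vendor erratum such as RHSA-2010:0842 instead.

```python
import re

# Minimum stable-branch release containing the fix, from comment 9 on this bug.
FIXED_STABLE = {
    (2, 6, 27): 54,
    (2, 6, 32): 22,
    (2, 6, 35): 5,
}

# Flaw reintroduced in v2.6.27-rc1 (commit d4d67150, per the bug description).
INTRODUCED_IN = (2, 6, 27)

# Assumed markers of vendor-built kernels whose version string hides backports.
VENDOR_MARKERS = (".el", ".fc", "-generic", "ubuntu", "debian")

_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?(.*)$")


def parse_release(release):
    """Split a `uname -r` string into (major, minor, patch, stable, tag).

    `stable` is the fourth component (0 when absent, e.g. for 2.6.27-rc1);
    `tag` is whatever follows (rc suffix, vendor build id, arch).
    """
    m = _RELEASE_RE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    stable = int(m.group(4)) if m.group(4) else 0
    return major, minor, patch, stable, m.group(5)


def assess(release):
    """Classify a release string against CVE-2010-3301.

    Returns one of:
      'not-affected' - predates the commit that reintroduced the flaw
      'fixed'        - upstream stable branch at or above the fixed release
      'vulnerable'   - upstream stable branch below the fixed release
      'unknown'      - vendor kernel (backports invisible) or a branch
                       for which this bug records no fixed release
    """
    major, minor, patch, stable, tag = parse_release(release)
    base = (major, minor, patch)

    # Kernels before v2.6.27 never contained commit d4d67150 (comment 2
    # makes the same point for RHEL 3, 4 and 5).
    if base < INTRODUCED_IN:
        return "not-affected"

    # A vendor build id means the patch level in the string is meaningless
    # for this purpose: kernel-2.6.35.4-28.fc14 is fixed despite 4 < 5.
    if any(marker in tag for marker in VENDOR_MARKERS):
        return "unknown"

    threshold = FIXED_STABLE.get(base)
    if threshold is None:
        return "unknown"
    return "fixed" if stable >= threshold else "vulnerable"


if __name__ == "__main__":
    # Constructed sample inputs, including the strings that appear on this bug.
    for sample in ("2.6.32.21", "2.6.32.22", "2.6.27-rc1", "2.6.35.4-28.fc14",
                   "2.6.18-194.3.1.el5", "2.6.32-71.el6.x86_64", "2.6.33.7"):
        print(f"{sample:24s} {assess(sample)}")
```

Run it on the output of `uname -r`; an `unknown` result is the expected answer for any RHEL or Fedora kernel and means "consult the erratum", not "safe".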

Comment 13 errata-xmlrpc 2010-11-10 19:07:46 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2010:0842 https://rhn.redhat.com/errata/RHSA-2010-0842.html

Comment 14 errata-xmlrpc 2010-11-22 19:34:32 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2010:0842 https://rhn.redhat.com/errata/RHSA-2010-0842.html
