VMWare ESX Kernel Exploit Patch

An exploit called ABftw.c was posted to the Full Disclosure list on September 15, 2010, under the title "Ac1dB1tch3z Vs Linux Kernel x86_64 0day". The exploit's own comments claim:

This exploit has been tested very thoroughly over the course of the past few years on many many targets.

Thanks to redhat for being nice enough to backport it into early kernel versions (anything from later August 2008+

That backport comment most likely refers to Red Hat having backported the affected compat-layer code (the compat_mc_getsockopt() path) into its 2.6.18-based RHEL 5 kernels, which is why a kernel that old is exploitable. It is easy to confuse this with another bug fixed in the same kernel update: the CVE-2007-4573 regression (September 24, 2007) is the ancestor of CVE-2010-3301, the %eax zero-extension bug in the 32-bit syscall entry path, which is a separate vulnerability. The cause of CVE-2010-3081 itself is a missing bounds check in compat_alloc_user_space().

MITRE's description of the problem (CVE-2010-3081, dated August 20, 2010) says that compat_alloc_user_space() in the include/asm/compat.h files of the Linux kernel before 2.6.36-rc4-git2, on 64-bit platforms, lacked a sanity check on the address it hands out. The function carves scratch space for the 32/64-bit compatibility layer out of the calling task's user stack by subtracting a length from the user stack pointer; with no access_ok() check on the result, a large length makes the pointer wrap past the end of user space, so a local, unprivileged user calling a 32-bit system call such as compat_mc_getsockopt() with a crafted length can get kernel memory overwritten with data they control, and from there elevate their privileges.

A couple of months have passed while the various Linux distributions shipped patches, and now VMware has announced its patch as well.

This patch updates the Service Console kernel to fix a stack pointer underflow issue in the 32-bit compatibility layer.
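To make the arithmetic behind that "stack pointer underflow" concrete, here is an added example written for this post; it is not code from the kernel and not VMware's patch. It models compat_alloc_user_space() as a pure function of a 32-bit task's user stack pointer and the requested length, assuming the x86_64 layout in which user addresses end at TASK_SIZE_MAX = 0x00007ffffffff000. The vulnerable shape subtracts the length unchecked, so a length larger than the stack pointer wraps the pointer into the kernel half of the address space; the hardened shape applies an access_ok()-style range check, as the upstream fix did, and refuses the allocation. The _vuln/_fixed function names and the sample stack pointer are illustrative, not kernel identifiers.

```c
/*
 * Added example: a user-space model of the CVE-2010-3081 bug class.
 * Not kernel code and not VMware's patch; the _vuln/_fixed suffixes
 * and the sample values are illustrative.
 * Assumption: x86_64 layout, where user addresses end at TASK_SIZE_MAX.
 */
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define TASK_SIZE_MAX 0x00007ffffffff000ULL /* first non-user address on x86_64 */

typedef uint64_t uaddr_t; /* a user-space pointer, modelled as an integer */

/* Is this address outside user space, i.e. in the kernel half? */
static bool in_kernel_space(uaddr_t addr)
{
    return addr >= TASK_SIZE_MAX;
}

/*
 * Vulnerable shape: carve len bytes of scratch space below the 32-bit
 * task's stack pointer and hand the result back with no validation.
 * sp - len is unsigned arithmetic, so len > sp wraps to a huge value:
 * that is the "stack pointer underflow" in VMware's wording.
 */
static uaddr_t compat_alloc_user_space_vuln(uaddr_t sp, uint64_t len)
{
    return sp - len;
}

/*
 * access_ok() model: the range [addr, addr + size) is acceptable user
 * memory only if it does not wrap and ends at or below TASK_SIZE_MAX.
 */
static bool access_ok_model(uaddr_t addr, uint64_t size)
{
    if (addr + size < addr) /* wrapped around 2^64 */
        return false;
    return addr + size <= TASK_SIZE_MAX;
}

/*
 * Hardened shape: same arithmetic, but the range is checked before the
 * pointer is returned. Returns false (and leaves *out untouched) on
 * failure, which a caller must treat as -EFAULT, not as a usable buffer.
 */
static bool compat_alloc_user_space_fixed(uaddr_t sp, uint64_t len, uaddr_t *out)
{
    uaddr_t p = sp - len;

    if (!access_ok_model(p, len))
        return false;
    *out = p;
    return true;
}

int main(void)
{
    /* Constructed sample: a 32-bit task's stack just below 4 GiB. */
    const uaddr_t sp = 0xffffd000ULL;
    /* A normal request, then one larger than the stack pointer itself. */
    const uint64_t lens[] = { 0x1000ULL, 0x100000000ULL };

    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        uaddr_t v = compat_alloc_user_space_vuln(sp, lens[i]);
        uaddr_t f = 0;
        bool ok = compat_alloc_user_space_fixed(sp, lens[i], &f);

        printf("len=0x%" PRIx64 ": unchecked -> 0x%016" PRIx64 " (%s), checked -> %s\n",
               lens[i], v, in_kernel_space(v) ? "kernel space" : "user space",
               ok ? "allowed" : "refused");
    }
    return 0;
}
```

The second request shows the whole bug: 0xffffd000 minus 4 GiB cannot be represented, so the unchecked version returns 0xffffffffffffd000, a kernel address, and anything the compat layer then copies into that "user buffer" lands in kernel memory. The checked version catches it because the range wraps.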

They appear to rate it as less critical than the other vendors did, most likely because exploitation requires an unprivileged local shell on the Service Console, and on ESX Server 4.x that console is meant to be reachable only by administrators, so local users there have far less exposure than on a general-purpose Linux host.

Ksplice offers a tool to detect “the CVE-2010-3081 high-profile exploit”.

Here is sample output for a system that has not been compromised:

$ wget -N https://www.ksplice.com/support/diagnose-2010-3081
$ chmod +x diagnose-2010-3081
$ ./diagnose-2010-3081
Diagnostic tool for public CVE-2010-3081 exploit — Ksplice, Inc.
(see http://www.ksplice.com/uptrack/cve-2010-3081)

$$$ Kernel release: 2.6.18-194.11.3.el5
$$$ Backdoor in LSM (1/3): checking…not present.
$$$ Backdoor in timer_list_fops (2/3): not available.
$$$ Backdoor in IDT (3/3): checking…not present.

Your system is free from the backdoors that would be left in memory
by the published exploit for CVE-2010-3081.
$
