Threat Level: green Handler on Duty: Brad Duncan

SANS ISC InfoSec Handlers Diary Blog

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

CVE-2010-3081 kernel: 64-bit Compatibility Mode Stack Pointer Underflow

Published: 2010-09-19
Last Updated: 2010-09-19 23:25:31 UTC
by Manuel Humberto Santander Pelaez (Version: 1)
4 comment(s)

The Full Disclosure list sponsored by published an exploit regarding the CVE-2010-3081 vulnerability. It is triggered because of a stack pointer underflow regarding the function compat_alloc_user_space() inside arch/x86/include/asm/compat.h. This exploit is in the wild and it is highly recommended to implement the patch located at;a=commit;h=c41d68a513c71e35a14f66d71782d27a79a81ea6.

You might wonder why do I tell you to patch a vulnerability that has been published 12 days ago, right? Two days ago, the operations team of my company noticed a strange behavior on a specific linux system. First thing I did was to review the latest vulnerabilities for the linux distribution installed on the machine and found CVE-2010-3081. Digging a little bit more let me found  an excellent tool made by Ksplice that told me the machine was exposed to the exploit.

Download the tool here: If you want the binary, download it here:

Read the Redhat Bugzilla info associated with CVE-2010-3081 here:

Read about the exploit here:

Read more about the vulnerability description here:

Can't patch right now? Use the following workaround: echo ':32bits:M:0:x7fELFx01::/bin/echo:' > /proc/sys/fs/binfmt_misc/register

-- Manuel Humberto Santander Peláez | | | msantand at isc dot sans dot org

4 comment(s)
Diary Archives