Ksplice

NOTE

Please note that this tool is no longer being made available, and that this documentation exists only to support legacy users of the tool.


Detecting the CVE-2010-3081 high-profile exploit

The public CVE-2010-3081 exploit leaves behind one of several backdoors that attackers can later use to gain root on the system, even after the vulnerability is patched. We've created a tool that looks for these backdoors, as a way of determining whether or not your systems have been compromised.

Using the tool

The tool is designed to be run as a normal user. The binary is compiled for RHEL 5/CentOS 5, but it works correctly on a number of other platforms including Debian Lenny and Ubuntu. The source will work correctly on all platforms on which the unmodified exploit works. Here is sample output for a system that has not been compromised:

$ chmod +x diagnose-2010-3081
$ ./diagnose-2010-3081
Diagnostic tool for public CVE-2010-3081 exploit -- Ksplice, Inc.
(see http://www.ksplice.com/uptrack/cve-2010-3081)

$$$ Kernel release: 2.6.18-194.11.3.el5
$$$ Backdoor in LSM (1/3): checking...not present.
$$$ Backdoor in timer_list_fops (2/3): not available.
$$$ Backdoor in IDT (3/3): checking...not present.

Your system is free from the backdoors that would be left in memory
by the published exploit for CVE-2010-3081.
$

The tool is only necessary on 64-bit systems, because 32-bit systems are immune to the vulnerability.
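When the checker is run across many hosts, it helps to turn its text output into a structured verdict rather than eyeballing each report. The following Python helper is an added example, not part of the Ksplice tool or its documentation. It assumes only the output format shown in the sample above (the "$$$" prefix, the "(n/3)" counter, the "checking..." progress text and the two documented statuses "not present" and "not available"); the page does not show what the tool prints when a backdoor is found, so any status other than those two is escalated for a human to look at rather than interpreted. The function and variable names (parse_report, classify, run_checker, SAMPLE_CLEAN) are this example's own, and run_checker skips non-x86_64 hosts because the vulnerability and the 64-bit-only binary do not apply there.

```python
"""Parse the output of the diagnose-2010-3081 checker into a structured verdict.

Added example for fleet triage; this is not Ksplice code. The only format
assumptions are taken from the clean-system sample in the documentation.
"""
import platform
import re
import subprocess
from typing import Dict, List, Optional

# Constructed sample: a copy of the documented output for an uncompromised host.
SAMPLE_CLEAN = """\
Diagnostic tool for public CVE-2010-3081 exploit -- Ksplice, Inc.
(see http://www.ksplice.com/uptrack/cve-2010-3081)

$$$ Kernel release: 2.6.18-194.11.3.el5
$$$ Backdoor in LSM (1/3): checking...not present.
$$$ Backdoor in timer_list_fops (2/3): not available.
$$$ Backdoor in IDT (3/3): checking...not present.

Your system is free from the backdoors that would be left in memory
by the published exploit for CVE-2010-3081.
"""

# Statuses documented on the page; anything else is escalated, not interpreted.
KNOWN_NEGATIVE = {"not present", "not available"}

CHECK_RE = re.compile(
    r"^\$\$\$ Backdoor in (?P<name>\S+) \((?P<idx>\d+)/(?P<total>\d+)\): (?P<rest>.*)$"
)
KERNEL_RE = re.compile(r"^\$\$\$ Kernel release: (?P<release>\S+)$")


def classify(checks: Dict[str, str]) -> str:
    """Map per-check statuses to one verdict.

    'investigate'  - a status other than the two documented negatives appeared
    'inconclusive' - every check was 'not available' on this kernel
    'clean'        - at least one check ran and none reported anything else
    'unparsed'     - no check lines were recognised at all
    """
    if not checks:
        return "unparsed"
    statuses = set(checks.values())
    if statuses - KNOWN_NEGATIVE:
        return "investigate"
    if statuses == {"not available"}:
        return "inconclusive"
    return "clean"


def parse_report(text: str) -> dict:
    """Extract the kernel release and each backdoor check from checker output."""
    kernel: Optional[str] = None
    checks: Dict[str, str] = {}
    for line in text.splitlines():
        m = KERNEL_RE.match(line)
        if m:
            kernel = m.group("release")
            continue
        m = CHECK_RE.match(line)
        if m:
            # Drop the "checking..." progress text and the trailing period.
            status = m.group("rest").replace("checking...", "").strip().rstrip(".")
            checks[m.group("name")] = status
    untested: List[str] = [n for n, s in checks.items() if s == "not available"]
    return {
        "kernel": kernel,
        "checks": checks,
        "untested": untested,  # checks the tool could not perform on this kernel
        "verdict": classify(checks),
    }


def run_checker(path: str = "./diagnose-2010-3081") -> dict:
    """Run the checker on this host and parse its output.

    On non-x86_64 hosts the documentation says the vulnerability does not
    apply and the binary would fail with 'cannot execute binary', so the
    run is skipped and reported as not applicable.
    """
    if platform.machine() != "x86_64":
        return {"kernel": platform.release(), "checks": {}, "untested": [],
                "verdict": "not applicable (not x86_64)"}
    proc = subprocess.run([path], capture_output=True, text=True)
    return parse_report(proc.stdout)


if __name__ == "__main__":
    print(parse_report(SAMPLE_CLEAN))
```

A "clean" verdict here means only that the documented checks that could run found nothing; the untested list should be reviewed too, since a check reported as "not available" on a given kernel says nothing about whether that backdoor is present.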

If your system has not been compromised

We recommend immediately patching your system against this vulnerability. Ksplice users can do so by running uptrack-upgrade -y.

Note that the diagnostic tool applies only to the original, published exploit. Even if the tool reports that the backdoors are not present, or that the original exploit would not work on your kernel, there is still a possibility that a sophisticated attacker could have produced a modified exploit and compromised your system. A sophisticated attacker could also modify the exploit to remove the in-memory backdoors after gaining privileged access, evading detection. We currently believe that the great majority of attacks in the wild are made with the unmodified exploit.

If your system has already been compromised

Please use your normal procedure for dealing with compromised systems.

Troubleshooting the checker

I got a "cannot execute binary" error when running the checker binary. What's wrong?
You get this error if you run the checker on a 32-bit system. It is only compiled for 64-bit systems because only 64-bit systems are vulnerable.