The Full Disclosure list sponsored by secunia.com published an exploit regarding the CVE-2010-3081 vulnerability. It is triggered because of a stack pointer underflow regarding the function compat_alloc_user_space() inside arch/x86/include/asm/compat.h. This exploit is in the wild and it is highly recommended to implement the patch located at http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=c41d68a513c71e35a14f66d71782d27a79a81ea6.
You might wonder why do I tell you to patch a vulnerability that has been published 12 days ago, right? Two days ago, the operations team of my companynoticed a strange behavior ona specific linux system. First thing I did was to review the latest vulnerabilities for the linux distribution installed on the machine and found CVE-2010-3081. Digginga little bit more let me foundan excellent tool made by Ksplice that told me the machine was exposed to the exploit.
Download the tool here: https://www.ksplice.com/support/diagnose-2010-3081.c. If you want the binary, download it here: https://www.ksplice.com/support/diagnose-2010-3081.
Read the Redhat Bugzilla info associated with CVE-2010-3081 here: https://bugzilla.redhat.com/show_bug.cgi?id=634457.
Read about the exploit here: http://seclists.org/fulldisclosure/2010/Sep/268.
Read more about the vulnerability description here: http://sota.gen.nz/compat1/.
Can't patch right now? Use the following workaround: echo ':32bits:M:0:x7fELFx01::/bin/echo:' /proc/sys/fs/binfmt_misc/register
-- Manuel Humberto Santander Pelez | http://twitter.com/manuelsantander| http://manuel.santander.name| msantand at isc dot sans dot org
(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.