Linux is being haunted by a G-G-G-GHOST vulnerability

ghost

Guys,

There is a new remote vulnerability in glibc under CVE-2015-0235. The bug is in __nss_hostname_digits_dots() function, which is used by the gethostbyname().

This vulnerability in GNU C Library (glibc), allows remote or local actors to execute arbitrary code under the privilege of user running the function gethostbyname(). Qualsys, who reported the bug was able to remotely exploit this bug in an Exim mail server.

All the glibc updates for CentOS 5, 6 and 7 have now been released and are currently being distributed to mirrors.

If your glibc version is lower than 2.18, you should assume that your server is vulnerable. You can check the version as given below:

[root@linux5 ~]# find /lib/ -name libc.so.*
/lib/libc.so.6

[root@linux5 ~]# /lib/libc.so.6
GNU C Library stable release version 2.12, by Roland McGrath et al.
Copyright (C) 2010 Free Software Foundation, Inc.

Alternatively, you can use the below vulnerability test program released by Qualsys. (Disclaimer: Use this program at your own risk. We execute these programs under a restricted environment.)

——–
Save the following into a file named ghost.c

#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>

#define CANARY “in_the_coal_mine”

struct {
char buffer[1024];
char canary[sizeof(CANARY)];
} temp = { “buffer”, CANARY };

int main(void) {
struct hostent resbuf;
struct hostent *result;
int herrno;
int retval;

/*** strlen (name) = size_needed – sizeof (*host_addr) – sizeof (*h_addr_ptrs) – 1; ***/
size_t len = sizeof(temp.buffer) – 16*sizeof(unsigned char) – 2*sizeof(char *) – 1;
char name[sizeof(temp.buffer)];
memset(name, ‘0’, len);
name[len] = ”;
retval = gethostbyname_r(name, &resbuf, temp.buffer, sizeof(temp.buffer), &result, &herrno);

if (strcmp(temp.canary, CANARY) != 0) {
puts(“vulnerable”);
exit(EXIT_SUCCESS);
}
if (retval == ERANGE) {
puts(“not vulnerable”);
exit(EXIT_SUCCESS);
}
puts(“should not happen”);
exit(EXIT_FAILURE);
}

Compile it using:
# gcc ghost.c -o ghost

Run it using:
# ./ghost

You’ll see an output saying “vulnerable” if your server is affected by the bug.
——–

It is quite maddening to think this vulnerability has existed for over 14 years. Even crazier is that it was fixed in 2013, but not properly categorized as a security issue, leaving it to haunt some distributions.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s