Ghost vulnerability

By Blaine
This security vulnerability is a heap-based buffer overflow. Find out if you're vulnerable to this security threat right now. Security test code included!

Security is no joke

Earlier today, the PR firm used by the security vendor Qualys prematurely leaked the details of a critical vulnerability in the GNU C library (glibc). The vulnerability exists in all versions of glibc since 2000.

The vulnerability itself is a heap-based buffer overflow in __nss_hostname_digits_dots(), which is used by the gethostbyname() and gethostbyname2() glibc function calls. A remote attacker could use this flaw to execute arbitrary code with the permissions of the user running the application.
Qualys has provided a nice breakdown on their blog to help users better understand the impact and severity.

One important point is that Qualys has created a proof-of-concept exploit which exploits this vulnerability in Exim. At the time of writing, it is understood that Exim is only exploitable if "configured to perform extra security checks on the HELO and EHLO commands ("helo_verify_hosts" or "helo_try_verify_hosts" option, or "verify = helo" ACL)." This simplifies determining whether or not an instance of Exim is exploitable: look in the Exim configuration file for these settings.
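To make that configuration check repeatable, here is an added example script (not part of the original post and not code from Qualys or the Exim project) that greps an Exim configuration for the three settings named above and reports whether any of them is active. The sample configurations it writes are constructed for the demonstration and are not real Exim configs; the configuration path is an assumed default that you should override for your system.

```shell
#!/bin/sh
# Added example, not from the original post, Qualys, or the Exim project.
# Looks for the settings that make an Exim instance fall into the exploitable
# configuration described in the post:
#   helo_verify_hosts / helo_try_verify_hosts (main options)
#   verify = helo                              (ACL condition)
# Usage: ./exim_helo_check.sh [/path/to/exim.conf]
# With no argument it runs against two constructed sample configs.

# exim_helo_checks FILE
# Prints every uncommented line that enables one of the settings (with line
# numbers). Exit status 0 if at least one was found, 1 if none.
exim_helo_checks() {
    grep -nE \
        -e '^[[:space:]]*(helo_verify_hosts|helo_try_verify_hosts)[[:space:]]*=' \
        -e '^[^#]*verify[[:space:]]*=[[:space:]]*helo([[:space:]]|$)' \
        "$1"
}

# report FILE -> prints "helo checks enabled" or "no helo checks found"
report() {
    if exim_helo_checks "$1" >/dev/null 2>&1; then
        echo "helo checks enabled"
    else
        echo "no helo checks found"
    fi
}

# make_sample PATH on|off
# Writes a constructed (hypothetical) Exim-style config: "on" enables the HELO
# checks, "off" leaves them commented out so the scan should come back clean.
make_sample() {
    if [ "$2" = "on" ]; then
        cat > "$1" <<'EOF'
primary_hostname = mail.example.invalid
helo_verify_hosts = *
acl_smtp_helo = acl_check_helo
begin acl
acl_check_helo:
  deny    !verify = helo
  accept
EOF
    else
        cat > "$1" <<'EOF'
primary_hostname = mail.example.invalid
# helo_verify_hosts = *
# helo_try_verify_hosts = *
begin acl
acl_check_rcpt:
  require verify = sender
  accept
EOF
    fi
}

conf="${1:-}"
if [ -n "$conf" ]; then
    # Real run: scan the file the operator pointed us at.
    printf '%s: %s\n' "$conf" "$(report "$conf")"
    exim_helo_checks "$conf" || true
else
    # Demonstration on the constructed samples.
    demo_dir=$(mktemp -d)
    make_sample "$demo_dir/helo_on.conf" on
    make_sample "$demo_dir/helo_off.conf" off
    for f in "$demo_dir/helo_on.conf" "$demo_dir/helo_off.conf"; do
        printf '%s: %s\n' "$f" "$(report "$f")"
        exim_helo_checks "$f" || true
    done
    rm -rf "$demo_dir"
fi
```

A single-file grep misses settings pulled in through Exim's .include directives or split configuration directories, so treat a clean result as a hint rather than proof; asking the running binary directly with `exim -bP helo_verify_hosts` (and likewise for helo_try_verify_hosts) prints the effective value of the main option and is the more reliable check. The ACL condition still has to be found by reading the ACL sections.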

Because the vulnerability details were disclosed ahead of time, no patch is currently available for CentOS. A patch is expected to be released today for CentOS, and SingleHop is following the planned release of this update very closely. The Debian, Ubuntu, and RHEL distributions have already updated their glibc packages with a fix. CentOS (once available) and RHEL users can apply this update by running "yum -y update glibc". Debian and Ubuntu users can apply the update by running "apt-get upgrade glibc".

To determine whether or not your system is vulnerable, you can compile the test code provided by Qualys:

1) Save the below code as test.c

#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>

/* Sentinel placed directly after the 1024-byte buffer; if the overflow
 * writes past the buffer, the canary is clobbered. */
#define CANARY "in_the_coal_mine"

struct {
  char buffer[1024];
  char canary[sizeof(CANARY)];
} temp = { "buffer", CANARY };

int main(void) {
  struct hostent resbuf;
  struct hostent *result;
  int herrno;
  int retval;

  /*** strlen (name) = size_needed - sizeof (*host_addr) - sizeof (*h_addr_ptrs) - 1; ***/
  /* A hostname of exactly this length makes the size calculation in
   * __nss_hostname_digits_dots() come up short by sizeof(char *). */
  size_t len = sizeof(temp.buffer) - 16*sizeof(unsigned char) - 2*sizeof(char *) - 1;
  char name[sizeof(temp.buffer)];
  memset(name, '0', len);  /* all-digit name so it is parsed as a numeric address */
  name[len] = '\0';

  retval = gethostbyname_r(name, &resbuf, temp.buffer, sizeof(temp.buffer), &result, &herrno);

  if (strcmp(temp.canary, CANARY) != 0) {
    /* the canary was overwritten: the overflow happened */
    puts("vulnerable");
    exit(EXIT_SUCCESS);
  }
  if (retval == ERANGE) {
    /* a fixed glibc notices the buffer is too small and returns ERANGE */
    puts("not vulnerable");
    exit(EXIT_SUCCESS);
  }
  puts("should not happen");
  exit(EXIT_FAILURE);
}

2) Lastly from a command prompt, run gcc test.c -o test && ./test

On systems running vulnerable versions of glibc, this program will output "vulnerable"; on systems with a fixed glibc it will output "not vulnerable".
