Ghost vulnerability

This security vulnerability is a heap-based buffer overflow. Find out if you're vulnerable to this security threat right now. Security test code included!

Security is no joke

Earlier today, the PR firm used by the security vendor Qualys prematurely leaked vulnerability details regarding a critical vulnerability in the GNU C library. The vulnerability exists in all versions of glibc since 2000.

The vulnerability itself is a heap-based buffer overflow in __nss_hostname_digits_dots(), which is used by the gethostbyname() and gethostbyname2() glibc function calls. A remote attacker could use this flaw to execute arbitrary code with the permissions of the user running the application.
Qualys has provided a nice breakdown on their blog to help users better understand the impact and severity.

One important item of note is that Qualys has created a proof-of-concept exploit, which exploits this vulnerability in Exim. At the time of writing, it is understood that Exim is only exploitable if "configured to perform extra security checks on the HELO and EHLO commands ("helo_verify_hosts" or "helo_try_verify_hosts" option, or "verify = helo" ACL)." This makes it simple to determine whether an instance of Exim is exploitable: look in the Exim configuration file for these settings.
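The configuration check described above can be scripted. The following is an added example, not code from Qualys or the original post; the function name exim_helo_checks and the sample configuration are constructed for illustration, and the location of your real Exim configuration file depends on the distribution.

```shell
#!/bin/sh
# Added example (not from the original post): list the Exim settings that the
# post names as making Exim reachable through the glibc bug.
# Exit status: 0 = at least one setting found, 1 = none found, 2 = unreadable file.
# Limits: does not follow .include files, macros or backslash line continuations.
exim_helo_checks() {
    conf=$1
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    # Main options: helo_verify_hosts / helo_try_verify_hosts at the start of a line.
    # ACL condition: "verify = helo" (optionally negated) anywhere on a line.
    # The second grep drops matches on lines that are entirely comments.
    grep -nE '^[[:space:]]*helo_(try_)?verify_hosts[[:space:]]*=|(^|[^_[:alnum:]])verify[[:space:]]*=[[:space:]]*helo([[:space:]]|$)' "$conf" \
        | grep -vE '^[0-9]+:[[:space:]]*#'
}

# Constructed sample configuration, for demonstration only.
sample=$(mktemp)
cat > "$sample" <<'EOF'
primary_hostname = mail.example.test
# helo_verify_hosts = *
helo_try_verify_hosts = 192.0.2.0/24
acl_smtp_helo = acl_check_helo

begin acl
acl_check_helo:
  deny    message = HELO verification failed
          !verify = helo
  accept
EOF

if exim_helo_checks "$sample"; then
    echo "HELO/EHLO verification is enabled: prioritise the glibc update on this host"
else
    echo "no HELO/EHLO verification settings found"
fi
rm -f "$sample"
```

A clean result here only covers the Exim condition quoted above; the glibc update is still needed for every other program that resolves hostnames.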

Because the vulnerability details were disclosed ahead of time, no patch is currently available for CentOS. A patch is expected to be released today for CentOS, and SingleHop is following the planned release of this update very closely. The Debian, Ubuntu, and RHEL distributions have updated their glibc packages with a fix. CentOS (once available) and RHEL users can apply this update by running "yum -y update glibc". Debian and Ubuntu users can apply the update by running "apt-get upgrade glibc".

To determine whether or not your system is vulnerable, you can compile the test code provided by Qualys:

1) Save the code below as test.c

#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#define CANARY "in_the_coal_mine"
struct {
  char buffer[1024];
  char canary[sizeof(CANARY)];
} temp = { "buffer", CANARY };
int main(void) {
  struct hostent resbuf;
  struct hostent *result;
  int herrno;
  int retval;
  /*** strlen (name) = size_needed - sizeof (*host_addr) - sizeof (*h_addr_ptrs) - 1; ***/
  size_t len = sizeof(temp.buffer) - 16*sizeof(unsigned char) - 2*sizeof(char *) - 1;
  char name[sizeof(temp.buffer)];
  memset(name, '0', len);
  name[len] = '\0';
  retval = gethostbyname_r(name, &resbuf, temp.buffer, sizeof(temp.buffer), &result, &herrno);
  if (strcmp(temp.canary, CANARY) != 0) {
    puts("vulnerable");
    exit(EXIT_SUCCESS);
  }
  if (retval == ERANGE) {
    puts("not vulnerable");
    exit(EXIT_SUCCESS);
  }
  puts("should not happen");
  exit(EXIT_FAILURE);
}

2) Lastly, from a command prompt, run: gcc test.c -o test && ./test

On systems running vulnerable versions of glibc, this program will output "vulnerable"; otherwise, it will output "not vulnerable".

Credit: Read more at http://www.singlehop.com/blog/security-alert-ghost-vulnerability/#smpOTQEkGsUpOSkD.99
