GHOST: a really serious glibc vulnerability



Recently, Red Hat announced on its Bugzilla site a patch for a very serious Linux vulnerability.

GHOST

A heap-based buffer overflow was found in glibc’s __nss_hostname_digits_dots() function, which is used by the gethostbyname() and gethostbyname2() glibc function calls. A remote attacker able to make an application call either of these functions could use this flaw to execute arbitrary code with the permissions of the user running the application.

In the official announcement on its knowledge base site, Red Hat has named the vulnerability ‘GHOST’ and explains several aspects of it:

GHOST is a ‘buffer overflow’ bug affecting the gethostbyname() and gethostbyname2() function calls in the glibc library. This vulnerability allows a remote attacker that is able to make an application call to either of these functions to execute arbitrary code with the permissions of the user running the application.

and

The gethostbyname() function calls are used for DNS resolving, which is a very common event. To exploit this vulnerability, an attacker must trigger a buffer overflow by supplying an invalid hostname argument to an application that performs a DNS resolution.

Since November 10, 2000?

A very interesting fact can be read in this article on OpenWall:

The first vulnerable version of the GNU C Library is glibc-2.2, released on November 10, 2000.

Brrrr… :-)

Possible attack vectors?

Mattias Geniar says:

The gethostbyname() call is probably among the most used ones on a server. That means any kind of DNS resolve can be used to trigger the CVE. The only catch is, you need to control whatever DNS is being resolved.

That could mean:

  • Mailservers using reverse DNS lookups on connecting IPs (DNS Blacklisting, SPF checks, …)
  • Form submits that allow user content which results in a DNS lookup, think URLs, WordPress XML-RPC pingbacks, …
  • MySQL servers doing authentication checks based on hostnames (in MySQL privileges)
  • SSH servers that perform DNS lookups for authentication allow/deny rules

If I want to check my system?

To identify which programs on your system have glibc loaded, run this command (as root, so that lsof can see every user's processes):

$ lsof | grep -E 'libc[.-]' | awk '{print $1}' | sort -u

It lists all open files (with lsof), keeps only the lines that refer to the glibc library itself (libc.so.6 or libc-<version>.so; the pattern leaves out other libraries whose names merely start with libc, such as libcrypto or libcurl), and prints the name of each process once. Every process listed keeps the old copy of glibc mapped in memory until it is restarted, so after updating the glibc package restart those services (or reboot) to actually get rid of the vulnerable code.

Stay tuned, stay updated!


Published: January 29 2015