GHOST: glibc: buffer overflow

Anderson Alfaro | January 30, 2015

0 Flares 0 Flares ×

A serious vulnerability was discovered, and was baptized GHOST in GNU/Linux. It’s present in all Red Hat Enterprise Linux versions, (CentOS etc.), and Debian systems.

Affected versions:
RHEL(Red Hat Enterprise Linux) version 6.x and 7.x
CentOS Linux version 6.x & 7.x
Ubuntu Linux version 10.04, 12.04 LTS
Debian Linux version 7.x
Linux Mint version 13.0
SUSE Linux Enterprise 11 and older (also OpenSuse Linux 11 or older versions).
Arch Linux glibc version <= 2.18-1

It’s strongly recommended update glibc

What services are using this library?

Run this command to discover all complete affected services
# lsof | grep libc | awk ‘{print $1}’ | sort | uniq

How to know if I’m vulnerable?

Copy this content into ghost.c

#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>

#define CANARY "in_the_coal_mine"

struct {

  char buffer[1024];

  char canary[sizeof(CANARY)];

} temp = { "buffer", CANARY };

 

int main(void) {

  struct hostent resbuf;

  struct hostent *result;

  int herrno;

  int retval;

 

  /*** strlen (name) = size_needed - sizeof (*host_addr) - sizeof (*h_addr_ptrs) - 1; ***/

  size_t len = sizeof(temp.buffer) - 16*sizeof(unsigned char) - 2*sizeof(char *) - 1;

  char name[sizeof(temp.buffer)];

  memset(name, '0', len);

  name[len] = '\0';

 

  retval = gethostbyname_r(name, &resbuf, temp.buffer, sizeof(temp.buffer), &result, &herrno);

 

  if (strcmp(temp.canary, CANARY) != 0) {

    puts("vulnerable");

    exit(EXIT_SUCCESS);

  }

  if (retval == ERANGE) {

    puts("not vulnerable");

    exit(EXIT_SUCCESS);

  }

  puts("should not happen");

  exit(EXIT_FAILURE);

}

#include <netdb.h>

#include <stdio.h>

#include <stdlib.h>

#include <string.h>

#include <errno.h>

#define CANARY "in_the_coal_mine"

struct {

char buffer[1024];

char canary[sizeof(CANARY)];

} temp = { "buffer", CANARY };

int main(void) {

struct hostent resbuf;

struct hostent *result;

int herrno;

int retval;

/*** strlen (name) = size_needed - sizeof (*host_addr) - sizeof (*h_addr_ptrs) - 1; ***/

size_t len = sizeof(temp.buffer) - 16*sizeof(unsigned char) - 2*sizeof(char *) - 1;

char name[sizeof(temp.buffer)];

memset(name, '0', len);

name[len] = '\0';

retval = gethostbyname_r(name, &resbuf, temp.buffer, sizeof(temp.buffer), &result, &herrno);

if (strcmp(temp.canary, CANARY) != 0) {

puts("vulnerable");

exit(EXIT_SUCCESS);

}

if (retval == ERANGE) {

puts("not vulnerable");

exit(EXIT_SUCCESS);

}

puts("should not happen");

exit(EXIT_FAILURE);

}

COMPILE

# gcc ghost.c -o ghost

RUN
#./ghost

HOW TO FIX?

# yum update glibc

And reboot the system because many services are using this library

Anderson Alfaro

I am passionate for knowledge of Cloud technologies and reading the Bible as both make sense to me, but this last one keeps me on the ground and not in the cloud. Prov 16:18
VCP - MCSA - MCTS - RHCSA - RHCE - RHCVA

IF YOU WANT TO WRITE HERE AS A SPONSOR, PLEASE SEND ME AN EMAIL
Note: I am in the process of learning English, if you notice some mistakes, please let me know. I'll appreciate that. Thank you

Security No Comments »

« Checking vSphere Flash Read Cache (Previous News)

(Next News) All OUs in this domain should be protected from accidental deletion »

Create an Account

Titpro

Technologies for IT Professionals

GHOST: glibc: buffer overflow

Related News

VMware Esxi firewall commands

Leave a Reply Cancel Reply