GHOST Vulnerability Puts Linux Systems at Risk

By Alain Iamburg, Andrew McGregor ·

A critical security vulnerability in the GNU C library, CVE-2015-0235 (a.k.a. “GHOST”), was reported on January 27, 2015. Many Linux systems are vulnerable to remote code execution, including enterprise and Long Term Support distributions.

How serious is the risk?

This is an extremely serious flaw affecting a number of different Linux operating system versions. The vulnerability exists within a popular Linux library and is remotely exploitable for systems and applications that utilize a function common to network programming used to perform a lookup by hostname. Any networked service or application utilizing the function is potentially vulnerable. Exploitation could lead to a complete compromise of the underlying server, negatively impacting the availability, integrity and confidentiality of the system, application and/or data within. This could result in a negative business impact, including, but not limited to, a direct loss of revenue or brand image damage.

What is the flaw?

The vulnerability is due to an insufficient check of a buffer length, allowing for a memory overwrite equal to the size of a char pointer. This equates to a buffer overflow of up to 4 bytes on 32-bit systems and 8-bytes on 64-bit systems. The vulnerability affects the “gethostbyname() and “gethostbyname2()” functions; therefore, networked programs utilizing these function calls and vulnerable libraries are potentially exploitable. Although the overflow is relatively small, security researchers have announced a working proof-of-concept exploit to gain remote code execution on an affected system. A patch was introduced on May 21, 2013.

A patch exists, so what’s the big deal?

Patching glibc is a little different than a library like OpenSSL due to kernel and build tool dependencies. To work around this, vendors often standardize on one version of glibc and then backport the security patches as needed.

Although the bug was fixed in glibc-2.18, it was not categorized as security-related at that time. Therefore, the fix did not make it into most stable and LTS Linux distributions. As a result, many systems are currently unpatched and vulnerable, such as Debian 7 (wheezy), Red Hat Enterprise Linux 6 & 7, CentOS 6 & 7 and Ubuntu 12.04. No public exploit code is currently known; however, Qualys plans on releasing a Metasploit module in the near future.

Am I vulnerable?

Linux systems running glibc-2.2 through glibc-2.17 are affected by the GHOST vulnerability. As mentioned above, the below distributions were identified as being vulnerable. Please note, this should not be considered a comprehensive list but includes the most notable distributions.

  • Debian 7 (wheezy)
  • RHEL 6 & 7
  • CentOS 6 & 7
  • Ubuntu 12.04

Exploiting the vulnerability for remote code execution also depends on other factors like whether the targeted application uses the glibc gethostname*() functions and in what context. Clockdiff, procmail, pppd, Wordpress and the Exim mail server software have been identified as being used as attack vectors to some extent.

Qualys provided the following proof-of-concept source code to test local Linux installations for susceptibility to the GHOST vulnerability:

#include
#include

#include
#include
#include

#define CANARY "in_the_coal_mine"

struct {

  char buffer[1024];
  char canary[sizeof(CANARY)];
} temp = { "buffer", CANARY };

int main(void) {
  struct hostent resbuf;
  struct hostent *result;
  int herrno;
  int retval;

  /*** strlen (name) = size_needed - sizeof (*host_addr) - sizeof (*h_addr_ptrs) - 1; ***/
  size_t len = sizeof(temp.buffer) - 16*sizeof(unsigned char) - 2*sizeof(char *) - 1;

  char name[sizeof(temp.buffer)];
  memset(name, '0', len);
  name[len] = '\0';

  retval = gethostbyname_r(name, &resbuf, temp.buffer, sizeof(temp.buffer), &result, &herrno);

  if (strcmp(temp.canary, CANARY) != 0) {
    puts("vulnerable");
    exit(EXIT_SUCCESS);
}
if (retval == ERANGE) {
    puts("not vulnerable");
    exit(EXIT_SUCCESS);
}
    puts("should not happen");
    exit(EXIT_FAILURE);
}

Compile the code with “gcc GHOST.c –o GHOST”, and you should expect to see one of the following messages depending on your version of glibc:

Running on Ubuntu 12.04.5 LTS (glibc-2.15):

$ ./GHOST
vulnerable

Running on Ubuntu 14.04.1 LTS (glibc-2.19):

$ ./GHOST
not vulnerable

Next Steps

Currently, FishNet Security is working with its partners and clients to help detect and remediate the GHOST vulnerability. Our Security Assessments team is offering a GHOST Vulnerability Assessment to help determine whether your system is at risk.

References

https://www.qualys.com/research/security-advisories/GHOST-CVE-2015-0235.txt

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0235