On Tuesday, January 27, 2015, security researchers at Qualys disclosed the GHOST vulnerability (CVE-2015-0235), a heap-based buffer overflow in the GNU C Library (glibc) that can allow an attacker to take complete control of a victim system remotely, without any prior knowledge of system credentials.
The flaw sits in the internal helper __nss_hostname_digits_dots(), which is reached through gethostbyname() and gethostbyname2() (and their _r variants), functions originally used to resolve a hostname to an IP address. These functions have been deprecated for roughly fifteen years, largely because they do not support IPv6. Their replacement, getaddrinfo(), supports IPv6 and does not pass through the affected code, so only programs that still call gethostbyname() or gethostbyname2() can be affected by GHOST. The vulnerable path is only taken when the string looks like an IPv4 address (digits and dots), and the bytes written past the buffer are limited to digits, dots and a terminating NUL, which is why many callers turned out to be hard to exploit even though Qualys demonstrated a working remote exploit against the Exim mail server.
Note: The GNU C Library, or glibc, is the implementation of the standard C library used by almost every Linux distribution; nearly every program on such a system links against it, and without it the system will not function.
This also means that web applications can be exposed. PHP's gethostbyname() is a thin wrapper around the libc function, and WordPress calls it when validating URLs (for example for pingbacks), so an attacker who gets the application to resolve a crafted hostname can trigger the overflow server-side and potentially execute code with the privileges of the web server process.
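The size miscalculation behind GHOST, as an added illustration that is not code from the original page or from glibc: the model below reproduces the object layout that glibc's __nss_hostname_digits_dots() builds in the caller's buffer (a 16-byte address, an array of two address pointers, an array of one alias pointer, then the hostname copy) and compares the size glibc 2.2 through 2.17 requested, which left out the alias-pointer array, with the size requested after the 2013 upstream fix. It then replays the copy into a real heap buffer with a sentinel placed behind it, showing that under the old formula the write runs exactly sizeof(char *) bytes (4 or 8) past the end. The type and function names are mine; glibc only takes this path for names made of digits and dots, so the overflowing bytes can only be digits, dots and a NUL.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Objects laid out in the caller's buffer by __nss_hostname_digits_dots()
 * (glibc nss/digits_dots.c), in this order, followed by the hostname copy.
 * Names are mine; sizes match the glibc types. */
typedef unsigned char host_addr_t[16];      /* room for an IPv6 address */
typedef char *host_addr_list_t[2];
typedef char *host_alias_list_t[1];

/* Size requested by glibc 2.2 .. 2.17: sizeof(*h_alias_ptr) is missing. */
size_t size_needed_vulnerable(size_t name_len)
{
    return sizeof(host_addr_t) + sizeof(host_addr_list_t) + name_len + 1;
}

/* Size requested after the upstream fix of 2013-05-21. */
size_t size_needed_fixed(size_t name_len)
{
    return sizeof(host_addr_t) + sizeof(host_addr_list_t)
         + sizeof(host_alias_list_t) + name_len + 1;
}

/* Offset at which the hostname copy is placed in the buffer. */
static size_t hostname_offset(void)
{
    return sizeof(host_addr_t) + sizeof(host_addr_list_t) + sizeof(host_alias_list_t);
}

/* Bytes the strcpy() of the name runs past the end of a buffer sized by the
 * vulnerable (fixed == 0) or corrected (fixed != 0) formula. */
size_t overflow_bytes(size_t name_len, int fixed)
{
    size_t alloc = fixed ? size_needed_fixed(name_len) : size_needed_vulnerable(name_len);
    size_t written = hostname_offset() + name_len + 1;   /* strcpy() copies the NUL too */
    return written > alloc ? written - alloc : 0;
}

/* Replays the copy into a heap buffer sized by one of the two formulas, with a
 * sentinel of sizeof(char *) bytes right behind it (the sentinel is part of our
 * own allocation, so the demo itself stays well defined). Returns 1 if copying
 * an all-digit name clobbered the sentinel, 0 if it fit, -1 on malloc failure. */
int sentinel_clobbered(size_t name_len, int fixed)
{
    size_t alloc = fixed ? size_needed_fixed(name_len) : size_needed_vulnerable(name_len);
    size_t guard = sizeof(char *);
    unsigned char *buf = malloc(alloc + guard);
    if (buf == NULL)
        return -1;
    memset(buf, 0, alloc);
    memset(buf + alloc, 0xAA, guard);

    /* glibc's strcpy(hostname, name) for a numeric name such as "000...0" */
    char *hostname = (char *)buf + hostname_offset();
    memset(hostname, '0', name_len);
    hostname[name_len] = '\0';

    int clobbered = 0;
    for (size_t i = 0; i < guard; i++)
        if (buf[alloc + i] != 0xAA)
            clobbered = 1;
    free(buf);
    return clobbered;
}

int main(void)
{
    /* Same name length GHOST.c uses: fills a 1024-byte buffer exactly under the old formula. */
    size_t len = 1024 - sizeof(host_addr_t) - sizeof(host_addr_list_t) - 1;
    printf("name length %zu: old formula asks for %zu bytes, fixed formula for %zu\n",
           len, size_needed_vulnerable(len), size_needed_fixed(len));
    printf("overflow with old formula: %zu bytes; with the fix: %zu bytes\n",
           overflow_bytes(len, 0), overflow_bytes(len, 1));
    printf("sentinel clobbered: old=%d fixed=%d\n",
           sentinel_clobbered(len, 0), sentinel_clobbered(len, 1));
    return 0;
}
```

The reentrant gethostbyname_r() compares the caller's buffer against the computed size and returns ERANGE when it is too small; the GHOST.c check below exploits exactly that difference, passing a buffer the old formula accepts and the corrected one rejects.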
How to check whether a Linux server is vulnerable
Method #1: GHOST.C Glibc Vulnerability Test C Program
Save the following program as GHOST.c (it is the check published with the Qualys advisory on oss-security):

```c
/*
 * GHOST vulnerability check
 * http://www.openwall.com/lists/oss-security/2015/01/27/9
 * Usage: gcc GHOST.c -o GHOST && ./GHOST
 */
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>

#define CANARY "in_the_coal_mine"

/* A buffer with a canary directly behind it: a vulnerable glibc writes past
 * the buffer and changes the canary, a fixed one rejects the call with ERANGE. */
struct {
  char buffer[1024];
  char canary[sizeof(CANARY)];
} temp = { "buffer", CANARY };

int main(void) {
  struct hostent resbuf;
  struct hostent *result;
  int herrno;
  int retval;

  /*** strlen (name) = size_needed - sizeof (*host_addr) - sizeof (*h_addr_ptrs) - 1; ***/
  /* Name length chosen so that the vulnerable size computation accepts
   * the 1024-byte buffer exactly, while the fixed one finds it too small. */
  size_t len = sizeof(temp.buffer) - 16*sizeof(unsigned char) - 2*sizeof(char *) - 1;
  char name[sizeof(temp.buffer)];
  memset(name, '0', len);          /* all digits: takes the vulnerable code path */
  name[len] = '\0';

  retval = gethostbyname_r(name, &resbuf, temp.buffer, sizeof(temp.buffer), &result, &herrno);

  if (strcmp(temp.canary, CANARY) != 0) {
    puts("vulnerable");
    exit(EXIT_SUCCESS);
  }
  if (retval == ERANGE) {
    puts("not vulnerable");
    exit(EXIT_SUCCESS);
  }
  puts("should not happen");
  exit(EXIT_FAILURE);
}
```
Compile it:
gcc -o GHOST GHOST.c
Run it; it prints either "vulnerable" or "not vulnerable" ("should not happen" means the call neither overflowed nor returned ERANGE, which indicates a glibc that behaves differently from both the vulnerable and the fixed code):
./GHOST
Method #2: GHOST-test.sh Vulnerability Test Bash Script
Save the following as GHOST-test.sh. It is Red Hat's check: it inspects the installed glibc RPMs, treats upstream 2.18 or newer as fixed and otherwise looks for the CVE identifier in the package changelog, so it only works on RPM-based systems such as RHEL, CentOS and Fedora (on Debian or Ubuntu it will simply report nothing):

```bash
#!/bin/bash
#Version 3
echo "Installed glibc version(s)"
rv=0
for glibc_nvr in $( rpm -q --qf '%{name}-%{version}-%{release}.%{arch}\n' glibc ); do
    glibc_ver=$( echo "$glibc_nvr" | awk -F- '{ print $2 }' )
    glibc_maj=$( echo "$glibc_ver" | awk -F. '{ print $1 }')
    glibc_min=$( echo "$glibc_ver" | awk -F. '{ print $2 }')
    echo -n "- $glibc_nvr: "
    if [ "$glibc_maj" -gt 2 -o \
         \( "$glibc_maj" -eq 2 -a "$glibc_min" -ge 18 \) ]; then
        # fixed upstream version
        echo 'not vulnerable'
    else
        # all RHEL updates include CVE in rpm %changelog
        if rpm -q --changelog "$glibc_nvr" | grep -q 'CVE-2015-0235'; then
            echo "not vulnerable"
        else
            echo "vulnerable"
            rv=1
        fi
    fi
done
if [ $rv -ne 0 ]; then
    cat <<EOF
Please refer to <https://access.redhat.com/articles/1332213> for remediation steps
EOF
fi
exit $rv
```
Run the script as follows (it exits non-zero when a vulnerable package is found, so it can be used from configuration management or a cron job):
bash GHOST-test.sh
Method #3: Vulnerability Test PHP Script
Run the following one-liner, which builds a 2500-digit numeric "hostname" and hands it to PHP's gethostbyname() wrapper:

```bash
php -r '$e="0";for($i=0;$i<2500;$i++){$e="0$e";} gethostbyname($e);'
```

If the interpreter dies with a segmentation fault, the glibc that the php binary links against is vulnerable; a patched glibc returns normally and prints nothing. Note that this only tests the library php itself is using, which matters when PHP runs in a chroot or container with its own copy of glibc.
Obviously, if any of these checks reports "vulnerable", you are vulnerable. Update glibc with your distribution's package manager and then reboot, or at the very least restart every long-running service (sshd, web, mail and database servers, cron), because processes that were already running keep the old library mapped in memory and remain exploitable until they are restarted.
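Updating the glibc package does not fix processes that were already running: they keep the old library mapped until they are restarted, and once the file on disk has been replaced Linux marks such mappings with "(deleted)" in /proc/PID/maps. The following check is an added example, not code from the original page or from any distribution's tooling; it parses /proc/PID/maps lines (the sample line in the comment is constructed) and reports every process that still maps a replaced libc. Run it as root after the update to see all processes rather than only your own.

```c
#include <ctype.h>
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Returns 1 if one line of /proc/PID/maps maps a libc object whose file on disk
 * has since been replaced. A constructed example of such a line:
 *   7f3d4c000000-7f3d4c1a1000 r-xp 00000000 08:01 393227 /lib/x86_64-linux-gnu/libc-2.13.so (deleted)
 */
int line_maps_stale_libc(const char *line)
{
    const char *base = strrchr(line, '/');
    if (base == NULL)                       /* anonymous mapping, [stack], [vdso] ... */
        return 0;
    base++;
    /* match libc-2.x.so and libc.so.6, but not libcrypto, libcap, libcurl ... */
    if (strncmp(base, "libc-", 5) != 0 && strncmp(base, "libc.so", 7) != 0)
        return 0;
    return strstr(base, "(deleted)") != NULL;
}

/* Scans one maps file. Returns 1 if any line maps a stale libc, 0 if none does,
 * -1 if the file cannot be opened (e.g. another user's process without root). */
int maps_file_has_stale_libc(const char *path)
{
    FILE *fp = fopen(path, "r");
    if (fp == NULL)
        return -1;
    char line[4096];
    int found = 0;
    while (fgets(line, sizeof line, fp) != NULL) {
        if (line_maps_stale_libc(line)) {
            found = 1;
            break;
        }
    }
    fclose(fp);
    return found;
}

/* Walks /proc, prints every PID still running a replaced libc and returns the
 * count (-1 if /proc cannot be read). */
int report_stale_libc_processes(void)
{
    DIR *proc = opendir("/proc");
    if (proc == NULL)
        return -1;
    int count = 0;
    struct dirent *de;
    while ((de = readdir(proc)) != NULL) {
        if (!isdigit((unsigned char)de->d_name[0]))   /* only numeric PID entries */
            continue;
        char path[64];
        snprintf(path, sizeof path, "/proc/%s/maps", de->d_name);
        if (maps_file_has_stale_libc(path) == 1) {
            printf("PID %s still maps the old glibc; restart it\n", de->d_name);
            count++;
        }
    }
    closedir(proc);
    return count;
}

int main(void)
{
    int n = report_stale_libc_processes();
    if (n < 0) {
        perror("/proc");
        return 2;
    }
    printf("%d process(es) need a restart\n", n);
    return n > 0;   /* non-zero exit: something still needs restarting */
}
```

A non-zero exit status means remediation is not complete; rebooting is the simplest way to be certain nothing keeps the old library mapped.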
According to Qualys, the bug was introduced in glibc-2.2 (November 2000) and was actually fixed upstream on May 21, 2013, in the development window between the glibc-2.17 and glibc-2.18 releases, but the fix was committed as an ordinary bug fix rather than as a security patch.
“Unfortunately, it was not recognized as a security threat; as a result, most stable and long-term-support distributions were left exposed (and still are): Debian 7 (wheezy), Red Hat Enterprise Linux 6 & 7, CentOS 6 & 7, Ubuntu 12.04, for example,” said an advisory from Qualys posted to the OSS-Security mailing list.
And what about Cisco devices?
So far only a few Cisco products are listed as affected, but the list can change (Cisco bug IDs in brackets):
- Endpoint Clients and Client Software
  - Cisco Jabber Guest 10.0(2) [CSCus69789]
- Network and Content Security Devices
  - Identity Services Engine (ISE) [CSCus68798]
- Network Management and Provisioning
  - Cisco Prime Infrastructure 2.2 [CSCus69495]
  - Cisco Prime Optical for SPs [CSCus69483]
- Routing and Switching – Enterprise and Service Provider
  - Cisco Connected Grid Routers (CGR) [CSCus69450]
- Voice and Unified Communications Devices
  - Cisco Unified Communications Manager (UCM) 10.0 [CSCus66650]
  - Cisco Unified Communications Manager Session Management Edition (SME) [CSCus66650]
  - Cisco Unified Sip Proxy [CSCus69387]
- Video, Streaming, TelePresence, and Transcoding Devices
  - Cisco DCM Series 9900-Digital Content Manager [CSCus69463]
  - Cisco Edge 300 Digital Media Player [CSCus69651]
  - Cisco Edge 340 Digital Media Player [CSCus69652]
  - Cisco Expressway Series [CSCus69558]
  - Cisco TelePresence Conductor [CSCus69523]
  - Cisco TelePresence Video Communication Server (VCS) [CSCus69558]
- Cisco Hosted Services
  - Cisco SLIM [CSCus69434]
Remember: IPS and NGFW signatures can detect attempts to exploit known vulnerable applications and buy time, but they do not repair the library. Patching glibc and restarting the affected services (or rebooting) remains the only real remediation.