GHOST: glibc vulnerability (CVE-2015-0235)
GHOST is a heap-based buffer overflow vulnerability that can be triggered both locally and remotely via the gethostbyname*() functions of the GNU C Library (glibc). All versions of glibc shipped with all variants of Red Hat Enterprise Linux are affected.
Background Information
GHOST is a heap-based buffer overflow bug affecting the gethostbyname() and gethostbyname2() function calls in the glibc library. These functions are used for DNS resolution by many applications, so in theory any application that uses them (practically any application that goes online) is at risk of being exploited. To exploit this vulnerability, an attacker must trigger the buffer overflow by supplying an invalid hostname argument to an application that performs a DNS resolution.
Determining Vulnerability
You can use the C code below to determine whether a system is affected by the GHOST vulnerability. It calls gethostbyname_r() with a hostname sized to hit the miscalculated buffer bound and then checks whether a canary placed directly after the buffer has been overwritten.
/* ghostvtest.c: GHOST vulnerability tester */
/* Credit: http://securityfunda.blogspot.com */
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>

#define CANARY "in_the_coal_mine"

/* The canary sits directly after the buffer handed to gethostbyname_r();
   a vulnerable glibc overwrites it. */
struct {
    char buffer[1024];
    char canary[sizeof(CANARY)];
} temp = { "buffer", CANARY };

int main(void) {
    struct hostent resbuf;
    struct hostent *result;
    int herrno;
    int retval;

    /*** strlen (name) = size_needed - sizeof (*host_addr) - sizeof (*h_addr_ptrs) - 1; ***/
    /* Hostname length chosen so the name exactly fills the space glibc miscalculates. */
    size_t len = sizeof(temp.buffer) - 16*sizeof(unsigned char) - 2*sizeof(char *) - 1;
    char name[sizeof(temp.buffer)];
    memset(name, '0', len);   /* all digits: takes the digits-and-dots code path */
    name[len] = '\0';

    retval = gethostbyname_r(name, &resbuf, temp.buffer, sizeof(temp.buffer), &result, &herrno);

    if (strcmp(temp.canary, CANARY) != 0) {
        puts("vulnerable");
        exit(EXIT_SUCCESS);
    }
    if (retval == ERANGE) {   /* a fixed glibc rejects the buffer as too small */
        puts("not vulnerable");
        exit(EXIT_SUCCESS);
    }
    puts("should not happen");
    exit(EXIT_FAILURE);
}
Compile and run it as follows:
$ gcc ghostvtest.c -o ghostvtest
$ ./ghostvtest
How to list packages/applications that depend on the vulnerable glibc?
Type the following lsof command:
lsof | grep libc | awk '{print $1}' | sort | uniq
Affected Version
glibc version 2.18 & before (released August ) is vulnerable; you can check the installed glibc version by running the ldd --version command on RHEL.
Resolution
To eliminate the possibility of an exploit:
1. Update the glibc and nscd packages on your system using the released packages.
2. Reboot the system to let the changes come into effect.
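The shell script below is an added example, not code from the original post, Red Hat or the glibc project. It complements the lsof command above and the Resolution steps: it pulls the version number out of ldd --version output (with the caveat that RHEL backports fixes without changing that number) and lists processes that still have the replaced libc mapped after the update, so they can be restarted when an immediate reboot is not possible. The script name ghost_postpatch.sh and the /proc maps excerpt are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post, Red Hat or the glibc project.
# parse_ldd_version: version from the first line of `ldd --version`. Caveat:
#   RHEL backports fixes without bumping this number, so ghostvtest.c above
#   remains the authoritative test.
# stale_libc_pids: after the glibc update, processes still mapping the OLD libc.
#   A mapping whose file was replaced on disk shows as "(deleted)" in
#   /proc/PID/maps; such processes keep running the vulnerable gethostbyname*()
#   code until restarted, which is what the reboot in step 2 achieves in one go.

# parse_ldd_version LINE: print the version number, e.g. "2.12".
parse_ldd_version() {
    printf '%s\n' "$1" | sed -n 's/^ldd ([^)]*) \([0-9][0-9.]*\).*$/\1/p'
}

# maps_has_stale_libc FILE: exit 0 if FILE, in /proc/PID/maps format, maps a
# glibc libc object (libc-X.Y.so or libc.so.6) marked "(deleted)".
maps_has_stale_libc() {
    grep -E '/libc(-[0-9.]+)?\.so[.0-9]* \(deleted\)$' "$1" >/dev/null 2>&1
}

# stale_libc_pids: print "PID COMMAND" for every live process with a stale libc.
# Other users' maps are unreadable without root; grep fails quietly and the
# process is skipped rather than reported.
stale_libc_pids() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}; pid=${pid%/maps}
        if maps_has_stale_libc "$maps"; then
            cmd=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null | cut -c1-60)
            printf '%s %s\n' "$pid" "${cmd:-[no cmdline]}"
        fi
    done
}

# Constructed /proc/PID/maps excerpt (not captured from a real host) so the
# check can be exercised offline; sample_maps_is_stale returns 0 (stale).
SAMPLE_MAPS='7f1c2a1d3000-7f1c2a38d000 r-xp 00000000 08:01 1048597 /lib64/libc-2.12.so (deleted)
7f1c2a600000-7f1c2a700000 r-xp 00000000 08:01 1048620 /usr/lib64/libcrypto.so.10'
sample_maps_is_stale() {
    tmp=$(mktemp) || return 2
    printf '%s\n' "$SAMPLE_MAPS" > "$tmp"
    maps_has_stale_libc "$tmp"; rc=$?
    rm -f "$tmp"
    return "$rc"
}
# Live run after the glibc/nscd update (hypothetical script name):
if [ "${0##*/}" = "ghost_postpatch.sh" ]; then
    parse_ldd_version "$(ldd --version | head -n 1)"; stale_libc_pids
fi
```

Run it as root so every process's maps file is readable; a non-empty PID list after the update means those services still execute the old library.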