GHOST - glibc Overflow

Vulnerability Description

A heap-based buffer overflow was found in glibc's __nss_hostname_digits_dots() function, which is used by the gethostbyname() and gethostbyname2() glibc function calls (and their reentrant _r variants). The function handles names made only of digits and dots; its size check for the caller's buffer omits the space for one pointer, so a name of exactly the right length passes the check and the copy runs sizeof(char *) bytes past the end of the buffer. A remote attacker able to make an application call either of these functions with a name under their control could use this flaw to execute arbitrary code with the permissions of the user running the application.
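The length arithmetic above can be exercised directly. The following is an added example, not VERT or Tripwire code and not one of the ASPL rules on this page: a Python port of the canary-style check approach published with the public GHOST advisory. It places a marker immediately after a 1024-byte buffer, calls gethostbyname_r() with a digits-only name of the overflowing length, and reports whether the marker survived. It assumes a Linux host whose libc exports gethostbyname_r (glibc); on other C libraries it reports the check as not applicable. Because it exercises the bug itself rather than reading a version string, it is not fooled by source-patched vendor builds.

```python
"""Runtime check for GHOST (CVE-2015-0235) from Python via ctypes.

Added example, not Tripwire/VERT code: a Python port of the canary-style test
approach published with the GHOST advisory. It calls gethostbyname_r() with a
numeric name sized so that an unfixed __nss_hostname_digits_dots() writes
sizeof(char *) bytes past the caller's buffer into an adjacent canary.
"""
import ctypes
import errno

CANARY = b"in_the_coal_mine"  # any marker works; a clobber must change it


class Hostent(ctypes.Structure):
    """struct hostent from <netdb.h> (glibc layout)."""
    _fields_ = [
        ("h_name", ctypes.c_char_p),
        ("h_aliases", ctypes.POINTER(ctypes.c_char_p)),
        ("h_addrtype", ctypes.c_int),
        ("h_length", ctypes.c_int),
        ("h_addr_list", ctypes.POINTER(ctypes.c_char_p)),
    ]


def ghost_canary_check(bufsize=1024):
    """Return (vulnerable, retval).

    vulnerable is True when the canary after the buffer was overwritten,
    False when it is intact (a fixed glibc refuses the call with ERANGE),
    or None when the running libc has no gethostbyname_r (not glibc).
    """
    try:
        libc = ctypes.CDLL(None, use_errno=True)  # symbols already in this process
        fn = libc.gethostbyname_r
    except (OSError, AttributeError):
        return None, None
    fn.restype = ctypes.c_int
    fn.argtypes = [ctypes.c_char_p, ctypes.POINTER(Hostent), ctypes.c_void_p,
                   ctypes.c_size_t, ctypes.POINTER(ctypes.POINTER(Hostent)),
                   ctypes.POINTER(ctypes.c_int)]

    class Temp(ctypes.Structure):
        # Two char arrays pack with no padding, so an overrun of `buffer`
        # lands in `canary`.
        _fields_ = [("buffer", ctypes.c_char * bufsize),
                    ("canary", ctypes.c_char * (len(CANARY) + 1))]

    temp = Temp()
    temp.canary = CANARY

    # The unfixed size check omits sizeof(*h_alias_ptr), i.e. one char *.
    # A name of exactly buflen - sizeof(in6_addr) - 2*sizeof(char *) - 1
    # bytes therefore passes the check and the copy overruns by one pointer.
    ptr = ctypes.sizeof(ctypes.c_void_p)
    name = b"0" * (bufsize - 16 - 2 * ptr - 1)  # digits only: digits/dots path

    resbuf = Hostent()
    result = ctypes.POINTER(Hostent)()
    herrno = ctypes.c_int(0)
    ret = fn(name, ctypes.byref(resbuf), ctypes.addressof(temp), bufsize,
             ctypes.byref(result), ctypes.byref(herrno))
    return temp.canary != CANARY, ret


if __name__ == "__main__":
    vulnerable, ret = ghost_canary_check()
    if vulnerable is None:
        print("not glibc: check does not apply")
    else:
        print("vulnerable" if vulnerable else "not vulnerable",
              "(gethostbyname_r returned %s)" % errno.errorcode.get(ret, ret))
```

On a fixed glibc the call is refused with ERANGE before anything is copied, so the canary is untouched; on an affected build the marker is overwritten by the pointer that the size check failed to account for. Run it as the user whose processes you care about; it only tests the libc mapped into the running interpreter.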

Exposure & Impact

Every glibc from 2.2 up to and including 2.17 is affected. The bug was fixed upstream in glibc 2.18 (released in 2013) but the fix was not flagged as a security issue at the time, so long-term-support distributions shipping older glibc versions remained exposed until the January 2015 disclosure. Any program that passes attacker-influenced names to gethostbyname() or gethostbyname2() (or the _r variants) is exposed; callers that use getaddrinfo() only are not. The overflow is limited to sizeof(char *) bytes made up of digits, dots and a terminating NUL, which constrains but does not prevent exploitation: the public advisory demonstrated remote code execution against a mail server through a crafted SMTP command. Code runs with the permissions of the user running the affected application.

Remediation & Mitigation

VERT recommends applying patches from vendors when available. Vendors generally backport the fix without changing the upstream glibc version number, so judge whether a host is patched by the vendor's package version-release from its advisory, not by the bare 2.x number. Because glibc is mapped into nearly every running process, services must be restarted (or the host rebooted) after the update for the fix to take effect.

Detection

ASPL 599, released on 01-28-2015, contains the rule “GHOST glibc Library Vulnerability”, which checks for CVE-2015-0235.

VERT has also created the two custom ASPL rules below, which can be added manually to your VNE to find systems still running an affected glibc. Caveat: neither rule accounts for source-patched vendor builds. Distributions backport the fix without changing the upstream version number (a patched RHEL 6 glibc still reports 2.12), so both rules will flag such hosts as vulnerable; confirm against the vendor package version before acting on a hit.

Rule 1
# Based on the glibc banner printed by running libc.so.6 directly.
# Update the libc path for the target (e.g. /lib64/libc.so.6 on RHEL/CentOS).
EXECUTE { 

import aspl_sshcore
from version import Version, VersionException

aspl_sshcore.startSSH(rule)

# First upstream release carrying the fix; anything older is reported as
# vulnerable (vendor-backported builds included, see the caveat above).
fixed_version = '2.18'

# The banner reads e.g. "... stable release version 2.19, by Roland McGrath et al."
# grep -Eo leaves "version 2.19"; only the first line is used, because a later
# "Compiled by GNU CC version 4.8.2" line would also match the pattern.
rule.SEND('/lib/x86_64-linux-gnu/libc.so.6 | grep -Eo "version.* [0-9]\.[0-9]+"')
rule.waitForData()
try:
    result = rule.buffer.split('\x0a')[0].split(' ')[-1].strip()
except IndexError:
    rule.STOP(False)

try:
    if Version(result) < Version(fixed_version):
        rule.STOP(True)     # older than 2.18: vulnerable
except VersionException:
    rule.STOP(False)        # no parsable version: not reported as vulnerable

rule.STOP(False)
}
Rule 2
# Based on `ldd --version`, whose version number should match the installed glibc.
# Works without knowing the libc path, but has the same backport caveat.
EXECUTE { 

import aspl_sshcore
from version import Version, VersionException

aspl_sshcore.startSSH(rule)

# First upstream release carrying the fix.
fixed_version = '2.18'

# First line reads e.g. "ldd (Ubuntu EGLIBC 2.19-0ubuntu6.6) 2.19" or
# "ldd (GNU libc) 2.17"; the last space-separated token is the version.
rule.SEND('ldd --version | grep -Eo "ldd.* [0-9]\.[0-9]+"')
rule.waitForData()
try:
    result = rule.buffer.split(' ')[-1].strip()
except IndexError:
    rule.STOP(False)

try:
    if Version(result) < Version(fixed_version):
        rule.STOP(True)     # older than 2.18: vulnerable
except VersionException:
    rule.STOP(False)        # no parsable version: not reported as vulnerable

rule.STOP(False)
}
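Both rules compare the bare upstream number against 2.18, which is exactly where the backport caveat bites. The following is an added example, not part of the VERT rules and not Tripwire code: it reproduces the version extraction the rules perform on the libc banner and on `ldd --version` output, and adds the check they do not make, comparing an installed RPM version-release against the vendor's fixed build using RPM's own version ordering. The sample banners and package names are constructed for the example, and the RHEL_FIXED table lists the fixed builds given in the Red Hat article in the references; confirm them against the current vendor advisory before relying on the table, and extend it for other distributions.

```python
"""Version-string triage for GHOST (CVE-2015-0235), backports included.

Added example, not part of the VERT ASPL rules. Upstream versions 2.2..2.17
are affected; vendors backport the fix while keeping the upstream number, so
package version-release strings must be compared with RPM ordering.
"""
import re

FIRST_VULN = (2, 2)     # first affected upstream release
FIRST_FIXED = (2, 18)   # first upstream release with the fix

# Fixed Red Hat glibc builds (version-release) as listed in the Red Hat
# article referenced on this page; verify before use (example data).
RHEL_FIXED = {
    "el5": "2.5-123.el5_11.1",
    "el6": "2.12-1.149.el6_6.5",
    "el7": "2.17-55.el7_0.5",
}

# "... stable release version 2.19, by ..." (libc.so.6 banner) or
# "ldd (Ubuntu EGLIBC 2.19-0ubuntu6.6) 2.19" (first line of `ldd --version`).
_BANNER = re.compile(r"(?:release version|ldd \(.*\)) (\d+\.\d+)")
_SEGMENT = re.compile(r"[0-9]+|[a-zA-Z]+")
_ARCHES = {"x86_64", "i686", "i386", "ppc64", "s390x", "noarch"}


def upstream_version(text):
    """Upstream x.y from a libc banner or `ldd --version` output, else None."""
    first = text.splitlines()[0] if text else ""
    m = _BANNER.search(first)
    return m.group(1) if m else None


def upstream_vulnerable(version):
    """True if the upstream number is in the affected range (no backport awareness)."""
    major, minor = (int(p) for p in version.split(".")[:2])
    return FIRST_VULN <= (major, minor) < FIRST_FIXED


def rpmvercmp(a, b):
    """Order two RPM version or release strings like rpm's rpmvercmp().

    Alternating numeric/alpha segments are compared pairwise: numeric
    segments as integers (so 12 > 5), alpha segments lexically, and a
    numeric segment outranks an alpha one. The string with more segments
    wins a tie. Returns -1, 0 or 1. Tilde/caret handling is omitted.
    """
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        xn, yn = x.isdigit(), y.isdigit()
        if xn and yn:
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif xn != yn:
            return 1 if xn else -1
        elif x != y:
            return -1 if x < y else 1
    if len(sa) != len(sb):
        return -1 if len(sa) < len(sb) else 1
    return 0


def parse_nvr(nvr):
    """Split `rpm -q glibc` output (glibc-2.12-1.149.el6_6.4.x86_64) into
    (name, version, release), dropping a trailing architecture."""
    nvr = nvr.strip()
    head, _, tail = nvr.rpartition(".")
    if tail in _ARCHES:
        nvr = head
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def rhel_glibc_vulnerable(nvr):
    """True/False against RHEL_FIXED, or None if the dist tag is not in the table."""
    _, version, release = parse_nvr(nvr)
    m = re.search(r"\.(el\d+)", release)
    if not m or m.group(1) not in RHEL_FIXED:
        return None
    fixed_version, fixed_release = RHEL_FIXED[m.group(1)].rsplit("-", 1)
    order = rpmvercmp(version, fixed_version) or rpmvercmp(release, fixed_release)
    return order < 0


if __name__ == "__main__":
    # Constructed sample outputs; a patched RHEL 6 host still reports 2.12.
    ldd_line = "ldd (GNU libc) 2.12"
    pkg = "glibc-2.12-1.149.el6_6.5.x86_64"
    print("upstream", upstream_version(ldd_line), "affected range:",
          upstream_vulnerable(upstream_version(ldd_line)))
    print(pkg, "vulnerable by package:", rhel_glibc_vulnerable(pkg))
```

The two answers for the constructed RHEL 6 host disagree on purpose: the upstream check says 2.12 is in the affected range, the package check recognises the backported fix. Where the package check returns None (a distribution not in the table), fall back to the vendor advisory or to a runtime test rather than to the bare upstream number.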

Detection information for Tripwire Enterprise customers

References

http://www.tripwire.com/state-of-security/latest-security-news/ghost-in-the-linux-machine-cve-2015-0235/

http://www.tripwire.com/state-of-security/vulnerability-management/ghost-vulnerability-and-its-patch-history/

http://www.tripwire.com/state-of-security/vulnerability-management/dont-be-shellshocked-by-ghost/

https://access.redhat.com/articles/1332213

http://www.openwall.com/lists/oss-security/2015/01/27/9