
Running this code on a system with the vulnerable library as follows triggers the wrong error:

```cpp
#include <netdb.h>
#include <errno.h>
#include <iostream>
#include <string>

int main(int argc, char** argv)
{
    // Hostname to resolve comes from the command line (empty if none given).
    const std::string name = argc == 1 ? "" : argv[1];

    // Initial scratch-buffer size is fixed at compile time via -DDNS_BUFFER_SIZE=N.
    unsigned int size = DNS_BUFFER_SIZE;
    char* tmp = new char[size];
    struct hostent* res = NULL;
    hostent buf;
    int err = 0;
    int result = 0;

    // Usual retry loop: gethostbyname_r() returns ERANGE when the caller's
    // buffer is too small, so double it and try again.
    while ((result = ::gethostbyname_r(name.c_str(), &buf, tmp, size, &res, &err)) == ERANGE)
    {
        delete[] tmp;
        tmp = new char[size *= 2];
    }
    delete[] tmp;

    // result holds an errno-style code, which is why hstrerror() prints
    // "Unknown resolver error" for it below.
    if (res == 0)
        std::cout << "error: " << result << " (" << hstrerror(result) << ")" << std::endl;
    return 0;
}
```
```
$> g++ -W -Wall -DDNS_BUFFER_SIZE=37 dnslookup.cpp -o dnslookup
$> ./dnslookup USER_SUPPLIED_HOSTNAME
error: 22 (Unknown resolver error)
```

Specifically, the code is returning error number 22 (EINVAL). Changing the argument “-DDNS_BUFFER_SIZE=37” to “-DDNS_BUFFER_SIZE=38” would cause this program to run successfully.

About 4 months passed between the discovery of the bug and the fix to the library, after which the bug was closed. However, it appears that the issue was not readily recognised as a buffer overflow flaw, and hence the bug was not originally classified as a security issue. As such, the bug fix did not receive the attention it deserved, especially amongst the bigger Linux distributors such as Red Hat, Ubuntu, and Debian.

IMPACT

Numerous researchers and blogs [see links below] already agree that the bug will have low security impact. For example, Craig Young and I were comparing GHOST to Shellshock. Both of these vulnerabilities have far-reaching impact due to the pervasiveness of the vulnerable code. However, GHOST is no Shellshock. Shellshock was not only remotely exploitable across many different services and platforms, but it was also remotely exploitable with virtually the same payload. The same cannot be said for GHOST. Each service that is vulnerable to GHOST (via calls to the affected libc functions) will very likely require a unique payload. This will demand a lot of development effort on an attacker's part. And, as many have pointed out, the return on investment for developing exploits will be low, since the bug was fixed in 2013.

PEACE OF MIND

Tripwire’s VERT has developed generic vulnerability coverage for GHOST, which will be shipping in ASPL-599 on Wednesday, January 28, 2015. VERT will continue to expand GHOST vulnerability coverage over the next few weeks as more and more vendors ship updates that address the GHOST vulnerability.

LINKS
- Ken Westin: https://www.tripwire.com/state-of-security/latest-security-news/ghost-in-the-linux-machine-cve-2015-0235/
- Trend Micro: http://blog.trendmicro.com/trendlabs-security-intelligence/not-so-spooky-linux-ghost-vulnerability/
- Ars Technica: http://arstechnica.com/security/2015/01/highly-critical-ghost-allowing-code-execution-affects-most-linux-systems/
- Dark Reading: http://www.darkreading.com/vulnerabilities---threats/new-ghost-vuln-affecting-linux/d/d-id/1318811
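The buffer-size check performed by the C++ program at the top of the post, repeated from Python through ctypes, as an added example that is not part of the original post or of glibc: it calls gethostbyname_r() once with an undersized buffer (a fixed libc answers ERANGE, whereas the post observed EINVAL from the vulnerable one), runs the same doubling retry loop to completion, and reports the glibc version. The 2.18 threshold is the upstream release that carries the 2013 fix (a fact from outside the post); the struct layout, the probe(), lookup_with_retry() and version helpers, and the 127.0.0.1 sample name are this example's own assumptions. Distribution packages backport the fix without changing the version string, so the version check is only a first hint and the behavioural probe is the actual answer; on an unpatched libc the undersized call overruns the heap buffer exactly as the post's program does, so run it on a test host.

```python
"""Probe gethostbyname_r() buffer handling from Python via ctypes.

Added example, not the original post's program: it mirrors the ERANGE retry
loop of the C++ snippet and adds a glibc version report with its caveat.
"""
import ctypes
import ctypes.util
import errno
import socket

# The C library Python is linked against. find_library() may return None in
# minimal containers; CDLL(None) then still exposes libc's symbols.
_libc = ctypes.CDLL(ctypes.util.find_library("c"), use_errno=True)


class Hostent(ctypes.Structure):
    """struct hostent as laid out by glibc and musl (five fields)."""
    _fields_ = [
        ("h_name", ctypes.c_char_p),
        ("h_aliases", ctypes.POINTER(ctypes.c_char_p)),
        ("h_addrtype", ctypes.c_int),
        ("h_length", ctypes.c_int),
        # Raw binary addresses, so use string_at() with h_length, not c_char_p.
        ("h_addr_list", ctypes.POINTER(ctypes.POINTER(ctypes.c_char))),
    ]


_libc.gethostbyname_r.argtypes = [
    ctypes.c_char_p,                           # name
    ctypes.POINTER(Hostent),                   # ret
    ctypes.POINTER(ctypes.c_char),             # buf (caller's scratch space)
    ctypes.c_size_t,                           # buflen
    ctypes.POINTER(ctypes.POINTER(Hostent)),   # result
    ctypes.POINTER(ctypes.c_int),              # h_errnop
]
_libc.gethostbyname_r.restype = ctypes.c_int


def probe(name, size):
    """One gethostbyname_r() call with a `size`-byte scratch buffer.

    Returns (return_code, first_address_or_None). A fixed libc answers an
    undersized buffer with ERANGE (34); the post saw EINVAL (22) instead.
    """
    buf = ctypes.create_string_buffer(size)
    ret = Hostent()
    res = ctypes.POINTER(Hostent)()          # NULL until libc fills it in
    herr = ctypes.c_int(0)
    rc = _libc.gethostbyname_r(name.encode(), ctypes.byref(ret), buf, size,
                               ctypes.byref(res), ctypes.byref(herr))
    if rc != 0 or not res:
        return rc, None
    h = res.contents
    raw = ctypes.string_at(h.h_addr_list[0], h.h_length)
    return rc, socket.inet_ntoa(raw) if h.h_length == 4 else raw.hex()


def lookup_with_retry(name, start=37, limit=1 << 16):
    """The post's loop: double the buffer while libc reports ERANGE.

    Returns (return_code, address_or_None, final_buffer_size).
    """
    size = start
    while size <= limit:
        rc, addr = probe(name, size)
        if rc != errno.ERANGE:
            return rc, addr, size
        size *= 2
    return errno.ERANGE, None, size


def glibc_version():
    """Version string from gnu_get_libc_version(), or None on non-glibc."""
    try:
        fn = _libc.gnu_get_libc_version
    except AttributeError:
        return None
    fn.restype = ctypes.c_char_p
    return fn().decode()


def version_has_upstream_fix(version):
    """True if the reported version is at least 2.18, the first upstream
    release with the fix. Hint only: distributions backport the fix
    without bumping this string, so rely on probe() for a real verdict."""
    major, minor = version.split(".")[:2]
    minor = "".join(ch for ch in minor if ch.isdigit())
    return (int(major), int(minor)) >= (2, 18)


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"  # sample name
    print("glibc version:", glibc_version())
    print("undersized (37-byte) call returned:", probe(host, 37)[0])
    print("retry loop result:", lookup_with_retry(host))
```

Run it as `python3 ghost_probe.py [hostname]`; a healthy libc prints 34 (ERANGE) for the undersized call and then a successful lookup from the retry loop, which is the behaviour the post says the 38-byte build exhibits.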