Nytro Posted January 29, 2015 Report Posted January 29, 2015 Critical “GHOST” Vulnerability ReleasedBy Marc-Alexandre Montpas on January 28, 2015 . 3 CommentsA very critical vulnerability affecting the GNU C Library (glibc) is threatening Linux servers for a remote command execution. This security bug was discovered by Qualys security researchers and will probably cause a lot of headaches to those who won’t update right away.Where does the issue come from?This is a buffer overflow issue in glibc’s function __nss_hostname_digits_dots(), which is itself used by multiple others like gethostbyname() and gethostbyname2(). This is a critical issue as these functions are used in an enormous amount of software and server-level mechanisms. An attacker would need to send a very specific set of bytes to the function in order to trigger the bug and attempt to get command execution privileges on the victim’s server.What does it affect exactly?So far, these applications have been proven to fall to the aforementioned attack:clockdiffprocmail (through its comsat/biff feature)pppdExim mail server (if configured with the “helo_verify_hosts” or “helo_try_verify_hosts” options)We also have good reasons to believe PHP applications might also be affected, through itsgethostbyname() function wrapper. An example of where this could be a big issue is within WordPress itself: it uses a function named wp_http_validate_url() to validate every pingback’s post URL:…and it does so by using gethostbyname(). So an attacker could leverage this vector to insert a malicious URL that would trigger a buffer overflow bug, server-side, potentially allowing him to gain privileges on the server.Update as soon as possible!This is a very critical vulnerability and should be treated as such. If you have a dedicated server (or VPS) running Linux, you have to make sure you update it right away. We know for a fact that Centos/RHEL/Fedora 5,6,7 as vulnerable, as well as some Ubuntu versions.As a quick test, if you run the following PHP code on your terminal:php -r '$e="0";for($i=0;$i<2500;$i++){$e="0$e";} gethostbyname($e);'Segmentation faultAnd get a segmentation fault, it means your server is vulnerable. Be sure to watch for your distribution’s fix for the patch (yum update is your friend).Sursa: Critical “GHOST” Vulnerability Released | Sucuri Blog Quote
Gushterul Posted January 29, 2015 Report Posted January 29, 2015 (edited) php -r '$e="0";for($i=0;$i<2500;$i++){$e="0$e";} gethostbyname($e);'Segmentation faultAm testat pe 5 versiuni diferite de CentOS si nu da nici un php segfault codul de mai sus.Insa merge cel de mai jos: /* * GHOST vulnerability check * http://www.openwall.com/lists/oss-security/2015/01/27/9 * Usage: gcc GHOST.c -o GHOST && ./GHOST */ #include <netdb.h>#include <stdio.h>#include <stdlib.h>#include <string.h>#include <errno.h>#define CANARY "in_the_coal_mine"struct { char buffer[1024]; char canary[sizeof(CANARY)];} temp = { "buffer", CANARY };int main(void) { struct hostent resbuf; struct hostent *result; int herrno; int retval; /*** strlen (name) = size_needed - sizeof (*host_addr) - sizeof (*h_addr_ptrs) - 1; ***/ size_t len = sizeof(temp.buffer) - 16*sizeof(unsigned char) - 2*sizeof(char *) - 1; char name[sizeof(temp.buffer)]; memset(name, '0', len); name[len] = '\0'; retval = gethostbyname_r(name, &resbuf, temp.buffer, sizeof(temp.buffer), &result, &herrno); if (strcmp(temp.canary, CANARY) != 0) { puts("vulnerable"); exit(EXIT_SUCCESS); } if (retval == ERANGE) { puts("not vulnerable"); exit(EXIT_SUCCESS); } puts("should not happen"); exit(EXIT_FAILURE);}Later edit merge daca maresti la acel PHP $i de la 2600 in plus... Edited January 29, 2015 by Gushterul Quote
