news, security

GHOST Vulnerability: glibc gethostbyname buffer overflow

The GHOST vulnerability was discovered and disclosed by Qualys. It is a serious weakness in the GNU C Library (glibc) that nearly all Linux distributions ship. It allows an attacker to remotely take complete control of a victim system without any prior knowledge of system credentials. CVE-2015-0235 has been assigned to this issue.

Qualys researchers discovered a heap-based buffer overflow in the __nss_hostname_digits_dots() function of glibc. The bug can be triggered both locally and remotely via all the gethostbyname*() functions (gethostbyname(), gethostbyname2() and their reentrant _r variants), which applications use to convert a hostname into an IP address and through which most older code reaches the DNS resolver. The overflow is reached when the "hostname" is a numeric string of digits and dots, i.e. something that parses as an IPv4 literal: the function miscalculates the buffer it needs and comes up short by exactly sizeof(char *), so 4 bytes on 32-bit and 8 bytes on 64-bit systems can be written past the end of a heap buffer. Applications that resolve names through the newer getaddrinfo() API do not go through this code path, which Qualys lists as a mitigating factor.
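To make the miscalculation concrete, the following C program models the buffer-carving logic of __nss_hostname_digits_dots(). It is an added illustration written for this article, not glibc code: the two typedefs and the pointer arithmetic mirror the locals of the real function, while the guard region, the is_digits_and_dots() checker and the overflow_bytes() helper are constructed here so the out-of-bounds write can be observed safely instead of corrupting the heap. The all-'0' test name is constructed input; it is the kind of string that inet_aton() accepts, which is what sends the real function down the overflowing path.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Types mirror the locals in glibc's __nss_hostname_digits_dots(). */
typedef unsigned char host_addr_t[16];   /* large enough for an IPv6 address */
typedef char *host_addr_list_t[2];       /* h_addr_list: one address + NULL */

/* Buffer size as computed by vulnerable glibc 2.2 .. 2.17: the char **
 * h_alias_ptr slot that is later carved out of the buffer is not counted. */
size_t size_needed_vulnerable(const char *name)
{
    return sizeof(host_addr_t) + sizeof(host_addr_list_t) + strlen(name) + 1;
}

/* Buffer size after the May 2013 fix: the missing sizeof(char *) is added. */
size_t size_needed_fixed(const char *name)
{
    return sizeof(host_addr_t) + sizeof(host_addr_list_t) + sizeof(char *)
           + strlen(name) + 1;
}

/* The real function only reaches its strcpy() when the name looks like an
 * IPv4 literal: leading digit, digits and dots only, no trailing dot.
 * (Checker written for this example; glibc performs the same test inline.) */
int is_digits_and_dots(const char *name)
{
    size_t n = strlen(name);
    if (n == 0 || !isdigit((unsigned char)name[0]) || name[n - 1] == '.')
        return 0;
    for (size_t i = 0; i < n; i++)
        if (!isdigit((unsigned char)name[i]) && name[i] != '.')
            return 0;
    return 1;
}

/* Carve a buffer of size_needed bytes exactly as glibc does, perform the
 * same writes, and report how many bytes past its end were clobbered.
 * A guard region filled with 0xAA follows the buffer (constructed for this
 * example) so the overflow is measurable instead of undefined behaviour. */
size_t overflow_bytes(const char *name, size_t size_needed)
{
    enum { GUARD_LEN = 64 };
    const unsigned char GUARD = 0xAA;

    if (!is_digits_and_dots(name))
        return 0;                         /* glibc would not take this path */

    unsigned char *buf = malloc(size_needed + GUARD_LEN);
    if (buf == NULL)
        return 0;
    memset(buf, 0, size_needed);          /* glibc: memset(*buffer, 0, size_needed) */
    memset(buf + size_needed, GUARD, GUARD_LEN);

    /* Same pointer arithmetic as the vulnerable function. */
    host_addr_t *host_addr = (host_addr_t *)buf;
    host_addr_list_t *h_addr_ptrs =
        (host_addr_list_t *)((char *)host_addr + sizeof(*host_addr));
    char **h_alias_ptr = (char **)((char *)h_addr_ptrs + sizeof(*h_addr_ptrs));
    char *hostname = (char *)h_alias_ptr + sizeof(*h_alias_ptr);

    /* The writes glibc performs for an AF_INET literal. */
    memset(*host_addr, 0, 4);             /* stands in for inet_aton()'s 4-byte result */
    strcpy(hostname, name);               /* h_name: this is the write that overflows */
    (*h_addr_ptrs)[0] = (char *)host_addr;
    (*h_addr_ptrs)[1] = NULL;
    *h_alias_ptr = NULL;

    size_t clobbered = 0;
    for (size_t i = 0; i < GUARD_LEN; i++)
        if (buf[size_needed + i] != GUARD)
            clobbered++;
    free(buf);
    return clobbered;
}

int main(void)
{
    /* Constructed input in the spirit of Qualys' test: a long run of '0',
     * which inet_aton() accepts, so the strcpy() path is taken. */
    char name[1025];
    memset(name, '0', sizeof(name) - 1);
    name[sizeof(name) - 1] = '\0';

    printf("sizeof(char *)                 = %zu\n", sizeof(char *));
    printf("overflow with vulnerable size  = %zu bytes\n",
           overflow_bytes(name, size_needed_vulnerable(name)));
    printf("overflow with fixed size       = %zu bytes\n",
           overflow_bytes(name, size_needed_fixed(name)));
    printf("non-literal name \"example.org\" = %zu bytes\n",
           overflow_bytes("example.org", size_needed_vulnerable("example.org")));
    return 0;
}
```

The overflow is always exactly sizeof(char *) bytes regardless of the name's length, which is why Qualys describe it as a 4- or 8-byte heap overflow. In real glibc the exactly-sized buffer only arises when the name is long enough to force the resolver's internal buffer to be reallocated to size_needed (the gethostbyname() path) or when a caller-supplied buffer happens to be within sizeof(char *) of that size (the gethostbyname_r() path), so a practical trigger needs a long digits-and-dots string, roughly a kilobyte, as in Qualys' own test program.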

Qualys has developed a full-fledged remote exploit against the Exim mail server that bypasses all existing protections (ASLR, PIE and NX) on both 32-bit and 64-bit machines, and intends to publish it as a Metasploit module in the near future. Amol Sarwate, Qualys Vulnerability Labs Director, says in a YouTube interview that they will wait and monitor until the vulnerability reaches its half-life: until their data shows that at least half of the affected servers have been patched, they will not release the exploit.

The first vulnerable version of the GNU C Library is glibc-2.2, released on November 10, 2000 (yes, more than 14 years ago). The interesting thing is that the bug was fixed on May 21, 2013, between the glibc-2.17 and glibc-2.18 releases, but it was not recognised as a security threat at the time, so the fix was never backported and stable, long-term-support distributions were left exposed (and still are), for example Debian 7 (wheezy), Red Hat Enterprise Linux 6 & 7, CentOS 6 & 7 and Ubuntu 12.04. A more detailed list of Linux distributions that ship a vulnerable version of glibc can be found in the Matasano vulnerability overview. Note that installing the patched glibc package is not enough on its own: every running process that has already loaded the old library (mail servers, SSH daemons, web servers and so on) keeps using the vulnerable code until it is restarted, so reboot or restart all network-facing services after updating.

More information and a full technical analysis of GHOST can be found in the Qualys advisory.
