GHOST - gethostbyname() vulnerability in glibc

Qualys experts reported a vulnerability in gethostbyname() and gethostbyname2() in the GNU C Library (glibc) which, in at least one case, could lead to remote code execution. The bug allows up to 4 bytes on 32-bit systems and up to 8 bytes on 64-bit systems of the heap to be overwritten with digits (0...9), periods (.) and the NUL character (0x00).

The vulnerability was introduced in glibc-2.2, released November 10, 2000, and was fixed on May 21, 2013 (the fix shipped in glibc-2.18); therefore only Linux LTS distributions that still ship an older glibc are vulnerable: Debian 7, Red Hat Enterprise Linux 6 and 7, CentOS 6 and 7, Ubuntu 12.04.

The vulnerable code is the part that parses the host name. To overwrite the heap, the host name must satisfy all of the following conditions:
• contain only digits and periods;
• the first character must be a digit;
• the last character must not be a period;
• be long enough to overflow the buffer (> 1KB).

It should be noted that two factors considerably reduce the practical risk: gethostbyname() is obsolete because it does not support IPv6, so software more often uses getaddrinfo() instead; and calling inet_aton() before gethostbyname() keeps the vulnerable code path from being reached.
Despite these two factors, the Qualys researchers managed to execute code remotely in exim4 by overwriting the size of the allocated buffer and using the ${run{}} expansion built into exim4. They promise to publish a Metasploit exploit soon.
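To make the conditions above concrete from the defender's side, here is an added C example (not code from Qualys, glibc or the original article): a pure string check that flags host names of the shape described in the list, usable over log fields or inbound data without ever calling the resolver, plus the inet_aton() pre-check this paragraph names as the mitigation. The 1024-byte threshold and the 1100-character sample are assumptions constructed for illustration.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* "> 1KB" from the text; the real threshold depends on the caller's buffer,
   so 1024 is an assumption. SAMPLE_LEN sizes the constructed sample. */
#define GHOST_MIN_LEN 1024
#define SAMPLE_LEN 1100

/* 1 if host has the shape the list above describes: leading digit, only
   digits and '.', no trailing '.', longer than GHOST_MIN_LEN. A pure string
   check that never calls the resolver, so it can run over log fields. */
int ghost_shaped(const char *host)
{
    size_t len = strlen(host);
    if (len <= GHOST_MIN_LEN || !isdigit((unsigned char)host[0]))
        return 0;
    if (host[len - 1] == '.')
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!isdigit(c) && c != '.')
            return 0;
    }
    return 1;
}

/* The mitigation the text names: try inet_aton() first. If it succeeds the
   program already has an address and never calls gethostbyname(), so the
   vulnerable digits-and-dots path is not reached. 1 if host is numeric. */
int numeric_host(const char *host)
{
    struct in_addr addr;
    return inet_aton(host, &addr) != 0;
}

/* Constructed sample: SAMPLE_LEN '0' characters, meeting every condition in
   the list. Bit 0: ghost_shaped() flags it; bit 1: numeric_host() accepts it,
   i.e. the pre-check keeps it away from gethostbyname(). */
int classify_sample(void)
{
    char sample[SAMPLE_LEN + 1];
    memset(sample, '0', SAMPLE_LEN);
    sample[SAMPLE_LEN] = '\0';
    return ghost_shaped(sample) | (numeric_host(sample) << 1);
}

int main(void) { printf("sample: %d (3 = flagged and numeric)\n", classify_sample()); return 0; }
```

A value of 3 for the sample shows both halves at work: the string check would flag it in logs, and a program that tries inet_aton() first treats it as a literal address and never hands it to gethostbyname().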

Other libc implementations (uclibc, musl) are not affected. Eglibc is vulnerable.

CVE-2015-0235
Advisory page at qualys.com
Detailed description on the oss-security mailing list
