Threat Awareness: GHOST Vulnerability

During a code audit, researchers at Qualys discovered a critical buffer overflow in the gethostbyname() and gethostbyname2() functions of glibc (the GNU C Library), dubbed the GHOST vulnerability and tracked as CVE-2015-0235. The bug can be triggered both locally and remotely and, if successfully exploited, allows an attacker to take control of a system without any prior knowledge of credentials. According to the Qualys announcement, the researchers wrote an in-house exploit that executes arbitrary code remotely through the Exim mail server, and in doing so bypassed the usual exploitation defenses (ASLR, PIE, and NX) on both 32-bit and 64-bit systems.


The gethostbyname() and gethostbyname2() functions in glibc are used on many Unix systems to resolve hostnames to IP addresses; they are a legacy API, but a great deal of software still calls them. glibc 2.2 through 2.17 are vulnerable; the fix first shipped upstream in glibc 2.18. The installed glibc version can be checked with the command "ldd --version" (ldd is itself part of glibc), with two caveats: not every Unix system that uses glibc has ldd installed, and software that is statically linked carries its own embedded copy of glibc, which is not fixed by updating the system library and must be rebuilt. The version number alone is also not a reliable indicator, because distributions backport security fixes under the original version number. The bug was fixed upstream in May 2013 as an ordinary bug rather than a security vulnerability, and as a result the fix was not backported to the older, widely used and still supported glibc versions shipped with popular Linux distributions (Qualys named Debian 7, Red Hat Enterprise Linux 6 and 7, CentOS 6 and 7, and Ubuntu 12.04 among those still affected at the time of disclosure).

It is recommended to apply the patches supplied by the maintainer of the vulnerable Linux/Unix distribution. Note that Apple OS X and Windows ship their own C libraries rather than glibc and are not affected by this bug; what matters is whether a given program is linked, dynamically or statically, against a vulnerable glibc. A Bash shell script to validate that a system is no longer vulnerable has been provided by NixCraft at http://www.cyberciti.biz/files/scripts/GHOST-test.sh.txt. If the system still shows as vulnerable after the update, it is because processes that were already running still have the old glibc mapped into memory: restart the affected services (or reboot the server) and re-run the test. While this vulnerability is serious, there are other vulnerabilities that may deserve higher priority. Each administrator of a potentially vulnerable environment should assess the risk based on the prevalence of vulnerable systems and the layers of defense that help mitigate exploitation, and set patching schedules accordingly.
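The two checks described above (the glibc version rule and a runtime test that the overflow no longer happens) as one added example in C. This is not the Qualys test program or the NixCraft script; it applies the same idea as the Qualys test, a hostname made only of digits and sized so that a vulnerable glibc's buffer-size check passes and the strcpy() that follows overruns into an adjacent canary. The buffer size, the canary string and the function names glibc_version_fixed() and ghost_probe() are this example's own choices.

```c
/* ghost_probe.c - added example, not the Qualys or NixCraft code.
 * Build and run: cc -Wall -o ghost_probe ghost_probe.c && ./ghost_probe */
#define _GNU_SOURCE
#include <errno.h>
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef __GLIBC__
#include <gnu/libc-version.h>
#endif

/* Prototype repeated here so the probe still compiles if the feature macro
 * above was not seen before the first libc header was included. */
int gethostbyname_r(const char *, struct hostent *, char *, size_t,
                    struct hostent **, int *);

#define CANARY "in_the_coal_mine"   /* sentinel placed right after the buffer */

/* The lookup's scratch buffer and a canary laid out back to back, so an
 * overflow of the buffer by even one byte corrupts the canary. */
static struct {
    char buffer[1024];
    char canary[sizeof(CANARY)];
} temp = { "buffer", CANARY };

/* Returns 1 if the version string (e.g. "2.17") names a glibc that contains
 * the upstream fix (2.18 or later), 0 otherwise. Distributions backport the
 * fix under older version numbers, so 0 only means "check further". */
int glibc_version_fixed(const char *version)
{
    int major = 0, minor = 0;
    if (sscanf(version, "%d.%d", &major, &minor) != 2)
        return 0;
    return major > 2 || (major == 2 && minor >= 18);
}

/* Run the overflow trigger. A vulnerable glibc computes the space it needs as
 * sizeof(host_addr) + sizeof(h_addr_ptrs) + strlen(name) + 1, forgetting the
 * sizeof(char *) it also stores, so a name of exactly this length passes the
 * size check and the subsequent strcpy() writes sizeof(char *) bytes past the
 * end of temp.buffer, into the canary. A fixed glibc rejects the lookup with
 * ERANGE instead. Returns 1 if the canary was overwritten, 0 if it survived;
 * the raw gethostbyname_r() return code is stored in *lookup_rc if non-NULL. */
int ghost_probe(int *lookup_rc)
{
    struct hostent resbuf, *result = NULL;
    int herrno = 0;
    char name[sizeof(temp.buffer)];
    size_t len = sizeof(temp.buffer) - 16 * sizeof(unsigned char)
                 - 2 * sizeof(char *) - 1;

    memset(name, '0', len);       /* digits only: takes the numeric fast path */
    name[len] = '\0';
    memcpy(temp.canary, CANARY, sizeof(CANARY));   /* reset for repeated runs */

    int rc = gethostbyname_r(name, &resbuf, temp.buffer, sizeof(temp.buffer),
                             &result, &herrno);
    if (lookup_rc)
        *lookup_rc = rc;
    return memcmp(temp.canary, CANARY, sizeof(CANARY)) != 0;
}

int main(void)
{
#ifdef __GLIBC__
    const char *v = gnu_get_libc_version();
    printf("glibc %s: %s\n", v, glibc_version_fixed(v)
           ? "contains the upstream fix"
           : "older than 2.18, depends on a distribution backport");
#else
    puts("not linked against glibc; this bug does not apply");
#endif
    int rc = 0;
    int vuln = ghost_probe(&rc);
    if (vuln)
        puts("vulnerable: canary overwritten");
    else if (rc == ERANGE)
        puts("not vulnerable: lookup rejected the undersized buffer with ERANGE");
    else
        printf("not vulnerable: canary intact (lookup returned %d)\n", rc);
    return vuln;
}
```

On a fixed glibc the lookup returns ERANGE and the canary is untouched; on a libc other than glibc the return code differs, which is why the verdict is taken from the canary rather than from the return code. The probe only tests the glibc the binary is linked against, so a statically linked program has to be rebuilt and tested on its own, and an updated shared library is only picked up by processes started after the update.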

Reference(s):
[*] <https://community.qualys.com/blogs/laws-of-vulnerabilities/2015/01/27/the-ghost-vulnerability>
[*] <http://www.openwall.com/lists/oss-security/2015/01/27/9>
[*] <http://www.cyberciti.biz/files/scripts/GHOST-test.sh.txt>


