Qualys researchers have reported a vulnerability in gethostbyname() and gethostbyname2() in the GNU C Library (glibc) which, in at least one case, can lead to remote code execution. The bug allows overwriting up to 4 bytes on 32-bit systems and up to 8 bytes on 64-bit systems on the heap, and the overwritten bytes can only be digits (0-9), periods (.) and a NUL character (0x00).
The vulnerability was introduced in glibc-2.2, released November 10, 2000, and was fixed on May 21, 2013; the fix is included from glibc-2.18 onward. Therefore only Linux LTS distributions are vulnerable: Debian 7, Red Hat Enterprise Linux 6 and 7, CentOS 6 and 7, and Ubuntu 12.04.
The vulnerable code is the part responsible for looking up a host name. To overwrite the heap, the host name must satisfy the following conditions:
- Contain only digits and periods.
- The first character must be a digit.
- The last character must not be a period.
- Be long enough to overflow the buffer (> 1KB).
It should be noted that two factors significantly reduce the danger of exploitation: the gethostbyname() call is obsolete because it lacks IPv6 support, so software more often uses getaddrinfo() instead; and calling inet_aton() before gethostbyname() prevents the vulnerability.
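As an added example (not code from the article or from Qualys), the four conditions above and the inet_aton() mitigation expressed as C: a predicate that flags host names matching the trigger pattern, the numeric-address fast path, and a hypothetical wrapper `resolve_guarded()` that applies both checks before ever calling gethostbyname(). The 1 KB threshold, the helper names and the constructed sample names are assumptions.

```c
#define _DEFAULT_SOURCE 1
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <sys/socket.h>

/* Assumed threshold, taken from the article's "> 1KB" condition. */
#define GHOST_MIN_LEN 1024

/* Returns 1 if 'host' meets all four conditions the article lists for a name
 * that can overrun the heap buffer in the vulnerable gethostbyname():
 * digits and periods only, first character a digit, last character not a
 * period, and length greater than 1 KB. This is an input filter / detection
 * predicate only; it never calls the resolver. */
int is_ghost_trigger_pattern(const char *host)
{
    size_t len = strlen(host);
    if (len <= GHOST_MIN_LEN) return 0;
    if (!isdigit((unsigned char)host[0])) return 0;
    if (host[len - 1] == '.') return 0;
    for (size_t i = 0; i < len; i++)
        if (!isdigit((unsigned char)host[i]) && host[i] != '.') return 0;
    return 1;
}

/* Mitigation the article mentions: a numeric IPv4 string is handled by
 * inet_aton() and never needs to reach gethostbyname(). */
int is_numeric_ipv4(const char *host)
{
    struct in_addr tmp;
    return inet_aton(host, &tmp) != 0;
}

/* Guarded resolver wrapper (hypothetical helper, not a glibc API):
 *   0  -> address stored in *out (numeric fast path or successful lookup)
 *  -1  -> lookup failed
 *  -2  -> name refused by the trigger-pattern filter, resolver not called
 * 'out' may be NULL when only the verdict is of interest. */
int resolve_guarded(const char *host, struct in_addr *out)
{
    struct in_addr tmp;
    if (out == NULL) out = &tmp;
    if (inet_aton(host, out) != 0) return 0;       /* numeric: no lookup */
    if (is_ghost_trigger_pattern(host)) return -2; /* refuse the pattern */
    struct hostent *he = gethostbyname(host);
    if (he == NULL || he->h_addrtype != AF_INET || he->h_addr_list[0] == NULL)
        return -1;
    memcpy(out, he->h_addr_list[0], sizeof *out);
    return 0;
}

/* Builds a constructed sample name of 'len' characters: digits with a period
 * at every fourth position, with the first and last characters overridden so
 * each of the four conditions can be exercised. Returns a static buffer. */
const char *build_sample(size_t len, char first, char last)
{
    static char name[4096];
    if (len == 0 || len >= sizeof name) return "";
    for (size_t i = 0; i < len; i++)
        name[i] = (i % 4 == 3) ? '.' : (char)('0' + i % 10);
    name[0] = first;
    name[len - 1] = last;
    name[len] = '\0';
    return name;
}

int main(void)
{
    /* Constructed inputs; none of these triggers a network lookup. */
    const char *samples[] = { "127.0.0.1", "www.example.invalid", "1.2.3.4" };
    for (size_t i = 0; i < 3; i++)
        printf("%-20s trigger=%d numeric=%d\n", samples[i],
               is_ghost_trigger_pattern(samples[i]), is_numeric_ipv4(samples[i]));
    printf("1100-char digit/period name: trigger=%d resolve=%d\n",
           is_ghost_trigger_pattern(build_sample(1100, '1', '7')),
           resolve_guarded(build_sample(1100, '1', '7'), NULL));
    return 0;
}
```

The filter is only a stop-gap input check for software that still passes untrusted names to gethostbyname(); the real fix is a patched glibc. Because distributions backport fixes, the glibc version string alone does not tell you whether a host is patched; check your vendor's advisory for CVE-2015-0235.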
Despite these two factors, the Qualys team managed to achieve remote code execution in exim4 by overwriting the size of an allocated buffer and using exim4's built-in ${run{}} call. They promise to publish a Metasploit exploit soon.
Other libc implementations (uClibc, musl) do not have the vulnerability. Eglibc is vulnerable.
CVE-2015-0235
Page on qualys.com
Detailed description on the oss-security mailing list