Cisco's analysis of the GHOST vulnerability: not so terrible
Cisco's security research group, Talos, has pointed out that GHOST, the vulnerability recently disclosed by Qualys, allows attackers to execute arbitrary code remotely, but that although it is a serious vulnerability, it is not as terrible as it sounds.
The vulnerability lies in the GetHOST functions of the GNU C Library (glibc), which convert a host name into an IP address, hence the name GHOST. Qualys found a buffer overflow in __nss_hostname_digits_dots(), which can be triggered through the gethostbyname() or gethostbyname2() function and allows a remote attacker to execute arbitrary code and take control of the system.
Talos, however, believes that this serious vulnerability is not so terrible. First, these two functions do not support IPv6 and were superseded about 15 years ago; getaddrinfo(), which supports IPv6 and was introduced to replace them, is not affected by the bug. Second, to be attackable at all, an application must accept a host name from the attacker and still pass it to gethostbyname() or gethostbyname2().
In addition, the affected code sharply restricts the host names that can reach the vulnerable path: the name must consist only of digits and dots, its first character must be a digit, and its last character must not be a dot. Few applications accept input of this form.
Talos notes that even though the bug permits remote code execution, these restrictions reduce the threat: an attacker must find an application that still uses gethostbyname() or gethostbyname2(), and the malicious input must satisfy these odd rules. In practice, the most likely outcome is a segmentation fault (a crash) rather than remote code execution.
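The following C program is an added example, not code from the Talos or Qualys write-ups. It turns the two technical points above into something a practitioner can run: a triage check for the input shape that can reach the GHOST overflow (digits and dots only, leading digit, no trailing dot), and the getaddrinfo() call that replaces the affected gethostbyname*() functions. It also applies one detail from the glibc source of __nss_hostname_digits_dots() that the article does not mention: the overflowing copy is only reached if inet_aton() accepts the string as an IPv4 literal, so a name with five dotted parts never gets there. A real trigger additionally needs a name of roughly 1 KB so that the under-sized buffer is allocated; that length is not enforced here. The sample host names are constructed for the demonstration.

```c
/* Added example: GHOST input-shape triage plus the getaddrinfo() replacement.
 * Not taken from Talos or Qualys. Shape rules follow the article; the
 * inet_aton() condition follows the glibc source of
 * __nss_hostname_digits_dots(). The ~1 KB length a real trigger needs is
 * deliberately not enforced, so ghost_reachable() is necessary, not sufficient. */
#include <arpa/inet.h>
#include <ctype.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Shape rule from the article: only digits and dots, first character a digit,
 * last character not a dot. Returns 1 if 'name' matches, else 0. */
int ghost_shape(const char *name)
{
    size_t len = strlen(name);
    if (len == 0 || !isdigit((unsigned char)name[0]) || name[len - 1] == '.')
        return 0;
    for (size_t i = 0; i < len; i++)
        if (!isdigit((unsigned char)name[i]) && name[i] != '.')
            return 0;
    return 1;
}

/* The overflowing strcpy() in glibc is only reached when inet_aton() accepts
 * the string as an IPv4 literal (BSD rules: one to four parts, leading zeros
 * allowed, so a long run of '0' characters qualifies). A name that passes
 * ghost_shape() but has five dotted parts is rejected by inet_aton() first. */
int ghost_reachable(const char *name)
{
    struct in_addr addr;
    return ghost_shape(name) && inet_aton(name, &addr) != 0;
}

/* The unaffected replacement the article points to: getaddrinfo(). Writes the
 * first returned address as text into 'out'. AI_NUMERICHOST keeps this demo
 * offline; remove it to perform real DNS lookups. Returns 0 on success. */
int resolve_with_getaddrinfo(const char *name, char *out, size_t outlen)
{
    struct addrinfo hints, *res = NULL;
    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;      /* IPv4 or IPv6, unlike gethostbyname() */
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags = AI_NUMERICHOST;
    if (getaddrinfo(name, NULL, &hints, &res) != 0 || res == NULL)
        return -1;
    int rc = getnameinfo(res->ai_addr, res->ai_addrlen, out, (socklen_t)outlen,
                         NULL, 0, NI_NUMERICHOST);
    freeaddrinfo(res);
    return rc == 0 ? 0 : -1;
}

/* Convenience wrapper: 1 if 'name' resolves to exactly 'expected'. */
int resolves_to(const char *name, const char *expected)
{
    char ip[INET6_ADDRSTRLEN];
    return resolve_with_getaddrinfo(name, ip, sizeof ip) == 0 &&
           strcmp(ip, expected) == 0;
}

int main(void)
{
    /* Constructed sample inputs for the demonstration. */
    const char *samples[] = { "192.0.2.1", "1.2.3.4.5", "example.com", "1.2.", ".1.2" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-12s shape=%d reaches_copy=%d\n", samples[i],
               ghost_shape(samples[i]), ghost_reachable(samples[i]));

    char ip[INET6_ADDRSTRLEN];
    if (resolve_with_getaddrinfo("192.0.2.1", ip, sizeof ip) == 0)
        printf("getaddrinfo: 192.0.2.1 -> %s\n", ip);
    if (resolve_with_getaddrinfo("::1", ip, sizeof ip) == 0)
        printf("getaddrinfo: ::1 -> %s\n", ip);
    return 0;
}
```

ghost_shape() is the filter a defender can apply at an input boundary or in a detection rule; ghost_reachable() tightens it with the inet_aton() condition. Migrating callers from gethostbyname() to getaddrinfo() as shown both removes the vulnerable code path and adds IPv6 support.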
At present Talos has seen no reports of attacks exploiting the vulnerability, but it expects this may change once a proof-of-concept exploit is added to the Metasploit framework.