Linux glibc GHOST Vulnerability: Test and Repair Methods
Simeon
First, Linux glibc GHOST vulnerability profile
In January, the Linux glibc GHOST vulnerability (glibc gethostbyname buffer overflow, http://seclists.org/oss-sec/2015/q1/274) broke on the internet; others call it "20150127 GHOST gethostbyname() heap overflow in glibc". Its CVE number is CVE-2015-0235. An attacker could exploit this vulnerability to carry out a remote attack and take complete control of the target system.
glibc is the GNU libc library, i.e. the C runtime. glibc is the lowest-level API of a Linux system, and almost every other runtime library depends on it. In addition to wrapping the system services provided by the Linux operating system, it also provides implementations of many other necessary functions. glibc covers almost all of the common UNIX standards.
Foreign security researchers found that glibc __nss_hostname_digits_dots() system shell script. In this way, you can bypass the 32-bit and 64-bit PIE and NX
The earliest affected version of the GNU C function was released in November 2000. This vulnerability was patched in May 2013 (in glibc-2.17 glibc-2.18 Red Hat Enterprise Linux 6 & 7 and Ubuntu 12.04 Most well-known
RHEL (Red Hat Enterprise Linux) version 5.x, 6.x, 7.x
CentOS Linux 5.x, 6.x & 7.x
Ubuntu Linux version 10.04, 12.04 LTS
Debian Linux Version 7.x
Linux Mint Version 13.0
Fedora Linux version and earlier
SUSE Linux Enterprise and earlier
Arch Linux glibc version <= 2.18-1
According to a security company's researchers' analysis of the Linux glibc GHOST vulnerability, the most likely entry points are mail servers and web interfaces that have an SSRF (server-side request forgery) vulnerability. Fortunately, no generic attack code for this vulnerability has been made public yet, which gives server administrators valuable time to install patches.
Second, Linux glibc GHOST vulnerability test method
1. Ubuntu & Debian Check
ldd --version
(1) Ubuntu affected versions (https://launchpad.net/ubuntu/+source/eglibc):
Ubuntu 12.04 LTS: 2.15-0ubuntu10.10
Ubuntu 10.04 LTS: 2.11.1-0ubuntu7.20
(2) Debian glibc affected versions (https://security-tracker.debian.org/tracker/CVE-2015-0235), Debian 7 LTS: 2.13-38+deb7u7, etc.
eglibc (PTS) squeeze 2.11.3-4 vulnerable
eglibc wheezy 2.13-38+deb7u6 vulnerable
Debian glibc fixed versions:
Squeeze (LTS) 2.11.3-4+deb6u4
Wheezy (Security) 2.13-38+deb7u7
2. CentOS & RHEL inspection
Run the "rpm -q glibc" command on CentOS, as shown in Figure 1; it reports the glibc version as glibc-2.5-118.el5_10.2.
Affected versions:
CentOS 5: glibc-2.5-118.el5_10.2
CentOS 6: glibc-2.12-1.149.el6_6.5
CentOS 7: glibc-2.17-55.el7_0.5
RHEL 5: glibc-2.5-123.el5_11.1
RHEL 6: glibc-2.12-1.149.el6_6.5
RHEL 7: glibc-2.17-55.el7_0.5
For more information on this vulnerability across all RHEL versions, please visit:
https://security-tracker.debian.org/tracker/CVE-2015-0235
3. PoC verification test
Save the following code as ghost.c, or wget http://www.antian365.com/lab/linux0day/ghost.c
/*
 * GHOST vulnerability check
 * http://www.antian365.com/lab/linux0day/ghost.c
 * Usage: gcc ghost.c -o ghost && ./ghost
 */
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>

#define CANARY "in_the_coal_mine"

/* The canary sits directly after the buffer handed to gethostbyname_r(),
 * so any write past the end of the buffer changes it. */
struct {
    char buffer[1024];
    char canary[sizeof(CANARY)];
} temp = { "buffer", CANARY };

int main(void) {
    struct hostent resbuf;
    struct hostent *result;
    int herrno;
    int retval;

    /*** strlen (name) = size_needed - sizeof (*host_addr) - sizeof (*h_addr_ptrs) - 1; ***/
    size_t len = sizeof(temp.buffer) - 16 * sizeof(unsigned char) - 2 * sizeof(char *) - 1;
    char name[sizeof(temp.buffer)];

    /* An all-digit host name of exactly this length makes the computed size
     * equal to the buffer size. */
    memset(name, '0', len);
    name[len] = '\0';

    retval = gethostbyname_r(name, &resbuf, temp.buffer, sizeof(temp.buffer), &result, &herrno);

    /* Canary overwritten: the library wrote past the end of the buffer. */
    if (strcmp(temp.canary, CANARY) != 0) {
        puts("vulnerable");
        exit(EXIT_SUCCESS);
    }
    /* A fixed library reports that the buffer is too small instead. */
    if (retval == ERANGE) {
        puts("not vulnerable");
        exit(EXIT_SUCCESS);
    }
    puts("should not happen");
    exit(EXIT_FAILURE);
}
Compile and run it directly: gcc ghost.c -o ghost && ./ghost. If the vulnerability is present, "vulnerable" is displayed, as shown in Figure 2.
You can also execute the following commands to detect the presence of the vulnerability:
Method One:
rpm -q glibc
cat /etc/issue
wget http://www.antian365.com/lab/linux0day/ghost.c
gcc ghost.c -o ghost && ./ghost
Method Two, which shows the glibc version information directly:
wget -O ghost-test.sh http://www.antian365.com/lab/linux0day/GHOST-test.sh.txt
bash ghost-test.sh
The results appear as follows:
Vulnerable glibc version <= 2.17-54
Vulnerable glibc version <= 2.5-122
Vulnerable glibc version <= 2.12-1.148
Detected glibc version 2.5 revision 118
This system is vulnerable to CVE-2015-0235.
Please refer to
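The comparison behind output like the above can be reproduced in a few lines of portable shell. This is an added example, not the GHOST-test.sh script: the function names are made up here, the three thresholds are the "version <=" values printed above, and every sample package string except glibc-2.5-118.el5_10.2 is constructed.

```shell
#!/bin/sh
# Thresholds copied from the "Vulnerable glibc version <=" lines in the output above.
THRESHOLDS="2.5-122 2.12-1.148 2.17-54"

# ver_le A B: succeed when dotted-numeric A <= B, compared field by field.
# (Hypothetical helper; avoids "sort -V", which old coreutils releases lack.)
ver_le() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*} y=${b%%.*}
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# ghost_status PKG: PKG is one line of "rpm -q glibc" output.
# Prints "vulnerable", "not vulnerable" or "unknown" (branch not in THRESHOLDS).
ghost_status() {
    nvr=${1#glibc-}                       # 2.5-118.el5_10.2
    case $nvr in *-*) ;; *) echo unknown; return 2 ;; esac
    ver=${nvr%%-*}                        # upstream version: 2.5
    rel=${nvr#*-}                         # release: 118.el5_10.2
    rev=${rel%%.el*}                      # revision before the dist tag: 118
    case $rev in ''|*[!0-9.]*) echo unknown; return 2 ;; esac
    for t in $THRESHOLDS; do
        if [ "${t%%-*}" = "$ver" ]; then
            if ver_le "$rev" "${t#*-}"; then echo vulnerable; return 1; fi
            echo "not vulnerable"; return 0
        fi
    done
    echo unknown; return 2
}

# First sample is the version reported on this page; the other two are constructed.
for p in glibc-2.5-118.el5_10.2 glibc-2.12-1.200.el6.x86_64 glibc-2.18-12.fc20; do
    printf '%s: %s\n' "$p" "$(ghost_status "$p")"
done
```

On a real host, feed it each line of rpm -q glibc, since 32-bit and 64-bit packages can be installed side by side at different revisions.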
Third, repair method:
1. Ubuntu/Debian
Run the following command on Ubuntu/Debian to repair it; a reboot is required.
apt-get update && apt-get -y install libc6
2. CentOS
After executing "yum update glibc" on CentOS, there will be a confirmation prompt; enter "y". It will download and install about 6 packages, and the computer needs to be restarted after the installation is complete.
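Updating the package replaces libc on disk, but processes started before the update keep the old copy mapped, which is why the restart matters. The following added example (not from the original article; the function names are assumptions) lists processes whose libc mapping in /proc/<pid>/maps is marked "(deleted)", so you can confirm after patching that nothing is still running the old library.

```shell
#!/bin/sh
# has_stale_libc: reads the text of a /proc/<pid>/maps file on stdin and
# succeeds when an executable libc mapping is marked "(deleted)", meaning the
# file was replaced on disk but this process still runs the old code.
has_stale_libc() {
    awk '$2 ~ /x/ && /\/libc[-.][^\/]* \(deleted\)$/ { found = 1 }
         END { exit !found }'
}

# list_stale_libc [PROCROOT]: print "PID NAME" for every process that still
# maps the old libc. PROCROOT defaults to /proc; run as root to see all PIDs.
list_stale_libc() {
    root=${1:-/proc}
    for maps in "$root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        if has_stale_libc 2>/dev/null < "$maps"; then
            dir=${maps%/maps}
            name=$(sed -n 's/^Name:[[:space:]]*//p' "$dir/status" 2>/dev/null)
            printf '%s %s\n' "${dir##*/}" "$name"
        fi
    done
}

# Scan the live system; empty output means no process holds the old library.
list_stale_libc
```

Any process it lists needs a restart (or the host a reboot) before the fix protects it.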
Resources
1. 360 Safe Broadcast: http://bobao.360.cn/news/detail/1166.html
2. National Vulnerability Database: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0235
3. http://seclists.org/oss-sec/2015/q1/274
4. https://www.digitalocean.com/community/tutorials/how-to-protect-your-linux-server-against-the-ghost-vulnerability
This article is from the "Simeon Technology column" blog; please be sure to keep this source: http://simeon.blog.51cto.com/18680/1609466