Linux「GHost」漏洞！ CVE-2015-0235

Heap-based buffer overflow in the __nss_hostname_digits_dots function in glibc 2.2, and other 2.x versions before 2.18, allows context-dependent attackers to execute arbitrary code via vectors related to the (1) gethostbyname or (2) gethostbyname2 function, aka "GHOST."


ithome 有詳細說明
http://www.ithome.com.tw/news/93791
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0235

如何檢測有無 GHost 漏洞

#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>

#define CANARY "in_the_coal_mine"

struct {
  char buffer[1024];
  char canary[sizeof(CANARY)];
} temp = { "buffer", CANARY };

int main(void) {
  struct hostent resbuf;
  struct hostent *result;
  int herrno;
  int retval;

  /*** strlen (name) = size_needed - sizeof (*host_addr) - sizeof (*h_addr_ptrs) - 1; ***/
  size_t len = sizeof(temp.buffer) - 16*sizeof(unsigned char) - 2*sizeof(char *) - 1;
  char name[sizeof(temp.buffer)];
  memset(name, '0', len);
  name[len] = '\0';

  retval = gethostbyname_r(name, &resbuf, temp.buffer, sizeof(temp.buffer), &result, &herrno);

  if (strcmp(temp.canary, CANARY) != 0) {
    puts("vulnerable");
    exit(EXIT_SUCCESS);
  }
  if (retval == ERANGE) {
    puts("not vulnerable");
    exit(EXIT_SUCCESS);
  }
  puts("should not happen");
  exit(EXIT_FAILURE);
}

這段程式 compiler

$ gcc GHOST.c -o GHOST

$./GHOST
vulnerable   <--表示有漏洞


$./GHOST 
not vulnerable   <--表示無漏洞

參考來源：https://www.qualys.com/research/security-advisories/GHOST-CVE-2015-0235.txt



CentOS
$ yum upgrade


Debian/Ubuntu
$ apt-get update


Slackware
自行下載更新：
http://www.slackware.com/security/viewer.php?l=slackware-security&y=2015&m=slackware-security.1260924


相關網頁：

Linux出現重大「鬼」漏洞！

GHOST glibc Vulnerability Affects WordPress and PHP applications

思科分析Linux鬼漏洞：沒那麼可怕