Linux "Ghost" Remote Code Execution Vulnerability
Polytropon
freebsd at edvax.de
Thu Jan 29 03:53:48 UTC 2015
On Wed, 28 Jan 2015 20:06:15 -0700, jd1008 wrote:
>
> On 01/28/2015 07:38 PM, Polytropon wrote:
> > On Wed, 28 Jan 2015 14:52:47 -0500, Jerry wrote:
> >> Does this vulnerability affect FreeBSD?
> >>
> >> https://www.us-cert.gov/ncas/current-activity/2015/01/27/Linux-Ghost-Remote-Code-Execution-Vulnerability
> > FreeBSD's gethostbyname() is located in the standard C library,
> > which is libc, not glibc (that Linux is using), so probably
> > FreeBSD is not affected. However, programs linked against
> > glibc and run in the Linux ABI environment might be affected,
> > I assume.
> >
> > You can find a demonstration program here:
> >
> > http://www.openwall.com/lists/oss-security/2015/01/27/9
> >
> > It's in section 4.
> >
> > On my home system, I get this:
> >
> > % cc -Wall -o ghost ghost.c
> > % ./ghost
> > should not happen
> >
> > Surprise: Neither "vulnerable" nor "not vulnerable" is printed.
> > That result is interesting. It might indicate ternary logic.
> > YES, NO, FILE_NOT_FOUND. :-)
> >
> > Note that 4.1 explicitely talks about "The GNU C Library"
> > which FreeBSD does not use (or have). Section 4 mentions
> > other programs (such as mount.nfs, ping, procmail) for
> > further explanation.
> Then you do not have the real mccoy.
I'm a doctor, not a cuckoo clock! :-)
> This is the real Mccoy:
>
> /* ghosttest.c: GHOST vulnerability tester */
> /* Credit: http://www.openwall.com/lists/oss-security/2015/01/27/9 */
> #include <netdb.h>
> #include <stdio.h>
> #include <stdlib.h>
> #include <string.h>
> #include <errno.h>
>
> #define CANARY "in_the_coal_mine"
>
> struct {
> char buffer[1024];
> char canary[sizeof(CANARY)];
> } temp = { "buffer", CANARY };
>
> int main(void) {
> struct hostent resbuf;
> struct hostent *result;
> int herrno;
> int retval;
>
> /*** strlen (name) = size_needed - sizeof (*host_addr) - sizeof
> (*h_addr_ptrs) - 1; ***/
> size_t len = sizeof(temp.buffer) - 16*sizeof(unsigned char) -
> 2*sizeof(char *) - 1;
> char name[sizeof(temp.buffer)];
> memset(name, '0', len);
> name[len] = '\0';
>
> retval = gethostbyname_r(name, &resbuf, temp.buffer,
> sizeof(temp.buffer), &result, &herrno);
>
> if (strcmp(temp.canary, CANARY) != 0) {
> puts("vulnerable");
> exit(EXIT_SUCCESS);
> }
> if (retval == ERANGE) {
> puts("not vulnerable");
> exit(EXIT_SUCCESS);
> }
> puts("should not happen");
> exit(EXIT_FAILURE);
> }
Tested with the code from your message (and the one directly
copied from the web page mentioned):
% cc -Wall -o ghosttest ghosttest.c && ./ghosttest
should not happen
But that's maybe because my home system isn't a _current_
FreeBSD version, that's why it offers a 3rd choice... ;-)
--
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
More information about the freebsd-questions
mailing list