Linux "Ghost" Remote Code Execution Vulnerability

Thu Jan 29 03:53:48 UTC 2015

On Wed, 28 Jan 2015 20:06:15 -0700, jd1008 wrote:
> 
> On 01/28/2015 07:38 PM, Polytropon wrote:
> > On Wed, 28 Jan 2015 14:52:47 -0500, Jerry wrote:
> >> Does this vulnerability affect FreeBSD?
> >>
> >> https://www.us-cert.gov/ncas/current-activity/2015/01/27/Linux-Ghost-Remote-Code-Execution-Vulnerability
> > FreeBSD's gethostbyname() is located in the standard C library,
> > which is libc, not glibc (that Linux is using), so probably
> > FreeBSD is not affected. However, programs linked against
> > glibc and run in the Linux ABI environment might be affected,
> > I assume.
> >
> > You can find a demonstration program here:
> >
> > http://www.openwall.com/lists/oss-security/2015/01/27/9
> >
> > It's in section 4.
> >
> > On my home system, I get this:
> >
> > 	% cc -Wall -o ghost ghost.c
> > 	% ./ghost
> > 	should not happen
> >
> > Surprise: Neither "vulnerable" nor "not vulnerable" is printed.
> > That result is interesting. It might indicate ternary logic.
> > YES, NO, FILE_NOT_FOUND. :-)
> >
> > Note that 4.1 explicitely talks about "The GNU C Library"
> > which FreeBSD does not use (or have). Section 4 mentions
> > other programs (such as mount.nfs, ping, procmail) for
> > further explanation.
> Then you do not have the real mccoy.

I'm a doctor, not a cuckoo clock! :-)

> This is the real Mccoy:
> 
> /* ghosttest.c:  GHOST vulnerability tester */
> /* Credit: http://www.openwall.com/lists/oss-security/2015/01/27/9 */
> #include <netdb.h>
> #include <stdio.h>
> #include <stdlib.h>
> #include <string.h>
> #include <errno.h>
> 
> #define CANARY "in_the_coal_mine"
> 
> struct {
>    char buffer[1024];
>    char canary[sizeof(CANARY)];
> } temp = { "buffer", CANARY };
> 
> int main(void) {
>    struct hostent resbuf;
>    struct hostent *result;
>    int herrno;
>    int retval;
> 
>    /*** strlen (name) = size_needed - sizeof (*host_addr) - sizeof 
> (*h_addr_ptrs) - 1; ***/
>    size_t len = sizeof(temp.buffer) - 16*sizeof(unsigned char) - 
> 2*sizeof(char *) - 1;
>    char name[sizeof(temp.buffer)];
>    memset(name, '0', len);
>    name[len] = '\0';
> 
>    retval = gethostbyname_r(name, &resbuf, temp.buffer, 
> sizeof(temp.buffer), &result, &herrno);
> 
>    if (strcmp(temp.canary, CANARY) != 0) {
>      puts("vulnerable");
>      exit(EXIT_SUCCESS);
>    }
>    if (retval == ERANGE) {
>      puts("not vulnerable");
>      exit(EXIT_SUCCESS);
>    }
>    puts("should not happen");
>    exit(EXIT_FAILURE);
> }

Tested with the code from your message (and the one directly
copied from the web page mentioned):

	% cc -Wall -o ghosttest ghosttest.c && ./ghosttest
	should not happen

But that's maybe because my home system isn't a _current_
FreeBSD version, that's why it offers a 3rd choice... ;-)

-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...