Linux "Ghost" Remote Code Execution Vulnerability
Valeri Galtsev
galtsev at kicp.uchicago.edu
Thu Jan 29 14:34:33 UTC 2015
On Wed, January 28, 2015 9:53 pm, Polytropon wrote:
> On Wed, 28 Jan 2015 20:06:15 -0700, jd1008 wrote:
>>
>> On 01/28/2015 07:38 PM, Polytropon wrote:
>> > On Wed, 28 Jan 2015 14:52:47 -0500, Jerry wrote:
>> >> Does this vulnerability affect FreeBSD?
>> >>
>> >> https://www.us-cert.gov/ncas/current-activity/2015/01/27/Linux-Ghost-Remote-Code-Execution-Vulnerability
>> > FreeBSD's gethostbyname() is located in the standard C library,
>> > which is libc, not glibc (that Linux is using), so probably
>> > FreeBSD is not affected. However, programs linked against
>> > glibc and run in the Linux ABI environment might be affected,
>> > I assume.
>> >
>> > You can find a demonstration program here:
>> >
>> > http://www.openwall.com/lists/oss-security/2015/01/27/9
>> >
>> > It's in section 4.
>> >
>> > On my home system, I get this:
>> >
>> > % cc -Wall -o ghost ghost.c
>> > % ./ghost
>> > should not happen
>> >
>> > Surprise: Neither "vulnerable" nor "not vulnerable" is printed.
>> > That result is interesting. It might indicate ternary logic.
>> > YES, NO, FILE_NOT_FOUND. :-)
>> >
>> > Note that 4.1 explicitely talks about "The GNU C Library"
>> > which FreeBSD does not use (or have). Section 4 mentions
>> > other programs (such as mount.nfs, ping, procmail) for
>> > further explanation.
>> Then you do not have the real mccoy.
>
> I'm a doctor, not a cuckoo clock! :-)
>
>
>
>> This is the real Mccoy:
>>
>> /* ghosttest.c: GHOST vulnerability tester */
>> /* Credit: http://www.openwall.com/lists/oss-security/2015/01/27/9 */
>> #include <netdb.h>
>> #include <stdio.h>
>> #include <stdlib.h>
>> #include <string.h>
>> #include <errno.h>
>>
>> #define CANARY "in_the_coal_mine"
>>
>> struct {
>> char buffer[1024];
>> char canary[sizeof(CANARY)];
>> } temp = { "buffer", CANARY };
>>
>> int main(void) {
>> struct hostent resbuf;
>> struct hostent *result;
>> int herrno;
>> int retval;
>>
>> /*** strlen (name) = size_needed - sizeof (*host_addr) - sizeof
>> (*h_addr_ptrs) - 1; ***/
>> size_t len = sizeof(temp.buffer) - 16*sizeof(unsigned char) -
>> 2*sizeof(char *) - 1;
>> char name[sizeof(temp.buffer)];
>> memset(name, '0', len);
>> name[len] = '\0';
>>
>> retval = gethostbyname_r(name, &resbuf, temp.buffer,
>> sizeof(temp.buffer), &result, &herrno);
>>
>> if (strcmp(temp.canary, CANARY) != 0) {
>> puts("vulnerable");
>> exit(EXIT_SUCCESS);
>> }
>> if (retval == ERANGE) {
>> puts("not vulnerable");
>> exit(EXIT_SUCCESS);
>> }
>> puts("should not happen");
>> exit(EXIT_FAILURE);
>> }
>
> Tested with the code from your message (and the one directly
> copied from the web page mentioned):
>
> % cc -Wall -o ghosttest ghosttest.c && ./ghosttest
> should not happen
>
> But that's maybe because my home system isn't a _current_
> FreeBSD version, that's why it offers a 3rd choice... ;-)
>
It says "shouldn't happen" because people running systems with non-GNU
libc shouldn't test glibc vulnerability, they should sit back and happily
drink coffee or tea instead ;-)
Valeri
++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
More information about the freebsd-questions
mailing list