soulshepard
Verified User
- Joined
- Feb 7, 2008
- Messages
- 128
It appears we have yet another sleepy crawly creepy bug lurking in the depths of our linux boxes..
A Gblic bug that was not identified as a security bug, perhaps a true y2k bug is effecting us now..
Possible exim.. and more.. in any case a remote execution possibility for many systems...
I guess it is time to emergency patch all the server again as soon as the patches come available.
As i read all distros are releasing / building patches for it.
source: http://www.openwall.com/lists/oss-security/2015/01/27/9
source: http://www.zdnet.com/article/critical-linux-security-hole-found/
[table="width: 800"]
[tr]
[td]
--[ 1 - Summary ]-------------------------------------------------------------
During a code audit performed internally at Qualys, we discovered a
buffer overflow in the __nss_hostname_digits_dots() function of the GNU
C Library (glibc). This bug is reachable both locally and remotely via
the gethostbyname*() functions, so we decided to analyze it -- and its
impact -- thoroughly, and named this vulnerability "GHOST".
Our main conclusions are:
- Via gethostbyname() or gethostbyname2(), the overflowed buffer is
located in the heap. Via gethostbyname_r() or gethostbyname2_r(), the
overflowed buffer is caller-supplied (and may therefore be located in
the heap, stack, .data, .bss, etc; however, we have seen no such call
in practice).
- At most sizeof(char *) bytes can be overwritten (ie, 4 bytes on 32-bit
machines, and 8 bytes on 64-bit machines). Bytes can be overwritten
only with digits ('0'...'9'), dots ('.'), and a terminating null
character ('\0').
- Despite these limitations, arbitrary code execution can be achieved.
As a proof of concept, we developed a full-fledged remote exploit
against the Exim mail server, bypassing all existing protections
(ASLR, PIE, and NX) on both 32-bit and 64-bit machines. We will
publish our exploit as a Metasploit module in the near future.
- The first vulnerable version of the GNU C Library is glibc-2.2,
released on November 10, 2000.
- We identified a number of factors that mitigate the impact of this
bug. In particular, we discovered that it was fixed on May 21, 2013
(between the releases of glibc-2.17 and glibc-2.18). Unfortunately, it
was not recognized as a security threat; as a result, most stable and
long-term-support distributions were left exposed (and still are):
Debian 7 (wheezy), Red Hat Enterprise Linux 6 & 7, CentOS 6 & 7,
Ubuntu 12.04, for example.
Read more...
[/td]
[/tr]
[/table]
Other sources :
https://threatpost.com/ghost-glibc-...ulnerability-affects-all-linux-systems/110679
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-0235
A Gblic bug that was not identified as a security bug, perhaps a true y2k bug is effecting us now..
Possible exim.. and more.. in any case a remote execution possibility for many systems...
I guess it is time to emergency patch all the server again as soon as the patches come available.
As i read all distros are releasing / building patches for it.
source: http://www.openwall.com/lists/oss-security/2015/01/27/9
source: http://www.zdnet.com/article/critical-linux-security-hole-found/
[table="width: 800"]
[tr]
[td]
--[ 1 - Summary ]-------------------------------------------------------------
During a code audit performed internally at Qualys, we discovered a
buffer overflow in the __nss_hostname_digits_dots() function of the GNU
C Library (glibc). This bug is reachable both locally and remotely via
the gethostbyname*() functions, so we decided to analyze it -- and its
impact -- thoroughly, and named this vulnerability "GHOST".
Our main conclusions are:
- Via gethostbyname() or gethostbyname2(), the overflowed buffer is
located in the heap. Via gethostbyname_r() or gethostbyname2_r(), the
overflowed buffer is caller-supplied (and may therefore be located in
the heap, stack, .data, .bss, etc; however, we have seen no such call
in practice).
- At most sizeof(char *) bytes can be overwritten (ie, 4 bytes on 32-bit
machines, and 8 bytes on 64-bit machines). Bytes can be overwritten
only with digits ('0'...'9'), dots ('.'), and a terminating null
character ('\0').
- Despite these limitations, arbitrary code execution can be achieved.
As a proof of concept, we developed a full-fledged remote exploit
against the Exim mail server, bypassing all existing protections
(ASLR, PIE, and NX) on both 32-bit and 64-bit machines. We will
publish our exploit as a Metasploit module in the near future.
- The first vulnerable version of the GNU C Library is glibc-2.2,
released on November 10, 2000.
- We identified a number of factors that mitigate the impact of this
bug. In particular, we discovered that it was fixed on May 21, 2013
(between the releases of glibc-2.17 and glibc-2.18). Unfortunately, it
was not recognized as a security threat; as a result, most stable and
long-term-support distributions were left exposed (and still are):
Debian 7 (wheezy), Red Hat Enterprise Linux 6 & 7, CentOS 6 & 7,
Ubuntu 12.04, for example.
Read more...
[/td]
[/tr]
[/table]
Other sources :
https://threatpost.com/ghost-glibc-...ulnerability-affects-all-linux-systems/110679
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-0235
Last edited: