来源:https://www.openwall.com/lists/oss-security/2015/01/27/9
https://nvd.nist.gov/vuln/detail/CVE-2015-0235
参考:
如何检查并修复GHOST(CVE-2015-0235)漏洞
Linux GHOST vulnerability (CVE-2015-0235) is not as scary as it looks
从2000 开启引入glibc-2.2开始,到2013发布glibc-2.18,此期间的glibc(>=2.2 <=2.17)均受影响。
名字由来:通过gethostbyname()函数触发,所以起了这么个名,跟“幽灵”,即Ghost的中文翻译没半毛钱关系。
详情:可本地执行也可被远程利用。
貌似影响力可媲美Heartbleed 和Shellshock ,然后其被利用的能力受限于一些条件。
利用条件:远程攻击者发送特殊构造的email给开启了smtp服务的受影响主机。
下面是几个受影响(可能存在漏洞)的服务/应用:
procmail
Exim
pppd
clockdiff
检测方法:
查看依赖glibc的运行的进程:
lsof | grep libc | awk '{print $1}' | sort | uniq
本地
php -r '$e="0";for($i=0;$i<2500;$i++){$e="0$e";} gethostbyname($e);'
检测脚本:
[user@...ora-19 ~]$ cat > GHOST.c << EOF
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#define CANARY "in_the_coal_mine"
struct {
char buffer[1024];
char canary[sizeof(CANARY)];
} temp = { "buffer", CANARY };
int main(void) {
struct hostent resbuf;
struct hostent *result;
int herrno;
int retval;
/*** strlen (name) = size_needed - sizeof (*host_addr) - sizeof (*h_addr_ptrs) - 1; ***/
size_t len = sizeof(temp.buffer) - 16*sizeof(unsigned char) - 2*sizeof(char *) - 1;
char name[sizeof(temp.buffer)];
memset(name, '0', len);
name[len] = '\0';
retval = gethostbyname_r(name, &resbuf, temp.buffer, sizeof(temp.buffer), &result, &herrno);
if (strcmp(temp.canary, CANARY) != 0) {
puts("vulnerable");
exit(EXIT_SUCCESS);
}
if (retval == ERANGE) {
puts("not vulnerable");
exit(EXIT_SUCCESS);
}
puts("should not happen");
exit(EXIT_FAILURE);
}
EOF
[user@...ora-19 ~]$ gcc GHOST.c -o GHOST
On Fedora 19 (glibc-2.17):
[user@...ora-19 ~]$ ./GHOST
vulnerable
On Fedora 20 (glibc-2.18):
[user@...ora-20 ~]$ ./GHOST
not vulnerable
升级方法:
Centos/RHEL/Fedora 5,6,7 系统
$ sudo yum update glibc
$ sudo restart
Debian/Ubuntu 系统
$ sudo apt-get update
$ sudo apt-get dist-upgrade
$ sudo restart # sudo shutdown -r now