Linux Distributions Vulnerable to GHOST Exploit

Recently a vulnerability has been found in the GNU C Library, also known as glibc, that can affect many Linux distributions. Known as the GHOST vulnerability, this exploit allows a remote attacker to run arbitrary code on a server being used to deliver web pages or e-mail for malicious purposes. The name comes from the source of the exploit which lies in the __nss_hostname_digits_dots() function of the library that is open to buffer overflow when called externally by the gethostbyname() and gethostbyname2() functions. Though only a few bytes can be overwritten, a proof of concept arbitrary code execution was achieved against the Exim mail server, bypassing all of its security protections.

The exploit first surfaced in glibc-2.2 which was released on November 10th, 2000 and persisted until a patch fixed the exploit on May 21st, 2013 in glibc-2.18. However, while it has been patched on updated systems, there are many systems out there running older, but still “stable” versions of the library that are still vulnerable to the exploit. Furthermore, even when patched a server needs to be rebooted to successfully rid itself of the exploit which leads to even more potential vulnerable systems out there right now.

Elvis Perez

Sources:

http://www.openwall.com/lists/oss-security/2015/01/27/9

http://arstechnica.com/security/2015/01/highly-critical-ghost-allowing-code-execution-affects-most-linux-systems/

Advertisements