This week a new Linux vulnerability called GHOST (CVE-2015-0235) was published and subsequently patched. Acunetix has also been updated and can now detect the vulnerability, in both its online and on-premises editions, via a network scan or a web application scan. Some have cited GHOST as being as dangerous as Shellshock or Heartbleed; in fact, the potential for exploitation is much lower. It is still a serious vulnerability, however, because of the millions of systems running Linux.

The problem originates from a heap-based buffer overflow in the __nss_hostname_digits_dots() function in glibc. This function is invoked, in particular, by the gethostbyname() and gethostbyname2() library calls.

According to the researchers, a remote attacker able to reach either of these functions could exploit the vulnerability to execute arbitrary code with the permissions of the user running the application.

The gethostbyname() family of calls is used for DNS resolution, which is a very common operation. To exploit this vulnerability, an attacker must trigger the buffer overflow by supplying an invalid hostname argument to an application that then passes it to gethostbyname().

What Applications Does It Affect?

The GNU C Library is the base for a great deal of the software running on Linux, and the gethostbyname() functions are used for frequent operations such as DNS resolution and general name resolution. At the time of writing, the Exim mail server, WordPress and phpBB are applications that can contain exploitation vectors triggering the GHOST vulnerability remotely.

The Impact of GHOST on Web Applications

It has become clear that web applications could also be an entry point into systems vulnerable to GHOST. As with the notorious Shellshock bug, given the right conditions a PHP web application could be affected.

PHP exposes a gethostbyname() function which simply calls gethostbyname() from glibc.

An example of where this could be an issue is the massively popular WordPress software. WordPress calls PHP’s gethostbyname() function inside its own wp_http_validate_url() function in the wp-includes/http.php file. This is done to validate every pingback’s post URL as part of WordPress’ XML-RPC support.

The GHOST vulnerability can therefore be triggered through an XML-RPC pingback request, because the sender controls the value that reaches the wp_http_validate_url() function.

An HTTP request to the WordPress XML-RPC endpoint that is specially crafted to cause PHP to crash yields the following in the Apache error log (/var/log/apache2/error.log):

[Fri Jan 30 01:25:49 2015] [notice] child pid 18469 exit signal Aborted (6)
[Fri Jan 30 01:25:49 2015] [notice] child pid 18474 exit signal Segmentation fault (11)
[Fri Jan 30 01:25:49 2015] [notice] child pid 18478 exit signal Segmentation fault (11)
*** glibc detected *** /usr/sbin/apache2: malloc(): memory corruption: 0x00007fde2b9d7470 ***
======= Backtrace: =========

Finding GHOST

Acunetix has been updated to detect web applications and servers that are affected by the GHOST vulnerability (CVE-2015-0235). An Acunetix web application scan will detect when the vulnerability is present in WordPress. Acunetix users will need to “Download and Install Updates” from Acunetix WVS > Help > Check for Updates.

In addition, a network scan from Acunetix will also detect the GHOST vulnerability on unpatched servers. Existing Acunetix customers would need to run a network scan on their existing scan targets. New Acunetix Online users can launch up to 2 network scans for free as part of the trial period. Acunetix has already been updated so that new web and network scans will identify the GHOST vulnerability.
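Administrators without a scanner can also check a host locally. The program below is an added example written for this article, not Acunetix code; it is modelled on the canary self-test that Qualys published with the advisory. It relies on a detail not spelled out above: a hostname made only of digits takes the numeric fast path in __nss_hostname_digits_dots(), whose buffer-size check on unfixed glibc omits one pointer, so a name sized to exactly fill the caller's buffer writes sizeof(char *) bytes past its end. The canary placed directly after the buffer makes that write observable; a fixed glibc rejects the lookup with ERANGE instead.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>

#define CANARY "in_the_coal_mine"

/* The lookup buffer and a canary that sits immediately after it. */
static struct {
    char buffer[1024];
    char canary[sizeof(CANARY)];
} temp;

/* Returns 1 if this process's glibc is vulnerable (the canary was
 * overwritten), 0 if the library left the canary intact. */
int ghost_check(void)
{
    struct hostent resbuf;
    struct hostent *result = NULL;
    int herrno = 0;
    char name[sizeof(temp.buffer)];

    memset(temp.buffer, 0, sizeof temp.buffer);
    memcpy(temp.canary, CANARY, sizeof(CANARY));

    /* Size the name so that the unfixed check just passes: the buffer
     * must hold a 16-byte address, two address pointers and the name,
     * but the missing alias pointer is what overflows on vulnerable glibc. */
    size_t len = sizeof(temp.buffer) - 16 * sizeof(unsigned char)
                 - 2 * sizeof(char *) - 1;
    memset(name, '0', len);   /* all digits: numeric fast path */
    name[len] = '\0';

    int rc = gethostbyname_r(name, &resbuf, temp.buffer, sizeof(temp.buffer),
                             &result, &herrno);
    if (rc == ERANGE)
        puts("glibc rejected the lookup with ERANGE (fixed size check)");

    return memcmp(temp.canary, CANARY, sizeof(CANARY)) != 0;
}

int main(void)
{
    if (ghost_check())
        puts("VULNERABLE: glibc overflowed the lookup buffer (CVE-2015-0235)");
    else
        puts("not vulnerable: canary intact");
    return 0;
}
```

Because the overflow is triggered in the checking process itself, run this only on a host you administer and expect a crash rather than a clean message on some vulnerable builds.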

Patching GHOST

The GHOST vulnerability affects Linux systems that make use of a version of the GNU C Library prior to glibc-2.18. Therefore, systems making use of unpatched versions of glibc from versions 2.2 to 2.17 are at risk.

Linux distributions including, but not limited to, the following could be vulnerable to GHOST and should be patched immediately.

  • CentOS 6
  • CentOS 7
  • Debian 7
  • Red Hat Enterprise Linux 6
  • Red Hat Enterprise Linux 7
  • Ubuntu 10.04
  • Ubuntu 12.04

It is highly recommended that you update and reboot all of your affected Linux servers.

For CentOS, Red Hat, Fedora, and other Red Hat based distributions:

$ yum clean all && yum update

For Debian, Ubuntu, and derivatives:

$ apt-get clean && apt-get update && apt-get upgrade

If you are unable to reboot your servers, you should at least restart the applications and services that might be affected, i.e. those that rely on the glibc libraries. To find which services are using glibc, run the following command as root (so that every process's files are visible). It lists all open files, keeps those that refer to the glibc libraries, and prints the name of each process holding them.

$ lsof | grep libc | awk '{print $1}' | sort | uniq

This is no Shellshock, but any vulnerability is one vulnerability too many, so be sure to get patched as quickly as possible.

Ian Muscat

Ian Muscat used to be a technical resource and speaker for Acunetix. More recently, his work centers around cloud security and phishing simulation.