GHOST: glibc gethostbyname buffer overflow

Posted on February 5, 2015

The glibc vulnerability (GHOST) has been known for about a week and a half now. I patched immediately, but hadn’t taken the time to examine the flaw closely. The advisory states the following:

– The gethostbyname*() functions are obsolete; with the advent of IPv6, recent applications use getaddrinfo() instead.

The gethostby*() functions have been deprecated for a very long time now. This has led some to believe that “up to date” software isn’t exploitable. When I saw this, however, I immediately wondered, and was worried, whether PHP’s gethostbyname() is vulnerable to this flaw. Unfortunately, it is. Despite being deprecated, this function is often used to resolve hostnames in forums and other software. I found that you can verify whether your installation is vulnerable by running this command:

php -r '$x = "0"; for($i = 0; $i < 3000; $i++){ $x = "0$x"; } gethostbyname($x);'

If you get a “Segmentation Fault” response from the console, then your system is vulnerable.

Can this be exploited in the real world, however, to cause damage through a script that passes unfiltered input to gethostbyname()? I don’t have any proof of concept, so I am not going to say yes or no, but I believe you would need to pass a long string to it in order to accomplish that. Most web servers, at least, limit how much data can be sent through GET and POST requests, so that may be an added safeguard for those who pass any and all data to gethostbyname() through their PHP script unfiltered.

Word of warning: after you update, you’ll have to reboot or, at the very least, restart services that could be vulnerable. This means restarting Apache/nginx if you use mod_php or the like; otherwise you are still vulnerable. To get a list of everything using libc, so you can determine what needs to be restarted, use this command:

lsof | grep -E '(^COMMAND|/libc-)'

You won’t be able to restart everything without a reboot, but individual applications that face the internet and use libc absolutely should be restarted until a full reboot can be scheduled. When you’re done, to fully verify that your system is no longer vulnerable, you can run the test program provided by Red Hat.
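The lsof command above lists every process that maps libc, whether or not it has picked up the updated copy. A more targeted check, added here as an example and not part of the original post, is to look in /proc/<pid>/maps for a libc mapping the kernel marks as "(deleted)": after the package update the old library file is unlinked from disk but stays mapped into any process that started before the update, and that process keeps running the old, vulnerable code until it is restarted. The script assumes a Linux /proc layout; the regex accepts both the versioned libc-2.x.so name the post greps for and the plain libc.so.6 name that newer glibc installs. The sample maps lines are constructed for the test and are not taken from a real system.

```shell
# stale_libc_in_maps: read one /proc/<pid>/maps-style stream on stdin and
# print each distinct libc path whose mapping is marked "(deleted)", i.e. a
# libc that was replaced on disk after the process started.
# Exit status 0 if at least one was found, 1 otherwise.
stale_libc_in_maps() {
    awk '
        # maps columns: range perms offset dev inode path [(deleted)]
        # $6 is the mapped file; a replaced file carries "(deleted)" as the last field
        $6 ~ /\/libc[-.]/ && $NF == "(deleted)" && !seen[$6]++ { print $6; n++ }
        END { exit (n ? 0 : 1) }
    '
}

# scan_running_processes: apply the check to every readable /proc/<pid>/maps
# and print "PID COMMAND PATH" for processes that still need a restart.
# Run as root to see processes owned by other users. Exit 0 if any were found.
scan_running_processes() {
    found=1
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        pid=${pid%/maps}
        stale=$(stale_libc_in_maps < "$maps" 2>/dev/null) || continue
        comm=$(cat "/proc/$pid/comm" 2>/dev/null)
        for path in $stale; do
            printf '%s %s %s\n' "$pid" "$comm" "$path"
        done
        found=0
    done
    return $found
}

# Constructed sample (hypothetical addresses and inode numbers): a process that
# started before the glibc update and still maps the unlinked libc-2.19.so.
SAMPLE_MAPS_STALE='7f2a3c000000-7f2a3c1c0000 r-xp 00000000 08:01 393480 /lib/x86_64-linux-gnu/libc-2.19.so (deleted)
7f2a3c1c0000-7f2a3c3c0000 ---p 001c0000 08:01 393480 /lib/x86_64-linux-gnu/libc-2.19.so (deleted)
7ffd1e3ea000-7ffd1e40b000 rw-p 00000000 00:00 0 [stack]'

# Constructed sample of a process that maps the current, on-disk libc.
SAMPLE_MAPS_CLEAN='7f2a3c000000-7f2a3c1c0000 r-xp 00000000 08:01 393481 /lib/x86_64-linux-gnu/libc-2.19.so
7ffd1e3ea000-7ffd1e40b000 rw-p 00000000 00:00 0 [stack]'

# Stand-alone use: "sh restart-check.sh --scan" walks the live system.
if [ "${1:-}" = "--scan" ]; then
    scan_running_processes || echo "no running process maps a replaced libc"
fi
```

Any PID the scan reports is still executing the pre-update glibc; restart that service (or reboot) before relying on the update, and rerun the scan afterwards to confirm the list is empty.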