Qualys researchers discovered a 15-year-old vulnerability in the glibc library of Linux systems, which is described as very critical.
The cyber security firm Qualys has recently found a critical vulnerability in Linux systems. The vulnerability has been dubbed "GHOST" (glibc gethostbyname buffer overflow).
The vulnerability is caused by a weakness in the glibc library that allows remote attackers to take control of a targeted system without any system credentials, i.e. without even a username or password. The firm wrote in its blog post that it discovered the bug while internally auditing some code. According to Qualys, the vulnerability is a buffer overflow in the __nss_hostname_digits_dots() function of the GNU C Library (glibc). The bug can be exploited both remotely and locally via the gethostbyname*() functions, hence the name "GHOST". According to the report, the first vulnerable version of the GNU C Library is glibc-2.2, released on November 10, 2000.
Technical Details
The vulnerable function, __nss_hostname_digits_dots(), is called internally by glibc in one specific .c file. However, those calls are surrounded by a macro that is defined only in a few particular .c files of the library. Those files implement the gethostbyname*() family, which is therefore the only way to reach __nss_hostname_digits_dots() and its buffer overflow. The purpose of this function is to avoid an expensive DNS lookup if the hostname argument is already an IPv4 or IPv6 address.
“GHOST poses a remote code execution risk that makes it incredibly easy for an attacker to exploit a machine,” said Wolfgang Kandek, chief technical officer for Qualys, in a statement. “For example, an attacker could send a simple email on a Linux-based system and automatically get complete access to that machine. Given the sheer number of systems based on glibc, we believe this is a high severity vulnerability and should be addressed immediately. The best course of action to mitigate the risk is to apply a patch from your Linux vendor.”
Qualys said that although a patch had already been available since early 2013, the bug was not recognized as a security threat at the time, so the most stable and long-term-support distributions were left exposed, including Debian 7 (wheezy), Red Hat Enterprise Linux 6 and 7, CentOS 6 and 7, and Ubuntu 12.04.
Qualys, in a joint effort with Linux vendors, has pushed a security fix for this vulnerability as of today, so that patches can be applied.
Exploitation
In the testing, Qualys achieved remote code execution against the Exim SMTP mail server, bypassing the NX (No-eXecute) protection and glibc’s malloc hardening.
In other words, a specially crafted mail sent to the mail server gives full shell access on the Linux system. However, Qualys believes that this exploitation requires thorough technical knowledge, and only a skilled attacker can carry it out.
"The success of this exploit depends on an important piece of information: the address of Exim's run-time configuration in the heap. In this section, we describe how we obtain this address, bypassing the ASLR (Address Space Layout Randomization) and PIE (Position Independent Executable) protections," says the report.
Mitigation
As told by the researchers at Qualys, the impact of this bug is already significantly reduced because:
- a patch was released in early 2013, and a new glibc version was released later that year.
- the gethostbyname*() functions are obsolete with the adoption of IPv6.
- many programs, especially SUID binaries reachable locally, use the gethostbyname*() functions only in exceptional cases.
- most other programs, especially servers reachable remotely, rarely use gethostbyname*().
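Added example (my own C, not code from this article, from Qualys or from glibc): the "is this already an IP literal?" decision that __nss_hostname_digits_dots() exists to make, done here with inet_pton() into fixed-size structures, plus the getaddrinfo()-based replacement for gethostbyname*() that the mitigation points above lead to. With AI_NUMERICHOST, getaddrinfo() never issues a DNS query, so the program runs offline. The function names, the sample inputs (documentation-range addresses and a hostname) and the output format are assumptions of this example.

```c
/* Added example, not code from the article, Qualys or glibc. */
#define _POSIX_C_SOURCE 200112L
#include <stdio.h>
#include <string.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <sys/socket.h>
#include <netinet/in.h>

enum literal_kind { LITERAL_NONE = 0, LITERAL_IPV4 = 4, LITERAL_IPV6 = 6 };

/* Classify a caller-supplied string with inet_pton(). The output is a
 * fixed-size struct, so no length arithmetic is performed on the input;
 * an over-long or malformed string simply fails to parse. */
enum literal_kind classify_literal(const char *name)
{
    struct in_addr v4;
    struct in6_addr v6;
    if (name == NULL)
        return LITERAL_NONE;
    if (inet_pton(AF_INET, name, &v4) == 1)
        return LITERAL_IPV4;
    if (inet_pton(AF_INET6, name, &v6) == 1)
        return LITERAL_IPV6;
    return LITERAL_NONE;
}

/* Resolve with getaddrinfo() restricted to numeric input (AI_NUMERICHOST),
 * so no DNS lookup is ever issued, and write the normalised address text
 * into out. Returns 0 on success, otherwise the getaddrinfo()/getnameinfo()
 * error code (EAI_NONAME for anything that is not an IP literal). */
int resolve_numeric(const char *name, char *out, size_t outlen)
{
    struct addrinfo hints, *res = NULL;
    int rc;

    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;      /* accept IPv4 and IPv6 */
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags = AI_NUMERICHOST;  /* literal only, never a DNS query */

    rc = getaddrinfo(name, NULL, &hints, &res);
    if (rc != 0)
        return rc;
    rc = getnameinfo(res->ai_addr, res->ai_addrlen, out, outlen,
                     NULL, 0, NI_NUMERICHOST);
    freeaddrinfo(res);
    return rc;
}

int main(void)
{
    /* Constructed sample inputs: two documentation-range literals (one with
     * uncompressed zeros), an out-of-range dotted quad and a hostname. */
    const char *samples[] = {
        "192.0.2.1",
        "2001:0db8:0000:0000:0000:0000:0000:0001",
        "999.1.1.1",
        "example.invalid",
    };
    size_t n = sizeof samples / sizeof samples[0];

    for (size_t i = 0; i < n; i++) {
        char text[INET6_ADDRSTRLEN];
        int rc = resolve_numeric(samples[i], text, sizeof text);
        printf("%-42s kind=%d -> %s\n", samples[i],
               classify_literal(samples[i]),
               rc == 0 ? text : gai_strerror(rc));
    }
    return 0;
}
```

The point of the design is that neither function computes a buffer size from the length of the untrusted hostname: inet_pton() writes into a fixed struct and getnameinfo() is given an explicit output length, which is exactly the class of arithmetic the __nss_hostname_digits_dots() overflow came from. Programs that still call gethostbyname*() can be moved to this pattern without changing their behaviour for IP literals.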