On Linux servers, more than 60 binaries and major services such as SSH, Named, and Bash rely on the glibc libraries. A heap-based buffer overflow was found in __nss_hostname_digits_dots(), and an attacker could use this flaw to execute arbitrary code with the privileges of the user running an application that calls gethostbyname().
Check if your server is GHOST vulnerable
If the glibc version on your server is lower than 2.18, your server is most likely exposed to this vulnerability.
You can check the glibc version on your server using the command given below.
# ldd --version
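The version check above, as an added shell example (not part of the original post): it parses the first line of `ldd --version` output for the major.minor glibc release and flags anything below the 2.18 threshold. The two sample output lines in the test are constructed; only the threshold comes from the text.

```shell
#!/bin/sh
# Added example: parse `ldd --version` output and flag glibc releases
# below 2.18, the threshold named in the text above.

# Extract "major.minor" from the first line of ldd's output.
# Constructed sample input: "ldd (GNU libc) 2.17"
glibc_version_from_ldd() {
    printf '%s\n' "$1" | head -n 1 | sed -n 's/.* \([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Return 0 (true) when MAJOR.MINOR is below 2.18, 1 otherwise.
ghost_version_below_fix() {
    major=${1%%.*}
    minor=${1#*.}
    minor=${minor%%.*}
    [ "$major" -lt 2 ] && return 0
    [ "$major" -eq 2 ] && [ "$minor" -lt 18 ] && return 0
    return 1
}

# Run against the local system: prints a verdict and returns 0 when the
# installed glibc is below 2.18, 1 when it is 2.18 or newer, 2 on error.
check_local_glibc() {
    ver=$(glibc_version_from_ldd "$(ldd --version 2>/dev/null)")
    if [ -z "$ver" ]; then
        echo "could not determine glibc version"
        return 2
    fi
    if ghost_version_below_fix "$ver"; then
        echo "glibc $ver is below 2.18: confirm with the ghostcheck program"
        return 0
    fi
    echo "glibc $ver is 2.18 or newer"
    return 1
}
```

Distribution vendors backported the fix to older version numbers, so a version below 2.18 is a signal to run the canary program below, not proof of exposure.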
Also, you can check whether your server is vulnerable to the GHOST attack by using the test program released by Qualys.
Note: Use this program at your own risk.
============
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>

#define CANARY "in_the_coal_mine"

/* A canary placed directly after the 1024-byte buffer handed to
   gethostbyname_r(): if the overflow is present, the call overwrites it. */
struct {
    char buffer[1024];
    char canary[sizeof(CANARY)];
} temp = { "buffer", CANARY };

int main(void) {
    struct hostent resbuf;
    struct hostent *result;
    int herrno;
    int retval;
    /*** strlen (name) = size_needed - sizeof (*host_addr) - sizeof (*h_addr_ptrs) - 1; ***/
    size_t len = sizeof(temp.buffer) - 16*sizeof(unsigned char) - 2*sizeof(char *) - 1;
    char name[sizeof(temp.buffer)];

    /* Build an all-digit hostname of exactly the length that trips the
       size miscalculation in __nss_hostname_digits_dots(). */
    memset(name, '0', len);
    name[len] = '\0';

    retval = gethostbyname_r(name, &resbuf, temp.buffer, sizeof(temp.buffer), &result, &herrno);

    /* A clobbered canary means the buffer was overrun. */
    if (strcmp(temp.canary, CANARY) != 0) {
        puts("vulnerable");
        exit(EXIT_SUCCESS);
    }
    /* A patched glibc rejects the undersized buffer with ERANGE. */
    if (retval == ERANGE) {
        puts("not vulnerable");
        exit(EXIT_SUCCESS);
    }
    puts("should not happen");
    exit(EXIT_FAILURE);
}
============
- Save the above program to a file named ghostcheck.c
- Compile the program using the command given below.
# gcc ghostcheck.c -o ghostcheck
- Run the program using the command,
# ./ghostcheck
If your server is not exposed to this risk, the program prints 'not vulnerable'; if it is exposed, it prints 'vulnerable'.
If you require help, contact SupportPRO Server Admin.