
CVE-2015-0235

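  1. The Linux glibc GHOST vulnerability lies in the Linux glibc library and allows an attacker to take control of a vulnerable system remotely. A buffer overflow was found in glibc's __nss_hostname_digits_dots() function. It can be triggered, locally or remotely, through any of the gethostbyname*() functions that resolve host names to IP addresses, and an attacker can use it to take control of the affected system and execute arbitrary code remotely. Because the vulnerability is triggered through the GetHOST functions, it is known as GHOST for short.
  2. Test program to check whether a system has this vulnerability: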
    [dywang@dywH security]$ vim ghosttest.c
    

    /* ghosttest.c:  GHOST vulnerability tester */
    /* Credit: http://www.openwall.com/lists/oss-security/2015/01/27/9 */
    #include <netdb.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <errno.h>

    #define CANARY "in_the_coal_mine"

    /* The canary sits directly after the buffer handed to gethostbyname_r(). */
    struct {
        char buffer[1024];
        char canary[sizeof(CANARY)];
    } temp = { "buffer", CANARY };

    int main(void) {
        struct hostent resbuf;
        struct hostent *result;
        int herrno;
        int retval;

        /*** strlen (name) = size_needed - sizeof (*host_addr) - sizeof (*h_addr_ptrs) - 1; ***/
        size_t len = sizeof(temp.buffer) - 16*sizeof(unsigned char) - 2*sizeof(char *) - 1;
        char name[sizeof(temp.buffer)];
        memset(name, '0', len);   /* all-digit name of exactly that length */
        name[len] = '\0';

        retval = gethostbyname_r(name, &resbuf, temp.buffer, sizeof(temp.buffer), &result, &herrno);

        /* A changed canary means the call wrote past the end of temp.buffer. */
        if (strcmp(temp.canary, CANARY) != 0) {
            puts("vulnerable");
            exit(EXIT_SUCCESS);
        }
        /* A fixed glibc reports that the buffer is too small for this name. */
        if (retval == ERANGE) {
            puts("not vulnerable");
            exit(EXIT_SUCCESS);
        }
        puts("should not happen");
        exit(EXIT_FAILURE);
    }
    
  3. Compile the test program:
    [dywang@dywH security]$ gcc ghosttest.c -o ghosttest
    
  4. Run the test program; the output 'vulnerable' means the system has this vulnerability.
    [dywang@dywH security]$ ./ghosttest 
    vulnerable
    
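  5. Solution: DYW Linux has published updated rpm packages containing the fix. Note that the repository definition below uses gpgcheck=0, so yum does not verify package signatures for it.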
    [root@dywH kvm8]# vim /etc/yum.repos.d/dywang.repo
    [dywang]
    name=De-Yu Wang
    baseurl=http://dywang.csie.cyut.edu.tw/centos6/
    gpgcheck=0
    enabled=1
    
  6. Install the nscd package; the glibc packages it depends on are installed along with it.
    [root@dywH ~]# yum install nscd
    Loaded plugins: fastestmirror, priorities, refresh-packagekit
    Determining fastest mirrors
     * dywang: 
    dywang                                                   | 1.9 kB     00:00 ... 
    dywang/primary                                           | 949 kB     00:00 ... 
    ...............
    Dependencies Resolved
    
    ================================================================================
     Package             Arch         Version                    Repository    Size
    ================================================================================
    Updating:
     nscd                x86_64       2.12-1.149.el6_6.5         dywang       222 k
    Updating for dependencies:
     glibc               x86_64       2.12-1.149.el6_6.5         dywang       3.8 M
     glibc-common        x86_64       2.12-1.149.el6_6.5         dywang        14 M
     glibc-devel         x86_64       2.12-1.149.el6_6.5         dywang       982 k
     glibc-headers       x86_64       2.12-1.149.el6_6.5         dywang       611 k
    
    Transaction Summary
    ================================================================================
    Install       0 Package(s)
    Upgrade       5 Package(s)
    
    Total download size: 20 M
    Is this ok [y/N]: y
    
  7. Run the test program again; the output 'not vulnerable' means the vulnerability is gone.
    [dywang@dywH security]$ ./ghosttest 
    not vulnerable
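
The name length chosen in ghosttest.c makes the lookup's size check pass with no slack at all. The following model is an added example, not code from the original page or from glibc. It assumes, following the tester's own comment, that the unpatched check counts `host_addr`, `h_addr_ptrs` and the name, while the copy also skips one more pointer-sized slot (called `H_ALIAS_PTR` here; that name, `model_lookup` and `arena` are assumptions).

```c
/* Added example: a model of the buffer-size check, not glibc source code. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define BUFLEN      1024                  /* caller's buffer, as in ghosttest.c */
#define CANARY      "in_the_coal_mine"
#define HOST_ADDR   16                    /* sizeof(*host_addr)   */
#define H_ADDR_PTRS (2 * sizeof(char *))  /* sizeof(*h_addr_ptrs) */
#define H_ALIAS_PTR sizeof(char *)        /* alias pointer slot (assumed name) */

/* One flat array: [0, BUFLEN) is the buffer, the canary sits right after it. */
static char arena[BUFLEN + sizeof(CANARY)];

/* Returns -ERANGE when the size check rejects the name, otherwise the number
 * of canary bytes changed by the hostname copy (0 means no overflow). */
int model_lookup(size_t name_len, int patched)
{
    size_t size_needed = HOST_ADDR + H_ADDR_PTRS + name_len + 1;
    if (patched)
        size_needed += H_ALIAS_PTR;       /* the fix also counts this slot */

    memset(arena, 0, BUFLEN);
    memcpy(arena + BUFLEN, CANARY, sizeof(CANARY));
    if (BUFLEN < size_needed)
        return -ERANGE;

    /* The hostname is stored after all three slots, whichever check ran. */
    char *hostname = arena + HOST_ADDR + H_ADDR_PTRS + H_ALIAS_PTR;
    memset(hostname, '0', name_len);
    hostname[name_len] = '\0';

    int changed = 0;
    for (size_t i = 0; i < sizeof(CANARY); i++)
        changed += arena[BUFLEN + i] != CANARY[i];
    return changed;
}

int main(void)
{
    /* Same name length as ghosttest.c. */
    size_t len = BUFLEN - HOST_ADDR - H_ADDR_PTRS - 1;
    printf("unpatched check: %d canary bytes changed\n", model_lookup(len, 0));
    printf("patched check:   %s\n",
           model_lookup(len, 1) == -ERANGE ? "ERANGE" : "accepted");
    return 0;
}
```

With the tester's name length, the unpatched model changes `sizeof(char *)` canary bytes and the patched model returns `-ERANGE`, matching the 'vulnerable' and 'not vulnerable' outcomes above.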
    


De-Yu Wang 2020-05-19