next up previous contents
Next: 病毒處理 Up: 漏洞處理 Previous: CVSS: 5.8   Contents

CVE-2015-0235

  1. Linux Glibc GHOST 漏洞 位於 Linux glibc library 中,允許駭客從遠端掌控含有漏洞的系統。在 glibc 的 __nss_hostname_digits_dots() 功能中發現一個緩衝區溢位漏洞,只要是經由本機或遠端各種將網站名稱轉成IP位址的 gethostbyname*() 功能就可觸發該漏洞,駭客可藉以掌控受駭系統,自遠端執行任何程式。由於此一漏洞是經由 GetHOST 功能觸發,因而被簡稱為 GHOST。
  2. 測試系統是否有此漏洞之驗證程式:
    [dywang@dywH security]$ vim ghosttest.c
    

    /* ghosttest.c:  GHOST vulnerability tester */
    /* Credit: http://www.openwall.com/lists/oss-security/2015/01/27/9 */
    #include <netdb.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <errno.h>
    #define CANARY "in_the_coal_mine"
    struct {
    char buffer[1024];
    char canary[sizeof(CANARY)];
    } temp = { "buffer", CANARY };
    int main(void) {
    struct hostent resbuf;
    struct hostent *result;
    int herrno;
    int retval;
    /*** strlen (name) = size_needed - sizeof (*host_addr) - sizeof (*h_addr_ptrs) - 1; ***/
    size_t len = sizeof(temp.buffer) - 16*sizeof(unsigned char) - 2*sizeof(char *) - 1;
    char name[sizeof(temp.buffer)];
    memset(name, '0', len);
    name[len] = '\0';
    retval = gethostbyname_r(name, &resbuf, temp.buffer, sizeof(temp.buffer), &result, &herrno);
    if (strcmp(temp.canary, CANARY) != 0) {
    puts("vulnerable");
    exit(EXIT_SUCCESS);
    }
    if (retval == ERANGE) {
    puts("not vulnerable");
    exit(EXIT_SUCCESS);
    }
    puts("should not happen");
    exit(EXIT_FAILURE);
    }
    
  3. 編譯驗證程式
    [dywang@dywH security]$ gcc ghosttest.c -o ghosttest
    
  4. 執行驗證程式,出現 'vulnerable' 表示有此漏洞。
    [dywang@dywH security]$ ./ghosttest 
    vulnerable
    
  5. Solution: DYW Linux 已更新修補 rpm。
    [root@dywH kvm8]# vim /etc/yum.repos.d/dywang.repo
    [dywang]
    name=De-Yu Wang
    baseurl=http://dywang.csie.cyut.edu.tw/centos6/
    gpgcheck=0
    enabled=1
    
  6. 安裝 nscd 套件,系統會連同 glibc 相依套件一起安裝。
    [root@dywH ~]# yum install nscd
    Loaded plugins: fastestmirror, priorities, refresh-packagekit
    Determining fastest mirrors
     * dywang: 
    dywang                                                   | 1.9 kB     00:00 ... 
    dywang/primary                                           | 949 kB     00:00 ... 
    ...............
    Dependencies Resolved
    
    ================================================================================
     Package             Arch         Version                    Repository    Size
    ================================================================================
    Updating:
     nscd                x86_64       2.12-1.149.el6_6.5         dywang       222 k
    Updating for dependencies:
     glibc               x86_64       2.12-1.149.el6_6.5         dywang       3.8 M
     glibc-common        x86_64       2.12-1.149.el6_6.5         dywang        14 M
     glibc-devel         x86_64       2.12-1.149.el6_6.5         dywang       982 k
     glibc-headers       x86_64       2.12-1.149.el6_6.5         dywang       611 k
    
    Transaction Summary
    ================================================================================
    Install       0 Package(s)
    Upgrade       5 Package(s)
    
    Total download size: 20 M
    Is this ok [y/N]: y
    
  7. 再執行驗證程式,出現 'not vulnerable',表示已沒漏洞。
    [dywang@dywH security]$ ./ghosttest 
    not vulnerable
    


2016-06-02