Critical security vulnerability in the Linux glibc library and how to fix it - Vulnerability warning - Black Bar Safety Net

2015-02-02T00:00:00
ID MYHACK58:62201558677
Type myhack58
Reporter Anonymous
Modified 2015-02-02T00:00:00

Description

A buffer overflow vulnerability, CVE-2015-0235, has been disclosed in the gethostbyname function of the GNU glibc standard library on Linux. An attacker can use the gethostbyname functions to achieve remote code execution and gain control of the server and shell access. The vulnerability can be triggered through many paths and affects a wide range of systems, so please pay attention and apply a temporary fix promptly; we will update the images with the fix as soon as possible.

1. Vulnerability release date: 2015-01-27

2. Software and systems confirmed to be successfully exploitable: glibc 2.2 to 2.17 (including versions 2.2 and 2.17)

3. Vulnerability description: a buffer overflow vulnerability has been disclosed in the gethostbyname function of the GNU glibc standard library, vulnerability ID CVE-2015-0235. Glibc is the C library that provides system calls and basic functions such as open, malloc, printf, and so on. All dynamically linked programs use glibc. A remote attacker could exploit this vulnerability to execute arbitrary code and escalate the privileges of the user running the application.

4. Vulnerability detection method: please check your own systems:

```
$ cat > GHOST.c << EOF
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>

#define CANARY "in_the_coal_mine"

/* The canary sits directly after the buffer handed to gethostbyname_r(). */
struct {
  char buffer[1024];
  char canary[sizeof(CANARY)];
} temp = { "buffer", CANARY };

int main(void) {
  struct hostent resbuf;
  struct hostent *result;
  int herrno;
  int retval;

  /* strlen(name) = size_needed - sizeof(*host_addr) - sizeof(*h_addr_ptrs) - 1; */
  size_t len = sizeof(temp.buffer) - 16*sizeof(unsigned char) - 2*sizeof(char *) - 1;
  char name[sizeof(temp.buffer)];
  memset(name, '0', len);
  name[len] = '\0';

  retval = gethostbyname_r(name, &resbuf, temp.buffer, sizeof(temp.buffer), &result, &herrno);

  /* A changed canary means the call wrote past the end of temp.buffer. */
  if (strcmp(temp.canary, CANARY) != 0) {
    puts("vulnerable");
    exit(EXIT_SUCCESS);
  }
  /* A fixed library reports that the buffer is too small instead. */
  if (retval == ERANGE) {
    puts("not vulnerable");
    exit(EXIT_SUCCESS);
  }
  puts("should not happen");
  exit(EXIT_FAILURE);
}
EOF
$ gcc GHOST.c -o GHOST
$ ./GHOST
vulnerable
```
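As an added example (not part of the original advisory), the following C program compares the running glibc version against the affected range stated above, 2.2 to 2.17 inclusive, comparing each field as an integer so that 2.10 sorts after 2.2. The function names `parse_version` and `ghost_version_in_range` are hypothetical; because distribution packages can carry backported fixes without changing the upstream version number, an in-range result is a prompt to run the canary test, not a verdict.

```c
#include <stdio.h>
#include <stdlib.h>
#ifdef __GLIBC__
#include <gnu/libc-version.h>   /* gnu_get_libc_version() */
#endif

/* Parse "major.minor[.patch]" into integers (hypothetical helper).
 * Returns 0 on success, -1 on malformed input. */
static int parse_version(const char *s, long *major, long *minor)
{
    char *end;
    if (s == NULL || *s < '0' || *s > '9') return -1;
    *major = strtol(s, &end, 10);
    if (*end != '.' || end[1] < '0' || end[1] > '9') return -1;
    /* Anything after the minor field (".5", "-55") is ignored. */
    *minor = strtol(end + 1, &end, 10);
    return 0;
}

/* 1  = inside the advisory's affected range (2.2 to 2.17 inclusive),
 * 0  = outside it,
 * -1 = version string could not be parsed.
 * Integer comparison avoids the string/float trap where "2.10" < "2.2". */
int ghost_version_in_range(const char *version)
{
    long major, minor;
    if (parse_version(version, &major, &minor) != 0) return -1;
    if (major != 2) return 0;
    return (minor >= 2 && minor <= 17) ? 1 : 0;
}

int main(void)
{
#ifdef __GLIBC__
    const char *v = gnu_get_libc_version();
    int r = ghost_version_in_range(v);
    printf("glibc %s: %s\n", v,
           r == 1 ? "in affected range, run the canary test and check vendor patches"
         : r == 0 ? "outside affected range"
                  : "unparseable version string");
    return r == 1 ? 1 : 0;   /* non-zero exit flags hosts needing follow-up */
#else
    puts("C library is not glibc");
    return 0;
#endif
}
```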
