RootSSV:89237Linux glibc 缓冲区溢出 (幽灵(Ghost))
0.975 High
EPSS
Percentile
100.0%
<p>近日国外安全研究人员披露一个在 Linux Glibc 库上发现的严重的安全问题,它可以让攻击者在本地或者远程获取操作系统的控制权限,编号为#CVE-2015-0235#,命名为幽灵(GHOST)漏洞。</p><p>什么是GHOST?为什么命名为GHOST?</p><p>漏洞最早起源于:</p><p>The first vulnerable version of the GNU C Library is glibc-2.2, released on November 10, 2000.</p><p>“During a code audit performed internally at Qualys, we discovered a buffer overflow in</p><p>the __nss_hostname_digits_dots() function of the GNU C Library (glibc).</p><p>This bug is reachable both locally and remotely via the gethostbyname*() functions, so we decided to analyze it<br>and its impact thoroughly, and named this vulnerability “GHOST”.”</p><p>引用部分大致意思:“漏洞出现在GNU C 函数库(glibc),受影响的函数gethostbyname*(),命名为:GHOST”</p><p><strong>什么是glibc</strong></p><p>glibc 是 GNU 发布的 libc 库,即 c 运行库。glib c是 Linux 系统中最底层的 API,几乎其它任何运行库都会依赖于 glibc。glibc 除了封装 Linux 操作系统所提供的系统服务外,它本身也提供了许多其它一些必要功能服务的实现。glibc 囊括了几乎所有的 UNIX 通行的标准。</p><p><strong>漏洞危害:</strong></p><p>本地与远程都受影响,可以让攻击者在本地或者远程获取操作系统的控制权限。</p><p><strong>受影响版本:</strong></p><p>glibc-2.2 与 glibc-2.17 之间的版本</p><p>glibc 的2.18(发布日期:2013年8月12日)已经已进行了漏洞修复(补丁发布时间:2013年5月21日)</p><p><strong>受影响平台:</strong></p><p><strong> <img src=“http://blog.knownsec.com/wp-content/uploads/2015/01/1.28配图1.jpg” alt=“1.28配图1” width=“580” height=“612”></strong></p><p><strong>对此,知道创宇安全研究团队在第一时间研究并发布了部分修复方案:</strong></p><p><strong>Ubuntu12.04修复方案:</strong></p><p>在/etc/apt/sources.list添加官方安全更新源:</p><p>deb <a href=“http://security.ubuntu.com/ubuntu”>http://security.ubuntu.com/ubuntu</a> precise-security main restricted</p><p>deb-src <a href=“http://security.ubuntu.com/ubuntu”>http://security.ubuntu.com/ubuntu</a> precise-security main restricted</p><p>deb <a href=“http://security.ubuntu.com/ubuntu”>http://security.ubuntu.com/ubuntu</a> precise-security universe</p><p>deb-src <a href=“http://security.ubuntu.com/ubuntu”>http://security.ubuntu.com/ubuntu</a> precise-security universe</p><p>deb <a href=“http://security.ubuntu.com/ubuntu”>http://security.ubuntu.com/ubuntu</a> precise-security multiverse</p><p>deb-src <a href=“http://security.ubuntu.com/ubuntu”>http://security.ubuntu.com/ubuntu</a> precise-security multiverse</p><p>然后执行:</p><p>$ sudo apt-get update</p><p>$ sudo apt-get upgrade</p><p><strong>CentOS 6/7:</strong></p><p>使用官方源,然后执行:</p><p># yum clean all && yum update</p><p> </p><p><strong>参考链接:</strong></p><ul><li><a href=“http://www.openwall.com/lists/oss-security/2015/01/27/9”>http://www.openwall.com/lists/oss-security/2015/01/27/9</a></li><li><a href=“http://d.hatena.ne.jp/Kango/20150128/1422409960”>http://d.hatena.ne.jp/Kango/20150128/1422409960</a></li></ul>
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#define CANARY "in_the_coal_mine"
struct {
char buffer[1024];
char canary[sizeof(CANARY)];
} temp = { "buffer", CANARY };
int main(void) {
struct hostent resbuf;
struct hostent *result;
int herrno;
int retval;
/*** strlen (name) = size_needed - sizeof (*host_addr) - sizeof (*h_addr_ptrs) - 1; ***/
size_t len = sizeof(temp.buffer) - 16*sizeof(unsigned char) - 2*sizeof(char *) - 1;
char name[sizeof(temp.buffer)];
memset(name, '0', len);
name[len] = '\0';
retval = gethostbyname_r(name, &resbuf, temp.buffer, sizeof(temp.buffer), &result, &herrno);
if (strcmp(temp.canary, CANARY) != 0) {
puts("vulnerable");
exit(EXIT_SUCCESS);
}
if (retval == ERANGE) {
puts("not vulnerable");
exit(EXIT_SUCCESS);
}
puts("should not happen");
exit(EXIT_FAILURE);
}
#* from http://www.openwall.com/lists/oss-security/2015/01/27/9 */
Related
