On January 27th, Qualys discovered an interesting bug in the _nss_hostname_digits_dots( ) function of the GNU C Library which resulted in a buffer overflow. The GNU C Library is primarily designed to be a portable and high performance C library and was originally written by the Free Software Foundation (FSF) back in the late 1980’s. When FSF released glibc 2.0 in 1997 it was highly compliant, multilingual, portable and compatible with both 32 and 64 bit data access. Today, the GNU C Library is managed by a community driven development process with a few projects stewards who organize the community.
The bug is reachable both locally and remotely via the gethostbyname*() functions. One thing to keep in mind is that the bug can only be exploited using the current user credentials, meaning that the attacker may not have access to use root access, depending on how you architected your identity management. The bug itself was actually fixed in glib-2.18 released in August 2014, but the security implications were not yet known.
During the process of analysis, Qualys was able to determine that via the gethostbyname( ) or gethostbyname2( ) the overflowed buffer is located in the heap, stack, .data, /bss, etc; although they have not seen such calls in practice. Sizeof)Char*) bytes can be overwritten. Arbitrary code execution can be achieved as Qualys was able to show by building a POC (Proof of Concept) exploit code to test its findings.
They are quoted as saying, “We identified a number of factors that mitigate the impact of this bug. In particular, we discovered that it was fixed on May 21, 2013 (between the releases of glibc-2.17 and glibc-2.18). Unfortunately, it was not recognized as a security threat; as a result, most stable and long-term-support distributions were left exposed (and still are): Debian 7 (wheezy), Red Hat Enterprise Linux 6 & 7, CentOS 6 & 7, Ubuntu 12.04, for example.”
This was a very interesting bug that can execute remote code, which then can lead to compromised data integrity and availability. Great job by the Qualys team for the analysis and disclosure of this bug. If you need instruction for detecting and updating your systems. There is a great post and conversation going on at http://www.cyberciti.biz/faq/cve-2015-0235-patch-ghost-on-debian-ubuntu-fedora-centos-rhel-linux/.
To read more on the vulnerability visit: