What is the 'libc gethostbyname buffer overflow' and how can I protect myself from it

Solution 1:

According to the Ubuntu Security Notices, this affects 10.04 and 12.04 among the currently supported versions of Ubuntu.

How can I protect myself?

Upgrade.

sudo apt-get update
sudo apt-get upgrade

Or, specifically:

sudo apt-get update
sudo apt-get install libc6

Check the currently installed version using apt-cache policy libc6:

  • For 12.04, it should be 2.15-0ubuntu10.10, or higher.
  • For 10.04, it should be 2.11.1-0ubuntu7.20, or higher.

Restart.

libc is a core package. You should restart to be sure nothing on your system is using the old version.

At the least, restart every service running on your system.

What is it?

The team who discovered this vulnerability has published an advisory (posted to the mailing list referred to), examining the code involved and presenting case studies. It includes a C program to detect whether the system is vulnerable.

Essentially, look-ups of IPv4-style addresses (those consisting of numbers and dots) can trigger this.

[The] hostname must have one of the following forms: "a.b.c.d", "a.b.c", "a.b", or "a", where a, b, c, d must be unsigned integers, at most 0xfffffffful, converted successfully (i.e., no integer overflow) by strtoul() in decimal or octal (but not hexadecimal, because 'x' and 'X' are forbidden).

This is due to a miscalculation in the size of a buffer needed, where the size is a bit short, allowing a strcpy down the line to write past the end of the buffer by a limited amount (4 bytes on 32-bit machines, or 8 bytes on 64-bit machines).

An exploit has been written by the team against the Exim mail server, but the code has not been released yet.

The list of services affected includes, but is not limited to:

MySQL servers, Secure Shell servers, form submission apps, and other types of mail servers. ... Apache, Cups, Dovecot, GnuPG, isc-dhcp, lighttpd, mariadb/mysql, nfs-utils, nginx, nodejs, openldap, openssh, postfix, proftpd, pure-ftpd, rsyslog, samba, sendmail, sysklogd, syslog-ng, tcp_wrappers, vsftpd, and xinetd.

Apparently the test code is available on the University of Chicago website. Therefore you can do:

wget https://webshare.uchicago.edu/orgs/ITServices/itsec/Downloads/GHOST.c
gcc GHOST.c -o GHOST
./GHOST

The final output would be vulnerable or not vulnerable.
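The two technical points made under "What is it?" (which hostnames take the affected look-up path, and why the buffer comes up short) worked through as an added example. This is not code from the answers, the advisory or glibc: the size formula is a simplified model based on my reading of the published fix, and all function names are mine.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Does NAME have the digits-and-dots shape quoted from the advisory: 1 to 4
 * parts, each a decimal or leading-0 octal number accepted by strtoul(), at
 * most 0xffffffff with no overflow?  Hex ('x'/'X') and every other non-digit
 * are rejected.  Such names take the in-library numeric path, not DNS. */
static int is_digits_and_dots(const char *name)
{
    int parts = 0;
    char *end = NULL;
    for (const char *q = name; *q != '\0'; q++)      /* digits and dots only */
        if (!isdigit((unsigned char)*q) && *q != '.')
            return 0;
    for (const char *p = name;; p = end + 1) {
        if (!isdigit((unsigned char)*p))             /* empty part: "", "1..2", "1." */
            return 0;
        errno = 0;
        unsigned long v = strtoul(p, &end, 0);       /* base 0: decimal or octal */
        if (errno == ERANGE || v > 0xfffffffful || ++parts > 4)
            return 0;
        if (*end == '\0')
            return 1;
        if (*end != '.')                             /* "09": '9' is not an octal digit */
            return 0;
    }
}

/* Simplified model (my reading of the published fix, not glibc source) of the
 * buffer size computed for that path: the vulnerable formula omits the one-entry
 * alias pointer array, so the later strcpy() runs sizeof(char *) bytes past the end. */
static size_t size_needed(const char *name, int fixed)
{
    return 16                                 /* host_addr: IPv4/IPv6 address */
         + sizeof(char *[2])                  /* h_addr_ptrs: pointer + NULL */
         + (fixed ? sizeof(char *[1]) : 0)    /* h_alias_ptr: the missing term */
         + strlen(name) + 1;                  /* hostname: copied by strcpy() */
}

int main(void)
{
    const char *s[] = { "1.2.3.4", "0177.0.0.1", "0x7f.0.0.1", "example.com" };
    for (int i = 0; i < 4; i++)
        printf("%-12s numeric path: %s\n", s[i], is_digits_and_dots(s[i]) ? "yes" : "no");
    printf("vulnerable size short by %zu bytes\n", size_needed(s[0], 1) - size_needed(s[0], 0));
    return 0;
}
```

The shortfall printed is 4 on a 32-bit build and 8 on a 64-bit build, matching the figures given in the answer.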