Linux Stories: The GHOST vulnerability - what you need to know
gpanagou
post 31 Jan 2015, 06:52 PM
Post #1
QUOTE
The funkily-named bug of the week is GHOST.
Its official moniker is the less catchy CVE-2015-0235, and it's a vulnerability caused by a buffer overflow in a system library that is used in many, if not most, Linux distributions.
A buffer overflow is where you assume, for example, that when you handle a four-byte network number written out as decimal digits, you will never get anything longer than 255.255.255.255.
That takes up 15 characters, so you may decide that you'll never need more than 15 bytes of memory.
So, if you add a spare byte for luck and allocate 16 bytes, you're bound to have enough space.
And then, one day, a malicious user decides to see what happens if he ignores the rules, and uses a network number like, say, 1024.10224.102224.1022224.
That network number is nonsense, of course, but your program might not hold out long enough to reject it.
Your code will probably crash right away, because the attacker's 25 bytes will overflow your 16 bytes of available memory.

GHOST explained


As it happens, the GHOST vulnerability is connected with network names and numbers.
The spooky name comes from the system functions where the vulnerable code was found.
The functions are called gethostbyname() and gethostbyname2(), and they do what the names suggest.
They find the computer-friendly network number of a host (e.g. 93.184.216.34) from its human-friendly name (e.g. example.com).
In other words, these functions do a DNS (domain name system) lookup for you, so your program doesn't need to deal with the intricacies of the DNS protocol.
For example, if you ignore any error checking in your code, you might do this:

And you'd see something like this:

By the way, even if your program doesn't directly call gethostbyname(), you may end up calling it indirectly as a side-effect of doing something, anything, involving a computer name.
For example, if your software looks up email addresses, calls home for updates, retrieves postings from online forums, plays podcasts, or any of a number of perfectly unexceptionable network-related activities, it almost certainly triggers name-to-number lookups at some point.
And if those lookups are based on data received from outside, such as a sender's email address in received email headers, then attackers may very well get to choose what data gets passed to your Linux computer's gethostbyname() function.

The bug


It turns out that gethostbyname() has a clever feature, where it works out whether you called it with a name that is already a network number (digits-dot-digits-dot-digits-dot-digits).
In that case, it would be a waste of time to do a DNS lookup, so it doesn't bother.
Unfortunately, the code that runs through the name to see if it's really a network number has a buffer overflow, and if you deliberately send a super-long number laid out just right...
...poof – the GHOST strikes!
So an attacker may be able to rig up messages or network requests that crash your program; and with a bit (or, more likely, a lot) of trial and error, they might be able to trigger that crash in a way that gives them control over your computer.
That's known as a Remote Code Execution (RCE) exploit, similar to the bug recently found in the super-secure Blackphone, though in that case it was a text message that caused the phone's software to trip over itself.

What to do?


The good news is that this bug doesn't exist on every computer.
It actually exists only in some versions of a software module called glibc, short for GNU C library.
In fact, most computers in the world don't have glibc installed, because it's not used by default on Windows, OS X, iOS or Android.
The bad news is that many, if not most, computers running Linux do use glibc, and may be at risk.
In short, therefore, if you have any Linux-based systems, including home firewalls and routers:
  • Check with your vendor, or the maker of your distribution, to see if you need a patch.
  • If you do, make plans to apply the patch as soon as you can.
Oh, and if you are a programmer, you shouldn't really be using the gethostbyname functions anyway.
They were superseded many years ago by the much more flexible and useful function getaddrinfo(), which you should use instead.

View the full article
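The quoted article describes two things worth seeing in code: the 16-byte dotted-quad buffer that a 25-byte "network number" overflows, and the advice to use getaddrinfo() instead of gethostbyname(). The example below is added here and is not code from the Naked Security article or from the glibc project. It shows the length-checked version of the address copy (the unsafe form is just strcpy() into the same buffer), a check for whether a string is already an IPv4 literal, and a getaddrinfo() lookup that uses AI_NUMERICHOST so that numeric input is parsed without any DNS traffic. It assumes a Linux/glibc build; the sample inputs are the ones from the article.

```c
/* Added example, not part of the quoted article: bounded handling of the
 * dotted-quad buffer the article describes, plus getaddrinfo() in place of
 * gethostbyname(). Assumes Linux/glibc. */
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <sys/socket.h>

/* 15 characters for "255.255.255.255" plus one byte for the terminating NUL. */
#define ADDR_BUF_LEN 16

/* Copy an address string into the 16-byte buffer, refusing anything that
 * would not fit. The unsafe version of this is strcpy(out, in): fine for
 * "255.255.255.255", a 9-byte overflow for "1024.10224.102224.1022224". */
int copy_addr_bounded(const char *in, char out[ADDR_BUF_LEN]) {
    size_t n = strlen(in);
    if (n >= ADDR_BUF_LEN) {
        return -1;              /* reject instead of overflowing */
    }
    memcpy(out, in, n + 1);     /* n bytes plus the NUL */
    return 0;
}

/* 1 if the string fits the 16-byte buffer, 0 if it was rejected. */
int fits_in_addr_buf(const char *s) {
    char buf[ADDR_BUF_LEN];
    return copy_addr_bounded(s, buf) == 0;
}

/* Is 'name' already an IPv4 network number? inet_pton() validates the
 * dotted quad (four octets, each 0..255) and only ever writes a 4-byte
 * struct, so over-long or nonsense input is reported as "not an address". */
int is_ipv4_literal(const char *name) {
    struct in_addr a;
    return inet_pton(AF_INET, name, &a) == 1;
}

/* Resolve with getaddrinfo() rather than gethostbyname(). The first call
 * sets AI_NUMERICHOST, so it is a pure parse with no DNS traffic; only if
 * that fails, and the caller permits it, do we ask DNS. Writes the first
 * IPv4 result as text into 'out' (at least INET_ADDRSTRLEN bytes).
 * Returns 0 on success or the non-zero getaddrinfo() error code. */
int resolve_ipv4(const char *name, int allow_dns, char *out, size_t outlen) {
    struct addrinfo hints, *res = NULL;
    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_INET;
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags = AI_NUMERICHOST;

    int rc = getaddrinfo(name, NULL, &hints, &res);
    if (rc != 0 && allow_dns) {
        hints.ai_flags = 0;     /* numeric parse failed: do a real lookup */
        rc = getaddrinfo(name, NULL, &hints, &res);
    }
    if (rc != 0) {
        return rc;
    }

    struct sockaddr_in *sin = (struct sockaddr_in *)res->ai_addr;
    if (inet_ntop(AF_INET, &sin->sin_addr, out, (socklen_t)outlen) == NULL) {
        freeaddrinfo(res);
        return EAI_FAIL;
    }
    freeaddrinfo(res);
    return 0;
}

/* Offline check: 1 if 'name' is a numeric address that round-trips through
 * getaddrinfo() to 'expected', else 0. Never contacts DNS (allow_dns = 0). */
int numeric_roundtrip(const char *name, const char *expected) {
    char text[INET_ADDRSTRLEN];
    if (resolve_ipv4(name, 0, text, sizeof text) != 0) {
        return 0;
    }
    return strcmp(text, expected) == 0;
}

int main(void) {
    /* Constructed inputs, taken from the article's own examples. */
    const char *inputs[] = {"93.184.216.34", "255.255.255.255",
                            "1024.10224.102224.1022224"};
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        printf("%-28s fits16=%d literal=%d\n", inputs[i],
               fits_in_addr_buf(inputs[i]), is_ipv4_literal(inputs[i]));
    }
    return 0;
}
```

Calling resolve_ipv4() with allow_dns set to 1 is what a real program would do for a hostname such as example.com; the offline helpers above keep it at 0 so the behaviour on the article's three inputs can be checked without a network.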
