Security researchers have uncovered a critical bug in the GNU C Library (glibc), a key component of Linux and some other operating systems, which could render countless machines vulnerable to remote code execution attacks. The flaw is tracked as CVE-2015-0235.
An attacker who successfully exploits the flaw can potentially gain complete control over an affected machine without any prior knowledge of system logins or passwords.
Attackers don't target the library directly. The faulty code sits behind glibc's gethostbyname() and gethostbyname2() functions, so any program on an affected machine that passes an attacker-supplied hostname to those routines could potentially be vulnerable.
The problem lies in the glibc code leading up to this C statement in __nss_hostname_digits_dots(), the routine those functions call to handle hostnames that look like numeric addresses:
resbuf->h_name = strcpy (hostname, name);
strcpy() is dangerous and an obvious target in an audit because it blindly copies the entire contents of a null-terminated buffer into another memory buffer without checking the size of the target buffer. Here the code before the strcpy() works out how much room the destination buffer needs, but the sum leaves out one pointer-sized field, so name can end up containing more bytes than hostname has room for, and a heap overflow occurs. The overrun is small, at most 4 bytes on 32-bit and 8 bytes on 64-bit systems, but this, according to Qualys, can still be exploited to achieve code execution despite malloc hardening meant to protect against heap attacks and no-execute defenses in the CPU meant to stop data from being run as instructions.
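To make the arithmetic concrete, here is an added example (not glibc's code) that models the buffer layout __nss_hostname_digits_dots() builds before the strcpy() quoted above, computes the destination size with and without the missing pointer-sized term, and then hands the installed libc's real gethostbyname_r() a buffer sized by the short formula, with a canary behind it, so you can tell a patched glibc from a vulnerable one. The type sizes, the all-zeros hostname and the canary scheme are this example's own assumptions.

```c
/* Added example, not glibc source: the buffer layout glibc's
 * __nss_hostname_digits_dots() builds before the quoted strcpy(), the size
 * arithmetic before and after the May 2013 fix, and a probe that runs the
 * installed libc's gethostbyname_r() against a buffer sized by the short
 * formula. Type sizes mirror glibc's but are assumptions of this example. */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <ctype.h>
#include <errno.h>
#include <netdb.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef unsigned char host_addr_t[16];   /* room for in_addr or in6_addr */
typedef char *host_addr_list_t[2];       /* { &host_addr, NULL } */

/* Layout inside the caller's buffer:
 *   host_addr | h_addr_ptrs | h_alias_ptr | hostname   <- strcpy() target */
static const size_t HOSTNAME_OFFSET =
    sizeof(host_addr_t) + sizeof(host_addr_list_t) + sizeof(char *);

/* Pre-fix size check: the h_alias_ptr slot is left out of the sum. */
size_t size_needed_vulnerable(const char *name) {
    return sizeof(host_addr_t) + sizeof(host_addr_list_t) + strlen(name) + 1;
}

/* Post-fix size check: every field of the layout is counted. */
size_t size_needed_fixed(const char *name) {
    return HOSTNAME_OFFSET + strlen(name) + 1;
}

/* Only names that look like numeric IPv4 addresses reach the strcpy():
 * first character a digit, digits and dots throughout, no trailing dot,
 * and accepted by inet_aton(). A long run of zeros passes all four. */
bool reaches_strcpy(const char *name) {
    size_t n = strlen(name);
    if (n == 0 || !isdigit((unsigned char)name[0]) || name[n - 1] == '.')
        return false;
    for (size_t i = 0; i < n; i++)
        if (!isdigit((unsigned char)name[i]) && name[i] != '.')
            return false;
    struct in_addr addr;
    return inet_aton(name, &addr) != 0;
}

/* Bytes the pre-fix code writes past a caller buffer of buflen bytes.
 * 0 when the short check still rejects the buffer, or when the buffer is
 * large enough anyway; the overflow window is exactly sizeof(char *) wide. */
size_t ghost_overflow_bytes(const char *name, size_t buflen) {
    if (!reaches_strcpy(name) || buflen < size_needed_vulnerable(name))
        return 0;
    size_t end = HOSTNAME_OFFSET + strlen(name) + 1;
    return end > buflen ? end - buflen : 0;
}

/* Probe the installed libc with a buffer sized by the short formula and a
 * canary right behind it. A fixed libc rejects the call with ERANGE and
 * leaves the canary alone; a vulnerable one runs the strcpy() into it.
 * Returns 1 = vulnerable, 0 = not vulnerable, -1 = unexpected result. */
int probe_installed_libc(void) {
    enum { NAME_LEN = 1024, CANARY_LEN = 16 };
    char name[NAME_LEN + 1];               /* constructed input: "000...0" */
    memset(name, '0', NAME_LEN);
    name[NAME_LEN] = '\0';
    size_t buflen = size_needed_vulnerable(name);
    char *buf = malloc(buflen + CANARY_LEN);
    if (buf == NULL) return -1;
    memset(buf + buflen, 0xAA, CANARY_LEN);
    struct hostent he, *result = NULL;
    int h_err = 0;
    int rc = gethostbyname_r(name, &he, buf, buflen, &result, &h_err);
    bool clobbered = false;
    for (int i = 0; i < CANARY_LEN; i++)
        if ((unsigned char)buf[buflen + i] != 0xAA)
            clobbered = true;
    free(buf);
    if (clobbered) return 1;
    return rc == ERANGE ? 0 : -1;
}

int main(void) {
    const char *name = "1.2.3.4";
    printf("shortfall for \"%s\": %zu bytes; overflow with exact buffer: %zu bytes\n",
           name, size_needed_fixed(name) - size_needed_vulnerable(name),
           ghost_overflow_bytes(name, size_needed_vulnerable(name)));
    int v = probe_installed_libc();
    printf("installed libc: %s\n", v == 1 ? "vulnerable"
           : v == 0 ? "not vulnerable (ERANGE)" : "unexpected result");
    return 0;
}
```

The gethostbyname() wrapper without the _r suffix reallocates its internal buffer to exactly the short size, which is why the overrun there lands on the heap and is always the full pointer width; with gethostbyname_r() the caller's buffer only overflows when its length falls inside that narrow window.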
The specific exploit disclosed by Qualys can be used against the Exim mail server, which is the default mail transfer agent on Debian Linux systems.
"During our testing, we developed a proof-of-concept in which we send a specially created e-mail to a mail server and can get a remote shell to the Linux machine," Qualys CTO Wolfgang Kandek wrote in a blog post on Tuesday. "This bypasses all existing protections (like ASLR, PIE and NX) on both 32-bit and 64-bit systems."
The vulnerability affects versions of glibc as far back as glibc-2.2, which was released in 2000.
Qualys posted complete details of the flaw on Tuesday, including snippets of code from applications that make use of the affected library routines, but only after working closely with several Linux vendors to patch the bug and offer a coordinated response.
According to Qualys, the flaw, which it has named GHOST after the gethostbyname() functions, is not as widespread as it could be. The buggy routines are outdated, having been superseded by getaddrinfo() (not least because of IPv6), and are no longer used by much software. Where they are used, they typically aren't called in a way that meets the criteria for the exploit: the attacker has to control the hostname argument, and the name must consist of nothing but digits and dots and be long enough to fill the buffer.
Qualys says it has tested a number of other applications and servers that make use of the affected functions and has determined that they are not vulnerable, including apache, cups, dovecot, gnupg, isc-dhcp, lighttpd, mariadb/mysql, nfs-utils, nginx, nodejs, openldap, openssh, postfix, proftpd, pure-ftpd, rsyslog, samba, sendmail, sysklogd, syslog-ng, tcp_wrappers, vsftpd, and xinetd.
What's more, patches that mend the flaw have actually been available since May 2013 and shipped in glibc 2.18. Because they were not marked as security fixes, however, they weren't incorporated into stable and long-term support versions of several distros. Among the affected versions are CentOS 6 and 7, Debian 7 ("wheezy"), Red Hat Enterprise Linux 6 and 7, and Ubuntu 12.04 LTS.
Qualys says the routines are definitely exploitable and that it has already developed proof-of-concept exploit code, which will soon be incorporated into a Metasploit plugin. But it's holding off on making the attack code public, it says, until the vulnerability is no longer an immediate threat.
"We want to give everyone enough time to patch," Qualys said. "According to our data, once the vulnerability has reached its half-life, we will release the exploit. Half-life is the time interval measuring a reduction of a vulnerability's occurrence by half. Over time, this metric shows how successful efforts have been to eradicate vulnerability." ®