Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
GNU is Not Unix Open Source Software

Serious Network Function Vulnerability Found In Glibc 211

An anonymous reader writes: A very serious security problem has been found and patched in the GNU C Library (Glibc). A heap-based buffer overflow was found in __nss_hostname_digits_dots() function, which is used by the gethostbyname() and gethostbyname2() function calls. A remote attacker able to make an application call to either of these functions could use this flaw to execute arbitrary code with the permissions of the user running the program. The vulnerability is easy to trigger as gethostbyname() can be called remotely for applications that do any kind of DNS resolving within the code. Qualys, who discovered the vulnerability (nicknamed "Ghost") during a code audit, wrote a mailing list entry with more details, including in-depth analysis and exploit vectors.
This discussion has been archived. No new comments can be posted.

Serious Network Function Vulnerability Found In Glibc

Comments Filter:
  • by BaronM ( 122102 ) on Tuesday January 27, 2015 @03:06PM (#48917463)

    The libc -> glibc switch was so much fun, that I think we should do it again in reverse!

  • From TFA (Score:5, Informative)

    by Cola Junkee ( 255516 ) on Tuesday January 27, 2015 @03:23PM (#48917611) Homepage
    " - We identified a number of factors that mitigate the impact of this bug. In particular, we discovered that it was fixed on May 21, 2013 (between the releases of glibc-2.17 and glibc-2.18). Unfortunately, it was not recognized as a security threat; as a result, most stable and long-term-support distributions were left exposed (and still are): Debian 7 (wheezy), Red Hat Enterprise Linux 6 & 7, CentOS 6 & 7, Ubuntu 12.04, for example. "

    So it's actually already been fixed. All that's needed here is for some distributions to push the fix out.
    • by OzPeter ( 195038 )

      So it's actually already been fixed. All that's needed here is for some distributions to push the fix out.

      But .. but now it has a CVE number and everything - so it must be scary

      • Re:From TFA (Score:5, Informative)

        by XXeR ( 447912 ) on Tuesday January 27, 2015 @03:39PM (#48917751)

        But .. but now it has a CVE number and everything - so it must be scary

        Written by somebody who clearly neither manages a large amount of hosts exposed to the Internet nor manages multiple environments in which there are some new hosts that are luckily patched along side other older hosts that have to run *slightly* older releases of distro's for one reason or another.

        This IS a big deal.

    • Ubuntu has a newer LTS release, 14.04, which uses glibc 2.19.

      Unfortunately, the rest of them all use older GLIBC versions in their current stable, even the ones whose current stable was released in the middle of last year.

    • Re:From TFA (Score:4, Informative)

      by msobkow ( 48369 ) on Tuesday January 27, 2015 @04:18PM (#48918077) Homepage Journal

      I just installed glibc updates for Debian, so I presume the fix has been pushed.

    • Here's a better explanation of the flaw. [openwall.com] It's actually a fairly limited vulnerability:

      At most sizeof(char *) bytes can be overwritten (ie, 4 bytes on 32-bit machines, and 8 bytes on 64-bit machines). Bytes can be overwritten only with digits ('0'...'9'), dots ('.'), and a terminating null character ('\0').

      With only being able to overwrite 4 bytes max, you would think not much could be done, and indeed, mostly they were only able to make things crash. Most servers don't do dns lookup of a remotely supplied address, but mail-servers can, to verify the sender is correct.

      Astonishingly, even without being able to write assembly shell-code, they were able to get the Exim mail server to execute arbitrary remote commands. That is

  • by tlhIngan ( 30335 ) <slashdot&worf,net> on Tuesday January 27, 2015 @03:33PM (#48917689)

    The affected call is gethostbyname() and friends, which have been deprecated by the more protocol-transparent getaddrinfo()/getnameinfo() set of APIs. If you use IPv6, getaddrinfo() is the only way (gethostbyname() and friends are AF_INET (IPv4) functions only), but they're protocol transparent ways to do DNS lookups (they can return AF_INET, AF_INET6 and any other valid address supported by the system and DNS).

    Deep down, if you look closely, they mention that code using getaddrinfo() is not vulnerable to the bug.

    Shortly after learning about getaddrinfo() I stuck to using it - far easier to use than gethostbyname() and less messy in the end. The only complication is having to call freeaddrinfo() when you're done.

    • However, it's not like gethostbyname() is a rare call. I suspect that well over 99% of net-aware applications are still using it. This affects just about everything that's talking over the internet.

      • by tlhIngan ( 30335 )

        However, it's not like gethostbyname() is a rare call. I suspect that well over 99% of net-aware applications are still using it. This affects just about everything that's talking over the internet.

        True, but gethostbyname() is ancient and if the program wants to support IPv6, you can't use gethostbyname(). So I think the number of programs actually vulnerable is far lower. Remember, gethostbyname() only works with AF_INET - while getaddrinfo() works with AF_INET, AF_INET6 and any other protocol that uses so

      • by spitzak ( 4019 )

        As pointed out in the article, the program must use gethostbyname() on a name supplied by the attacker.

        A much more mitigating factor is that the bug is only exercised if the name looks like a numerical id, and according to their search most software first checks this using inet_aton() and only calls gethostbyname() if this fails, thus avoiding the bug.

  • by Rinikusu ( 28164 ) on Tuesday January 27, 2015 @03:38PM (#48917737)

    Don't be so glib, see?

    I'll be here all night folks. Tip your servers. Make sure they're bolted in, though.

  • Accidental bugs? (Score:1, Interesting)

    by Nightlight3 ( 248096 )

    I don't think so. There are just too many of these buffer overflow security holes in commercial and open source software to be a chance. In over two decades of programming in every language and platform that came along, from Z8, x86 assembly, then FORTRAN, C, Pascal,... Java, Javascript, Python, awk, objective C, ... from embedded coding on routers, switches and misc. controllers, to numerous versions of MS DOS, Windows, Linux and iPhones, I have yet to have one such buffer overflow bug in my code. It's th

    • There must be agencies seeding these projects, commercial and open source, with toxic contributors injected there to deliberately contaminate the code with such bugs. The further fact that one never sees responsible persons identified, removed and blacklisted suggests that contamination is top down.

      Or, you are yourself a toxic seed planted by The Man in order to foment FUD and make good people not want to be part of these projects. Or something like that. Give it a rest with the absurd conspiracy crap.

    • Never attribute to malice that which is adequately explained by stupidity.

      There are too many stupid people in the world. Stupidity isn't necessarily a permanent thing: it could be caused by time constraints, personal problems or even lack of/too much caffeine. Or just because one doesn't think of the problem from start to finish.

      But then this could be what "they" want you to believe :)

    • " I have yet to have one such buffer overflow bug in my code."

      Can't decide: Satirical troll post or somebody that's actually that egomaniacal (and in need of a pink slip if his employer is rational).

      • Well, everyone who's ever called gethostbyname() has an overflow bug in their code, so my guess is he doesn't know what he's talking about.
    • I have yet to have one such buffer overflow bug in my code.

      That you know of. Besides, I'm sure you've had many that you've caught during the standard code -> compile -> run -> segfault -> debug cycle, but the more subtle ones are harder to trigger.

      It's the most basic rule to check for buffer boundaries that even beginner programmer learns it quickly.

      Depending on what the code is doing and what kind of legacy cruft you're dealing with it's not always trivial.

      There must be agencies seeding these projects, commercial and open source, with toxic contributors injected there to deliberately contaminate the code with such bugs. The further fact that one never sees responsible persons identified, removed and blacklisted suggests that contamination is top down.

      More likely the other devs feel like it's bad form to drag the names of past contributors through the mud in public. Particularly when the reviewers missed the bug as well.

    • by spitzak ( 4019 )

      I have yet to have one such buffer overflow bug in my code

      Yea, right. You know the authors of this function probably thought that too. They had no counter examples until now, just like you and your code.

  • The article lists a long string of mitigating factors tat make it not as dangerous as it might first appear. Someone else already mentioned that it doesn't effect applications that are IPv6-ready; both IPv4 and IPv6 addresses are resolved with the same (safe) function in most software that's IPv6-capable.

    Also, at 4 bytes can be overwritten on 32-bit, 8 bytes 64-bit, and they can only be overwritten with ascii digits 0-9, dots, and must have a terminating null. (So really three bytes on 32 bit, 7 bytes on 6

  • This has me more concerned than some of the other recent bugs, primarily because it's so easy to exploit by script kiddies.

    Plus, there are huge, vast, barely conceivable numbers of network-attached embedded devices that use the gethostbyname() call. What percentage of these are remotely update-able? What percentage of these will have their firmware re-flashed?

    This one seems like it gives black-hats the ideal way to get a swarm army of (relatively) weak and/or dumb devices. Yet even these weak, dumb devices

    • And do such devices actually use glibc anymore? I thought that stuff like uClibc or musl has become common in that area. Plus like a few other people here, I'm surprised that gethostbyname is still being used. I concluded that its use was dangerous even in principle something like seven years ago.
  • According to the second link, the buffer overflow occurs when using a strcpy;

    resbuf->h_name = strcpy (hostname, name);

    In my (admittedly limited) recent c coding I've used strlcpy rather than strcpy. Is there a good reason not to use this (or strncpy) in place of strcpy?

    resbuf->h_name = strlcpy (hostname, name, sizeof(hostname));

    (OK, you may get an error due to a truncated copy, but isn't that is easier to spot and deal with than a potential buffer overflow?)
    • Actually, the most logical choice would have been to used mempcy because they already called strlen(name) earlier.
      Basically, they are doing the following:
      - compute the size required to store 2 pointers (THAT SHOULD BE 3) followed by strlen(name)+1 characters
      - check that the buffer is large enough and reallocate it if needed
      - store 3 pointers followed by name in the buffer.

      In that case, the obvious value for the additionnal size argument passed to memcpy, strlcpy or strncpy is strlen(

  • Raspbian vulnerable (Score:5, Informative)

    by redelm ( 54142 ) on Tuesday January 27, 2015 @04:30PM (#48918175) Homepage

    According to directions side-thread, glibc versions prior to 2.19 are vulnerable. Checking my machines, Slackware-current and Lubuntu-14.10 are fine. Only my poor tiny Raspberry Pis are vulnerable (2.13). But they run slowly enough I can watch the gethostbyname() lookups myself :)

    • this IS a bummer. upgrading libc is not usually an easy and simple thing; its too central and everything touches it.

      so, this means that the pi is not really safe to be on a public net, now, is it?

      wonder when raspian will upgrade this pkg. hope they do it soon.

  • In particular, we discovered that it was fixed on May 21, 2013 (between the releases of glibc-2.17 and glibc-2.18).
    Unfortunately, it was not recognized as a security threat; as a result, most stable and long-term-support distributions were left exposed (and still are): Debian 7 (wheezy), Red Hat Enterprise Linux 6 & 7, CentOS 6 & 7, Ubuntu 12.04, for example.

  • A very serious security problem has been found and patched in the GNU C Library (Glibc). A heap-based buffer overflow was found in __nss_hostname_digits_dots() function, which is used by the gethostbyname() and gethostbyname2() function calls.

    In all legal ways to use the function, recognizing PATH_MAX == 256, is there a problem? So, it is a potential problem.

    So, some library code was found that does not check for potential overrun. By broadcasting the routine name, hackers or ganifs will attempt to break i

Whoever dies with the most toys wins.

Working...