January 29, 2015

GHOST(dot)WEB: The First Blood

Positive Technologies researchers report that there is a working exploit for the GHOST vulnerability against the popular phpBB forum. The flaw in the gethostbyname function allows an attacker to gain full control over the operating system of the vulnerable server. phpBB is a well-known forum tool for websites; a quick Google search shows that it is currently installed on more than 800,000 websites.



Of course, not all of them are vulnerable to GHOST, since a successful attack depends on several factors. However, the rich host identification mechanisms allow an attacker to deliver a specially crafted exploit via HTTP and achieve almost 100% success with this attack.

Users of Positive Technologies Application Firewall can take it easy and update their OSs and applications on a scheduled basis, just as they did with the ShellShock and WordPress vulnerabilities. The self-learning mechanism implemented in PT AF detects this attack and blocks it reliably (provided, of course, that blocking is enabled).




What is GHOST

A new vulnerability found in widespread Linux distributions allows an attacker to remotely gain control of the victim system. It threatens popular distributions such as Debian 7 (Wheezy), Red Hat Enterprise Linux 6 and 7, CentOS 6 and 7, and Ubuntu 12.04. Zend Framework v2, WordPress and some other popular applications and services are also affected.

The bug (CVE-2015-0235) in the glibc library (GNU C Library) first surfaced in a French news feed. Some experts think it was leaked by mistake, since at that time the patches were not ready yet.

Technical details of the vulnerability and the exploit can be found on Openwall.com and community.Rapid7.com.

The researchers who discovered the vulnerability crafted an email message that exploits it in the Exim mail server running on a flawed glibc version. Exim is quite widespread and is used as the default mail server in some operating systems. Attackers may target other applications as well, for example:

  • SSH servers that use DNS queries for allow/deny authentication,
  • mail servers with reverse DNS lookups,
  • multiple web applications that perform DNS lookups based on user input,
  • MySQL DBMSs, which authenticate clients using domain names (MySQL privileges).

The GHOST vulnerability was found in the gethostbyname() and gethostbyname2() functions of the glibc library, which is a core part of Linux. There aren't many desktop computers in the world running this OS, yet the number of Linux-based servers is quite impressive, which means that the network infrastructure of most enterprises might be in danger. Other libc implementations (such as uClibc or musl) do not have this flaw.

The flaw is commonly referred to as 'GHOST', a play on the names of the vulnerable GetHOST functions.

According to one version of events, based on analysis of the red ghost logo's metadata, experts discovered the bug on or before October 2, 2014, and kept silent under the terms of a nondisclosure agreement while the developers were fixing the error.

GHOST Difference from Heartbleed and Shellshock

Unlike the OpenSSL Heartbleed vulnerability, which allowed attackers to read server memory, the GHOST exploit gives control over the compromised operating system via remote code execution (RCE). Since the main targets are servers, the vulnerability will not threaten regular users on the same scale as Heartbleed did, yet it greatly endangers the infrastructure of most dot-com companies.

Compared to its notorious counterpart Shellshock, the GHOST exploit is more complicated, since it relies on executing binary instructions rather than console commands. That means that before an attacker can do anything, they have to bypass the existing Linux kernel security protections.

How to Protect Yourself

To secure your servers, you need to install the patch issued by your Linux distribution vendor. Information about the vulnerability first appeared on January 27, so the first patches are expected to come out this week.

In addition, Cyberciti.biz published a guide that explains how to find all the services, applications, and executables in the distribution that rely on the vulnerable GNU C Library, and how to fix the error.
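As an added example (not part of the original post or of any Positive Technologies or Cyberciti.biz tool), the POSIX shell helpers below do two checks that belong in such a triage: they classify an installed glibc version against the upstream-affected range 2.2 through 2.17 (the upstream fix shipped in 2.18, but distributions backport it, so a hit means "consult the vendor advisory", not "confirmed vulnerable"), and they list processes still mapping a libc that has been replaced on disk, i.e. services that must be restarted after the update. It assumes a Linux host with /proc mounted; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: CVE-2015-0235 (GHOST) triage helpers.
# Assumes a Linux host with /proc mounted. Function names are this example's own.

# Exit 0 if VERSION (e.g. "2.17" or "2.17.1") falls in the upstream-affected
# glibc range 2.2 .. 2.17. The upstream fix shipped in 2.18, but distributions
# backport it, so a hit means "check the vendor advisory", not "vulnerable".
# Exit 2 if the string is not a MAJOR.MINOR version.
glibc_needs_review() {
    case "$1" in
        [0-9]*.[0-9]*) ;;
        *) return 2 ;;
    esac
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    case "$minor" in *[!0-9]*) return 2 ;; esac
    [ "$major" -eq 2 ] && [ "$minor" -ge 2 ] && [ "$minor" -le 17 ]
}

# Installed glibc version: last field of the first "ldd --version" line,
# e.g. "ldd (GNU libc) 2.17" -> "2.17". Empty if ldd is unavailable.
installed_glibc_version() {
    ldd --version 2>/dev/null | awk 'NR == 1 { print $NF }'
}

# Print "PID COMMAND" for every process whose memory map still references a
# libc file marked "(deleted)": it loaded the old library before the package
# update and must be restarted to pick up the fixed one.
procs_using_stale_libc() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        pid=${pid%/maps}
        if grep -q 'libc[-.].*(deleted)' "$maps" 2>/dev/null; then
            printf '%s %s\n' "$pid" "$(cat "/proc/$pid/comm" 2>/dev/null)"
        fi
    done
}

# Stand-alone usage: report the version verdict, then the restart list.
ver=$(installed_glibc_version)
if glibc_needs_review "$ver"; then
    echo "glibc $ver is in the affected upstream range; verify the vendor patch"
else
    echo "glibc $ver is outside the affected upstream range (or unparsable)"
fi
procs_using_stale_libc
```

Run it once before and once after applying the vendor patch: a non-empty restart list after the update is the set of services that are still running the old code.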


