GHOST(dot)WEB: The First Blood

The Positive Technologies researchers report there is a working exploit for GHOST vulerability against the popular phpBB forum. The exploit in gethostbyname function allows an attacker to gain full control over an operating system of the vulnerable server.  PhpBB is a well-known forum tool for websites. A quick Google search shows that this system is currently installed in more than 800,000 websites.

Of course, not all of them are vulnerable to GHOST, as it requires that several factors be taken into account. However, rich mechanisms to maintain host identification allow an attacker to create a specially crafted exploit via http and achieve almost 100% success in conducting this attack.

The users of Positive Technologies Application Firewall can take it easy and update their OSs and applications on a scheduled basis, just as they did with the ShellShock and WordPress vulnerabilities. The self-learning mechanism implemented in PT AF detects this attack and blocks it securely (of cause, if blocking is enabled).

What is GHOST

A new vulnerability detected in widespread Linux distributions allows an attacker to remotely gain control of the victim system. It threatens popular distributions like Debian 7 (Wheezy), Red Hat Enterprise Linux 6 & 7, CentOS 6 & 7, and Ubuntu 12.04. Zend Framework v2, WordPress and some other popular applications and services are also vulnerable.

The bug (CVE-2015-0235) in the glibc library (GNU C Library) made its face public in the French news feed. Some experts think that it was leaked by mistake since by the time the patches were not ready yet.

You may find the vulnerability technical details and exploit on Openwall.com and community.Rapid7.com.

Researches who discovered the vulnerability crafted an email message that exploits the vulnerability in the Exim mail server managed by the flawed glibc version. Exim is quite widely spread and used as a default mail server in some operating systems. Attackers may target other applications as well, for example:

  • SSH servers that use DNS queries for allow/deny authentication,
  • mail servers with reverse DNS lookups,
  • multiple web applications that perform DNS lookups based on user input,
  • MySQL DBMSs, which conduct authentication using domain names (MySQL privileges).

The GHOST vulnerability was detected in the gethostbyname() and gethostbyname2() functions of the glibc library, which is a core part of Linux. There aren’t many desktop computers in the world with this OS installed, yet the amount of Linux based servers is quite impressive, which means that the network infrastructure of most process plans might be in danger. Other libc implementations (like uclibc or musl) do not have this flaw.

The error is commonly referred to as ‘GHOST’, which is a wordplay on the names of the vulnerable GetHost functions.

According to one of the versions based on the red ghost logo metadata analysis, experts discovered the bug on or before October 2, 2014, and kept silence following the terms of the nondisclosure agreement while the developers were fixing the error.

GHOST Difference from Heartbleed and Shellshock

Unlike the OpenSSL Heartbleed packet vulnerability, which allowed attackers to read server memory, the GHOST exploit gives control over the compromised operating system via remote code execution (RCE). Since the main target is servers, the vulnerability will not pose a threat to regular users on the same scale as Heartbleed did, yet it greatly endangers the infrastructure of most dot-com companies.

Compared to its notorious counterpart Shellshock, the GHOST exploit is more complicated since it allows for execution of binary instructions, not console commands. That means that before you may do anything, you have to bypass existing Linux core security protections.

How to Protect Yourself

In order to secure your servers, you need to install the patch issued by the Linux distribution vendor. The information about vulnerability first appeared on January 27, so the first patches are expected to come out this week.

In addition, Cyberciti.biz published a guide that explains how to find all the services, applications, and executes in the distribution that rely on the vulnerable GNU C Library and how to fix the error.

The users of Positive Technologies Application Firewall can take it easy and update their OSs and applications on a scheduled basis, just as they did with the ShellShock and WordPress vulnerabilities. The self-learning mechanism implemented in PT AF detects this attack and blocks it securely (of cause, if blocking is enabled).

77 thoughts on “GHOST(dot)WEB: The First Blood

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.