Incident Response, TDR, Vulnerability Management

‘GHOST’ bug in Linux library enables remote takeover of victim’s system

Researchers with security firm Qualys have identified a buffer overflow vulnerability in the Linux GNU C Library (glibc) that, if exploited, could enable an attacker to remotely take complete control of a victim's system – all without having knowledge of system credentials.

Qualys considers the vulnerability – CVE-2015-0235, named ‘GHOST' because it can be triggered by the ‘GetHOST' functions – to be high in severity, Amol Sarwate, director of engineering with Qualys, told in a Wednesday email correspondence.

“In our tests we were able to get a shell remotely, which may allow attackers to steal files, delete programs, install malware or simply perform any other tasks that a user with valid credentials can perform,” Sarwate said.

Debian 7 (Wheezy), Red Hat Enterprise Linux 6 and 7, CentOS 6 and 7, and Ubuntu 12.04 are among the systems that are affected, Sarwate said, adding that other Linux systems using versions of glibc from 2.2 to before 2.18 are also at risk.

The best way to protect against GHOST is to apply patches from Linux distribution vendors, Sarwate said, explaining that Qualys coordinated the disclosure of the bug with the Linux distribution vendors so that patches are already available.

Sarwate said he does not believe that the GHOST vulnerability has been exploited, although he noted that there is no way to know for sure if individuals are working towards it. He also indicated that a determined and skilled attacker should be able to create an exploit, even if it is not that easy.

As indicated in a Tuesday post, Qualys is not yet releasing an exploit, but Sarwate shared some information regarding the proof-of-concept developed during testing.

“After [we] identified the buffer overflow (__nss_hostname_digits_dots() function), we went about how this issue can be exploited remotely,” Sarwate said. “We quickly found that the overflow can be exploited by calling the gethostbyname*() functions. After that the only task remaining was to find a program to which we can send data and which will call the affected functions.

Sarwate went on to say, “For this attack to be successful, the attacker should be able to send data to a program which calls the affected functions. We were able to achieve this by sending a specially crafted mail to a mail server, which allowed us to take control of the mail server.”

In a statement emailed to on Tuesday, HD Moore, chief research officer with Rapid7, indicated that exploiting the vulnerability is not likely to be simple, but that an “easily-exploitable case” was discovered in the Exim mail server.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.