GHOST glibc gethostbyname() Vulnerability CVE-2015-0235 Johannes B. Ullrich, Ph.D. SANS Technology Institute https://isc.sans.edu.

Slides:



Advertisements
Similar presentations
Code-Red : a case study on the spread and victims of an Internet worm David Moore, Colleen Shannon, Jeffery Brown Jonghyun Kim.
Advertisements

Ubiquitous Computing Technology Research Institute Sungkyunkwan University Using Ethereal - Packet Capturing & Analysis Tool Sungkyunkwan University.
Network Security Attack Analysis. cs490ns - cotter2 Outline Types of Attacks Vulnerabilities Exploited Network Attack Phases Attack Detection Tools.
USB Reloaded USB Reloaded: The Teensy Attack Eric Conrad
Vulnerabilities of Windows XP Brock Prince Dana Zottola ECE 578 Spring 2002 C.K. Koc.
Vulnerability Assessments with Nessus 3 Columbia Area LUG January
1 Web Server Administration Chapter 3 Installing the Server.
Nate Olson-Daniel Director of Strategic Development & Principal Engineer The Inevitable Attack.
Apache : Installation, Configuration, Basic Security Presented by, Sandeep K Thopucherela, ECE Department.
Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore et. al. University of California, San Diego.
Guide to Operating System Security Chapter 2 Viruses, Worms, and Malicious Software.
Linux Basics. What is an Operating System (OS)? An Operating System (OS) is an interface between hardware and user which is responsible for the management.
Identity Management and DNS Services Tianyi XING.
Port Knocking Software Project Presentation Paper Study – Part 1 Group member: Liew Jiun Hau ( ) Lee Shirly ( ) Ong Ivy ( )
1 Web Server Administration Chapter 3 Installing the Server.
Copyright © 2002 ProsoftTraining. All rights reserved. Operating System Security.
Guide to Linux Installation and Administration, 2e1 Chapter 3 Installing Linux.
SUSE Linux Enterprise Server Administration (Course 3037) Chapter 4 Manage Software for SUSE Linux Enterprise Server.
40m OAN telescope. First experience with ACS Observatorio Astronómico Nacional P. de Vicente, R. BolañoMarch 2004.
A Comparison of Linux vs. Windows Bhargav A. Sorathiya B.E. 4 th C.E. Roll no:6456.
1 Web Server Administration Chapter 3 Installing the Server.
BLENDED ATTACKS EXPLOITS, VULNERABILITIES AND BUFFER-OVERFLOW TECHNIQUES IN COMPUTER VIRUSES By: Eric Chien and Peter Szor Presented by: Jesus Morales.
SEISLOG Linux presented at the WORKSHOP High Quality Seismic Stations and Networks for Small Budgets Volcan, Panama March, 2004 by Terje Utheim,
IPv6 RA DoS Attacks Sam Bowne gogoNET Live 4 Nov 13, 2013.
Linux Introduction What is Linux? How do you use it?
Distributed Denial of Service Attacks Shankar Saxena Veer Vivek Kaushik.
Security monitoring boxes Andrew McNab University of Manchester.
Security. Security Flaws Errors that can be exploited by attackers Constantly exploited.
Buffer Overflow Attack-proofing by Transforming Code Binary Gopal Gupta Parag Doshi, R. Reghuramalingam The University of Texas at Dallas 11/15/2004.
IT320 OPERATING SYSTEM CONCEPTS Unit 3: Welcome to Linux September 2012 Kaplan University 1.
CS2204: Introduction to Unix January 19 th, 2004 Class Meeting 1 * Notes adapted by Christian Allgood from previous work by other members of the CS faculty.
Two Scary DoS Attacks AND Hacking American Express and Chase Manhattan Accounts HI-TEC July 24, 2013.
Buffer Overflow Attack Proofing of Code Binary Gopal Gupta, Parag Doshi, R. Reghuramalingam, Doug Harris The University of Texas at Dallas.
4061 Session 26 (4/19). Today Network security Sockets: building a server.
 Linux Mint is a computer operating system designed to work on most modern systems, including typical x86 and x64 PC’s. Linux Mint can be thought of.
IPv6 Experiment Roque Gagliano The idea  To taste IPv6 by yourself today at the meeting.  30 minutes of IPv6 only content.  We have.
Retina Network Security Scanner
Lecture 13 Page 1 CS 236 Online Major Problem Areas for Secure Programming Certain areas of programming have proven to be particularly prone to problems.
Web Security Firewalls, Buffer overflows and proxy servers.
GHOST 2.0: What you need to know about the glibc getaddrinfo vulnerability (CVE ) Johannes B. Ullrich, Ph.D, SANS
Writing Security Alerts tbird Last modified 2/25/2016 8:55 PM.
“Lines of Defense” against Malware.. Prevention: Keep Malware off your computer. Limit Damage: Stop Malware that gets onto your computer from doing any.
VM: Chapter 7 Buffer Overflows. csci5233 computer security & integrity (VM: Ch. 7) 2 Outline Impact of buffer overflows What is a buffer overflow? Types.
Testing Exploits and Malware in an isolated environment Luca Allodi – Fabio Massacci – Vadim Kotov
Cases Study: Code Red. ©2002, Jedidiah R. Crandall, Susan L. Gerhart, Jan G. Hogle. Case Study: Code Red Author: Jedidiah.
@Yuan Xue Worm Attack Yuan Xue Fall 2012.
By: Brett Belin. Used to be only tackled by highly trained professionals As the internet grew, more and more people became familiar with securing a network.
Could Haiku ever become a BSD?
Methods of Secure Information System Design
Computer Technology Project Distros Lars Noodén
Common System Exploits Tom Chothia Computer Security, Lecture 17.
Computer Technology Project
GNU and Linux.
WannaCry/WannaCrypt Ransomware
IT320 Operating System Concepts
WannaCry/WannaCrypt Ransomware
Chapter 7. Identifying Assets and Activities to Be Protected
Internet Quarantine: Requirements for Containing Self-Propagating Code
Welcome to Linux Chap#1 Hanin Abdulrahman.
Discussion about 'Shellshock' fixes--Ubuntu and OS X
Intuit has launched QuickBooks File Doctor tool (QBFD) in QuickBooks File Doctor is a tool that has been designed to recover the damaged company.
DHCP, DNS, Client Connection, Assignment 1 1.3
Figure 6-4: Installation and Patching
Case Study: Code Red Author: Jedidiah R. Crandall,
Operating System Security
Linux and TCP/IP Networking
Welcome to Linux Chap#1 Hanin Abdulrahman.
Welcome to Linux Chap#1.
Return-to-libc Attacks
Presentation transcript:

GHOST glibc gethostbyname() Vulnerability CVE Johannes B. Ullrich, Ph.D. SANS Technology Institute

Outline Background: gethostbyname() Who is at risk? How to mitigate the vulnerability? How to detect the attack? Are there exploits available? How soon do I need to patch?

Background: glibc and gethostbyname glibc: GNU C Library Part of Linux Standard Base Available for most (all?) operating systems including Windows gethostbyname() is an (old) standard C/POSIX function implemented by many libraries

gethostbyname() Part of Berkeley Sockets Converts hostname to IPv4 address Replaced by getaddrinfo(), but still widely used Doesn’t fully support IPv6

The Vulnerability Before converting a host name to an IP address, the function checks if the parameter is already an IP address. The function miscalculates the size needed to store the data. As a result, not enough memory is allocated and the buffer overflow happens

Exploit Overly large hostname consisting of numbers and up to 3 ‘.’s Only 4 or 8 bytes can be overwritten These bytes can only be numbers or ‘.’, making exploit development difficult

Who is vulnerable glibc 2.2 (Nov 2000) – glibc 2.17 (May 2013) Debian 7 Red Hat Enterprise Linux 6 & 7 CentOS 6 & 7 Ubuntu (14 uses glibc 2.19) Most BSD variants (FreeBSD, OpenBSD, OS X) are NOT vulnerable

Software using gethostbyname() Any software initiating network connections Log processing Mail/Spam filtering Many servers Exceptions: Software using the more modern getaddrinfo() function

Mitigating the attack Patch! Patches are available for all current Linux distributions $ /lib/libc.so.6 GNU C Library stable release version 2.12, […] Compiled on a Linux system on

CentOS /lib/libc.so.6 Ubuntu /usr/lib/x86_64-linux- gnu/libc.so OS X: not installed by default, but maybe with homebrew/macports find / -name ‘libc.so*’

Detecting an Attack Attack requires a gethostbyname() for an extraordinary long hostname that contains only numbers and up to 3 dots: (typically > 1000 digits, only numbers works too)

Network Detect You may see the lookup on the network IF the attack fails Lookup for “A” record Check recursive name server logs No Snort signature as of now

Likelihood of Exploit Exploit is tricky. Only up to 8 bytes available to execute code Code can only contain digits and. Qualys provided quite a bit of detail in its advisory, showing DoS exploits against various software Claims to have exploit for Exim

Exploit Availability Qualys announced that they will release the Exim exploit “soon” Expect others to work hard on exploit development Lots of detail available Likely some exploit going to be available this week.

Summary This is a critical vulnerability for systems using the glibc function gethostbyname() Detection is possible but tricky Patch affected systems THIS WEEK

Thanks! Questions:

You can find a PDF and PowerPoint file for this presentation at

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.