Presentation is loading. Please wait.

Presentation is loading. Please wait.

GHOST glibc gethostbyname() Vulnerability CVE-2015-0235 Johannes B. Ullrich, Ph.D. SANS Technology Institute https://isc.sans.edu.

Published byKarissa Pollock Modified over 9 years ago

Similar presentations

Presentation on theme: "GHOST glibc gethostbyname() Vulnerability CVE-2015-0235 Johannes B. Ullrich, Ph.D. SANS Technology Institute https://isc.sans.edu."— Presentation transcript:

1 GHOST glibc gethostbyname() Vulnerability CVE-2015-0235 Johannes B. Ullrich, Ph.D. SANS Technology Institute https://isc.sans.edu

2 Outline Background: gethostbyname() Who is at risk? How to mitigate the vulnerability? How to detect the attack? Are there exploits available? How soon do I need to patch?

3 Background: glibc and gethostbyname glibc: GNU C Library Part of Linux Standard Base Available for most (all?) operating systems including Windows gethostbyname() is an (old) standard C/POSIX function implemented by many libraries

4 gethostbyname() Part of Berkeley Sockets Converts hostname to IPv4 address Replaced by getaddrinfo(), but still widely used Doesn’t fully support IPv6

5 The Vulnerability Before converting a host name to an IP address, the function checks if the parameter is already an IP address. The function miscalculates the size needed to store the data. As a result, not enough memory is allocated and the buffer overflow happens

6 Exploit Overly large hostname consisting of numbers and up to 3 ‘.’s Only 4 or 8 bytes can be overwritten These bytes can only be numbers or ‘.’, making exploit development difficult

7 Who is vulnerable glibc 2.2 (Nov 2000) – glibc 2.17 (May 2013) Debian 7 Red Hat Enterprise Linux 6 & 7 CentOS 6 & 7 Ubuntu 12.04 (14 uses glibc 2.19) Most BSD variants (FreeBSD, OpenBSD, OS X) are NOT vulnerable

8 Software using gethostbyname() Any software initiating network connections Log processing Mail/Spam filtering Many servers Exceptions: Software using the more modern getaddrinfo() function

9 Mitigating the attack Patch! Patches are available for all current Linux distributions $ /lib/libc.so.6 GNU C Library stable release version 2.12, […] Compiled on a Linux 2.6.32 system on 2015-01-27.

10 CentOS /lib/libc.so.6 Ubuntu /usr/lib/x86_64-linux- gnu/libc.so OS X: not installed by default, but maybe with homebrew/macports find / -name ‘libc.so*’

11 Detecting an Attack Attack requires a gethostbyname() for an extraordinary long hostname that contains only numbers and up to 3 dots: 1212313.1341241234.134234.31341 (typically > 1000 digits, only numbers works too)

12 Network Detect You may see the lookup on the network IF the attack fails Lookup for “A” record Check recursive name server logs No Snort signature as of now

13 Likelihood of Exploit Exploit is tricky. Only up to 8 bytes available to execute code Code can only contain digits and. Qualys provided quite a bit of detail in its advisory, showing DoS exploits against various software Claims to have exploit for Exim

14 Exploit Availability Qualys announced that they will release the Exim exploit “soon” Expect others to work hard on exploit development Lots of detail available Likely some exploit going to be available this week.

15 Summary This is a critical vulnerability for systems using the glibc function gethostbyname() Detection is possible but tricky Patch affected systems THIS WEEK

16 Thanks! Questions: jullrich@sans.edu handlers@isc.sans.edu https://isc.sans.edu/contact.html

17 You can find a PDF and PowerPoint file for this presentation at https://isc.sans.edu/presentations

Download ppt "GHOST glibc gethostbyname() Vulnerability CVE-2015-0235 Johannes B. Ullrich, Ph.D. SANS Technology Institute https://isc.sans.edu."

Similar presentations

Code-Red : a case study on the spread and victims of an Internet worm David Moore, Colleen Shannon, Jeffery Brown Jonghyun Kim.

Code-Red : a case study on the spread and victims of an Internet worm David Moore, Colleen Shannon, Jeffery Brown Jonghyun Kim.
Ubiquitous Computing Technology Research Institute Sungkyunkwan University Using Ethereal - Packet Capturing & Analysis Tool 2006. 4. 12 Sungkyunkwan University.

Ubiquitous Computing Technology Research Institute Sungkyunkwan University Using Ethereal - Packet Capturing & Analysis Tool Sungkyunkwan University.
Network Security Attack Analysis. cs490ns - cotter2 Outline Types of Attacks Vulnerabilities Exploited Network Attack Phases Attack Detection Tools.

Network Security Attack Analysis. cs490ns - cotter2 Outline Types of Attacks Vulnerabilities Exploited Network Attack Phases Attack Detection Tools.
USB Reloaded USB Reloaded: The Teensy Attack Eric Conrad

USB Reloaded USB Reloaded: The Teensy Attack Eric Conrad
Vulnerabilities of Windows XP Brock Prince Dana Zottola ECE 578 Spring 2002 C.K. Koc.

Vulnerabilities of Windows XP Brock Prince Dana Zottola ECE 578 Spring 2002 C.K. Koc.
Vulnerability Assessments with Nessus 3 Columbia Area LUG January 10 2007.

Vulnerability Assessments with Nessus 3 Columbia Area LUG January
1 Web Server Administration Chapter 3 Installing the Server.

1 Web Server Administration Chapter 3 Installing the Server.
Nate Olson-Daniel Director of Strategic Development & Principal Engineer The Inevitable Attack.

Nate Olson-Daniel Director of Strategic Development & Principal Engineer The Inevitable Attack.
Apache : Installation, Configuration, Basic Security Presented by, Sandeep K Thopucherela, ECE Department.

Apache : Installation, Configuration, Basic Security Presented by, Sandeep K Thopucherela, ECE Department.
Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore et. al. University of California, San Diego.

Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore et. al. University of California, San Diego.
Guide to Operating System Security Chapter 2 Viruses, Worms, and Malicious Software.

Guide to Operating System Security Chapter 2 Viruses, Worms, and Malicious Software.
Linux Basics. What is an Operating System (OS)? An Operating System (OS) is an interface between hardware and user which is responsible for the management.

Linux Basics. What is an Operating System (OS)? An Operating System (OS) is an interface between hardware and user which is responsible for the management.
Identity Management and DNS Services Tianyi XING.

Identity Management and DNS Services Tianyi XING.
Port Knocking Software Project Presentation Paper Study – Part 1 Group member: Liew Jiun Hau (20086034) Lee Shirly (20095815) Ong Ivy (20095040)

Port Knocking Software Project Presentation Paper Study – Part 1 Group member: Liew Jiun Hau ( ) Lee Shirly ( ) Ong Ivy ( )
1 Web Server Administration Chapter 3 Installing the Server.

1 Web Server Administration Chapter 3 Installing the Server.
Copyright © 2002 ProsoftTraining. All rights reserved. Operating System Security.

Copyright © 2002 ProsoftTraining. All rights reserved. Operating System Security.
Guide to Linux Installation and Administration, 2e1 Chapter 3 Installing Linux.

Guide to Linux Installation and Administration, 2e1 Chapter 3 Installing Linux.
SUSE Linux Enterprise Server Administration (Course 3037) Chapter 4 Manage Software for SUSE Linux Enterprise Server.

SUSE Linux Enterprise Server Administration (Course 3037) Chapter 4 Manage Software for SUSE Linux Enterprise Server.
40m OAN telescope. First experience with ACS Observatorio Astronómico Nacional P. de Vicente, R. BolañoMarch 2004.

40m OAN telescope. First experience with ACS Observatorio Astronómico Nacional P. de Vicente, R. BolañoMarch 2004.
A Comparison of Linux vs. Windows Bhargav A. Sorathiya B.E. 4 th C.E. Roll no:6456.

A Comparison of Linux vs. Windows Bhargav A. Sorathiya B.E. 4 th C.E. Roll no:6456.

Similar presentations

Ads by Google