A critical vulnerability in glibc, a core Linux library, can be exploited remotely through WordPress and likely other PHP applications to compromise Web servers.
The buffer overflow vulnerability, dubbed Ghost, was reported Tuesday by researchers from security vendor Qualys. It is identified as CVE-2015-0235 in the Common Vulnerabilities and Exposures database.
The bug is located in the gethostbyname*() functions of the glibc (GNU C Library), versions 2.2 through 2.17. A fix was committed in May 2013, between the 2.17 and 2.18 releases, so glibc 2.18 was the first release to carry it, but the change was not flagged as a security fix at the time.
As a result, some Linux distributions, especially those developed for long-term support, did not backport the patch and were still using vulnerable glibc versions when the Qualys researchers identified the security implications of the bug during a code audit.
The overflow itself is in __nss_hostname_digits_dots(), an internal helper that gethostbyname() and gethostbyname2() (and their reentrant _r variants) call to handle names that look like numeric addresses. PHP's gethostbyname() is a thin wrapper over the libc call, so PHP applications such as WordPress inherit the bug, which widens the exposure even as Linux distributions roll out patches.
“An example of where this could be a big issue is within WordPress itself: it uses a function named wp_http_validate_url() to validate every pingback’s post URL,” wrote Sucuri researcher Marc-Alexandre Montpas in an advisory published Wednesday. “And it does so by using gethostbyname(). So an attacker could leverage this vector to insert a malicious URL that would trigger a buffer overflow bug, server-side, potentially allowing him to gain privileges on the server.”
So far the only proof-of-concept exploit is the one Qualys developed against the Exim mail transfer agent (MTA), and experts agree that any exploit has significant hurdles to clear.
“The exploitation depends on being able to convince a program to perform a DNS lookup of a host name provided by the attacker,” said researcher Michal Zalewski. “The lookup has to be done in a very particular way and must lack a couple of commonly-employed (but certainly not mandatory) sanity checks.”
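The kind of input-side sanity check Zalewski is alluding to looks like the following. This is an added example, not code from the article, from WordPress or from glibc: a validator that an application would run on an attacker-supplied host name before handing it to the resolver. It assumes the caller wants to accept either an address literal or a plain LDH hostname (letters, digits, hyphens), and it rejects two things that matter for this bug in particular: names longer than the RFC 1035 limit of 253 bytes, which is what forces gethostbyname() to grow its buffer to exactly the wrong size, and strings made only of digits and dots that are not a real dotted quad, which is precisely the input class the numeric fast path in __nss_hostname_digits_dots() tries to parse.

```c
#include <arpa/inet.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Limits from RFC 1035: 63 bytes per label, 253 bytes for a name in text form. */
#define MAX_LABEL_LEN 63
#define MAX_NAME_LEN  253

static bool is_ldh_letter_or_digit(unsigned char c)
{
    /* ASCII-only on purpose: no locale-dependent isalnum() surprises. */
    return (c >= '0' && c <= '9') ||
           (c >= 'a' && c <= 'z') ||
           (c >= 'A' && c <= 'Z');
}

/*
 * Decide whether 'name' is something a resolver should ever see: a valid
 * IPv4 or IPv6 literal, or an LDH hostname in which no label is empty,
 * longer than 63 bytes, or starting/ending with a hyphen. A trailing dot
 * (FQDN form) is rejected here; relax that if your application needs it.
 *
 * Hypothetical helper written for this example; not a WordPress or glibc API.
 */
bool hostname_is_sane(const char *name)
{
    unsigned char addr[16];          /* big enough for an IPv6 address */
    size_t len, label_len = 0;
    bool only_digits_and_dots = true;

    if (name == NULL)
        return false;
    len = strlen(name);
    if (len == 0 || len > MAX_NAME_LEN)
        return false;

    /* Address literals: accept only what inet_pton() parses exactly.
       inet_aton()-style oddities (octal, hex, partial quads) never get through. */
    if (inet_pton(AF_INET, name, addr) == 1 || inet_pton(AF_INET6, name, addr) == 1)
        return true;

    for (const char *p = name; ; p++) {
        unsigned char c = (unsigned char)*p;

        if (c == '.' || c == '\0') {
            /* End of a label: must be non-empty, short enough, and not end in '-'.
               p[-1] is only read once label_len > 0, so it is always inside 'name'. */
            if (label_len == 0 || label_len > MAX_LABEL_LEN || p[-1] == '-')
                return false;
            if (c == '\0')
                break;
            label_len = 0;
            continue;
        }
        if (c == '-') {
            if (label_len == 0)
                return false;          /* a label may not start with a hyphen */
        } else if (!is_ldh_letter_or_digit(c)) {
            return false;              /* space, underscore, non-ASCII, ... */
        }
        if (!(c >= '0' && c <= '9'))
            only_digits_and_dots = false;
        label_len++;
    }

    /* Digits and dots only, but inet_pton() did not accept it: not an
       address, and (per RFC 1123) not a hostname either. Refuse it rather
       than let libc's numeric fast path guess. */
    return !only_digits_and_dots;
}
```

Run this before every gethostbyname()/getaddrinfo() call on untrusted input (pingback URLs, SMTP HELO names, X-Forwarded-For style headers). It is a defence-in-depth check, not a substitute for the glibc update: a reentrant caller that supplies its own small buffer can still hit the miscount with a short numeric name that inet_pton() happens to accept.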
The vulnerable range is glibc 2.2 through 2.17. Because the May 2013 fix was not labelled a security fix, long-term-support distributions had no reason to backport it and many shipped vulnerable builds for well over a year. Besides the WordPress vector, Qualys identified Exim, clockdiff, procmail and pppd as programs that pass attacker-influenced names to the affected functions.
“This is a very critical vulnerability and should be treated as such,” Montpas said. “If you have a dedicated server or VPN running Linux, you have to make sure you update it right away.”
Montpas provided a PHP one-liner that admins can run from a shell on the server. It feeds a 2,500-digit all-numeric name to gethostbyname(); if the command dies with a segmentation fault, the server is running a vulnerable glibc, while on a patched system it exits silently:
php -r '$e="0";for($i=0;$i<2500;$i++){$e="0$e";} gethostbyname($e);'
Segmentation fault
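The segfault above is a side effect of the non-reentrant gethostbyname() growing its internal buffer to exactly the miscounted size and then writing past the end of it. A cleaner check, which does not rely on crashing and works on any system with a C compiler, uses the reentrant gethostbyname_r() with a caller-supplied buffer and a canary placed directly after it. This is an added example, not code from the article or from Sucuri; it follows the same canary idea Qualys used in its advisory. It assumes a 64- or 32-bit glibc layout in which the vulnerable size calculation omits one sizeof(char *); on a fixed glibc the call is refused with ERANGE before anything is written, and on another libc the result is reported as inconclusive rather than guessed.

```c
#define _GNU_SOURCE          /* gethostbyname_r() prototype in <netdb.h> */
#include <errno.h>
#include <netdb.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CANARY "in_the_coal_mine"

/* Resolver buffer with a canary immediately after it. A vulnerable glibc
   writes sizeof(char *) bytes past 'buffer', which lands in 'canary'. */
static struct {
    char buffer[1024];
    char canary[sizeof CANARY];
} probe;

enum ghost_result {
    GHOST_NOT_VULNERABLE = 0,   /* size check refused the buffer (ERANGE) */
    GHOST_VULNERABLE     = 1,   /* canary overwritten */
    GHOST_INCONCLUSIVE   = 2    /* neither: not a glibc we understand */
};

/* Length of an all-digit name that exactly fills 'buflen' under the
   vulnerable calculation, which counted
     sizeof(*host_addr) (16) + sizeof(*h_addr_ptrs) (2 pointers) + strlen + 1
   and forgot sizeof(*h_alias_ptr) (one more pointer). */
size_t ghost_name_len(size_t buflen)
{
    return buflen - 16 - 2 * sizeof(char *) - 1;
}

enum ghost_result ghost_check(void)
{
    struct hostent resbuf, *result = NULL;
    int herrno = 0, rc;
    char name[sizeof probe.buffer];
    size_t len = ghost_name_len(sizeof probe.buffer);

    memset(&probe, 0, sizeof probe);
    memcpy(probe.canary, CANARY, sizeof CANARY);

    /* Digits only: the sole input class that reaches the numeric fast path
       in __nss_hostname_digits_dots(). A run of zeros parses as 0.0.0.0. */
    memset(name, '0', len);
    name[len] = '\0';

    rc = gethostbyname_r(name, &resbuf, probe.buffer, sizeof probe.buffer,
                         &result, &herrno);

    if (memcmp(probe.canary, CANARY, sizeof CANARY) != 0)
        return GHOST_VULNERABLE;        /* the write ran past the buffer */
    if (rc == ERANGE)
        return GHOST_NOT_VULNERABLE;    /* fixed size check caught it */
    return GHOST_INCONCLUSIVE;          /* e.g. musl rejects the name outright */
}

int main(void)
{
    static const char *const label[] = { "not vulnerable", "VULNERABLE", "inconclusive" };
    enum ghost_result r = ghost_check();

    printf("GHOST (CVE-2015-0235) check: %s\n", label[r]);
    return r == GHOST_VULNERABLE;
}
```

Unlike the PHP one-liner, this never touches the network: with a numeric-looking name glibc decides on the buffer size before any lookup, so the test is safe to run on a production host and exits non-zero only when the canary was clobbered.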
Patching Ghost on Linux systems figures to be more straightforward than last fall’s Bash vulnerability (Shellshock), which affected Linux, UNIX and Mac OS X: experts suggest that installing the glibc update from the respective distribution and then rebooting, or at least restarting every service that still has the old library mapped, takes care of the issue. Debian 7, Red Hat Enterprise Linux 6 and 7, CentOS 6 and 7 and Ubuntu 12.04 were all running vulnerable versions of glibc; all have released updates.
“To be clear, this is NOT the end of the Internet as we know it, nor is it another Heartbleed. In a general sense, it’s not likely to be an easy bug to exploit,” said Rapid7 CSO and Metasploit creator HD Moore. “Still, it could potentially be nasty if exploited so we strongly recommend immediate patching and rebooting. Without a reboot, services using the old library will not be restarted.”