回答我的问题,来自Qualys:
在测试过程中,我们开发了一个概念证明,其中我们将特殊创建的电子邮件发送到邮件服务器,并可以将远程Shell传递到Linux机器。这会绕过 32位和64位系统上的所有现有保护(如ASLR,PIE和NX)。
我在下面针对其他任何人的汇编研究:
免责声明
尽管许多其他线程/博客可能会告诉您什么,但我建议不要在没有彻底测试这些glibc
更新的情况下立即盲目更新您拥有的每个操作系统。据报道,glibc更新已引起大量的应用程序段错误,迫使人们将其glibc更新回滚到以前的版本。
没有测试就不会简单地大规模更新生产环境。
背景资料
GHOST是一个“缓冲区溢出”错误,会影响glibc库中的gethostbyname()和gethostbyname2()函数调用。利用此漏洞,远程攻击者能够对这两个功能之一进行应用程序调用,并在运行该应用程序的用户许可下执行任意代码。
影响力
gethostbyname()函数调用用于DNS解析,这是非常常见的事件。要利用此漏洞,攻击者必须通过向执行DNS解析的应用程序提供无效的主机名参数来触发缓冲区溢出。
当前受影响的Linux发行版列表
RHEL(Red Hat Enterprise Linux)版本5.x,6.x和7.x
RHEL 4 ELS fix available ---> glibc-2.3.4-2.57.el4.2
Desktop (v. 5) fix available ---> glibc-2.5-123.el5_11.1
Desktop (v. 6) fix available ---> glibc-2.12-1.149.el6_6.5
Desktop (v. 7) fix available ---> glibc-2.17-55.el7_0.5
HPC Node (v. 6) fix available ---> glibc-2.12-1.149.el6_6.5
HPC Node (v. 7) fix available ---> glibc-2.17-55.el7_0.5
Server (v. 5) fix available ---> glibc-2.5-123.el5_11.1
Server (v. 6) fix available ---> glibc-2.12-1.149.el6_6.5
Server (v. 7) fix available ---> glibc-2.17-55.el7_0.5
Server EUS (v. 6.6.z) fix available ---> glibc-2.12-1.149.el6_6.5
Workstation (v. 6) fix available ---> glibc-2.12-1.149.el6_6.5
Workstation (v. 7) fix available ---> glibc-2.17-55.el7_0.5
CentOS Linux版本5.x,6.x和7.x
CentOS-5 fix available ---> glibc-2.5-123.el5_11
CentOS-6 fix available ---> glibc-2.12-1.149.el6_6.5
CentOS-7 fix available ---> glibc-2.17-55.el7_0.5
Ubuntu Linux版本10.04、12.04 LTS
10.04 LTS fix available ---> libc6-2.11.1-0ubuntu7.20
12.04 LTS fix available ---> libc6-2.15-0ubuntu10.10
Debian Linux版本6.x,7.x
6.x squeeze vulnerable
6.x squeeze (LTS) fix available ---> eglibc-2.11.3-4+deb6u4
7.x wheezy vulnerable
7.x wheezy (security) fix available ---> glib-2.13-38+deb7u7
Linux Mint版本13.0
Mint 13 fix available ---> libc6-2.15-0ubuntu10.10
Fedora Linux版本19(或更旧的版本应升级)
Fedora 19 - vulnerable - EOL on Jan 6, 2014 (upgrade to Fedora 20/21 for patch)
SUSE Linux Enterprise
Server 10 SP4 LTSS for x86 fix available ---> glibc-2.4-31.113.3
Server 10 SP4 LTSS for AMD64 and Intel EM64T fix available ---> glibc-2.4-31.113.3
Server 10 SP4 LTSS for IBM zSeries 64bit fix available ---> glibc-2.4-31.113.3
Software Development Kit 11 SP3 fix available ---> glibc-2.11.3-17.74.13
Server 11 SP1 LTSS fix available ---> glibc-2.11.1-0.60.1
Server 11 SP2 LTSS fix available ---> glibc-2.11.3-17.45.55.5
Server 11 SP3 (VMware) fix available ---> glibc-2.11.3-17.74.13
Server 11 SP3 fix available ---> glibc-2.11.3-17.74.13
Desktop 11 SP3 fix available ---> glibc-2.11.3-17.74.13
openSUSE(11之前的版本应升级)
11.4 Evergreen fix available ---> glibc-2.11.3-12.66.1
12.3 fix available ---> glibc-2.17-4.17.1
哪些软件包/应用程序仍在使用已删除的glibc?
(归功于Gilles)
对于CentOS / RHEL / Fedora / Scientific Linux:
lsof -o / | awk '
BEGIN {
while (("rpm -ql glibc | grep \\\\.so\\$" | getline) > 0)
libs[$0] = 1
}
$4 == "DEL" && $8 in libs {print $1, $2}'
对于Ubuntu / Debian Linux:
lsof -o / | awk '
BEGIN {
while (("dpkg -L libc6:amd64 | grep \\\\.so\\$" | getline) > 0)
libs[$0] = 1
}
$4 == "DEL" && $8 in libs {print $1, $2}'
我的Linux系统使用什么C库(glibc)版本?
检查版本号的最简单方法是运行以下命令:
ldd --version
RHEL / CentOS Linux v6.6的示例输出:
ldd (GNU libc) 2.12
Copyright (C) 2010 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Written by Roland McGrath and Ulrich Drepper.
Ubuntu Linux 12.04.5 LTS的示例输出:
ldd (Ubuntu EGLIBC 2.15-0ubuntu10.9) 2.15
Copyright (C) 2012 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Written by Roland McGrath and Ulrich Drepper.
Debian Linux v7.8的示例输出:
ldd (Debian EGLIBC 2.13-38+deb7u6) 2.13
Copyright (C) 2011 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Written by Roland McGrath and Ulrich Drepper.
GHOST漏洞检查
芝加哥大学托管以下脚本,可轻松下载:
$ wget https://webshare.uchicago.edu/orgs/ITServices/itsec/Downloads/GHOST.c
[OR]
$ curl -O https://webshare.uchicago.edu/orgs/ITServices/itsec/Downloads/GHOST.c
$ gcc GHOST.c -o GHOST
$ ./GHOST
[responds vulnerable OR not vulnerable ]
/* ghosttest.c: GHOST vulnerability tester */
/* Credit: http://www.openwall.com/lists/oss-security/2015/01/27/9 */
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#define CANARY "in_the_coal_mine"
struct {
char buffer[1024];
char canary[sizeof(CANARY)];
} temp = { "buffer", CANARY };
int main(void) {
struct hostent resbuf;
struct hostent *result;
int herrno;
int retval;
/*** strlen (name) = size_needed - sizeof (*host_addr) - sizeof (*h_addr_ptrs) - 1; ***/
size_t len = sizeof(temp.buffer) - 16*sizeof(unsigned char) - 2*sizeof(char *) - 1;
char name[sizeof(temp.buffer)];
memset(name, '0', len);
name[len] = '\0';
retval = gethostbyname_r(name, &resbuf, temp.buffer, sizeof(temp.buffer), &result, &herrno);
if (strcmp(temp.canary, CANARY) != 0) {
puts("vulnerable");
exit(EXIT_SUCCESS);
}
if (retval == ERANGE) {
puts("not vulnerable");
exit(EXIT_SUCCESS);
}
puts("should not happen");
exit(EXIT_FAILURE);
}
编译并运行如下:
$ gcc ghosttester.c -o ghosttester
$ ./ghosttester
[responds vulnerable OR not vulnerable ]
红帽访问实验室:GHOST工具不要使用此工具,它的报告错误,来自Qualys的漏洞检查程序是准确的。
打补丁
CentOS / RHEL / Fedora /科学Linux
sudo yum clean all
sudo yum update
现在重新启动以生效:
sudo reboot
另外,如果您的镜像不包含最新软件包,则只需手动下载它们即可。*注:对于更高级的用户
CentOS的5
http://mirror.centos.org/centos/5.11/updates/x86_64/RPMS/
CentOS的6
mkdir ~/ghostupdate
cd ~/ghostupdate
wget http://mirror.centos.org/centos/6.6/updates/x86_64/Packages/glibc-devel-2.12-1.149.el6_6.5.x86_64.rpm
wget http://mirror.centos.org/centos/6.6/updates/x86_64/Packages/glibc-common-2.12-1.149.el6_6.5.x86_64.rpm
wget http://mirror.centos.org/centos/6.6/updates/x86_64/Packages/nscd-2.12-1.149.el6_6.5.x86_64.rpm
wget http://mirror.centos.org/centos/6.6/updates/x86_64/Packages/glibc-static-2.12-1.149.el6_6.5.x86_64.rpm
wget http://mirror.centos.org/centos/6.6/updates/x86_64/Packages/glibc-headers-2.12-1.149.el6_6.5.x86_64.rpm
wget http://mirror.centos.org/centos/6.6/updates/x86_64/Packages/glibc-utils-2.12-1.149.el6_6.5.x86_64.rpm
wget http://mirror.centos.org/centos/6.6/updates/x86_64/Packages/glibc-2.12-1.149.el6_6.5.x86_64.rpm
wget http://mirror.centos.org/centos/6.6/updates/x86_64/Packages/glibc-static-2.12-1.149.el6_6.5.i686.rpm
wget http://mirror.centos.org/centos/6.6/updates/x86_64/Packages/glibc-devel-2.12-1.149.el6_6.5.i686.rpm
wget http://mirror.centos.org/centos/6.6/updates/x86_64/Packages/glibc-2.12-1.149.el6_6.5.i686.rpm
yum localupdate *.rpm [OR] rpm -Uvh *.rpm
Ubuntu / Debian Linux
sudo apt-get clean
sudo apt-get update
sudo apt-get dist-upgrade
重新开始:
sudo reboot
SUSE Linux Enterprise
要安装此SUSE安全更新,请使用YaST online_update。或根据您的版本使用以下命令:
SUSE Linux企业软件开发套件11 SP3
zypper in -t patch sdksp3-glibc-10206
适用于VMware的SUSE Linux Enterprise Server 11 SP3
zypper in -t patch slessp3-glibc-10206
SUSE Linux Enterprise Server 11 SP3
zypper in -t patch slessp3-glibc-10206
SUSE Linux Enterprise Server 11 SP2 LTSS
zypper in -t patch slessp2-glibc-10204
SUSE Linux Enterprise Server 11 SP1 LTSS
zypper in -t patch slessp1-glibc-10202
SUSE Linux Enterprise Desktop 11 SP3
zypper in -t patch sledsp3-glibc-10206
最后,针对所有SUSE linux版本运行,以使您的系统最新:
zypper patch
OpenSUSE Linux
要查看可用更新的列表,包括OpenSUSE Linux上的glibc,请输入:
zypper lu
要使用更新的可用版本简单地更新已安装的glibc软件包,请运行:
zypper up
您的计算机上几乎所有运行的程序都使用glibc。您需要重新启动所有使用glibc的服务或应用,以确保补丁生效。因此,建议重新启动。
如何在不重新启动或不影响系统的情况下重新启动init?
telinit u
'man telinit'-U或u请求init(8)守护程序重新执行自身。不建议这样做,因为Upstart当前无法保存其状态,但是在升级系统库时是必需的。
要立即以有限的方式缓解威胁,是通过在所有面向公众的服务中禁用反向DNS检查。例如,您可以禁用通过设置SSH反向DNS检查UseDNS
到no
你/etc/ssh/sshd_config
。
来源(以及更多信息):
- https://access.redhat.com/articles/1332213
- http://www.cyberciti.biz/faq/cve-2015-0235-patch-ghost-on-debian-ubuntu-fedora-centos-rhel-linux/
- http://www.openwall.com/lists/oss-security/2015/01/27/9
- /security/80210/ghost-bug-is-there-a-simple-way-to-test-if-my-system-is-secure
- http://bobcares.com/blog/ghost-hunting-resolving-glibc-remote-code-execution-vulnerability-cve-2015-0235-in-centos-red-hat-ubuntu-debian-and-suse-linux-伺服器
- https://community.qualys.com/blogs/laws-of-vulnerabilities/2015/01/27/the-ghost-vulnerability
- https://security-tracker.debian.org/tracker/CVE-2015-0235