Date: Thu, 29 Jan 2015 04:53:43 +0100
From: Polytropon
To: jd1008
Cc: freebsd-questions@freebsd.org
Subject: Re: Linux "Ghost" Remote Code Execution Vulnerability
Message-Id: <20150129045343.59f750ea.freebsd@edvax.de>

On Wed, 28 Jan 2015 20:06:15 -0700, jd1008 wrote:
>
> On 01/28/2015 07:38 PM, Polytropon wrote:
> > On Wed, 28 Jan 2015 14:52:47 -0500, Jerry wrote:
> >> Does this vulnerability affect FreeBSD?
> >>
> >> https://www.us-cert.gov/ncas/current-activity/2015/01/27/Linux-Ghost-Remote-Code-Execution-Vulnerability
> > FreeBSD's gethostbyname() is located in the standard C library,
> > which is libc, not glibc (that Linux is using), so probably
> > FreeBSD is not affected. However, programs linked against
> > glibc and run in the Linux ABI environment might be affected,
> > I assume.
> >
> > You can find a demonstration program here:
> >
> > http://www.openwall.com/lists/oss-security/2015/01/27/9
> >
> > It's in section 4.
> >
> > On my home system, I get this:
> >
> >     % cc -Wall -o ghost ghost.c
> >     % ./ghost
> >     should not happen
> >
> > Surprise: Neither "vulnerable" nor "not vulnerable" is printed.
> > That result is interesting. It might indicate ternary logic.
> > YES, NO, FILE_NOT_FOUND. :-)
> >
> > Note that 4.1 explicitly talks about "The GNU C Library"
> > which FreeBSD does not use (or have). Section 4 mentions
> > other programs (such as mount.nfs, ping, procmail) for
> > further explanation.
> Then you do not have the real McCoy.

I'm a doctor, not a cuckoo clock! :-)

> This is the real McCoy:
>
> /* ghosttest.c: GHOST vulnerability tester */
> /* Credit: http://www.openwall.com/lists/oss-security/2015/01/27/9 */
> #include <netdb.h>
> #include <stdio.h>
> #include <stdlib.h>
> #include <string.h>
> #include <errno.h>
>
> #define CANARY "in_the_coal_mine"
>
> struct {
>   char buffer[1024];
>   char canary[sizeof(CANARY)];
> } temp = { "buffer", CANARY };
>
> int main(void) {
>   struct hostent resbuf;
>   struct hostent *result;
>   int herrno;
>   int retval;
>
>   /*** strlen (name) = size_needed - sizeof (*host_addr) - sizeof
> (*h_addr_ptrs) - 1; ***/
>   size_t len = sizeof(temp.buffer) - 16*sizeof(unsigned char) -
> 2*sizeof(char *) - 1;
>   char name[sizeof(temp.buffer)];
>   memset(name, '0', len);
>   name[len] = '\0';
>
>   retval = gethostbyname_r(name, &resbuf, temp.buffer,
> sizeof(temp.buffer), &result, &herrno);
>
>   if (strcmp(temp.canary, CANARY) != 0) {
>     puts("vulnerable");
>     exit(EXIT_SUCCESS);
>   }
>   if (retval == ERANGE) {
>     puts("not vulnerable");
>     exit(EXIT_SUCCESS);
>   }
>   puts("should not happen");
>   exit(EXIT_FAILURE);
> }

Tested with the code from your message (and the one directly
copied from the web page mentioned):

    % cc -Wall -o ghosttest ghosttest.c && ./ghosttest
    should not happen

But that's maybe because my home system isn't a _current_
FreeBSD version, that's why it offers a 3rd choice... ;-)

-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
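
Added example (not part of the original message or of the advisory it cites): the same probe with its three outcomes separated and the raw return value reported, so that a "should not happen" result can be read as "canary intact, but the library did not answer ERANGE". The names ghost_classify, ghost_probe and ghost_is_glibc are made up for this example; it assumes the six-argument gethostbyname_r() used by the tester quoted above.

```c
/* ghostdiag.c: added example; same probe as ghosttest.c, plus diagnostics. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE            /* ask glibc headers to declare gethostbyname_r() */
#endif
#include <errno.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>

#define CANARY "in_the_coal_mine"

/* Same layout as the original tester: the canary sits right after the buffer. */
static struct { char buffer[1024]; char canary[sizeof(CANARY)]; }
ghost_temp = { "buffer", CANARY };

enum ghost_result { GHOST_VULNERABLE, GHOST_NOT_VULNERABLE, GHOST_INCONCLUSIVE };

/* Decision logic only, in the same order of checks as the original tester. */
enum ghost_result ghost_classify(int canary_intact, int retval) {
  if (!canary_intact) return GHOST_VULNERABLE;       /* bytes written past buffer */
  if (retval == ERANGE) return GHOST_NOT_VULNERABLE; /* buffer reported too small */
  return GHOST_INCONCLUSIVE;                         /* "should not happen" */
}

/* 1 when built against glibc headers, 0 for any other C library. */
int ghost_is_glibc(void) {
#ifdef __GLIBC__
  return 1;
#else
  return 0;
#endif
}

/* Runs the probe once and hands back the raw return value and h_errno. */
enum ghost_result ghost_probe(int *retval_out, int *herrno_out) {
  struct hostent resbuf, *result = NULL;
  char name[sizeof(ghost_temp.buffer)];
  /* Same name length as the original tester. */
  size_t len = sizeof(ghost_temp.buffer) - 16 * sizeof(unsigned char)
               - 2 * sizeof(char *) - 1;
  *herrno_out = 0;
  memset(name, '0', len);
  name[len] = '\0';
  *retval_out = gethostbyname_r(name, &resbuf, ghost_temp.buffer,
                                sizeof(ghost_temp.buffer), &result, herrno_out);
  return ghost_classify(strcmp(ghost_temp.canary, CANARY) == 0, *retval_out);
}

int main(void) {
  static const char *label[] = { "vulnerable", "not vulnerable", "inconclusive" };
  int retval, herrno;
  enum ghost_result r = ghost_probe(&retval, &herrno);
  printf("libc: %s\n", ghost_is_glibc() ? "glibc" : "not glibc (tester targets glibc)");
  printf("retval=%d (%s) h_errno=%d -> %s\n", retval, strerror(retval), herrno, label[r]);
  return r == GHOST_VULNERABLE;
}
```

An "inconclusive" line together with "not glibc" says only that the probe's assumptions about the resolver do not hold on that system; it is not evidence either way about the glibc bug.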