Date: Thu, 29 Jan 2015 08:34:31 -0600 (CST) From: "Valeri Galtsev" <galtsev@kicp.uchicago.edu> To: "Polytropon" <freebsd@edvax.de> Cc: freebsd-questions@freebsd.org, jd1008 <jd1008@gmail.com> Subject: Re: Linux "Ghost" Remote Code Execution Vulnerability Message-ID: <7617.69.209.237.9.1422542071.squirrel@cosmo.uchicago.edu> In-Reply-To: <20150129045343.59f750ea.freebsd@edvax.de> References: <20150128145247.5086e9a4@scorpio> <20150129033838.810254de.freebsd@edvax.de> <54C9A3A7.5080202@gmail.com> <20150129045343.59f750ea.freebsd@edvax.de>
next in thread | previous in thread | raw e-mail | index | archive | help
On Wed, January 28, 2015 9:53 pm, Polytropon wrote: > On Wed, 28 Jan 2015 20:06:15 -0700, jd1008 wrote: >> >> On 01/28/2015 07:38 PM, Polytropon wrote: >> > On Wed, 28 Jan 2015 14:52:47 -0500, Jerry wrote: >> >> Does this vulnerability affect FreeBSD? >> >> >> >> https://www.us-cert.gov/ncas/current-activity/2015/01/27/Linux-Ghost-Remote-Code-Execution-Vulnerability >> > FreeBSD's gethostbyname() is located in the standard C library, >> > which is libc, not glibc (that Linux is using), so probably >> > FreeBSD is not affected. However, programs linked against >> > glibc and run in the Linux ABI environment might be affected, >> > I assume. >> > >> > You can find a demonstration program here: >> > >> > http://www.openwall.com/lists/oss-security/2015/01/27/9 >> > >> > It's in section 4. >> > >> > On my home system, I get this: >> > >> > % cc -Wall -o ghost ghost.c >> > % ./ghost >> > should not happen >> > >> > Surprise: Neither "vulnerable" nor "not vulnerable" is printed. >> > That result is interesting. It might indicate ternary logic. >> > YES, NO, FILE_NOT_FOUND. :-) >> > >> > Note that 4.1 explicitely talks about "The GNU C Library" >> > which FreeBSD does not use (or have). Section 4 mentions >> > other programs (such as mount.nfs, ping, procmail) for >> > further explanation. >> Then you do not have the real mccoy. > > I'm a doctor, not a cuckoo clock! :-) > > > >> This is the real Mccoy: >> >> /* ghosttest.c: GHOST vulnerability tester */ >> /* Credit: http://www.openwall.com/lists/oss-security/2015/01/27/9 */ >> #include <netdb.h> >> #include <stdio.h> >> #include <stdlib.h> >> #include <string.h> >> #include <errno.h> >> >> #define CANARY "in_the_coal_mine" >> >> struct { >> char buffer[1024]; >> char canary[sizeof(CANARY)]; >> } temp = { "buffer", CANARY }; >> >> int main(void) { >> struct hostent resbuf; >> struct hostent *result; >> int herrno; >> int retval; >> >> /*** strlen (name) = size_needed - sizeof (*host_addr) - sizeof >> (*h_addr_ptrs) - 1; ***/ >> size_t len = sizeof(temp.buffer) - 16*sizeof(unsigned char) - >> 2*sizeof(char *) - 1; >> char name[sizeof(temp.buffer)]; >> memset(name, '0', len); >> name[len] = '\0'; >> >> retval = gethostbyname_r(name, &resbuf, temp.buffer, >> sizeof(temp.buffer), &result, &herrno); >> >> if (strcmp(temp.canary, CANARY) != 0) { >> puts("vulnerable"); >> exit(EXIT_SUCCESS); >> } >> if (retval == ERANGE) { >> puts("not vulnerable"); >> exit(EXIT_SUCCESS); >> } >> puts("should not happen"); >> exit(EXIT_FAILURE); >> } > > Tested with the code from your message (and the one directly > copied from the web page mentioned): > > % cc -Wall -o ghosttest ghosttest.c && ./ghosttest > should not happen > > But that's maybe because my home system isn't a _current_ > FreeBSD version, that's why it offers a 3rd choice... ;-) > It says "shouldn't happen" because people running systems with non-GNU libc shouldn't test glibc vulnerability, they should sit back and happily drink coffee or tea instead ;-) Valeri ++++++++++++++++++++++++++++++++++++++++ Valeri Galtsev Sr System Administrator Department of Astronomy and Astrophysics Kavli Institute for Cosmological Physics University of Chicago Phone: 773-702-4247 ++++++++++++++++++++++++++++++++++++++++
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?7617.69.209.237.9.1422542071.squirrel>