From owner-freebsd-questions@FreeBSD.ORG Thu Jan 29 14:34:32 2015 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id D5E90588 for ; Thu, 29 Jan 2015 14:34:32 +0000 (UTC) Received: from cosmo.uchicago.edu (cosmo.uchicago.edu [128.135.52.97]) by mx1.freebsd.org (Postfix) with ESMTP id 925C91E0 for ; Thu, 29 Jan 2015 14:34:32 +0000 (UTC) Received: by cosmo.uchicago.edu (Postfix, from userid 48) id 821F8CB8C9D; Thu, 29 Jan 2015 08:34:31 -0600 (CST) Received: from 69.209.237.9 (SquirrelMail authenticated user valeri) by cosmo.uchicago.edu with HTTP; Thu, 29 Jan 2015 08:34:31 -0600 (CST) Message-ID: <7617.69.209.237.9.1422542071.squirrel@cosmo.uchicago.edu> In-Reply-To: <20150129045343.59f750ea.freebsd@edvax.de> References: <20150128145247.5086e9a4@scorpio> <20150129033838.810254de.freebsd@edvax.de> <54C9A3A7.5080202@gmail.com> <20150129045343.59f750ea.freebsd@edvax.de> Date: Thu, 29 Jan 2015 08:34:31 -0600 (CST) Subject: Re: Linux "Ghost" Remote Code Execution Vulnerability From: "Valeri Galtsev" To: "Polytropon" Reply-To: galtsev@kicp.uchicago.edu User-Agent: SquirrelMail/1.4.8-5.el5.centos.7 MIME-Version: 1.0 Content-Type: text/plain;charset=iso-8859-1 Content-Transfer-Encoding: 8bit X-Priority: 3 (Normal) Importance: Normal Cc: freebsd-questions@freebsd.org, jd1008 X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 29 Jan 2015 14:34:33 -0000 On Wed, January 28, 2015 9:53 pm, Polytropon wrote: > On Wed, 28 Jan 2015 20:06:15 -0700, jd1008 wrote: >> >> On 01/28/2015 07:38 PM, Polytropon wrote: >> > On Wed, 28 Jan 2015 14:52:47 -0500, Jerry wrote: >> >> Does this vulnerability affect FreeBSD? >> >> >> >> https://www.us-cert.gov/ncas/current-activity/2015/01/27/Linux-Ghost-Remote-Code-Execution-Vulnerability >> > FreeBSD's gethostbyname() is located in the standard C library, >> > which is libc, not glibc (that Linux is using), so probably >> > FreeBSD is not affected. However, programs linked against >> > glibc and run in the Linux ABI environment might be affected, >> > I assume. >> > >> > You can find a demonstration program here: >> > >> > http://www.openwall.com/lists/oss-security/2015/01/27/9 >> > >> > It's in section 4. >> > >> > On my home system, I get this: >> > >> > % cc -Wall -o ghost ghost.c >> > % ./ghost >> > should not happen >> > >> > Surprise: Neither "vulnerable" nor "not vulnerable" is printed. >> > That result is interesting. It might indicate ternary logic. >> > YES, NO, FILE_NOT_FOUND. :-) >> > >> > Note that 4.1 explicitely talks about "The GNU C Library" >> > which FreeBSD does not use (or have). Section 4 mentions >> > other programs (such as mount.nfs, ping, procmail) for >> > further explanation. >> Then you do not have the real mccoy. > > I'm a doctor, not a cuckoo clock! :-) > > > >> This is the real Mccoy: >> >> /* ghosttest.c: GHOST vulnerability tester */ >> /* Credit: http://www.openwall.com/lists/oss-security/2015/01/27/9 */ >> #include >> #include >> #include >> #include >> #include >> >> #define CANARY "in_the_coal_mine" >> >> struct { >> char buffer[1024]; >> char canary[sizeof(CANARY)]; >> } temp = { "buffer", CANARY }; >> >> int main(void) { >> struct hostent resbuf; >> struct hostent *result; >> int herrno; >> int retval; >> >> /*** strlen (name) = size_needed - sizeof (*host_addr) - sizeof >> (*h_addr_ptrs) - 1; ***/ >> size_t len = sizeof(temp.buffer) - 16*sizeof(unsigned char) - >> 2*sizeof(char *) - 1; >> char name[sizeof(temp.buffer)]; >> memset(name, '0', len); >> name[len] = '\0'; >> >> retval = gethostbyname_r(name, &resbuf, temp.buffer, >> sizeof(temp.buffer), &result, &herrno); >> >> if (strcmp(temp.canary, CANARY) != 0) { >> puts("vulnerable"); >> exit(EXIT_SUCCESS); >> } >> if (retval == ERANGE) { >> puts("not vulnerable"); >> exit(EXIT_SUCCESS); >> } >> puts("should not happen"); >> exit(EXIT_FAILURE); >> } > > Tested with the code from your message (and the one directly > copied from the web page mentioned): > > % cc -Wall -o ghosttest ghosttest.c && ./ghosttest > should not happen > > But that's maybe because my home system isn't a _current_ > FreeBSD version, that's why it offers a 3rd choice... ;-) > It says "shouldn't happen" because people running systems with non-GNU libc shouldn't test glibc vulnerability, they should sit back and happily drink coffee or tea instead ;-) Valeri ++++++++++++++++++++++++++++++++++++++++ Valeri Galtsev Sr System Administrator Department of Astronomy and Astrophysics Kavli Institute for Cosmological Physics University of Chicago Phone: 773-702-4247 ++++++++++++++++++++++++++++++++++++++++