Date: Thu, 29 Jan 2015 04:53:43 +0100
From: Polytropon <freebsd@edvax.de>
To: jd1008 <jd1008@gmail.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: Linux "Ghost" Remote Code Execution Vulnerability
Message-ID: <20150129045343.59f750ea.freebsd@edvax.de>
In-Reply-To: <54C9A3A7.5080202@gmail.com>
References: <20150128145247.5086e9a4@scorpio> <20150129033838.810254de.freebsd@edvax.de> <54C9A3A7.5080202@gmail.com>

On Wed, 28 Jan 2015 20:06:15 -0700, jd1008 wrote:
>
> On 01/28/2015 07:38 PM, Polytropon wrote:
> > On Wed, 28 Jan 2015 14:52:47 -0500, Jerry wrote:
> >> Does this vulnerability affect FreeBSD?
> >>
> >> https://www.us-cert.gov/ncas/current-activity/2015/01/27/Linux-Ghost-Remote-Code-Execution-Vulnerability
> > FreeBSD's gethostbyname() is located in the standard C library,
> > which is libc, not glibc (that Linux is using), so probably
> > FreeBSD is not affected. However, programs linked against
> > glibc and run in the Linux ABI environment might be affected,
> > I assume.
> >
> > You can find a demonstration program here:
> >
> >     http://www.openwall.com/lists/oss-security/2015/01/27/9
> >
> > It's in section 4.
> >
> > On my home system, I get this:
> >
> >     % cc -Wall -o ghost ghost.c
> >     % ./ghost
> >     should not happen
> >
> > Surprise: Neither "vulnerable" nor "not vulnerable" is printed.
> > That result is interesting. It might indicate ternary logic.
> > YES, NO, FILE_NOT_FOUND. :-)
> >
> > Note that 4.1 explicitly talks about "The GNU C Library"
> > which FreeBSD does not use (or have). Section 4 mentions
> > other programs (such as mount.nfs, ping, procmail) for
> > further explanation.
> Then you do not have the real McCoy.

I'm a doctor, not a cuckoo clock! :-)

> This is the real McCoy:
>
> /* ghosttest.c: GHOST vulnerability tester */
> /* Credit: http://www.openwall.com/lists/oss-security/2015/01/27/9 */
> #include <netdb.h>
> #include <stdio.h>
> #include <stdlib.h>
> #include <string.h>
> #include <errno.h>
>
> #define CANARY "in_the_coal_mine"
>
> struct {
>   char buffer[1024];
>   char canary[sizeof(CANARY)];
> } temp = { "buffer", CANARY };
>
> int main(void) {
>   struct hostent resbuf;
>   struct hostent *result;
>   int herrno;
>   int retval;
>
>   /*** strlen (name) = size_needed - sizeof (*host_addr) - sizeof (*h_addr_ptrs) - 1; ***/
>   size_t len = sizeof(temp.buffer) - 16*sizeof(unsigned char) - 2*sizeof(char *) - 1;
>   char name[sizeof(temp.buffer)];
>   memset(name, '0', len);
>   name[len] = '\0';
>
>   retval = gethostbyname_r(name, &resbuf, temp.buffer,
>                            sizeof(temp.buffer), &result, &herrno);
>
>   if (strcmp(temp.canary, CANARY) != 0) {
>     puts("vulnerable");
>     exit(EXIT_SUCCESS);
>   }
>   if (retval == ERANGE) {
>     puts("not vulnerable");
>     exit(EXIT_SUCCESS);
>   }
>   puts("should not happen");
>   exit(EXIT_FAILURE);
> }

Tested with the code from your message (and the one directly
copied from the web page mentioned):

    % cc -Wall -o ghosttest ghosttest.c && ./ghosttest
    should not happen

But that's maybe because my home system isn't a _current_
FreeBSD version, that's why it offers a 3rd choice... ;-)

-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
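
An added example, not part of the original message or of the Openwall advisory: the same canary probe, but with the third branch reported as "inconclusive" together with the raw return value and h_errno, and with the libc the binary was built against printed, so a "should not happen" run can be interpreted. The names ghost_classify, ghost_probe and enum ghost_result are assumptions introduced here.

```c
/* Added example: three-state variant of the canary probe quoted above. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* expose gethostbyname_r() under strict -std= modes */
#endif
#include <errno.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>

#define CANARY "in_the_coal_mine"

/* Hypothetical names, not from the advisory. */
enum ghost_result { GHOST_VULNERABLE, GHOST_NOT_VULNERABLE, GHOST_INCONCLUSIVE };

/* Pure decision logic: canary state first, then the resolver's return code. */
enum ghost_result ghost_classify(int canary_intact, int retval) {
    if (!canary_intact) return GHOST_VULNERABLE;       /* write went past buffer */
    if (retval == ERANGE) return GHOST_NOT_VULNERABLE; /* size check rejected it */
    return GHOST_INCONCLUSIVE;                         /* "should not happen" */
}

/* Same probe as the quoted tester; also hands back retval and h_errno. */
enum ghost_result ghost_probe(int *retval_out, int *herrno_out) {
    static struct { char buffer[1024]; char canary[sizeof(CANARY)]; } temp;
    struct hostent resbuf, *result = NULL;
    char name[sizeof(temp.buffer)];
    size_t len = sizeof(temp.buffer) - 16 * sizeof(unsigned char)
                 - 2 * sizeof(char *) - 1;

    memcpy(temp.canary, CANARY, sizeof(CANARY));  /* re-arm on every call */
    memset(name, '0', len);                       /* all-digit name, as in the PoC */
    name[len] = '\0';
    *herrno_out = 0;
    *retval_out = gethostbyname_r(name, &resbuf, temp.buffer,
                                  sizeof(temp.buffer), &result, herrno_out);
    return ghost_classify(strcmp(temp.canary, CANARY) == 0, *retval_out);
}

int main(void) {
    static const char *label[] = { "vulnerable", "not vulnerable", "inconclusive" };
    int retval, herrno;
    enum ghost_result r = ghost_probe(&retval, &herrno);
#ifdef __GLIBC__
    printf("libc: glibc %d.%d (compile-time headers)\n", __GLIBC__, __GLIBC_MINOR__);
#else
    puts("libc: not glibc (__GLIBC__ undefined)");
#endif
    printf("%s (retval=%d, h_errno=%d)\n", label[r], retval, herrno);
    return r == GHOST_VULNERABLE;   /* non-zero exit only on a confirmed overflow */
}
```

An "inconclusive" result only says the resolver neither overwrote the canary nor returned ERANGE for the oversized name; the printed libc line shows whether the binary was built against the GNU C Library at all.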