Quick tests for GHOST gethostbyname () vulnerability (CVE-2015-0235)

Oh Dear monitors your entire site, not just the homepage. We crawl and search for broken pages and mixed content, send alerts when your site is down and notify you on expiring SSL certificates.

Start your free 10 day trial! »

Profile image of Mattias Geniar

Mattias Geniar, January 29, 2015

Follow me on Twitter as @mattiasgeniar

If you’re looking to test if your system is still vulnerable to GHOST (CVE-2015-0235), here are some simple one-liners. These can quickly be used in scripts to run tests.

One-liners

In python:

$ /usr/sbin/clockdiff `python -c "print '0' * $((0x10000 - 16 * 1 - 2 * 4 - 1 - 4))" `
Segmentation fault

$ echo $?
139

In PHP:

$ php -r '$e = "0";for($i = 0; $i < 2500; $i++){ $e = "0$e"; } gethostbyname($e);'
Segmentation fault 

$ echo $?
139

Both scripts will return a Segmentation Fault if the system is vulnerable. The PHP script can be run as a non-privileged user, for the Python example you’ll need root privileges to run the clockdiff tool. You can use the exit/return code in scripts (should be 139) to test if your system is still vulnerable.

Red Hat bash script

Red Hat also offers a GHOST shell-script you can run, which verifies the changelog of the glibc packages in the RPM database.

#!/bin/bash
#Version 3

echo "Installed glibc version(s)"

rv=0
for glibc_nvr in $( rpm -q --qf '%{name}-%{version}-%{release}.%{arch}\n' glibc ); do
    glibc_ver=$( echo "$glibc_nvr" | awk -F- '{ print $2 }' )
    glibc_maj=$( echo "$glibc_ver" | awk -F. '{ print $1 }')
    glibc_min=$( echo "$glibc_ver" | awk -F. '{ print $2 }')
    
    echo -n "- $glibc_nvr: "
    if [ "$glibc_maj" -gt 2   -o  \
        \( "$glibc_maj" -eq 2  -a  "$glibc_min" -ge 18 \) ]; then
        # fixed upstream version
        echo 'not vulnerable'
    else
        # all RHEL updates include CVE in rpm %changelog
        if rpm -q --changelog "$glibc_nvr" | grep -q 'CVE-2015-0235'; then
            echo "not vulnerable"
        else
            echo "vulnerable"
            rv=1
        fi
    fi
done

if [ $rv -ne 0 ]; then
    cat <<EOF

This system is vulnerable to CVE-2015-0235. <https://access.redhat.com/security/cve/CVE-2015-0235>
Please refer to <https://access.redhat.com/articles/1332213> for remediation steps
EOF
fi

exit $rv

Save the script somewhere, make it executable and run it.

$ ./ghost.sh
Installed glibc version(s)
- glibc-2.12-1.149.el6_6.4.x86_64: vulnerable

This system is vulnerable to CVE-2015-0235.
Please refer to  for remediation steps

Happy patching!



Want to subscribe to the cron.weekly newsletter?

I write a weekly-ish newsletter on Linux, open source & webdevelopment called cron.weekly.

It features the latest news, guides & tutorials and new open source projects. You can sign up via email below.

No spam. Just some good, practical Linux & open source content.