Quick tests for the GHOST gethostbyname() vulnerability (CVE-2015-0235)

Mattias Geniar, Thursday, January 29, 2015

If you're looking to test if your system is still vulnerable to GHOST (CVE-2015-0235), here are some simple one-liners. These can quickly be used in scripts to run tests.

One-liners

In Python:

$ /usr/sbin/clockdiff `python -c "print('0' * $((0x10000 - 16 * 1 - 2 * 4 - 1 - 4)))"`
Segmentation fault

$ echo $?
139

In PHP:

$ php -r '$e = "0";for($i = 0; $i < 2500; $i++){ $e = "0$e"; } gethostbyname($e);'
Segmentation fault 

$ echo $?
139

Both one-liners end in a segmentation fault if the system is vulnerable. The PHP one-liner can be run as a non-privileged user; for the Python example you'll need root privileges to run the clockdiff tool. You can use the exit/return code in scripts (it should be 139) to test whether your system is still vulnerable.
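One way to act on that exit code from a script, as an added example that is not part of the original post: the function names classify_ghost_status and run_ghost_test are hypothetical. Only status 139 is reported as vulnerable; any other non-zero status is treated as inconclusive, so a missing php binary or a clockdiff run without root is not mistaken for a patched system.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.
# Usage: ./ghost-exit.sh <test command...>, e.g. the PHP one-liner above.

# Map an exit status to a verdict. Prints the verdict and returns
# 0 = no crash, 1 = vulnerable, 2 = inconclusive.
classify_ghost_status() {
    if [ "$1" -eq 139 ]; then
        # 139 = 128 + 11: the test process was killed by SIGSEGV.
        echo "vulnerable"
        return 1
    elif [ "$1" -eq 0 ]; then
        # Only says that this particular test did not crash.
        echo "no-crash"
        return 0
    elif [ "$1" -eq 126 ] || [ "$1" -eq 127 ]; then
        # The shell could not execute the test command at all.
        echo "inconclusive: test command not found or not executable"
        return 2
    elif [ "$1" -gt 128 ] && [ "$1" -le 192 ]; then
        # Killed by some other signal (for example SIGKILL from a timeout).
        echo "inconclusive: killed by signal $(($1 - 128))"
        return 2
    fi
    # Plain failure: the status alone cannot tell a rejected hostname from
    # a tool that never reached the lookup (e.g. clockdiff without root).
    echo "inconclusive: exit status $1"
    return 2
}

# Run the given test command quietly and classify how it ended.
run_ghost_test() {
    _ghost_st=0
    "$@" >/dev/null 2>&1 || _ghost_st=$?
    classify_ghost_status "$_ghost_st"
}

# When called with arguments, treat them as the test command.
if [ "$#" -gt 0 ]; then
    run_ghost_test "$@"
fi
```

The script's own exit status follows the verdict (0, 1 or 2), so it can be used directly in a cron job or monitoring check.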

Red Hat bash script

Red Hat also offers a GHOST shell-script you can run, which verifies the changelog of the glibc packages in the RPM database.

#!/bin/bash
#Version 3

echo "Installed glibc version(s)"

rv=0
for glibc_nvr in $( rpm -q --qf '%{name}-%{version}-%{release}.%{arch}\n' glibc ); do
    glibc_ver=$( echo "$glibc_nvr" | awk -F- '{ print $2 }' )
    glibc_maj=$( echo "$glibc_ver" | awk -F. '{ print $1 }')
    glibc_min=$( echo "$glibc_ver" | awk -F. '{ print $2 }')
    
    echo -n "- $glibc_nvr: "
    if [ "$glibc_maj" -gt 2   -o  \
        \( "$glibc_maj" -eq 2  -a  "$glibc_min" -ge 18 \) ]; then
        # fixed upstream version
        echo 'not vulnerable'
    else
        # all RHEL updates include CVE in rpm %changelog
        if rpm -q --changelog "$glibc_nvr" | grep -q 'CVE-2015-0235'; then
            echo "not vulnerable"
        else
            echo "vulnerable"
            rv=1
        fi
    fi
done

if [ $rv -ne 0 ]; then
    cat <<EOF

This system is vulnerable to CVE-2015-0235. 
Please refer to  for remediation steps
EOF
fi

exit $rv

Save the script somewhere, make it executable and run it.

$ ./ghost.sh
Installed glibc version(s)
- glibc-2.12-1.149.el6_6.4.x86_64: vulnerable

This system is vulnerable to CVE-2015-0235.
Please refer to  for remediation steps

Happy patching!



Hi! My name is Mattias Geniar. I'm a Support Manager at Nucleus Hosting in Belgium, a general web geek & public speaker. Currently working on DNS Spy & Oh Dear!. Follow me on Twitter as @mattiasgeniar.


Comments

Alex, Friday, February 26, 2016 at 23:21

Excellent, easy to follow. My server is vulnerable, what next?


    Mattias Geniar, Tuesday, March 1, 2016 at 19:10

    Chances are, if you’re vulnerable and publicly available, the server has already been compromised and should be considered “hacked”.

    If you’re certain that the system is safe: update all packages (yum update / apt-get upgrade), reboot your server(s) and it’s probably done. Unless your OS, for some reason, does not have updated packages.

