Quick tests for GHOST gethostbyname () vulnerability (CVE-2015-0235)

Want to help support this blog? Try out Oh Dear, the best all-in-one monitoring tool for your entire website, co-founded by me (the guy that wrote this blogpost). Start with a 10-day trial, no strings attached.

We offer uptime monitoring, SSL checks, broken links checking, performance & cronjob monitoring, branded status pages & so much more. Try us out today!

Profile image of Mattias Geniar

Mattias Geniar, January 29, 2015

Follow me on Twitter as @mattiasgeniar

If you’re looking to test if your system is still vulnerable to GHOST (CVE-2015-0235), here are some simple one-liners. These can quickly be used in scripts to run tests.


In python:

$ /usr/sbin/clockdiff `python -c "print '0' * $((0x10000 - 16 * 1 - 2 * 4 - 1 - 4))" `
Segmentation fault

$ echo $?


$ php -r '$e = "0";for($i = 0; $i < 2500; $i++){ $e = "0$e"; } gethostbyname($e);'
Segmentation fault 

$ echo $?

Both scripts will return a Segmentation Fault if the system is vulnerable. The PHP script can be run as a non-privileged user, for the Python example you’ll need root privileges to run the clockdiff tool. You can use the exit/return code in scripts (should be 139) to test if your system is still vulnerable.

Red Hat bash script

Red Hat also offers a GHOST shell-script you can run, which verifies the changelog of the glibc packages in the RPM database.

#Version 3

echo "Installed glibc version(s)"

for glibc_nvr in $( rpm -q --qf '%{name}-%{version}-%{release}.%{arch}\n' glibc ); do
    glibc_ver=$( echo "$glibc_nvr" | awk -F- '{ print $2 }' )
    glibc_maj=$( echo "$glibc_ver" | awk -F. '{ print $1 }')
    glibc_min=$( echo "$glibc_ver" | awk -F. '{ print $2 }')
    echo -n "- $glibc_nvr: "
    if [ "$glibc_maj" -gt 2   -o  \
        \( "$glibc_maj" -eq 2  -a  "$glibc_min" -ge 18 \) ]; then
        # fixed upstream version
        echo 'not vulnerable'
        # all RHEL updates include CVE in rpm %changelog
        if rpm -q --changelog "$glibc_nvr" | grep -q 'CVE-2015-0235'; then
            echo "not vulnerable"
            echo "vulnerable"

if [ $rv -ne 0 ]; then
    cat <<EOF

This system is vulnerable to CVE-2015-0235. <https://access.redhat.com/security/cve/CVE-2015-0235>
Please refer to <https://access.redhat.com/articles/1332213> for remediation steps

exit $rv

Save the script somewhere, make it executable and run it.

$ ./ghost.sh
Installed glibc version(s)
- glibc-2.12-1.149.el6_6.4.x86_64: vulnerable

This system is vulnerable to CVE-2015-0235.
Please refer to  for remediation steps

Happy patching!

Want to subscribe to the cron.weekly newsletter?

I write a weekly-ish newsletter on Linux, open source & webdevelopment called cron.weekly.

It features the latest news, guides & tutorials and new open source projects. You can sign up via email below.

No spam. Just some good, practical Linux & open source content.