
Patch and Protect Against the glibc Vulnerability (GHOST) on RHEL/SLES


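I had meant to follow the rule and post my usual ramblings on schedule last week, but for various reasons it slipped, so I am catching up this week; otherwise my good buddy 噁溫 would not be happy. Straight to the point: security researchers at Qualys recently found a gethostbyname buffer overflow bug in the Linux GNU C Library (glibc), which can let someone take remote control of a system without knowing any ID or password. Some have pointed out that it had already been found earlier, but it was only handled as a general fix and was not implemented in the newer OS releases, so RHEL 6.6/7.0, SLES 11 SP3, Ubuntu 10.04/12.04 LTS, Debian 7.x, Fedora 19 and others all carry the vulnerability, and quite a few processes are affected. To keep a cracker from triggering the attack through the DNS resolver with an invalid hostname, let's skip the chatter and see how to patch it, as follows: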
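I. RHEL 6.6 or older version
1) Compile the following code into a binary, or use the script provided by Red Hat, to check for the vulnerability (both can be copied or downloaded from here)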
#cat ghosttest.c
/* ghosttest.c: GHOST vulnerability tester */
/* Credit: http://www.openwall.com/lists/oss-security/2015/01/27/9 */
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>

#define CANARY "in_the_coal_mine"

/* The canary sits directly after the buffer passed to gethostbyname_r(),
   so any write past the end of the buffer changes it. */
struct {
    char buffer[1024];
    char canary[sizeof(CANARY)];
} temp = { "buffer", CANARY };

int main(void) {
    struct hostent resbuf;
    struct hostent *result;
    int herrno;
    int retval;

    /*** strlen (name) = size_needed - sizeof (*host_addr) - sizeof (*h_addr_ptrs) - 1; ***/
    size_t len = sizeof(temp.buffer) - 16*sizeof(unsigned char) - 2*sizeof(char *) - 1;
    char name[sizeof(temp.buffer)];
    memset(name, '0', len);   /* all-digit host name of exactly that length */
    name[len] = '\0';

    retval = gethostbyname_r(name, &resbuf, temp.buffer, sizeof(temp.buffer), &result, &herrno);

    /* Canary changed: glibc wrote past the end of the buffer. */
    if (strcmp(temp.canary, CANARY) != 0) {
        puts("vulnerable");
        exit(EXIT_SUCCESS);
    }
    /* Patched glibc rejects the too-small buffer with ERANGE. */
    if (retval == ERANGE) {
        puts("not vulnerable");
        exit(EXIT_SUCCESS);
    }
    puts("should not happen");
    exit(EXIT_FAILURE);
}
#gcc -o ghosttest ghosttest.c
#./ghosttest
vulnerable
#cat GHOST-test.sh
#!/bin/bash
# rhel-GHOST-test.sh - GHOST vulnerability tester. Only for CentOS/RHEL based servers. #
# Version 3
# Credit : Red Hat, Inc - https://access.redhat.com/labs/ghost/ #
echo "Installed glibc version(s)"
rv=0
# Check every installed glibc package (one per architecture)
for glibc_nvr in $( rpm -q --qf '%{name}-%{version}-%{release}.%{arch}\n' glibc ); do
    glibc_ver=$( echo "$glibc_nvr" | awk -F- '{ print $2 }' )
    glibc_maj=$( echo "$glibc_ver" | awk -F. '{ print $1 }')
    glibc_min=$( echo "$glibc_ver" | awk -F. '{ print $2 }')
    echo -n "- $glibc_nvr: "
    if [ "$glibc_maj" -gt 2 -o \
        \( "$glibc_maj" -eq 2 -a "$glibc_min" -ge 18 \) ]; then
        # fixed upstream version
        echo 'not vulnerable'
    else
        # all RHEL updates include CVE in rpm %changelog
        if rpm -q --changelog "$glibc_nvr" | grep -q 'CVE-2015-0235'; then
            echo "not vulnerable"
        else
            echo "vulnerable"
            rv=1
        fi
    fi
done
if [ $rv -ne 0 ]; then
    cat <<EOF
This system is vulnerable to CVE-2015-0235.
Please refer to for remediation steps
EOF
fi
exit $rv
#./GHOST-test.sh
Installed glibc version(s)
- glibc-2.12-1.149.el6.x86_64: vulnerable
- glibc-2.12-1.149.el6.i686: vulnerable
This system is vulnerable to CVE-2015-0235.
Please refer to for remediation steps

2) List the packages/applications that depend on glibc
#lsof +c 15 | grep libc- | awk '{print $1}' | sort -u
abrt-applet
abrtd
acpid
atd
audispd
auditd
automount
awk
bash
bluetooth-apple
bonobo-activati
cachefilesd
certmonger
cimserver
clock-applet
console-kit-dae
crond
cupsd
dbus-daemon
dbus-launch
devkit-power-da
dhclient
escd
fcoemon
gconfd-2
gconf-helper
gconf-im-settin
gdm-binary
gdm-session-wor
gdm-simple-slav
gdm-user-switch
gdu-notificatio
gnome-keyring-d
gnome-panel
gnome-power-man
gnome-pty-helpe
gnome-screensav
gnome-session
gnome-settings-
gnome-terminal
gnome-volume-co
gnote
gpk-update-icon
gpm
grep
gvfs-afc-volume
gvfsd
gvfsd-burn
gvfsd-trash
gvfs-fuse-daemo
gvfs-gdu-volume
gvfs-gphoto2-vo
hald
hald-addon-acpi
hald-addon-inpu
hald-addon-stor
hald-runner
im-settings-dae
init
irqbalance
lldpad
lsof
mcelog
metacity
mingetty
nautilus
nm-applet
notification-ar
packagekitd
pcscd
polkitd
polkit-gnome-au
portreserve
pulseaudio
python
rhsmcertd
rhsm-icon
rpcbind
rpc.statd
rsyslogd
rtkit-daemon
seahorse-agent
seahorse-daemon
sedispatch
sendmail
sftp-server
sort
sshd
trashapplet
udevd
udisks-daemon
uuidd
vmtoolsd
vmware-vmblock-
wnck-applet
xinetd
Xorg

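3) Update the packages with the rpm command, following the instructions here, to apply the fix (the standalone method is shown here; for the yum method, see here)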
#wget ftp://mirror01.idc.hinet.net/centos/6.6/updates/x86_64/Packages/glibc-2.12-1.149.el6_6.5.x86_64.rpm
#wget ftp://mirror01.idc.hinet.net/centos/6.6/updates/x86_64/Packages/glibc-common-2.12-1.149.el6_6.5.x86_64.rpm
#wget ftp://mirror01.idc.hinet.net/centos/6.6/updates/x86_64/Packages/glibc-devel-2.12-1.149.el6_6.5.x86_64.rpm
#wget ftp://mirror01.idc.hinet.net/centos/6.6/updates/x86_64/Packages/glibc-headers-2.12-1.149.el6_6.5.x86_64.rpm
#wget ftp://mirror01.idc.hinet.net/centos/6.6/updates/x86_64/Packages/glibc-static-2.12-1.149.el6_6.4.x86_64.rpm
#wget ftp://mirror01.idc.hinet.net/centos/6.6/updates/x86_64/Packages/glibc-utils-2.12-1.149.el6_6.5.x86_64.rpm
#wget ftp://mirror01.idc.hinet.net/centos/6.6/updates/x86_64/Packages/nscd-2.12-1.149.el6_6.5.x86_64.rpm
#rpm -Uvh *.rpm
warning: glibc-2.12-1.149.el6_6.5.i686.rpm: Header V3 RSA/SHA1 Signature, key ID c105b9de: NOKEY
Preparing... ########################################### [100%]
1:glibc-common ########################################### [ 10%]
2:glibc ########################################### [ 20%]
3:glibc-headers ########################################### [ 30%]
4:glibc-devel ########################################### [ 40%]
5:glibc-utils ########################################### [ 50%]
6:nscd ########################################### [ 60%]
7:glibc ########################################### [ 70%]
8:glibc-devel ########################################### [ 80%]
9:glibc-static ########################################### [ 90%]
10:glibc-static ########################################### [100%]

4) Verify that the GHOST vulnerability has been patched (the glibc version can also be checked with ldd)
#cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.6 (Santiago)
#env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
this is a test
#./ghosttest
not vulnerable
#./GHOST-test.sh
Installed glibc version(s)
- glibc-2.12-1.149.el6_6.5.x86_64: not vulnerable
- glibc-2.12-1.149.el6_6.5.i686: not vulnerable
#rpm -qa | grep -i glibc
glibc-2.12-1.149.el6_6.5.i686
compat-glibc-2.5-46.2.x86_64
glibc-devel-2.12-1.149.el6_6.5.x86_64
compat-glibc-headers-2.5-46.2.x86_64
glibc-static-2.12-1.149.el6_6.5.x86_64
glibc-headers-2.12-1.149.el6_6.5.x86_64
glibc-devel-2.12-1.149.el6_6.5.i686
glibc-common-2.12-1.149.el6_6.5.x86_64
glibc-static-2.12-1.149.el6_6.5.i686
glibc-utils-2.12-1.149.el6_6.5.x86_64
glibc-2.12-1.149.el6_6.5.x86_64
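
Updating the packages does not change what already-running processes have mapped: the services listed in step 2 keep using the old libc until they are restarted or the host is rebooted, and this holds for the RHEL 7.0 and SLES sections as well. The script below is an added example, not part of the original post, that lists such processes by scanning /proc/<pid>/maps for a libc marked "(deleted)"; the function names and the proc_root parameter are assumptions of this example, and the sample tree is constructed.

```shell
#!/bin/bash
# Added example, not from the original post. After "rpm -Uvh" replaces
# libc-*.so, running processes keep the old file mapped until restarted;
# /proc/<pid>/maps then lists it with a " (deleted)" suffix.

# Print "PID<TAB>name" for every process still mapping a deleted libc.
# proc_root (an assumption of this example) defaults to /proc, so the
# function can also be run against a constructed tree.
stale_libc_procs() {
    local root dir name
    root=${1:-/proc}
    for dir in "$root"/[0-9]*; do
        [ -r "$dir/maps" ] || continue   # process gone, or glob matched nothing
        if grep -Eq '/libc-[0-9.]+\.so.* \(deleted\)$' "$dir/maps" 2>/dev/null; then
            name=$(awk '/^Name:/ { print $2; exit }' "$dir/status" 2>/dev/null) || name=
            printf '%s\t%s\n' "${dir##*/}" "${name:-?}"
        fi
    done | sort -n
}

# Constructed /proc-like tree: PID 101 still maps the replaced library,
# PID 202 was restarted after the update and maps the new file.
make_sample_proc() {
    local t
    t=$(mktemp -d) || return 1
    mkdir "$t/101" "$t/202"
    echo '7f3c1a000000-7f3c1a18a000 r-xp 00000000 fd:00 1311 /lib64/libc-2.12.so (deleted)' \
        > "$t/101/maps"
    printf 'Name:\tsshd\nState:\tS (sleeping)\n' > "$t/101/status"
    echo '7f9b2c000000-7f9b2c18a000 r-xp 00000000 fd:00 2977 /lib64/libc-2.12.so' \
        > "$t/202/maps"
    printf 'Name:\tcrond\nState:\tS (sleeping)\n' > "$t/202/status"
    echo "$t"
}

sample=$(make_sample_proc)
stale_libc_procs "$sample"   # constructed data; lists only PID 101 (sshd)
rm -rf "$sample"
# On a real host, run as root with no argument: stale_libc_procs
```

An empty result on a real host means no running process still maps the replaced libc; anything listed needs a service restart or a reboot before the fix protects it.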

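II. RHEL 7.0
1) Compile the test C code into a binary, or use the script provided by Red Hat, to check for the vulnerability (both can be copied or downloaded from here)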
#./ghosttest
vulnerable
#./GHOST-test.sh
Installed glibc version(s)
- glibc-2.17-55.el7.x86_64: vulnerable
This system is vulnerable to CVE-2015-0235.
Please refer to for remediation steps

2) List the packages/applications that depend on glibc
#lsof +c 15 | grep libc- | awk '{print $1}' | sort -u
abrt-applet
abrtd
abrt-watch-log
accounts-daemon
alsactl
atd
at-spi2-registr
at-spi-bus-laun
audispd
auditd
avahi-daemon
awk
bash
bluetoothd
cal-client-dbus
chronyd
cleanup
colord
crond
cupsd
dbus-daemon
dbus-launch
dconf
dconf-service
dhclient
dispatch
escd
evolution-addre
evolution-calen
evolution-sourc
gconfd-2
gdbus
gdm
gdm-session-wor
gdm-simple-slav
gmain
gnome-keyring-d
gnome-pty-helpe
gnome-session
gnome-settings-
gnome-shell
gnome-shell-cal
gnome-terminal-
goa-daemon
grep
gsd-printer
gvfs-afc-volume
gvfsd
gvfsd-fuse
gvfsd-trash
gvfs-fuse-sub
gvfs-goa-volume
gvfs-gphoto2-vo
gvfs-mtp-volume
gvfs-udisks2-vo
ibus-daemon
ibus-dconf
ibus-engine-sim
ibus-x11
in:imjournal
iprdump
iprinit
iprupdate
irqbalance
JS
ksmtuned
libvirtd
lsmd
lsof
lvmetad
master
mission-control
ModemManager
nautilus
null-sink
pcscd
pickup
polkitd
pool
probing-thread
pulseaudio
qmgr
rhsmcertd
rhsm-icon
rngd
rpcbind
rpc.statd
rs:main
rsyslogd
rtkit-daemon
runaway-killer-
sedispatch
sftp-server
sleep
smartd
sort
ssh-agent
sshd
systemd
systemd-journal
systemd-logind
systemd-udevd
threaded-ml
timer
tracker-miner-f
tracker-store
tuned
udisksd
upowerd
vmtoolsd
Xorg

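3) Update the packages with the rpm command, following the instructions here, to apply the fix (the standalone method is shown here; for the yum method, see here)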
#wget ftp://mirror01.idc.hinet.net/centos/7.0.1406/updates/x86_64/Packages/glibc-2.17-55.el7_0.5.x86_64.rpm
#wget ftp://mirror01.idc.hinet.net/centos/7.0.1406/updates/x86_64/Packages/glibc-common-2.17-55.el7_0.5.x86_64.rpm
#wget ftp://mirror01.idc.hinet.net/centos/7.0.1406/updates/x86_64/Packages/glibc-devel-2.17-55.el7_0.5.x86_64.rpm
#wget ftp://mirror01.idc.hinet.net/centos/7.0.1406/updates/x86_64/Packages/glibc-headers-2.17-55.el7_0.5.x86_64.rpm
#wget ftp://mirror01.idc.hinet.net/centos/7.0.1406/updates/x86_64/Packages/glibc-static-2.17-55.el7_0.5.x86_64.rpm
#wget ftp://mirror01.idc.hinet.net/centos/7.0.1406/updates/x86_64/Packages/glibc-utils-2.17-55.el7_0.5.x86_64.rpm
#wget ftp://mirror01.idc.hinet.net/centos/7.0.1406/updates/x86_64/Packages/nscd-2.17-55.el7_0.5.x86_64.rpm
#rpm -Uvh *
warning: glibc-2.17-55.el7_0.5.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID f4a80eb5: NOKEY
Preparing... ################################# [100%]
Updating / installing...
1:glibc-common-2.17-55.el7_0.5 ################################# [ 9%]
2:glibc-2.17-55.el7_0.5 ################################# [ 18%]
3:glibc-headers-2.17-55.el7_0.5 ################################# [ 27%]
4:glibc-devel-2.17-55.el7_0.5 ################################# [ 36%]
5:glibc-static-2.17-55.el7_0.5 ################################# [ 45%]
6:glibc-utils-2.17-55.el7_0.5 ################################# [ 55%]
7:nscd-2.17-55.el7_0.5 ################################# [ 64%]
Cleaning up / removing...
8:glibc-devel-2.17-55.el7 ################################# [ 73%]
9:glibc-headers-2.17-55.el7 ################################# [ 82%]
10:glibc-common-2.17-55.el7 ################################# [ 91%]
11:glibc-2.17-55.el7 ################################# [100%]

4) Verify that the GHOST vulnerability has been patched (the glibc version can also be checked with ldd)
#cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.0 (Maipo)
#env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable => CVE-2014-6271
#./ghosttest
not vulnerable
#./GHOST-test.sh
Installed glibc version(s)
- glibc-2.17-55.el7_0.5.x86_64: not vulnerable
#rpm -qa | grep -i glibc
glibc-common-2.17-55.el7_0.5.x86_64
glibc-devel-2.17-55.el7_0.5.x86_64
glibc-static-2.17-55.el7_0.5.x86_64
compat-glibc-2.12-4.el7.x86_64
glibc-2.17-55.el7_0.5.x86_64
compat-glibc-headers-2.12-4.el7.x86_64
glibc-headers-2.17-55.el7_0.5.x86_64
glibc-utils-2.17-55.el7_0.5.x86_64

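III. SLES 11 SP3 or older version
1) Compile the test C code into a binary, or use the script provided by Red Hat, to check for the vulnerability (both can be copied or downloaded from here)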
#./ghosttest
vulnerable
#./GHOST-test.sh
Installed glibc version(s)
- glibc-2.11.3-17.54.1.x86_64: vulnerable
This system is vulnerable to CVE-2015-0235.
Please refer to for remediation steps

2) List the packages/applications that depend on glibc
#lsof +c 15 | grep libc- | awk '{print $1}' | sort -u
X
acpid
audispd
auditd
awk
bash
bonobo-activati
console-kit-dae
cron
cupsd
dbus-daemon
dbus-launch
dhcp6c
dhcpcd
gconfd-2
gdm
gdm-session-wor
gdm-simple-slav
gnome-keyring-d
gnome-panel
gnome-power-man
gnome-pty-helpe
gnome-screensav
gnome-session
gnome-settings-
gnome-terminal
gnome-volume-co
gpg-agent
grep
gvfs-fuse-daemo
gvfs-gphoto2-vo
gvfs-hal-volume
gvfsd
gvfsd-burn
gvfsd-trash
hald
hald-addon-acpi
hald-addon-inpu
hald-addon-stor
hald-runner
haveged
init
irqbalance
klogd
lsof
main-menu
master
mcelog
metacity
mingetty
nautilus
nscd
pickup
pulseaudio
python
qmgr
rpcbind
sftp-server
sort
sshd
syslog-ng
udevd
vmtoolsd
vmware-vmblock-

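3) Update the packages with the rpm command, following the instructions here, to apply the fix (the standalone method is shown here; for the zypper method, see here)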
#ls
glibc-2.11.3-17.74.13.x86_64.rpm
glibc-32bit-2.11.3-17.74.13.x86_64.rpm
glibc-devel-2.11.3-17.74.13.x86_64.rpm
glibc-devel-32bit-2.11.3-17.74.13.x86_64.rpm
glibc-html-2.11.3-17.74.13.x86_64.rpm
glibc-i18ndata-2.11.3-17.74.13.x86_64.rpm
glibc-info-2.11.3-17.74.13.x86_64.rpm
glibc-locale-2.11.3-17.74.13.x86_64.rpm
glibc-locale-32bit-2.11.3-17.74.13.x86_64.rpm
glibc-profile-2.11.3-17.74.13.x86_64.rpm
glibc-profile-32bit-2.11.3-17.74.13.x86_64.rpm
nscd-2.11.3-17.74.13.x86_64.rpm
#rpm -Uvh *
Preparing... ########################################### [100%]
1:glibc ########################################### [ 8%]
2:glibc-32bit ########################################### [ 17%]
3:glibc-devel ########################################### [ 25%]
4:glibc-locale-32bit ########################################### [ 33%]
5:glibc-locale ########################################### [ 42%]
6:glibc-devel-32bit ########################################### [ 50%]
7:glibc-html ########################################### [ 58%]
8:glibc-i18ndata ########################################### [ 67%]
9:glibc-info ########################################### [ 75%]
10:glibc-profile ########################################### [ 83%]
11:glibc-profile-32bit ########################################### [ 92%]
12:nscd ########################################### [100%]

4) Verify that the GHOST vulnerability has been patched (the glibc version can also be checked with ldd)
#cat /etc/issue
Welcome to SUSE Linux Enterprise Server 11 SP3 (x86_64) - Kernel \r (\l).
#env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable => CVE-2014-6271
#./ghosttest
not vulnerable
#./GHOST-test.sh
Installed glibc version(s)
- glibc-2.11.3-17.74.13.x86_64: not vulnerable
#rpm -qa | grep -i glibc
glibc-locale-2.11.3-17.74.13
glibc-32bit-2.11.3-17.74.13
glibc-profile-2.11.3-17.74.13
glibc-devel-2.11.3-17.74.13
glibc-html-2.11.3-17.74.13
glibc-profile-32bit-2.11.3-17.74.13
glibc-locale-32bit-2.11.3-17.74.13
glibc-i18ndata-2.11.3-17.74.13
glibc-2.11.3-17.74.13
glibc-info-2.11.3-17.74.13
glibc-devel-32bit-2.11.3-17.74.13

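◎ That covers the basic steps to patch and protect against the glibc vulnerability. But wait, did I leave out SLES 12!? That is because it really is that solid: it is not hit by CVE-2014-6271 or CVE-2015-0235, which is far better than RHEL 7.0. If you want a detailed write-up of the vulnerability (or coverage of Ubuntu, Debian and so on), see NIST and Cyberciti; Jamyy has also pointed to related sites. That's it for now, time to call it a day!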

  1. So you finally admit that you and 噁溫 are both gay guys
