Ghost glibc vulnerability extends to PHP


by Ryan Morben

Earlier this week, on Tuesday the 27th of January 2015, Threatpost (Kaspersky Lab's security news service) reported that a critical vulnerability had been found in the GNU C library, glibc. Dubbed GHOST (CVE-2015-0235) by the Qualys researchers who found it, the bug is a heap-based buffer overflow in the internal __nss_hostname_digits_dots() function, which is reached through gethostbyname() and gethostbyname2(). It affects glibc releases going back to 2.2 from November 2000; the bug was actually fixed upstream in glibc 2.18 in 2013, but the fix was not flagged as security-relevant at the time, so most stable Linux distributions never backported it.

You can read more about the original announcement over on Threatpost, but to quote an advisory from Linux distributor Red Hat (the functions referred to are gethostbyname() and gethostbyname2()):

“A remote attacker able to make an application call either of these functions could use this flaw to execute arbitrary code with the permissions of the user running the application”

Yesterday, Thursday the 29th of January 2015, Threatpost followed up with the news that PHP applications, including very popular ones such as WordPress, are likely to be exposed to this vulnerability, because PHP's own gethostbyname() is a thin wrapper around the glibc call.

Marc-Alexandre Montpas, a senior vulnerability researcher and author for the sucuri.net blog, has been listing applications that reach the vulnerable code (the same set the Qualys advisory identified), including:

  • clockdiff (from iputils; it passes its command-line argument straight to gethostbyname(), which is why it makes a convenient local test)
  • Exim mail server (when helo_verify_hosts or helo_try_verify_hosts is configured, so that the client-supplied HELO/EHLO name is resolved)
  • pppd
  • procmail (via comsat/biff notifications)

He also points out that the WordPress function wp_http_validate_url() calls PHP's gethostbyname() on a hostname taken from a URL. Since PHP's gethostbyname() is a thin wrapper around the glibc function, an attacker-controlled URL reaches the vulnerable code; this function is exercised by WordPress's XML-RPC pingback handling, so the input can be supplied remotely and without authentication.

To quote Marc:

“an attacker could leverage this vector to insert a malicious URL that would trigger a buffer overflow bug, server-side, potentially allowing him to gain privileges on the server.”

Testing for the vulnerability

To test PHP, run the following from a shell. It builds a 2,501-character hostname made entirely of digits (glibc only takes the buggy digits-and-dots code path for names that look numeric) and hands it to gethostbyname(). The name is long enough to force glibc to allocate a fresh, undersized result buffer, so the overflow corrupts heap metadata and the process typically crashes. If you get a segmentation fault, the glibc that PHP is linked against is vulnerable and an upgrade is needed; a patched glibc returns an error instead and the command exits quietly:

php -r '$e="0";for($i=0;$i<2500;$i++){$e="0$e";} gethostbyname($e);'
Segmentation fault

The following command, taken from the Qualys advisory and run as root, tests clockdiff (and therefore the system glibc) rather than Python: Python is only used to generate a 65,507-character all-digit hostname (0x10000 - 16 - 8 - 1 - 4). Again, a segmentation fault means the installed glibc is vulnerable:

/usr/sbin/clockdiff `python -c "print '0' * $((0x10000 - 16 * 1 - 2 * 4 - 1 - 4))"`
Segmentation fault

There are also bash scripts for Red Hat systems circulating that check the installed glibc package version, if you want to test before upgrading. Most advice is the same, though: upgrade glibc, then reboot, or at least restart every service that has the old library mapped. A running process keeps using the copy of libc it loaded at start-up even after the file on disk has been replaced, so upgrading the package alone does not close the hole.

Admins who would rather restart services than reboot the whole server may find this tip from wallarm.com handy. It asks lsof for the name of every process that has libc open, and restarts those whose name matches a script in /etc/init.d (reformatted here for readability; the logic is wallarm's):

for s in $(lsof | grep libc | awk '{print $1}' | sort | uniq); do
  # only act on names that match both an init script and a running process
  if [[ -f "/etc/init.d/$s" && "$(ps aufx | grep -v grep | grep $s)" ]]; then
    echo $s
    service $s restart
  fi
done

Two caveats before relying on it: lsof truncates the COMMAND column to nine characters by default (use lsof +c 0 for full names), and the process name frequently differs from the init script name (httpd vs. apache2, mysqld vs. mysql), so the loop can silently skip services. Treat it as a starting point and verify the result.
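A more reliable way to find what still needs restarting, as an added example that is not part of the original post or of wallarm's tip, is to ask the kernel directly: when the glibc package is upgraded the old file is unlinked, and /proc/PID/maps marks every live mapping of it "(deleted)". The script below lists those processes by PID and command name (from /proc/PID/comm, which is not truncated the way lsof's column is) and ignores deleted libraries that are not libc. The PROC_ROOT parameter is an assumption of this example, added only so the function can be run against a constructed directory tree rather than the live /proc.

```sh
#!/bin/sh
# Added example, not code from the original post or from wallarm.com.
# Lists processes that still have a replaced (deleted) libc mapped.
#
# Usage: stale_libc_pids [PROC_ROOT]
#   PROC_ROOT defaults to /proc; it is a parameter only so the function can be
#   exercised against a constructed tree of PID/maps and PID/comm files.
# Output: one "PID COMM" line per affected process, nothing when clean.

stale_libc_pids() {
    proc="${1:-/proc}"
    for maps in "$proc"/[0-9]*/maps; do
        [ -r "$maps" ] || continue          # no processes, or not readable
        pid=${maps#"$proc"/}
        pid=${pid%/maps}
        # Match libc.so.6 or libc-<version>.so but not libcrypto, libcap, ...
        # Only a line ending in "(deleted)" means the on-disk file was replaced
        # underneath the running process.
        if grep -qE '/libc(-[0-9.]+)?\.so[^[:space:]]* \(deleted\)$' "$maps" 2>/dev/null; then
            comm=$(cat "$proc/$pid/comm" 2>/dev/null || echo '?')
            printf '%s %s\n' "$pid" "$comm"
        fi
    done
}

# When run directly, report on the live system (root sees every process).
stale_libc_pids "$@"
```

Map a reported PID back to its service with systemctl status PID on systemd hosts, or by matching the command name against /etc/init.d on sysvinit hosts; PIDs that belong to login shells or editors just need to be exited and started again. An empty result after the upgrade, with ldd --version showing the new glibc, is the confirmation that the old code is no longer running.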

Caorda is Patched

Clients using Caorda hosting services should not be affected by these exploits, as we have been patching vulnerable systems as the announcements and updates have come out.

If you administer a non-managed server, take the time to update, reboot (or restart every affected service), and run the quick tests above against the patched server(s) to make sure nothing was missed.
