Trustwave's 2024 Financial Services Threat Reports Highlight Alarming Trends in Insider Threats & Phishing-as-a-Service. Learn More

Trustwave's 2024 Financial Services Threat Reports Highlight Alarming Trends in Insider Threats & Phishing-as-a-Service. Learn More

Services
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Security
Unlock the full power of Microsoft Security
Offensive Security
Solutions to maximize your security ROI
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats

GHOST gethostbyname() heap overflow in glibc (CVE-2015-0235)

A heap-based buffer overflow vulnerability in glibc (CVE-2015-0235) was announced this week.

9401_5813804a-f2b2-48b6-8e76-4b1b4811b79f

It seems as though all new vulnerabilities need to have catchy marketing names so this one was dubbed "GHOST" which was derived from the vulnerable glibc function name - "GetHOSTbyname()".

Vulnerability Notes

Here are the key points thus far:

  • The vulnerability affects all versions of glibc from glibc-2.17 and lower
  • The bug was patched in glibc-2.18 in May 2013, but was not marked as a security bug so the fix did not make it into many common Linux distributions like SUSE and Ubuntu until much later.
  • To our knowledge, this is not currently being exploited in the wild
  • Qualys has not released any PoC code but they plan to release a Metasploit module in the near future.
  • Qualys was able to remotely exploit a mail server running Exim mail software but it's unclear what other software might be vulnerable. (They are working on a metapsloit module specifically for the Exim exploit)

Regarding other Linux server software Qualys wrote:

"to the best of our knowledge, the buffer overflow cannot be triggered in any of [these]:

apache, cups, dovecot, gnupg, isc-dhcp, lighttpd, mariadb/mysql,

nfs-utils, nginx, nodejs, openldap, openssh, postfix, proftpd,

pure-ftpd, rsyslog, samba, sendmail, sysklogd, syslog-ng, tcp_wrappers,

vsftpd, xinetd."

Wordpress XML-RPC Pingback Vector

It has been speculated that the XML-RPC pingback functionality in Wordpress installs may be vulnerable to remote exploitation. We decided to run some tests to see if it is in fact vulnerable. We previously did a blog post outlining how the Wordpress XML-RPC "pingback" functionality could be abused by attackers to force unsuspecting websites into participating in DDoS attacks. To summarize, in that attack, the attacker sends an XML request to the "/xmlrpc.php" script:

7914_0e84b453-6d11-4060-b9b3-45417b674419

The YELLOW highlighted data is a WordPress "Patsy Proxy" site while the ORANGE highlighted data is the DDoS target/victim website. In this scenario, the XML-RPC "pingback" code in PHP is using the gethostbyname() function call on the ORANGE highlighted data so that it can resolve it to an IP address for the remote request it will send. This is the exploit vector we chose to focus on for GHOST testing.

Modifying Input for GHOST Vulnerability Testing

Instead of sending a normal sized URL in the XML pingback.ping method body, we need to send a large one. Here is a Ruby PoC script:

9512_5d390bcc-3a96-4591-a61b-150de8cdd6bc

The script takes command line arguments for the size of payload that you want to send. During our testing in SpiderLabs Research, we identified different size ranges that worked on different platform/versions of glibc, php and wordpress. After sending the attack payload, we have seen the HTTP process responds with the following:

  • 500 HTTP Response Status code with php-cgi
  • No HTTP Response with mod_php

There are errors in the Apache error_log file when the process crashes:

7919_0ecd800a-c988-4904-9ed6-4c8311441538

This PoC allows users to remotely verify if a target web server is vulnerable to the CVE however it does not demonstrate exploitability. Here is the glibc and php version information for the two systems we used during this test:

10941_a0a3ce16-8f5e-4849-b157-8deb5bec7220

8667_3432f0a1-144a-4820-b368-dd355acd458d

Recommendations

Install glibc Patches

Example for Ubuntu Linux Distributions:

sudo apt-get clean
sudo apt-get update
sudo apt-get upgrade

And don't forget to reboot!

Disable XML-RPC

It is possible to disable the XML-RPC process altogether if you do not want to use it. There are even plugins that will disable it.

Disable Pingback Requests

You may also disable the pingback feature by adding the following to your functions.php file:

10134_7b4e10a3-f193-457a-80be-e1feaf732026

WAF Protections

By using a WAF, you can identify initial pingback XML requests on your Wordpress site and look for attacks. The Trustwave WAF has a profiling and learning engine called "Adaption" that is able to identify these types of anomalies vs. normal user traffic. We have also added rules to our commercial SpiderLabs ModSecurity rules package to identify this specific PoC attack vector.

Monitor Your Logs

When attackers are attempting to exploit this vulnerability against your web servers, there will most likely be error messages (segmentation faults, etc...) that will indicate a problem. Organizations should be vigilant in monitoring their logs and following up on an anomalous errors.

Acknowledgments

I would like to thank my fellow SpiderLabs Research colleagues who helped with testing and the content of this blog post:

  • Robert Rowley
  • Christophe De La Fuente
  • Chaim Sanders
  • Felipe Costa
  • Jonathan Claudius
  • Karl Sigler

 

ABOUT TRUSTWAVE

Trustwave is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience. Learn more about us.

Latest Intelligence

Discover how our specialists can tailor a security program to fit the needs of
your organization.

Request a Demo