Menu
Ghost Linux vulnerability can be exploited through WordPress, other PHP apps

Ghost Linux vulnerability can be exploited through WordPress, other PHP apps

Some Web applications written in PHP call a vulnerable glibc function, potentially opening the door to attacks

A critical vulnerability in glibc, a core Linux library, can be exploited remotely through WordPress and likely other PHP applications to compromise Web servers.

The buffer overflow vulnerability, dubbed Ghost, was reported Tuesday by researchers from security vendor Qualys. It is identified as CVE-2015-0235 in the Common Vulnerabilities and Exposures database.

The bug is located in the gethostbyname*() functions of the glibc (GNU C Library) version 2.17 and older. It was fixed in glibc-2.18, released in May 2013, but it wasn't flagged as a security vulnerability at the time.

As a result, some Linux distributions, especially those developed for long-term support, did not backport the patch and were still using vulnerable glibc versions when the Qualys researchers identified the security implications of the bug during a code audit.

Exploiting the vulnerability for remote code execution also depends on other factors, like whether the targeted application uses the glibc gethostbyname*() functions and in what context. Researchers identified that clockdiff, procmail, pppd and the Exim mail server software could be used as attack vectors to some extent.

However, researchers from website security research firm Sucuri said Wednesday that they have good reasons to believe the flaw can also be exploited through Web applications written in PHP that use gethostbyname() function wrappers. This has the potentially to significantly expand the attack vectors.

One clear example of such a PHP application is WordPress, which uses a function called wp_http_validate_url() to validate the URLs of pingback posts.

"It does so by using gethostbyname(), so an attacker could leverage this vector to insert a malicious URL that would trigger a buffer overflow bug, server-side, potentially allowing him to gain privileges on the server," Sucuri senior vulnerability researcher Marc-Alexandre Montpas said in a blog post.

In a comment to Montpas's blog post, HD Moore, chief research officer at Rapid7 and main developer of the Metasploit penetration testing tool, posted a PHP command that can be used to check if a Web server is vulnerable.

Then Thursday, security researchers from Trustwave SpiderLabs created a proof-of-concept script to trigger the glibc buffer overflow though the WordPress pingback feature.

"This PoC allows users to remotely verify if a target web server is vulnerable to the CVE however it does not demonstrate exploitability," they said in a blog post.

Nevertheless, WordPress users are advised to disable the XML-RPC process completely or to block pingback requests. Server administrators are advised to update their versions of glibc as soon as possible.

Debian 7 (wheezy), Red Hat Enterprise Linux 6 and 7, CentOS 6 and 7 and Ubuntu 12.04 were among the Linux distributions identified as vulnerable and which have since released patches.

"When attackers are attempting to exploit this vulnerability against your web servers, there will most likely be error messages (segmentation faults, etc...) that will indicate a problem," the Trustwave researchers said. "Organizations should be vigilant in monitoring their logs and following up on an anomalous errors."

Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Tags patchesintrusiontrustwavesecuritypatch managementSucuriExploits / vulnerabilitiesqualys

Featured

Slideshows

Reseller News launches inaugural Hall of Fame lunch

Reseller News launches inaugural Hall of Fame lunch

Reseller News welcomed 2015 and 2016 inductees - Darryl Swann, Dave Rosenberg, Gary Bigwood, Keith Watson, Mike Hill and Scott Green - to the inaugural Reseller News Hall of Fame lunch, held at the French Cafe in Auckland. The inductees discussed how the channel can collectively work together to benefit New Zealand, the Kiwi skills shortage and the future of the industry. Photos by Maria Stefina.

Reseller News launches inaugural Hall of Fame lunch
Educating from the epicentre - Why distributors are the pulse checkers of the channel

Educating from the epicentre - Why distributors are the pulse checkers of the channel

​As the channel changes and industry voices deepen, the need for clarity and insight heightens. Market misconceptions talk of an “under pressure” distribution space, with competitors in that fateful “race for relevance” across New Zealand. Amidst the cliched assumptions however, distribution is once again showing its strength, as a force to be listened to, rather than questioned. Traditionally, the role was born out of a need for vendors and resellers to find one another, acting as a bridge between the testing lab and the marketplace. Yet despite new technologies and business approaches shaking the channel to its very core, distributors remain tied to the epicentre - providing the voice of reason amidst a seismic industry shift. In looking across both sides of the vendor and partner fences, the middle concept of the three-tier chain remains centrally placed to understand the metrics of two differing worlds, as the continual pulse checkers of the local channel. This exclusive Reseller News Roundtable, in association with Dicker Data and rhipe, examined the pivotal role of distribution in understanding the health of the channel, educating from the epicentre as the market transforms at a rapid rate.

Educating from the epicentre - Why distributors are the pulse checkers of the channel
Kiwi channel reunites as After Hours kicks off 2017

Kiwi channel reunites as After Hours kicks off 2017

After Hours made a welcome return to the channel social calendar last night, with a bumper crowd of distributors, vendors and resellers descending on The Jefferson in Auckland to kickstart 2017. Photos by Maria Stefina.

Kiwi channel reunites as After Hours kicks off 2017
Show Comments