Created
January 27, 2015 17:32
-
-
Save amlweems/6e78d03810548b4867d6 to your computer and use it in GitHub Desktop.
ghost.c
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| * Qualys test program to check for presence of GHOST vulnerability | |
| * For more info: http://www.openwall.com/lists/oss-security/2015/01/27/9 | |
| */ | |
| #include <netdb.h> | |
| #include <stdio.h> | |
| #include <stdlib.h> | |
| #include <string.h> | |
| #include <errno.h> | |
| #define CANARY "in_the_coal_mine" | |
| struct { | |
| char buffer[1024]; | |
| char canary[sizeof(CANARY)]; | |
| } temp = { "buffer", CANARY }; | |
| int main(void) { | |
| struct hostent resbuf; | |
| struct hostent *result; | |
| int herrno; | |
| int retval; | |
| /*** strlen (name) = size_needed - sizeof (*host_addr) - sizeof (*h_addr_ptrs) - 1; ***/ | |
| size_t len = sizeof(temp.buffer) - 16*sizeof(unsigned char) - 2*sizeof(char *) - 1; | |
| char name[sizeof(temp.buffer)]; | |
| memset(name, '0', len); | |
| name[len] = '\0'; | |
| retval = gethostbyname_r(name, &resbuf, temp.buffer, sizeof(temp.buffer), &result, &herrno); | |
| if (strcmp(temp.canary, CANARY) != 0) { | |
| puts("vulnerable"); | |
| exit(EXIT_SUCCESS); | |
| } | |
| if (retval == ERANGE) { | |
| puts("not vulnerable"); | |
| exit(EXIT_SUCCESS); | |
| } | |
| puts("should not happen"); | |
| exit(EXIT_FAILURE); | |
| } |
wget https://gist.githubusercontent.com/amlweems/6e78d03810548b4867d6/raw/69e2fb429dc6f020954405a9d55021db8db1d26e/gistfile1.c && gcc gistfile1.c -o GHOST && ./GHOST
for the people who don't understand C code, a oneliner 😃
glibc 2.20-6 Arch Linux x86_64 Linux 3.18.2-2-ARCH >> not vulnerable
(Ubuntu GLIBC 2.19-10ubuntu2.2) 2.19 >> not vulnerable
Ubuntu EGLIBC 2.19-0ubuntu6.3 >> not vulnerable
Mac 10.10.2 returns errors, so I'm assuming there's no glibc at all...
gistfile1.c:30:12: warning: implicit declaration of function 'gethostbyname_r' is invalid in
C99 [-Wimplicit-function-declaration]
retval = gethostbyname_r(name, &resbuf, temp.buffer, sizeof(temp.buffer), &result, &herrno);
^
1 warning generated.
Undefined symbols for architecture x86_64:
"_gethostbyname_r", referenced from:
_main in gistfile1-00b79d.o
ld: symbol(s) not found for architecture x86_64
clang: error: linker command failed with exit code 1 (use -v to see invocation)
By reading this post I think that gethostbyname and gethostbyname2 should be the equivalent to gethostbyname_r, on MacOS
(Ubuntu EGLIBC 2.15-0ubuntu10.10) 2.15 >> not vulnarable
$ uname -a
Linux xxxxx 2.6.18-348.6.1.el5xen #1 SMP Tue May 21 16:10:52 EDT 2013 x86_64 x86_64 x86_64 GNU/Linux
$ ldd --version
ldd (GNU libc) 2.5
$ gcc --version
gcc (GCC) 4.1.2 20080704 (Red Hat 4.1.2-52)
VULNARABLE
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I have upgrade the libc6 to v2.13-38+deb7u7 on Debian 7.8.
Result of run the ghost.c:
We can upgrade it with under command.