Ghost vulnerability check tool (CVE-2015-0235)
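# Ansible playbook to check for CVE-2015-0235
#
# Check mode only
#   ansible-playbook check_and_patch.yml
#
# To apply the fix :
#   ansible-playbook check_and_patch.yml -e fix=true
#
# The tasks insert an iptables rule, compile and run a downloaded C file and
# may upgrade libc6, so they are expected to run with root privileges.
- hosts: all
  tasks:
    # Work in a fresh directory created by mktemp (mode 0700) instead of fixed
    # names in world-writable /tmp, where another local user could plant or
    # symlink ghost.c / ghost before they are compiled and executed.
    - name: Creates private work directory
      command: mktemp -d
      register: workdir
      changed_when: false

    - name: Opens fw for outbound 443
      command: iptables -I OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT -m comment --comment 'ghost-temp'
      changed_when: false

    # The URL pins one revision of ghost.c.
    # NOTE(review): consider also giving get_url a checksum of a reviewed copy,
    # so the bytes are verified before they are compiled and run.
    # Errors are ignored here only so that the temporary firewall rule is
    # always removed; the failure is re-raised two tasks below.
    - name: Get source
      get_url: >
        url=https://gist.githubusercontent.com/leucos/83c974973d824a5e281d/raw/e45c6b2d25b3143b96be2fdceb9a56b29a408352/ghost.c
        dest={{ workdir.stdout }}/ghost.c
      register: download
      ignore_errors: yes

    - name: Removes previous iptables rule
      command: iptables -D OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT -m comment --comment 'ghost-temp'
      changed_when: false

    - name: Fails when the source could not be fetched
      fail: msg="could not download ghost.c"
      when: download.failed | default(false)

    - name: Compile
      command: gcc {{ workdir.stdout }}/ghost.c -o {{ workdir.stdout }}/ghost

    # The probe reports its verdict on stdout and exits 0 for both
    # "host is vulnerable" and "not vulnerable"; a non-zero exit
    # ("should not happen") fails this task.
    - name: Check vulnerability
      command: "{{ workdir.stdout }}/ghost"
      register: result
      changed_when: false

    - name: Removes private work directory
      file: path={{ workdir.stdout }} state=absent

    - name: Writes vuln info
      debug: msg="server {{ inventory_hostname }} is vulnerable"
      when: "'host is vulnerable' in result.stdout"

    # "| bool" makes -e fix=false (passed as a string) evaluate to false
    # instead of relying on how a bare string is treated in a condition.
    - name: Upgrades packages
      apt: >
        pkg=libc6 update_cache=yes state=latest
      when: "'host is vulnerable' in result.stdout and fix | default(false) | bool"

    # Processes started before the upgrade keep the old libc mapped, hence
    # the reboot recommendation.
    - name: Writes reboot recommandation
      debug: msg="libc6 updated - server should be rebooted"
      when: "'host is vulnerable' in result.stdout and fix | default(false) | bool"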
/* Looking for ghosts */ | |
/* gcc ghost.c -o ghost */ | |
#include <netdb.h> | |
#include <stdio.h> | |
#include <stdlib.h> | |
#include <string.h> | |
#include <errno.h> | |
/* Marker string stored right behind the resolver buffer; main() compares
 * against it after the lookup to see whether the buffer was overrun. */
#define CANARY "in_the_coal_mine"

/*
 * Test fixture with static storage: a 1024-byte scratch buffer that is
 * passed to gethostbyname_r(), immediately followed by the canary.
 * Both members are char arrays, so no padding separates them and any
 * write past the end of `buffer` lands in `canary`.
 */
struct {
  char buffer[1024];
  char canary[sizeof(CANARY)]; /* sized to hold CANARY including its NUL */
} temp = {
  .buffer = "buffer",
  .canary = CANARY,
};
/*
 * Local check for CVE-2015-0235: call gethostbyname_r() with a long
 * all-'0' name and temp.buffer as scratch space, then inspect the canary
 * that sits directly behind that buffer.
 *
 * The verdict is printed on stdout:
 *   "host is vulnerable" - the canary changed, i.e. the call wrote past
 *                          the end of temp.buffer (exit status 0)
 *   "not vulnerable"     - canary intact and the call returned ERANGE
 *                          (exit status 0)
 *   "should not happen"  - any other outcome (exit status EXIT_FAILURE)
 * Callers must therefore read stdout, not the exit status, to tell the
 * first two cases apart.
 */
int main(void) {
  struct hostent host_storage;
  struct hostent *host_result;
  int resolver_errno;

  /* Name length taken from the original formula:
   * strlen (name) = size_needed - sizeof (*host_addr) - sizeof (*h_addr_ptrs) - 1 */
  const size_t name_len = sizeof(temp.buffer)
                          - 16 * sizeof(unsigned char)
                          - 2 * sizeof(char *)
                          - 1;

  char name[sizeof(temp.buffer)];
  memset(name, '0', name_len);
  name[name_len] = '\0';

  const int rc = gethostbyname_r(name, &host_storage,
                                 temp.buffer, sizeof(temp.buffer),
                                 &host_result, &resolver_errno);

  const char *verdict;
  int status = EXIT_SUCCESS;

  if (strcmp(temp.canary, CANARY) != 0) {
    /* Canary overwritten: checked first, before trusting the return code. */
    verdict = "host is vulnerable";
  } else if (rc == ERANGE) {
    /* Call reported that the supplied buffer is too small and left the
     * canary untouched. */
    verdict = "not vulnerable";
  } else {
    verdict = "should not happen";
    status = EXIT_FAILURE;
  }

  puts(verdict);
  return status;
}