rabbitt · August 29, 2015 14:14 · rabbitt · Jan 28, 2015
diff --git a/centos6.5-output.txt b/centos6.5-output.txt
 OS Version:
 CentOS release 6.5 (Final)

 GLIBC RPMS:
 glibc-headers-2.12-1.149.el6_6.4.x86_64
 glibc-2.12-1.149.el6_6.4.x86_64
 glibc-devel-2.12-1.149.el6_6.4.x86_64
 glibc-common-2.12-1.149.el6_6.4.x86_64

 Ghost Checker:
 canary before: [in_the_coal_mine]
 canary after : [         0000000]
 vulnerable: yes

 ClockDiff Test:
 clockdiff: socket: Operation not permitted
 vulnerable: unknown (exit code: 1)
diff --git a/centos7-output.txt b/centos7-output.txt
 OS Version:
 CentOS Linux release 7.0.1406 (Core)

 GLIBC RPMS:
 glibc-common-2.17-55.el7_0.5.x86_64
 glibc-2.17-55.el7_0.5.x86_64
 glibc-headers-2.17-55.el7_0.5.x86_64
 glibc-devel-2.17-55.el7_0.5.x86_64

 Ghost Checker:
 canary before: [in_the_coal_mine]
 canary after : [in_the_coal_mine]
 vulnerable: no

 ClockDiff Test:
 not vulnerable
diff --git a/ghost-report.sh b/ghost-report.sh
 #!/usr/bin/env bash

 WORK_PATH=/tmp/ghost-check
 trap "rm -rf ${WORK_PATH}" INT QUIT TERM EXIT

 if [[ ! $(uname -s) = "Linux" ]]; then
  echo "Not running on Linux - likely not vulnerable..."
  exit 0
 fi

 mkdir -p "${WORK_PATH}"
 cd  "${WORK_PATH}"

 have_ghost=1
 if [ ! -f ghost ]; then
  if [[ ! -z $(which gcc 2>&-) ]]; then
    [ ! -f ghost.c ] && curl -Lsko '#1' 'https://gist.github.com/rabbitt/5155cd0d1609943508c0/raw/79b82a8c833e4416c3eaeea81dd78b0baf0dff17/{ghost.c}'
    gcc -o ghost ghost.c || have_ghost=0
  else
    have_ghost=0
  fi
 fi

 if [ -f /etc/redhat-release ]; then
  echo -e "\nOS Version:"
  cat /etc/redhat-release
 fi

 if [[ ! -z $(which rpm 2>&-) ]]; then
  echo -e "\nGLIBC RPMS:";
  rpm -qa | grep glibc;
 fi

 if [[ $have_ghost -eq 1 ]]; then
  echo -e "\nGhost Checker:";
  ./ghost
 fi

 echo -e "\nClockdiff Test:";
 /usr/sbin/clockdiff `python -c "print '0' * $((0x10000-16*1-2*4-1-4))"` >&- && echo "not vulnerable" || \
   ( [ $? -eq 139 ] && echo "vulnerable: yes (exit code: $?)" || echo "vulnerable: unknown (exit code: $? - expected 0 or 139)" )
diff --git a/ghost.c b/ghost.c
 #include <netdb.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <errno.h>

 #define CANARY "in_the_coal_mine"

 struct {
  char buffer[1024];
  char canary[sizeof(CANARY)];
 } temp = { "buffer", CANARY };

 int main(void) {
  struct hostent resbuf;
  struct hostent *result;
  int herrno;
  int retval;

  /*** strlen (name) = size_needed - sizeof (*host_addr) - sizeof (*h_addr_ptrs) - 1; ***/
  size_t len = sizeof(temp.buffer) - 16*sizeof(unsigned char) - 2*sizeof(char *) - 1;
  char name[sizeof(temp.buffer)];
  memset(name, '0', len);
  name[len] = '\0';

  printf("canary before: [%.*s]\n", sizeof(CANARY), temp.canary);
  retval = gethostbyname_r(name, &resbuf, temp.buffer, sizeof(temp.buffer), &result, &herrno);

  if (strcmp(temp.canary, CANARY) != 0) {
    printf("canary after : [%.*s]\n", sizeof(CANARY), temp.canary);
    puts("vulnerable: yes");
    exit(EXIT_SUCCESS);
  }
  if (retval == ERANGE) {
    printf("canary after : [%.*s]\n", sizeof(CANARY), temp.canary);
    puts("vulnerable: no");
    exit(EXIT_SUCCESS);
  }
  puts("should not happen");
  exit(EXIT_FAILURE);
 }
	OS Version:
	CentOS release 6.5 (Final)

	GLIBC RPMS:
	glibc-headers-2.12-1.149.el6_6.4.x86_64
	glibc-2.12-1.149.el6_6.4.x86_64
	glibc-devel-2.12-1.149.el6_6.4.x86_64
	glibc-common-2.12-1.149.el6_6.4.x86_64

	Ghost Checker:
	canary before: [in_the_coal_mine]
	canary after : [ 0000000]
	vulnerable: yes

	ClockDiff Test:
	clockdiff: socket: Operation not permitted
	vulnerable: unknown (exit code: 1)
	OS Version:
	CentOS Linux release 7.0.1406 (Core)

	GLIBC RPMS:
	glibc-common-2.17-55.el7_0.5.x86_64
	glibc-2.17-55.el7_0.5.x86_64
	glibc-headers-2.17-55.el7_0.5.x86_64
	glibc-devel-2.17-55.el7_0.5.x86_64

	Ghost Checker:
	canary before: [in_the_coal_mine]
	canary after : [in_the_coal_mine]
	vulnerable: no

	ClockDiff Test:
	not vulnerable
	#!/usr/bin/env bash

	WORK_PATH=/tmp/ghost-check
	trap "rm -rf ${WORK_PATH}" INT QUIT TERM EXIT

	if [[ ! $(uname -s) = "Linux" ]]; then
	echo "Not running on Linux - likely not vulnerable..."
	exit 0
	fi

	mkdir -p "${WORK_PATH}"
	cd "${WORK_PATH}"

	have_ghost=1
	if [ ! -f ghost ]; then
	if [[ ! -z $(which gcc 2>&-) ]]; then
	[ ! -f ghost.c ] && curl -Lsko '#1' 'https://gist.github.com/rabbitt/5155cd0d1609943508c0/raw/79b82a8c833e4416c3eaeea81dd78b0baf0dff17/{ghost.c}'
	gcc -o ghost ghost.c \|\| have_ghost=0
	else
	have_ghost=0
	fi
	fi

	if [ -f /etc/redhat-release ]; then
	echo -e "\nOS Version:"
	cat /etc/redhat-release
	fi

	if [[ ! -z $(which rpm 2>&-) ]]; then
	echo -e "\nGLIBC RPMS:";
	rpm -qa \| grep glibc;
	fi

	if [[ $have_ghost -eq 1 ]]; then
	echo -e "\nGhost Checker:";
	./ghost
	fi

	echo -e "\nClockdiff Test:";
	/usr/sbin/clockdiff `python -c "print '0' * $((0x10000-161-24-1-4))"` >&- && echo "not vulnerable" \|\| \
	( [ $? -eq 139 ] && echo "vulnerable: yes (exit code: $?)" \|\| echo "vulnerable: unknown (exit code: $? - expected 0 or 139)" )
	#include <netdb.h>
	#include <stdio.h>
	#include <stdlib.h>
	#include <string.h>
	#include <errno.h>

	#define CANARY "in_the_coal_mine"

	struct {
	char buffer[1024];
	char canary[sizeof(CANARY)];
	} temp = { "buffer", CANARY };

	int main(void) {
	struct hostent resbuf;
	struct hostent *result;
	int herrno;
	int retval;

	/*** strlen (name) = size_needed - sizeof (host_addr) - sizeof (h_addr_ptrs) - 1; ***/
	size_t len = sizeof(temp.buffer) - 16sizeof(unsigned char) - 2sizeof(char *) - 1;
	char name[sizeof(temp.buffer)];
	memset(name, '0', len);
	name[len] = '\0';

	printf("canary before: [%.*s]\n", sizeof(CANARY), temp.canary);
	retval = gethostbyname_r(name, &resbuf, temp.buffer, sizeof(temp.buffer), &result, &herrno);

	if (strcmp(temp.canary, CANARY) != 0) {
	printf("canary after : [%.*s]\n", sizeof(CANARY), temp.canary);
	puts("vulnerable: yes");
	exit(EXIT_SUCCESS);
	}
	if (retval == ERANGE) {
	printf("canary after : [%.*s]\n", sizeof(CANARY), temp.canary);
	puts("vulnerable: no");
	exit(EXIT_SUCCESS);
	}
	puts("should not happen");
	exit(EXIT_FAILURE);
	}