
PHP Applications and WordPress Ghost Vulnerability

PHP, WordPress GHOST


Just yesterday the GHOST vulnerability was disclosed, and today researchers have found that PHP applications and WordPress could also be vulnerable to GHOST.

The buffer overflow in glibc was found in the __nss_hostname_digits_dots() function, which is used by the gethostbyname() function call. PHP applications such as WordPress also use PHP's gethostbyname() wrapper, which expands the scope of the vulnerability even as Linux distributions roll out patches.

“An example of where this could be a big issue is within WordPress itself: it uses a function named wp_http_validate_url() to validate every pingback’s post URL,” wrote Sucuri researcher Marc-Alexandre Montpas in an advisory published Wednesday. “And it does so by using gethostbyname(). So an attacker could leverage this vector to insert a malicious URL that would trigger a buffer overflow bug, server-side, potentially allowing him to gain privileges on the server.”

“The exploitation depends on being able to convince a program to perform a DNS lookup of a host name provided by the attacker,” said researcher Michal Zalewski. “The lookup has to be done in a very particular way and must lack a couple of commonly-employed (but certainly not mandatory) sanity checks.”

“In WordPress, one could easily flag an attack by looking at the domains that are ‘pingbacking’ his site,” Montpas said. “A domain containing more than 255 bytes should be considered as malicious (RFC2181 explicitly states that a full domain name is limited to this exact amount of bytes).”

“It makes servers more exposed to attacks, given XMLRPC is enabled by default in WordPress and that this CMS powers 23.3 percent of all websites,” Montpas said. “This is mostly a case-by-case type of vulnerability. A successful exploitation relies a lot on what code an attacker can use within the target application. Qualys apparently succeeded in exploiting Exim, a popular MTA. But chances are their exploit wouldn’t work on, say, PHP. That said, if someone came with a working GHOST-PHP exploit, there’s a lot we’d have to be worried about.”

“This is a very critical vulnerability and should be treated as such,” Montpas said. “If you have a dedicated server or VPN running Linux, you have to make sure you update it right away.”

So how do you test whether your server is vulnerable?

If the command below ends with "Segmentation fault", the glibc on your Linux server is vulnerable.

php -r '$e="0";for($i=0;$i<2500;$i++){$e="0$e";} gethostbyname($e);'
Segmentation fault
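As an added example (not code from the article, Sucuri or WordPress), here is the kind of "commonly-employed sanity check" Zalewski refers to: a wrapper that enforces the 255-byte limit Montpas cites (and the 63-byte label limit from RFC 1035) before a hostname ever reaches libc's resolver. The function names are hypothetical; the 2501-byte input at the end is the same one the article's test command builds.

```php
<?php
// Added example, not from the article: length-check hostnames before
// handing them to gethostbyname(). Function names are hypothetical.

/**
 * Returns true if $host is a syntactically sane DNS name: at most 255 bytes
 * in total (RFC 2181), each label 1-63 bytes (RFC 1035), and only letters,
 * digits and hyphens inside a label.
 */
function is_sane_hostname(string $host): bool
{
    $host = rtrim($host, '.');                 // tolerate a trailing root dot
    if ($host === '' || strlen($host) > 255) {
        return false;
    }
    foreach (explode('.', $host) as $label) {
        if ($label === '' || strlen($label) > 63) {
            return false;
        }
        if (!preg_match('/^[A-Za-z0-9-]+$/', $label)) {
            return false;
        }
    }
    return true;
}

/**
 * Resolve only names that pass the check. Returns the IP string, or false
 * when the name was rejected or did not resolve. Rejections are logged so
 * oversized "pingback" domains can be reviewed, as the article suggests.
 */
function safe_gethostbyname(string $host)
{
    if (!is_sane_hostname($host)) {
        error_log('rejected hostname lookup of ' . strlen($host) . ' bytes');
        return false;
    }
    // PHP's gethostbyname() returns the input unchanged on lookup failure.
    $ip = gethostbyname($host);
    return ($ip === $host) ? false : $ip;
}

// The article's test input: "0" prepended 2500 times, i.e. 2501 bytes.
$long = '0';
for ($i = 0; $i < 2500; $i++) {
    $long = "0$long";
}
// Rejected by the length check, so the vulnerable glibc path is never called.
var_dump(safe_gethostbyname($long));
var_dump(is_sane_hostname('example.com'));
```

Pre-filtering is a mitigation for one call path only; the fix for the underlying bug is still the distribution's glibc update.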

Patches are available, and applying one only requires a reboot afterwards. Debian 7, Red Hat, CentOS and Ubuntu 12.04 all have a patch ready for you.

While it is not an easy exploit, researchers say it could cause some nasty issues.

Still, it could potentially be nasty if exploited so we strongly recommend immediate patching and rebooting. Without a reboot, services using the old library will not be restarted.

Author: Shivniel Gounder

TheGeek : Writes about information security, privacy, cybersecurity and latest tech gadgets and more.
