Less than 48 hours after the disclosure of the Ghost vulnerability in the GNU C library (glibc), researchers have uncovered that PHP applications, including the WordPress content management system, could be another weak spot and eventually in the crosshairs of attackers.
Ghost is a vulnerability in glibc that attackers can use against only a handful of applications right now to remotely run executable code and gain control of a Linux server. The vulnerability is a heap-based buffer overflow and affects all Linux systems, according to experts, and has been present in the glibc code since 2000.
The buffer overflow in glibc was found in the __nss_hostname_digits_dots() function; that particular function is used by the _gethostbyname function call. PHP applications such as WordPress also use the gethostbyname() function wrapper, which expands the scope of the vulnerability even as Linux distributions roll out patches.
“An example of where this could be a big issue is within WordPress itself: it uses a function named wp_http_validate_url() to validate every pingback’s post URL,” wrote Sucuri research Marc-Alexandre Montpas in an advisory published Wednesday. “And it does so by using gethostbyname(). So an attacker could leverage this vector to insert a malicious URL that would trigger a buffer overflow bug, server-side, potentially allowing him to gain privileges on the server.”
Until now, the only a proof-of-concept was built against the Exim mail transfer agent (MTA). Experts agree that such an exploit would have to climb some significant hurdles.
“The exploitation depends on being able to convince a program to perform a DNS lookup of a host name provided by the attacker,” said researcher Michal Zalewski said. “The lookup has to be done in a very particular way and must lack a couple of commonly-employed (but certainly not mandatory) sanity checks.”
Montpas told Threatpost that an attack against a PHP application such as WordPress would really depend on the context in which gethostbyname() is executed.
“In WordPress, one could easily flag an attack by looking at the domains that are ‘pingbacking’ his site,” Montpas said. “A domain containing more than 255 bytes should be considered as malicious (RFC2181 explicitly states that a full domain name is limited to this exact amount of bytes).”
Montpas said Sucuri does not have a working exploit, but did use a particular XMLRPC request to try to force gethostbyname() to crash, indicating the vulnerability is present.
“It makes servers more exposed to attacks, given XMLRPC is enabled by default in WordPress and that this CMS powers 23.3 percent of all websites,” Montpas said. “This is mostly a case-by-case type of vulnerability. A successful exploitation relies a lot on what code an attacker can use within the target application. Qualys apparently succeeded in exploiting Exim, a popular MTA. But chances are their exploit wouldn’t work on, say, PHP. That said, if someone came with a working GHOST-PHP exploit, there’s a lot we’d have to be worried about.”
-Marc-Alexandre Montpas, Sucuri
The vulnerability affects glibc 2.2 through 2.17, but was patched in May 2013, though the patch was not labeled a security vulnerability and as a result may not have been widely deployed. Several other mitigations have been made public. Exim, clockdiff, procmail and pppd have been identified as vulnerable to Ghost exploits.
“This is a very critical vulnerability and should be treated as such,” Montpas said. “If you have a dedicated server or VPN running Linux, you have to make sure you update it right away.”
Montpas provided test PHP code admins can run on a server terminal; if the code returns a segmentation fault, the Linux server is vulnerable to Ghost:
php -r ‘$e=”0″;for($i=0;$i<2500;$i++){$e="0$e";} gethostbyname($e);'
Segmentation fault
Patching Ghost in Linux systems figures to be a bit more streamlined than the Bash vulnerability affecting Linux, UNIX and Mac OS X systems last fall, with experts suggesting that patches from the respective Linux distributions followed by a system reboot should take care of the issue. So far, Debian 7, Red Hat Enterprise Linux 6 and 7, CentOS 6 and 7 and Ubuntu 12.04 were running vulnerable versions glibc; all have released updates.
“To be clear, this is NOT the end of the Internet as we know it, nor is it another Heartbleed. In a general sense, it’s not likely to be an easy bug to exploit,” said Rapid7 CSO and Metasploit creator HD Moore. “Still, it could potentially be nasty if exploited so we strongly recommend immediate patching and rebooting. Without a reboot, services using the old library will not be restarted.”
