A flaw in the GNU C Library (glibc) that was introduced in 2000 and quietly fixed in 2013 is still present on many Linux systems, because the fix was never flagged as security-relevant and the stable and long-term-support distributions never backported it. Now Linux distributor Red Hat, along with the other major distributions, is shipping patches to close it for good.
Dubbed GHOST (CVE-2015-0235), the flaw lets a remote attacker take control of a Linux machine. Cloud security provider Qualys, which found it, built a proof-of-concept showing that an attacker who sends a specially crafted email to a vulnerable mail server running on Linux (the Exim MTA, in Qualys' test) can take over the targeted machine.
"During our testing, we developed a proof-of-concept in which we send a specially created e-mail to a mail server and can get a remote shell to the Linux machine," says Qualys. "This bypasses all existing protections (like ASLR, PIE and NX) on both 32-bit and 64-bit systems."
Most Linux vendors have released patches to close the GHOST vulnerability, says Amol Sarwate, Qualys' vulnerability labs director. The lab recommends applying the patches and then rebooting, a step that usually isn't needed with Linux updates. It matters here because glibc is mapped into almost every running process, and a process keeps using the old copy of the library until it is restarted: updating glibc on disk alone does nothing for long-running services such as mail and web servers, which are exactly the processes an attacker can reach. A reboot is the simplest way to be sure nothing is still running against the old library.
The bug was introduced in glibc 2.2, released Nov. 10, 2000, and affects every version up to and including 2.17, according to Sarwate. It was fixed on May 21, 2013, between the 2.17 and 2.18 releases, but the fix wasn't classified as a security fix, he says, so distributions that ship older, long-term-supported glibc versions did not pick it up. glibc is the GNU C Library, the GNU Project's implementation of the C standard library. It provides the macros, type definitions and functions, including hostname resolution, that nearly every program on a Linux system links against.
GHOST takes its name from the affected functions, gethostbyname() and gethostbyname2(). The vulnerability is a heap-based buffer overflow in an internal helper, __nss_hostname_digits_dots(), that both functions use to handle hostnames that look like numeric IP addresses.
An attacker does not need to flood the function with requests; a single hostname argument of the right shape is enough. If the name starts with a digit, consists only of digits and dots, and does not end with a dot, glibc takes a fast path that tries to parse it as an IP address, and the size it computes for the caller-supplied buffer is one pointer too small. A name long enough to fill that buffer therefore overflows it by sizeof(char *) bytes: four on 32-bit and eight on 64-bit systems. That is a tiny overflow, but Qualys showed it is enough to hijack control of the process and, from there, the machine.
"The gethostbyname() function calls are used for DNS resolving, which is a very common event," says Red Hat. "To exploit this vulnerability, an attacker must trigger a buffer overflow by supplying an invalid hostname argument to an application that performs a DNS resolution."
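The following program is an added example, written for this page and not code from Qualys, Red Hat or the article. It follows the approach Qualys described for its published test: hand gethostbyname_r() a digits-only name whose length makes the buggy size calculation come out to exactly the buffer size, place a canary immediately after that buffer, and see whether the canary survives. It assumes a glibc-based system (on other libcs it reports "unknown"); the enum names, the canary string and the looks_like_ghost_trigger() helper, which checks whether an arbitrary hostname has the shape that reaches the buggy path, are this example's own.

```c
#define _GNU_SOURCE  /* gethostbyname_r() is a GNU/BSD extension, not ISO C */
#include <ctype.h>
#include <errno.h>
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Outcome of the local check (names are this example's own). */
enum ghost_status {
    GHOST_NOT_VULNERABLE = 0,  /* patched glibc refused the buffer with ERANGE */
    GHOST_VULNERABLE = 1,      /* the canary after the buffer was overwritten */
    GHOST_UNKNOWN = 2          /* neither: non-glibc libc or an unexpected path */
};

/*
 * Does this hostname have the shape that reaches the buggy fast path?
 * The numeric fast path is taken only if the name starts with a digit,
 * contains nothing but digits and dots, and does not end with a dot.
 * min_len is the caller's estimate of how long the name must be to fill
 * the resolver buffer; pass 0 to check the shape alone.
 */
int looks_like_ghost_trigger(const char *name, size_t min_len)
{
    size_t len = strlen(name);
    if (len == 0 || len < min_len)
        return 0;
    if (!isdigit((unsigned char)name[0]) || name[len - 1] == '.')
        return 0;
    for (size_t i = 0; i < len; i++)
        if (!isdigit((unsigned char)name[i]) && name[i] != '.')
            return 0;
    return 1;
}

/*
 * Probe the libc this process is running against. The buggy calculation was
 *   size_needed = sizeof(host_addr)   (16 bytes)
 *               + sizeof(h_addr_ptrs) (2 pointers)
 *               + strlen(name) + 1
 * and forgot the extra pointer for h_alias_ptr. strlen(name) is chosen so
 * that the buggy size_needed equals sizeof(temp.buffer) exactly: a patched
 * glibc (which adds the missing pointer) sees the buffer as too small and
 * returns ERANGE without touching it; an unpatched one writes one pointer
 * past the end, straight into the canary. No network lookup happens either
 * way, because the name is handled entirely on the numeric path.
 */
enum ghost_status ghost_check(void)
{
    static const char CANARY[] = "in_the_coal_mine";
    struct {
        char buffer[1024];
        char canary[sizeof CANARY];   /* directly follows buffer, no padding */
    } temp;
    memset(temp.buffer, 0, sizeof temp.buffer);
    memcpy(temp.canary, CANARY, sizeof CANARY);

    size_t len = sizeof temp.buffer - 16 - 2 * sizeof(char *) - 1;
    char name[sizeof temp.buffer];
    memset(name, '0', len);   /* all digits: satisfies the fast-path shape */
    name[len] = '\0';

    struct hostent resbuf;
    struct hostent *result = NULL;
    int herrno = 0;
    int rc = gethostbyname_r(name, &resbuf, temp.buffer, sizeof temp.buffer,
                             &result, &herrno);

    if (memcmp(temp.canary, CANARY, sizeof CANARY) != 0)
        return GHOST_VULNERABLE;
    if (rc == ERANGE)
        return GHOST_NOT_VULNERABLE;
    return GHOST_UNKNOWN;
}

int main(void)
{
    static const char *const labels[] = { "not vulnerable", "VULNERABLE", "unknown" };
    enum ghost_status s = ghost_check();
    printf("GHOST (CVE-2015-0235) local check: %s\n", labels[s]);
    return s == GHOST_VULNERABLE ? 1 : 0;
}
```

Build it with `cc ghost_check.c -o ghost_check` and run it before and after patching. Note that it only exercises the glibc that this freshly started process loads; it says nothing about what a mail or web server started before the update still has mapped, which is why the reboot (or a restart of every long-running service) is still required after the check reports "not vulnerable".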
Sarwate says Qualys will release its proof-of-concept exploit once remediation is under way and GHOST has reached its half-life; the term "half-life", as applied to vulnerabilities, was coined by Qualys to describe remediation times. The delay is meant to give everyone enough time to patch before other security firms and independent analysts can study the exploit.
"Half-life is the time interval measuring a reduction of a vulnerability's occurrence by half," says Qualys. "Over time, this metric shows how successful efforts have been to eradicate vulnerability. A shorter half-life indicates faster remediation."