On January 27, 2015, Qualys publicly released a security advisory in glibc’s gethostbyname set of functions, also known as GHOST, which exposes a heap-based buffer overflow affecting a wide range of operating systems and applications using glibc between versions 2.2 and 2.18. CVE-2015-0235 was assigned to this issue.
The vulnerability was found during a code audit performed internally at Qualys (nice catch btw), and since its release, there have been some discussions around its remote exploitability and whether or not arbitrary code execution could be achieved.
The original advisory noted that Qualys researchers were able to “develop a full-fledged remote exploit against the Exim mail server” bypassing all existing protections, but this exploit was not initially published.
Qualys and CoreLabs have been collaborating to develop and coordinate the publishing of the exploit for Qualys and Core Security customers. Qualys has also been working on an exploit for testing the issue using the Metasploit framework.
Core Security has developed and tested remote code execution exploit targeting Exim mail server starting at version 4.80 for Debian 7 (32/64bits) based on a thoroughly detailed exploit provided by the Qualys team. A new update extending supported platforms will be published soon.
From a configuration standpoint, the target Exim server must be configured to perform extra security checks against the connected clients, either by helo_try_verify or helo_verify_hosts options, and the attacker’s IP address must also have both forward and reverse DNS entries that match each other at the target system’s configured DNS server. It’s also worth noting that this attack does not require the knowledge of any credentials on the target system.
This exploit allows customers to verify and analyze the consequences of an attacker with no credentials compromising the target vulnerable systems and pivoting through these systems, deeper into the target IT infrastructure. The result of exploiting this vulnerability is a Core Impact OS Agent running as a non-privileged user.
This exploit will be available through our Attack Intelligence Platform. For additional information, please contact our customer service team.
We would like to thank Qualys for reaching out and sharing their knowledge on this issue with us, making it possible to deliver this functionality to our customers in a timely manner.
Qualys blog post: https://community.qualys.com/blogs/laws-of-vulnerabilities/2015/03/17/ghost-remote-code-execution-exploit
Qualys blog post: https://community.qualys.com/blogs/laws-of-vulnerabilities/2015/01/27/the-ghost-vulnerability
Qualys advisory: https://community.qualys.com/blogs/laws-of-vulnerabilities/2015/03/17/ghost-remote-code-execution-exploit
GNU C Library: http://www.gnu.org/software/libc/
Oracle Enterprise Linux: https://oss.oracle.com/pipermail/el-errata/2015-January/004810.html