Ghost Linux vulnerability can be exploited through WordPress, other PHP apps

Some Web applications written in PHP call a vulnerable glibc function, potentially opening the door to attacks

A critical vulnerability in glibc, a core Linux library, can be exploited remotely through WordPress and likely other PHP applications to compromise Web servers.

The buffer overflow vulnerability, dubbed Ghost, was reported Tuesday by researchers from security vendor Qualys. It is identified as CVE-2015-0235 in the Common Vulnerabilities and Exposures database.

The bug is located in the gethostbyname*() functions of the glibc (GNU C Library) version 2.17 and older. It was fixed in glibc-2.18, released in May 2013, but it wasn't flagged as a security vulnerability at the time.

As a result, some Linux distributions, especially those developed for long-term support, did not backport the patch and were still using vulnerable glibc versions when the Qualys researchers identified the security implications of the bug during a code audit.

Exploiting the vulnerability for remote code execution also depends on other factors, like whether the targeted application uses the glibc gethostbyname*() functions and in what context. Researchers identified that clockdiff, procmail, pppd and the Exim mail server software could be used as attack vectors to some extent.

However, researchers from website security research firm Sucuri said Wednesday that they have good reasons to believe the flaw can also be exploited through Web applications written in PHP that use gethostbyname() function wrappers. This has the potentially to significantly expand the attack vectors.

One clear example of such a PHP application is WordPress, which uses a function called wp_http_validate_url() to validate the URLs of pingback posts.

"It does so by using gethostbyname(), so an attacker could leverage this vector to insert a malicious URL that would trigger a buffer overflow bug, server-side, potentially allowing him to gain privileges on the server," Sucuri senior vulnerability researcher Marc-Alexandre Montpas said in a blog post.

In a comment to Montpas's blog post, HD Moore, chief research officer at Rapid7 and main developer of the Metasploit penetration testing tool, posted a PHP command that can be used to check if a Web server is vulnerable.

Then Thursday, security researchers from Trustwave SpiderLabs created a proof-of-concept script to trigger the glibc buffer overflow though the WordPress pingback feature.

"This PoC allows users to remotely verify if a target web server is vulnerable to the CVE however it does not demonstrate exploitability," they said in a blog post.

Nevertheless, WordPress users are advised to disable the XML-RPC process completely or to block pingback requests. Server administrators are advised to update their versions of glibc as soon as possible.

Debian 7 (wheezy), Red Hat Enterprise Linux 6 and 7, CentOS 6 and 7 and Ubuntu 12.04 were among the Linux distributions identified as vulnerable and which have since released patches.

"When attackers are attempting to exploit this vulnerability against your web servers, there will most likely be error messages (segmentation faults, etc...) that will indicate a problem," the Trustwave researchers said. "Organizations should be vigilant in monitoring their logs and following up on an anomalous errors."

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Tags patchesintrusiontrustwavesecuritypatch managementSucuriExploits / vulnerabilitiesqualys

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Most Popular Reviews

Latest News Articles

Resources

PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?