[guardian-dev] gethostbyname() buffer overflow, nicknamed GHOST

Lee Azzarello lee at guardianproject.info
Thu Jan 29 12:44:08 EST 2015


If you haven't seen the fantastic (!) logo for the latest panic room
worthy C bug that will break the Internet into tiny bits which can
never be assembled again, check this awesome write up.

https://www.qualys.com/research/security-advisories/GHOST-CVE-2015-0235.txt


Of particular note is the PoC using the Exim email server. The author
gets arbitrary code execution by sending a string to a public network
port, which can determine the memory address of a specific piece of
configuration data which is held in memory and when modified can open
up an ACL in the mail server which unlocks the usage of a run()
command which allows the user to run shell code!

It's really impressive, though I do not believe it allows privilege escalation.

-lee


More information about the guardian-dev mailing list