Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]
Groups > comp.lang.python > #85119 > unrolled thread
| Started by | Rustom Mody <rustompmody@gmail.com> |
|---|---|
| First post | 2015-02-02 19:53 -0800 |
| Last post | 2015-02-03 18:47 +0100 |
| Articles | 9 — 6 participants |
Back to article view | Back to comp.lang.python
Ghost vulnerability Rustom Mody <rustompmody@gmail.com> - 2015-02-02 19:53 -0800
Re: Ghost vulnerability Chris Angelico <rosuav@gmail.com> - 2015-02-03 15:38 +1100
Re: Ghost vulnerability Anssi Saari <as@sci.fi> - 2015-02-03 11:53 +0200
Re: Ghost vulnerability Steven D'Aprano <steve+comp.lang.python@pearwood.info> - 2015-02-03 22:19 +1100
Re: Ghost vulnerability Michael Torrie <torriem@gmail.com> - 2015-02-03 10:31 -0700
Re: Ghost vulnerability Anssi Saari <as@sci.fi> - 2015-02-03 21:38 +0200
Re: Ghost vulnerability Chris Angelico <rosuav@gmail.com> - 2015-02-04 09:08 +1100
Re: Ghost vulnerability Steven D'Aprano <steve+comp.lang.python@pearwood.info> - 2015-02-04 13:13 +1100
Re: Ghost vulnerability Marc Aymerich <glicerinu@gmail.com> - 2015-02-03 18:47 +0100
| From | Rustom Mody <rustompmody@gmail.com> |
|---|---|
| Date | 2015-02-02 19:53 -0800 |
| Subject | Ghost vulnerability |
| Message-ID | <75fe0f21-3ffb-4649-ad06-0dcbdad631fa@googlegroups.com> |
How many people (actually machines) out here are vulnerable? http://security.stackexchange.com/questions/80210/ghost-bug-is-there-a-simple-way-to-test-if-my-system-is-secure shows a python 1-liner to check
[toc] | [next] | [standalone]
| From | Chris Angelico <rosuav@gmail.com> |
|---|---|
| Date | 2015-02-03 15:38 +1100 |
| Message-ID | <mailman.18414.1422938311.18130.python-list@python.org> |
| In reply to | #85119 |
On Tue, Feb 3, 2015 at 2:53 PM, Rustom Mody <rustompmody@gmail.com> wrote: > How many people (actually machines) out here are vulnerable? > > http://security.stackexchange.com/questions/80210/ghost-bug-is-there-a-simple-way-to-test-if-my-system-is-secure > > shows a python 1-liner to check Well, I have one internal disk server that's vulnerable. It's not accessible to the world, which is why it's still running Ubuntu 10.10, and it's affected. I'm not too concerned about Huix coming under attack. ChrisA
[toc] | [prev] | [next] | [standalone]
| From | Anssi Saari <as@sci.fi> |
|---|---|
| Date | 2015-02-03 11:53 +0200 |
| Message-ID | <vg3wq3zpbi9.fsf@coffee.modeemi.fi> |
| In reply to | #85119 |
Rustom Mody <rustompmody@gmail.com> writes: > How many people (actually machines) out here are vulnerable? > > http://security.stackexchange.com/questions/80210/ghost-bug-is-there-a-simple-way-to-test-if-my-system-is-secure > > shows a python 1-liner to check Does that check actually work for anyone? That code didn't segfalt on my vulnerable Debian system but it did on my router which isn't (since the router doesn't use glibc). Oh and of course I can't comment on stinkexchange since I don't have whatever mana points they require...
[toc] | [prev] | [next] | [standalone]
| From | Steven D'Aprano <steve+comp.lang.python@pearwood.info> |
|---|---|
| Date | 2015-02-03 22:19 +1100 |
| Message-ID | <54d0aeb9$0$12994$c3e8da3$5496439d@news.astraweb.com> |
| In reply to | #85128 |
Anssi Saari wrote: > Rustom Mody <rustompmody@gmail.com> writes: > >> How many people (actually machines) out here are vulnerable? >> >> http://security.stackexchange.com/questions/80210/ghost-bug-is-there-a-simple-way-to-test-if-my-system-is-secure >> >> shows a python 1-liner to check > > Does that check actually work for anyone? That code didn't segfalt on my > vulnerable Debian system but it did on my router which isn't (since the > router doesn't use glibc). Oh and of course I can't comment on > stinkexchange since I don't have whatever mana points they require... Here's the one-liner: python -c 'import socket;y="0"*50000000;socket.gethostbyname(y)' I think it is likely that y="0"*50000000 would segfault due to lack of memory on many machines. I wouldn't trust this as a test. -- Steven
[toc] | [prev] | [next] | [standalone]
| From | Michael Torrie <torriem@gmail.com> |
|---|---|
| Date | 2015-02-03 10:31 -0700 |
| Message-ID | <mailman.18437.1422984725.18130.python-list@python.org> |
| In reply to | #85135 |
On 02/03/2015 04:19 AM, Steven D'Aprano wrote: > Anssi Saari wrote: > >> Rustom Mody <rustompmody@gmail.com> writes: >> >>> How many people (actually machines) out here are vulnerable? >>> >>> > http://security.stackexchange.com/questions/80210/ghost-bug-is-there-a-simple-way-to-test-if-my-system-is-secure >>> >>> shows a python 1-liner to check >> >> Does that check actually work for anyone? That code didn't segfalt on my >> vulnerable Debian system but it did on my router which isn't (since the >> router doesn't use glibc). Oh and of course I can't comment on >> stinkexchange since I don't have whatever mana points they require... > > Here's the one-liner: > > python -c 'import socket;y="0"*50000000;socket.gethostbyname(y)' > > > I think it is likely that y="0"*50000000 would segfault due to lack of > memory on many machines. I wouldn't trust this as a test. I ran it on both my servers (each running a different version of the OS) which were recently updated to Red Hat's latest version of glibc that fixes the problem, and both of them segfault with this one liner.
[toc] | [prev] | [next] | [standalone]
| From | Anssi Saari <as@sci.fi> |
|---|---|
| Date | 2015-02-03 21:38 +0200 |
| Message-ID | <vg3r3u6pyyy.fsf@coffee.modeemi.fi> |
| In reply to | #85135 |
Steven D'Aprano <steve+comp.lang.python@pearwood.info> writes:
> Here's the one-liner:
>
> python -c 'import socket;y="0"*50000000;socket.gethostbyname(y)'
>
>
> I think it is likely that y="0"*50000000 would segfault due to lack of
> memory on many machines. I wouldn't trust this as a test.
Hmm, how much RAM does that one-liner actually need? My router has 128
MB total RAM with about 90 MB free. So it can store the string once but
if it's copied with the gethostbyname call then it'll run out...
According to a Reddit thread
(http://www.reddit.com/r/Python/comments/2u7ghu/python_socketgethostbyname_is_not_affected_by/)
Python's socket.gethostbyname() doesn't actually even call the
gethostbyname function in glibc, it uses the newer getaddrinfo instead.
So it's a little unlikely to cause a segfault because of the Ghost vuln :)
Anyways, here's an example calling gethostbyname directly in python:
from ctypes import CDLL
o = CDLL('libc.so.6')
for i in range(0, 2500):
o.gethostbyname('0'*i)
I don't have a vulnerable system to test on any more though.
[toc] | [prev] | [next] | [standalone]
| From | Chris Angelico <rosuav@gmail.com> |
|---|---|
| Date | 2015-02-04 09:08 +1100 |
| Message-ID | <mailman.18444.1423001304.18130.python-list@python.org> |
| In reply to | #85169 |
On Wed, Feb 4, 2015 at 6:38 AM, Anssi Saari <as@sci.fi> wrote:
> Anyways, here's an example calling gethostbyname directly in python:
>
> from ctypes import CDLL
> o = CDLL('libc.so.6')
> for i in range(0, 2500):
> o.gethostbyname('0'*i)
>
> I don't have a vulnerable system to test on any more though.
That bombs on my internal disk server, which is said to be vulnerable
using the C implementation.
ChrisA
[toc] | [prev] | [next] | [standalone]
| From | Steven D'Aprano <steve+comp.lang.python@pearwood.info> |
|---|---|
| Date | 2015-02-04 13:13 +1100 |
| Message-ID | <54d18066$0$12993$c3e8da3$5496439d@news.astraweb.com> |
| In reply to | #85169 |
Anssi Saari wrote:
> Steven D'Aprano <steve+comp.lang.python@pearwood.info> writes:
>
>> Here's the one-liner:
>>
>> python -c 'import socket;y="0"*50000000;socket.gethostbyname(y)'
>>
>>
>> I think it is likely that y="0"*50000000 would segfault due to lack of
>> memory on many machines. I wouldn't trust this as a test.
>
> Hmm, how much RAM does that one-liner actually need? My router has 128
> MB total RAM with about 90 MB free. So it can store the string once but
> if it's copied with the gethostbyname call then it'll run out...
In Python 2, "0" is a byte (plus object header), so about 50MB give or take.
In Python 3, "0" is a unicode string, so depending on whether you have a
"narrow" or "wide" build, or version 3.3+, that could take 1, 2 or 4 bytes
per character. So potentially 50, 100 or 200MB (plus a few extra bytes for
the object header).
> Anyways, here's an example calling gethostbyname directly in python:
>
> from ctypes import CDLL
> o = CDLL('libc.so.6')
> for i in range(0, 2500):
> o.gethostbyname('0'*i)
>
> I don't have a vulnerable system to test on any more though.
I stuck a "print i" just before the call to gethostbyname, and it got to i =
1004 and then crashed:
*** glibc detected *** python2.7: realloc(): invalid next size: 0x08b9a7c0
***
with a page or three of diagnostics.
--
Steve
[toc] | [prev] | [next] | [standalone]
| From | Marc Aymerich <glicerinu@gmail.com> |
|---|---|
| Date | 2015-02-03 18:47 +0100 |
| Message-ID | <mailman.18438.1422985645.18130.python-list@python.org> |
| In reply to | #85119 |
[Multipart message — attachments visible in raw view] — view raw
On Tue, Feb 3, 2015 at 4:53 AM, Rustom Mody <rustompmody@gmail.com> wrote: > How many people (actually machines) out here are vulnerable? > > > http://security.stackexchange.com/questions/80210/ghost-bug-is-there-a-simple-way-to-test-if-my-system-is-secure > > shows a python 1-liner to check > -- > https://mail.python.org/mailman/listinfo/python-list > Not very reliable in my experience, this python test does segfault on my *patched* Debian machine root@web:~# python -c 'import socket;y="0"*50000000;socket.gethostbyname(y)' Segmentation fault However, the other test proposed on stackechange correctly reports that I'm not vulnerable ;) root@web:/tmp# wget https://webshare.uchicago.edu/orgs/ITServices/itsec/Downloads/GHOST.c root@web:/tmp# gcc GHOST.c -o GHOST root@web:/tmp# ./GHOST not vulnerable -- Marc
[toc] | [prev] | [standalone]
Back to top | Article view | comp.lang.python
csiph-web