Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]


Groups > comp.lang.python > #85119 > unrolled thread

Ghost vulnerability

Started byRustom Mody <rustompmody@gmail.com>
First post2015-02-02 19:53 -0800
Last post2015-02-03 18:47 +0100
Articles 9 — 6 participants

Back to article view | Back to comp.lang.python


Contents

  Ghost vulnerability Rustom Mody <rustompmody@gmail.com> - 2015-02-02 19:53 -0800
    Re: Ghost vulnerability Chris Angelico <rosuav@gmail.com> - 2015-02-03 15:38 +1100
    Re: Ghost vulnerability Anssi Saari <as@sci.fi> - 2015-02-03 11:53 +0200
      Re: Ghost vulnerability Steven D'Aprano <steve+comp.lang.python@pearwood.info> - 2015-02-03 22:19 +1100
        Re: Ghost vulnerability Michael Torrie <torriem@gmail.com> - 2015-02-03 10:31 -0700
        Re: Ghost vulnerability Anssi Saari <as@sci.fi> - 2015-02-03 21:38 +0200
          Re: Ghost vulnerability Chris Angelico <rosuav@gmail.com> - 2015-02-04 09:08 +1100
          Re: Ghost vulnerability Steven D'Aprano <steve+comp.lang.python@pearwood.info> - 2015-02-04 13:13 +1100
    Re: Ghost vulnerability Marc Aymerich <glicerinu@gmail.com> - 2015-02-03 18:47 +0100

#85119 — Ghost vulnerability

FromRustom Mody <rustompmody@gmail.com>
Date2015-02-02 19:53 -0800
SubjectGhost vulnerability
Message-ID<75fe0f21-3ffb-4649-ad06-0dcbdad631fa@googlegroups.com>
How many people (actually machines) out here are vulnerable?

http://security.stackexchange.com/questions/80210/ghost-bug-is-there-a-simple-way-to-test-if-my-system-is-secure

shows a python 1-liner to check

[toc] | [next] | [standalone]


#85120

FromChris Angelico <rosuav@gmail.com>
Date2015-02-03 15:38 +1100
Message-ID<mailman.18414.1422938311.18130.python-list@python.org>
In reply to#85119
On Tue, Feb 3, 2015 at 2:53 PM, Rustom Mody <rustompmody@gmail.com> wrote:
> How many people (actually machines) out here are vulnerable?
>
> http://security.stackexchange.com/questions/80210/ghost-bug-is-there-a-simple-way-to-test-if-my-system-is-secure
>
> shows a python 1-liner to check

Well, I have one internal disk server that's vulnerable. It's not
accessible to the world, which is why it's still running Ubuntu 10.10,
and it's affected. I'm not too concerned about Huix coming under
attack.

ChrisA

[toc] | [prev] | [next] | [standalone]


#85128

FromAnssi Saari <as@sci.fi>
Date2015-02-03 11:53 +0200
Message-ID<vg3wq3zpbi9.fsf@coffee.modeemi.fi>
In reply to#85119
Rustom Mody <rustompmody@gmail.com> writes:

> How many people (actually machines) out here are vulnerable?
>
> http://security.stackexchange.com/questions/80210/ghost-bug-is-there-a-simple-way-to-test-if-my-system-is-secure
>
> shows a python 1-liner to check

Does that check actually work for anyone? That code didn't segfalt on my
vulnerable Debian system but it did on my router which isn't (since the
router doesn't use glibc). Oh and of course I can't comment on
stinkexchange since I don't have whatever mana points they require...

[toc] | [prev] | [next] | [standalone]


#85135

FromSteven D'Aprano <steve+comp.lang.python@pearwood.info>
Date2015-02-03 22:19 +1100
Message-ID<54d0aeb9$0$12994$c3e8da3$5496439d@news.astraweb.com>
In reply to#85128
Anssi Saari wrote:

> Rustom Mody <rustompmody@gmail.com> writes:
> 
>> How many people (actually machines) out here are vulnerable?
>>
>>
http://security.stackexchange.com/questions/80210/ghost-bug-is-there-a-simple-way-to-test-if-my-system-is-secure
>>
>> shows a python 1-liner to check
> 
> Does that check actually work for anyone? That code didn't segfalt on my
> vulnerable Debian system but it did on my router which isn't (since the
> router doesn't use glibc). Oh and of course I can't comment on
> stinkexchange since I don't have whatever mana points they require...

Here's the one-liner:

python -c 'import socket;y="0"*50000000;socket.gethostbyname(y)'


I think it is likely that y="0"*50000000 would segfault due to lack of
memory on many machines. I wouldn't trust this as a test.




-- 
Steven

[toc] | [prev] | [next] | [standalone]


#85165

FromMichael Torrie <torriem@gmail.com>
Date2015-02-03 10:31 -0700
Message-ID<mailman.18437.1422984725.18130.python-list@python.org>
In reply to#85135
On 02/03/2015 04:19 AM, Steven D'Aprano wrote:
> Anssi Saari wrote:
> 
>> Rustom Mody <rustompmody@gmail.com> writes:
>>
>>> How many people (actually machines) out here are vulnerable?
>>>
>>>
> http://security.stackexchange.com/questions/80210/ghost-bug-is-there-a-simple-way-to-test-if-my-system-is-secure
>>>
>>> shows a python 1-liner to check
>>
>> Does that check actually work for anyone? That code didn't segfalt on my
>> vulnerable Debian system but it did on my router which isn't (since the
>> router doesn't use glibc). Oh and of course I can't comment on
>> stinkexchange since I don't have whatever mana points they require...
> 
> Here's the one-liner:
> 
> python -c 'import socket;y="0"*50000000;socket.gethostbyname(y)'
> 
> 
> I think it is likely that y="0"*50000000 would segfault due to lack of
> memory on many machines. I wouldn't trust this as a test.

I ran it on both my servers (each running a different version of the OS)
which were recently updated to Red Hat's latest version of glibc that
fixes the problem, and both of them segfault with this one liner.

[toc] | [prev] | [next] | [standalone]


#85169

FromAnssi Saari <as@sci.fi>
Date2015-02-03 21:38 +0200
Message-ID<vg3r3u6pyyy.fsf@coffee.modeemi.fi>
In reply to#85135
Steven D'Aprano <steve+comp.lang.python@pearwood.info> writes:

> Here's the one-liner:
>
> python -c 'import socket;y="0"*50000000;socket.gethostbyname(y)'
>
>
> I think it is likely that y="0"*50000000 would segfault due to lack of
> memory on many machines. I wouldn't trust this as a test.

Hmm, how much RAM does that one-liner actually need? My router has 128 
MB total RAM with about 90 MB free. So it can store the string once but
if it's copied with the gethostbyname call then it'll run out...

According to a Reddit thread
(http://www.reddit.com/r/Python/comments/2u7ghu/python_socketgethostbyname_is_not_affected_by/)
Python's socket.gethostbyname() doesn't actually even call the
gethostbyname function in glibc, it uses the newer getaddrinfo instead.
So it's a little unlikely to cause a segfault because of the Ghost vuln :)

Anyways, here's an example calling gethostbyname directly in python:

from ctypes import CDLL
o = CDLL('libc.so.6')
for i in range(0, 2500):
    o.gethostbyname('0'*i)

I don't have a vulnerable system to test on any more though.

[toc] | [prev] | [next] | [standalone]


#85178

FromChris Angelico <rosuav@gmail.com>
Date2015-02-04 09:08 +1100
Message-ID<mailman.18444.1423001304.18130.python-list@python.org>
In reply to#85169
On Wed, Feb 4, 2015 at 6:38 AM, Anssi Saari <as@sci.fi> wrote:
> Anyways, here's an example calling gethostbyname directly in python:
>
> from ctypes import CDLL
> o = CDLL('libc.so.6')
> for i in range(0, 2500):
>     o.gethostbyname('0'*i)
>
> I don't have a vulnerable system to test on any more though.

That bombs on my internal disk server, which is said to be vulnerable
using the C implementation.

ChrisA

[toc] | [prev] | [next] | [standalone]


#85190

FromSteven D'Aprano <steve+comp.lang.python@pearwood.info>
Date2015-02-04 13:13 +1100
Message-ID<54d18066$0$12993$c3e8da3$5496439d@news.astraweb.com>
In reply to#85169
Anssi Saari wrote:

> Steven D'Aprano <steve+comp.lang.python@pearwood.info> writes:
> 
>> Here's the one-liner:
>>
>> python -c 'import socket;y="0"*50000000;socket.gethostbyname(y)'
>>
>>
>> I think it is likely that y="0"*50000000 would segfault due to lack of
>> memory on many machines. I wouldn't trust this as a test.
> 
> Hmm, how much RAM does that one-liner actually need? My router has 128
> MB total RAM with about 90 MB free. So it can store the string once but
> if it's copied with the gethostbyname call then it'll run out...

In Python 2, "0" is a byte (plus object header), so about 50MB give or take.

In Python 3, "0" is a unicode string, so depending on whether you have a 
"narrow" or "wide" build, or version 3.3+, that could take 1, 2 or 4 bytes 
per character. So potentially 50, 100 or 200MB (plus a few extra bytes for 
the object header).


> Anyways, here's an example calling gethostbyname directly in python:
> 
> from ctypes import CDLL
> o = CDLL('libc.so.6')
> for i in range(0, 2500):
>     o.gethostbyname('0'*i)
> 
> I don't have a vulnerable system to test on any more though.


I stuck a "print i" just before the call to gethostbyname, and it got to i = 
1004 and then crashed:


*** glibc detected *** python2.7: realloc(): invalid next size: 0x08b9a7c0 
***


with a page or three of diagnostics.


-- 
Steve

[toc] | [prev] | [next] | [standalone]


#85167

FromMarc Aymerich <glicerinu@gmail.com>
Date2015-02-03 18:47 +0100
Message-ID<mailman.18438.1422985645.18130.python-list@python.org>
In reply to#85119

[Multipart message — attachments visible in raw view] — view raw

On Tue, Feb 3, 2015 at 4:53 AM, Rustom Mody <rustompmody@gmail.com> wrote:

> How many people (actually machines) out here are vulnerable?
>
>
> http://security.stackexchange.com/questions/80210/ghost-bug-is-there-a-simple-way-to-test-if-my-system-is-secure
>
> shows a python 1-liner to check
> --
> https://mail.python.org/mailman/listinfo/python-list
>



Not very reliable in my experience,

this python test does segfault on my *patched* Debian machine

root@web:~# python -c 'import socket;y="0"*50000000;socket.gethostbyname(y)'
Segmentation fault

However, the other test proposed on stackechange correctly reports that I'm
not vulnerable ;)
root@web:/tmp# wget
https://webshare.uchicago.edu/orgs/ITServices/itsec/Downloads/GHOST.c
root@web:/tmp# gcc GHOST.c -o GHOST
root@web:/tmp# ./GHOST
not vulnerable


-- 
Marc

[toc] | [prev] | [standalone]


Back to top | Article view | comp.lang.python


csiph-web