A demonstration of remote code execution of the GHOST vulnerability, delivered as a standalone Metasploit module, is now available. The module remotely exploits CVE-2015-0235 (a.k.a. GHOST, a heap-based buffer overflow in the GNU C Library’s gethostbyname functions) on x86 and x86_64 GNU/Linux systems that run the Exim mail server.

About GHOST

The GHOST vulnerability can be triggered both locally and remotely via all the gethostbyname*() functions in the glibc library that is a core part of the Linux operating system.

The first vulnerable version of the GNU C Library affected by this is glibc-2.2, released on November 10, 2000. The bug was fixed on May 21, 2013 (between the releases of glibc-2.17 and glibc-2.18). Unfortunately, it was not recognized as a security threat, and as a result, most stable and long-term-support distributions were left exposed, including Debian 7 (wheezy), Red Hat Enterprise Linux 6 & 7, CentOS 6 & 7, and Ubuntu 12.04.

Qualys worked closely with Linux distribution vendors and released an advisory and blog post on January 27, 2015 in conjunction with patches for the major distributions available the same day. Qualys held this module until now to allow IT teams time to apply all necessary patches.

Demonstration of Exploit

This module enables Metasploit to get shell access, i.e. remote code execution, against an Exim mail server. If this module’s "check" or "exploit" method determines that a remote system is vulnerable, it is also exploitable.

As described in the notes in the attached exploit file, the Exim mail server and the client attempting remote code execution must meet the following requirements for this exploit to work:

———————————————————————— SERVER-SIDE REQUIREMENTS (Exim) ———————————————————————— The remote system must use a vulnerable version of the GNU C Library: the first exploitable version is glibc-2.6, the last exploitable version is glibc-2.17; older versions might be exploitable too, but this module depends on the newer versions' fd_nextsize (a member of the malloc_chunk structure) to remotely obtain the address of Exim’s smtp_cmd_buffer in the heap. ———————————————————————— The remote system must run the Exim mail server: the first exploitable version is exim-4.77; older versions might be exploitable too, but this module depends on the newer versions' 16-KB smtp_cmd_buffer to reliably set up the heap as described in the GHOST advisory. ———————————————————————— The remote Exim mail server must be configured to perform extra security checks against its SMTP clients: either the helo_try_verify_hosts or the helo_verify_hosts option must be enabled; the "verify = helo" ACL might be exploitable too, but is unpredictable and therefore not supported by this module. ———————————————————————— CLIENT-SIDE REQUIREMENTS (Metasploit) ———————————————————————— This module’s "exploit" method requires the SENDER_HOST_ADDRESS option to be set to the IPv4 address of the SMTP client (Metasploit), as seen by the SMTP server (Exim); additionally, this IPv4 address must have both forward and reverse DNS entries that match each other (Forward-Confirmed reverse DNS). ———————————————————————— The remote Exim server might be exploitable even if the Metasploit client has no FCrDNS, but this module depends on Exim’s sender_host_name variable to be set in order to reliably control the state of the remote heap.

Metasploit Module

Update March 23, 2015: The exploit has been updated and republished. In the original exploit, the existence of certain characters in Exim’s heap address could cause the exploit to fail. In the updated exploit, the likelihood of this type of failure drops to almost zero.

The module is available as a standalone file that can be imported into Metasploit. Those who wish to add this module to their Metasploit Framework should copy the file to the following directory:

modules/exploits/linux/smtp/

Exploit Download: https://www.qualys.com/research/security-advisories/exim_ghost_bof.rb

This exploit is also available through the Core Security Attack Intelligence platform.