GHOST Remote Code Execution Exploit
Last updated on: December 20, 2022
Table of Contents
A demonstration of remote code execution of the GHOST vulnerability, delivered as a standalone Metasploit module, is now available. The module remotely exploits CVE-2015-0235 (a.k.a. GHOST, a heap-based buffer overflow in the GNU C Library’s gethostbyname functions) on x86 and x86_64 GNU/Linux systems that run the Exim mail server.
About GHOST
The GHOST vulnerability can be triggered both locally and remotely via all the gethostbyname*() functions in the glibc library that is a core part of the Linux operating system.
The first vulnerable version of the GNU C Library affected by this is glibc-2.2, released on November 10, 2000. The bug was fixed on May 21, 2013 (between the releases of glibc-2.17 and glibc-2.18). Unfortunately, it was not recognized as a security threat, and as a result, most stable and long-term-support distributions were left exposed, including Debian 7 (wheezy), Red Hat Enterprise Linux 6 & 7, CentOS 6 & 7, and Ubuntu 12.04.
Qualys worked closely with Linux distribution vendors and released an advisory and blog post on January 27, 2015 in conjunction with patches for the major distributions available the same day. Qualys held this module until now to allow IT teams time to apply all necessary patches.
Demonstration of Exploit
This module enables Metasploit to get shell access, i.e. remote code execution, against an Exim mail server. If this module’s “check” or “exploit” method determines that a remote system is vulnerable, it is also exploitable.
As described in the notes in the attached exploit file, the Exim mail server and the client attempting remote code execution must meet the following requirements for this exploit to work:
————————————————————————
SERVER-SIDE REQUIREMENTS (Exim)
————————————————————————
The remote system must use a vulnerable version of the GNU C Library:
the first exploitable version is glibc-2.6, the last exploitable version
is glibc-2.17; older versions might be exploitable too, but this module
depends on the newer versions’ fd_nextsize (a member of the malloc_chunk
structure) to remotely obtain the address of Exim’s smtp_cmd_buffer in
the heap.
————————————————————————
The remote system must run the Exim mail server: the first exploitable
version is exim-4.77; older versions might be exploitable too, but this
module depends on the newer versions’ 16-KB smtp_cmd_buffer to reliably
set up the heap as described in the GHOST advisory.
————————————————————————
The remote Exim mail server must be configured to perform extra security
checks against its SMTP clients: either the helo_try_verify_hosts or the
helo_verify_hosts option must be enabled; the “verify = helo” ACL might
be exploitable too, but is unpredictable and therefore not supported by
this module.
————————————————————————
CLIENT-SIDE REQUIREMENTS (Metasploit)
————————————————————————
This module’s “exploit” method requires the SENDER_HOST_ADDRESS
option to be set to the IPv4 address of the SMTP client (Metasploit), as
seen by the SMTP server (Exim); additionally, this IPv4 address must
have both forward and reverse DNS entries that match each other
(Forward-Confirmed reverse DNS).
————————————————————————
The remote Exim server might be exploitable even if the Metasploit
client has no FCrDNS, but this module depends on Exim’s sender_host_name
variable to be set in order to reliably control the state of the remote
heap.
Metasploit Module
Update March 23, 2015: The exploit has been updated and republished. In the original exploit, the existence of certain characters in Exim’s heap address could cause the exploit to fail. In the updated exploit, the likelihood of this type of failure drops to almost zero.
The module is available as a standalone file that can be imported into Metasploit. Those who wish to add this module to their Metasploit Framework should copy the file to the following directory:
modules/exploits/linux/smtp/
Exploit Download: https://www.qualys.com/research/security-advisories/exim_ghost_bof.rb
This exploit is also available through the Core Security Attack Intelligence platform.