Academic co-authors Adam Bates, Joe Pletcher, Tyler Nichols, Dave Tian and
iSEC engineer Braden Hollembaek had a pair of interesting papers published at
the 2014 Conference on Computer and Communications Security and the 2014
Internet Measurement Conference, respectively.
In “Securing SSL Certificate Verification through Dynamic Linking”, the paper
introduces CertShim, a lightweight retrofit to existing SSL/TLS
implementations that provides new mechanisms to address: vulnerabilities in
legacy software, improper usage of existing libraries, and the swift
bootstrapping of new enhancements. This is accomplished by dynamically hooking
calls to the certificate validation entry points in the OpenSSL, PolarSSL, and
GnuTLS libraries via an LD_PRELOAD shim. The paper also demonstrates
CertShim’s extensibility by adapting it to work with Convergence, DANE, and
Client-Based Key Pinning. CertShim imposes only a modest 20ms overhead for an
SSL verification call and, by coarse estimate, hooks the SSL dependencies of
94% of Ubuntu’s most popular packages with no changes necessary to existing
applications. This work creates a framework to help increase the system-wide
security of SSL communications in non-browser software, while simultaneously
reducing the barriers to evaluating and adopting alternative proposals to the
certificate authority system.
For context leading into the second paper, it should be pointed out that in
2011 Moxie Marlinspike proposed a CA alternative, Convergence, that extends
the Network Perspectives system of multi-path probing to perform certificate
verification. Unfortunately, adoption of Convergence and other SSL/TLS trust
enhancements has been slow.
Some adoption concerns are addressed in “Forced Perspectives: Evaluating an
SSL Trust Enhancement at Scale”, where the question is asked “What if all
certificates were validated with Convergence?” In this paper, a case study of
deploying Convergence under realistic workloads with a university-wide trace
of real-world HTTPS activity is performed. By synthesizing Convergence
requests, it is possible to effectively simulate perspectives-based
verification on an entire university. The paper demonstrates that, through
local and server caching, a single Convergence deployment can meet the
requirements of millions of SSL flows while imposing under 0.1% network
overhead and requiring as little as 108ms to validate a certificate, making
Convergence a worthwhile candidate for further deployment and adoption.
Links to the papers and source code can be found here:
CertShim Paper: certshim_ccs14.pdf
Source code for CertShim: https://bitbucket.org/uf_sensei/cert-shim
Please keep in mind that CertShim is part of an ongoing research project that
relies on unstable function hooks into version-dependent libraries, and as
such, should not be used as a production security resource.
Forced Perspectives Paper: forced_perspectives_imc14.pdf
iSEC Partners is happy to announce the availability of a
tool to help those wishing to
better secure their database applications and users. It is a simple command
line tool that can monitor Microsoft SQL Server for a period of query activity
and then return the smallest set of permissions necessary to execute all of
the monitored queries.
Unnecessary permissions granted to users and applications can be a significant
threat if or when those credentials can be used by an attacker. Maybe a
database user who normally only queries a couple of static views leaves their
password on a text file on a laptop that gets compromised. Or perhaps an
application has a SQL Injection flaw allowing nefarious ne’er do wells to
issue arbitrary SQL statements against the database. Both of these cases can
lead to painful breaches where large data sets are exfiltrated, modified or
even just wantonly deleted. The SQL Permissions tool will help determine the
most restrictive set of permissions that are actually needed.
This can be useful for developers of new applications, as well as for applications
that already exist. The key in either case is to execute all of the logic or
activities that permissions are desired for, as the tool will only calculate a
permission for queries it observes. In some cases, an application developer
could do even better by isolating high-risk privileges in separate
components using different database credentials, thereby segregating the risk
that highly privileged operations carry. Though the tool cannot help
rearchitect an application, it can provide the list of permissions required,
and reviewing that list gives a useful view of the permissions actually needed.
The tool is now open sourced and available on iSEC’s
GitHub page. It does not support
every kind of potential SQL statement that can be executed, but covers the
most common queries used in runtime application scenarios. The tool uses
assemblies only available from SQL Server Profiler, so it requires a SQL
Server version that includes Profiler installed locally, even when working from trace
files. Notably, that does not include the SQL Express editions. These
assemblies are not included in the tool, and are not available for
redistribution. It has been tested on SQL Server 2012 and 2014, though it
likely works on other editions, as the underlying profiling and tracing
technology has not significantly changed.
Good luck, and have fun locking down everything!
## Executive Summary
An alert about a severe vulnerability discovered by the Qualys security team was issued on Tuesday, January 27 2015. This vulnerability allows a local or remote attacker to execute code within the context of an application linked with certain versions of the glibc library. The vulnerability is triggered by a buffer overflow in the gethostbyname() function, called when resolving a hostname to an IP address.
Immediate patches are required to fix a vulnerability in glibc that allows arbitrary code execution by unauthenticated users. It is necessary to restart computers or processes following patching.
Ghost enables code execution, arbitrary data disclosure, and system compromise by unauthenticated remote attackers. The ways in which a system could be vulnerable to this bug are numerous, and no exhaustive list could be compiled. Patching is required immediately, as a proof-of-concept is soon to be publicly released.
## What is vulnerable?
This vulnerability has been present in production glibc versions since November 2000, and has been fixed in the source tree since May 2013:
- glibc 2.2 through 2.17 (inclusive) are vulnerable
- glibc 2.18 through 2.20 (inclusive) are NOT vulnerable
- prior versions of glibc (<= 2.1.3) are NOT vulnerable
Even if you are not directly using the gethostbyname() function, a large number of software packages incorporate the call and are vulnerable.
Services and software that can be exploited include, but are not limited to:
- clockdiff
- procmail
- pppd (SUID root)
- Exim Internet Mailer
An exploit has been written against Exim, and a working PoC is soon to be publicly disclosed.
## Who is vulnerable?
- Organizations that ship applications statically linked against vulnerable versions of glibc, or ship appliances built on Linux distributions that have a vulnerable version of glibc. This includes virtual appliances/virtual machines.
- Organizations or end users that have a Linux desktop or server running with a vulnerable version of glibc, or use applications statically linked against a vulnerable version of glibc. This also extends to appliances and virtual machines. Since this vulnerability has been present in glibc for over a decade, out of date or EOL’d devices are likely to be vulnerable as well.
The following Linux distributions contain a vulnerable version of glibc:

| Distribution | Version | Status | Notes |
| --- | --- | --- | --- |
| Ubuntu | 10.04 LTS | fix available | fixed in libc6 2.11.1-0ubuntu7.20 |
| Ubuntu | 12.04 LTS | fix available | fixed in libc6 2.15-0ubuntu10.10 |
| Ubuntu | 14 and newer | not vulnerable | |
| Debian | 6.x - squeeze | vulnerable | |
| Debian | 6.x - squeeze (LTS) | vulnerable | |
| Debian | 7.x - wheezy | vulnerable | |
| Debian | 7.x - wheezy (security) | fix available | fixed in glibc 2.13-38+deb7u7 |
| Debian | 8.0 - jessie | not vulnerable | |
| Debian | dev - sid | not vulnerable | |
| Red Hat Enterprise | Desktop (v. 5) | fix available | fixed in glibc-2.5-123.el5_11.1 |
| Red Hat Enterprise | Desktop (v. 6) | fix available | fixed in glibc-2.12-1.149.el6_6.5 |
| Red Hat Enterprise | Desktop (v. 7) | fix available | fixed in glibc-2.17-55.el7_0.5 |
| Red Hat Enterprise | HPC Node (v. 6) | fix available | fixed in glibc-2.12-1.149.el6_6.5 |
| Red Hat Enterprise | HPC Node (v. 7) | fix available | fixed in glibc-2.17-55.el7_0.5 |
| Red Hat Enterprise | Server (v. 5) | fix available | fixed in glibc-2.5-123.el5_11.1 |
| Red Hat Enterprise | Server (v. 6) | fix available | fixed in glibc-2.12-1.149.el6_6.5 |
| Red Hat Enterprise | Server (v. 7) | fix available | fixed in glibc-2.17-55.el7_0.5 |
| Red Hat Enterprise | Server EUS (v. 6.6.z) | fix available | fixed in glibc-2.12-1.149.el6_6.5 |
| Red Hat Enterprise | Workstation (v. 6) | fix available | fixed in glibc-2.12-1.149.el6_6.5 |
| Red Hat Enterprise | Workstation (v. 7) | fix available | fixed in glibc-2.17-55.el7_0.5 |
| Red Hat Enterprise | RHEL 4 ELS | fix available | fixed in glibc-2.3.4-2.57.el4.2 |
| Mint | 13 "Maya" | fix available | tracks Ubuntu 12.04, should get update from Ubuntu servers |
| Mint | 17 "Qiana" | not vulnerable | |
| Mint | 17.1 "Rebecca" | not vulnerable | |
| Gentoo | stable | not vulnerable | uses glibc 2.19-r1 |
| Arch | anything recent | not vulnerable | fixed in all releases since August 2013 |
| Fedora | 19 and earlier | vulnerable | uses glibc 2.17 and earlier |
| Fedora | 20 | not vulnerable | uses glibc 2.18 |
| Fedora | 21 | not vulnerable | uses glibc 2.20 |
| Mandriva Linux | all | vulnerable | appears to use glibc 2.16 |
| openSUSE | Enterprise 11 & older | vulnerable | |
| openSUSE | Enterprise 12 | not vulnerable | |
| openSUSE | openSUSE 13.1 & newer | not vulnerable | |
| Slackware | current | not vulnerable | uses glibc 2.20 |
| Slackware | 14.1 and earlier | vulnerable | uses glibc 2.17 and earlier |
| Knoppix | 7.2 and earlier | vulnerable | uses glibc 2.17 and earlier |
| Knoppix | 7.4 and later | not vulnerable | uses glibc 2.19 and later |
| Slax | all | vulnerable | appears to use glibc 2.15 |
| CentOS | CentOS-5 | fix available | fixed in glibc-2.5-123.el5_11 |
| CentOS | CentOS-6 | fix available | fixed in glibc-2.12-1.149.el6_6.5 |
| CentOS | CentOS-7 | fix available | fixed in glibc-2.17-55.el7_0.5 |
## Patching
iSEC and Matasano recommend performing the following discovery and remediation steps.
### Discovery
First, determine if your Linux distribution is vulnerable. Either consult the [table above](#versions), contact your vendor, or get the version from the library itself. To do the latter, run `locate libc.so.6` to find the location of your libc, then execute that file directly; it will print out its version information.
### Fix
If your distribution has patches available, install those patches. Otherwise:
* Update to glibc 2.18 or newer
* Restart all processes that load the glibc library
* Issue new binaries for software statically linked against a vulnerable version of the glibc library.
## Technical Overview
The [__nss_hostname_digits_dots()](https://sourceware.org/git/?p=glibc.git;a=blobdiff;f=nss/digits_dots.c;h=e007ef47a41b69437655c26565689be393705a82;hp=2b862956e9a8c39bbccbea982add1d7ab2d16ab2;hb=d5dd6189d506068ed11c8bfa1e1e9bffde04decd;hpb=fef94eab0bd308d5059a2588c753bf9a4926845d) function of the GNU C Library (glibc) is vulnerable to a buffer overflow. This function incorrectly calculates the size of a buffer to allocate, and under certain circumstances, arbitrary data can overwrite adjacent memory, resulting in a heap-based buffer overflow. While only a maximum of four (4) bytes of memory can be overwritten, it has been demonstrated that this is enough to bypass exploitation mitigations (such as ASLR and PIE) and gain code execution. The `__nss_hostname_digits_dots()` function is usually not called directly but is called from the `gethostbyname()` and `gethostbyname2()` glibc functions.
In practice, this can be exploited whenever the hostname passed is long enough (at least 1KB) and passes other sanity checks:
* The hostname is composed entirely of digits and dots
* The hostname starts and ends with a digit
* The hostname must be of the form of `a`, `a.b`, `a.b.c` or `a.b.c.d`
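As an added example (not code from the advisory, Qualys, or iSEC/Matasano), the two C checks below mirror the discovery step and the trigger conditions listed above: one classifies a glibc version string against the vulnerable range 2.2 through 2.17, and one recognises a hostname of the shape that can reach the flawed allocation, so that a wrapper around `gethostbyname()` can refuse such names instead of resolving them. The function names, the sample-input helper and the 1024-byte threshold used for "at least 1KB" are assumptions made for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* 1 if a "MAJOR.MINOR..." version string lies in the range the advisory
 * gives as vulnerable (2.2 .. 2.17); 0 otherwise, including unparsable input. */
int glibc_version_vulnerable(const char *ver)
{
    int major = 0, minor = 0;
    if (!ver || sscanf(ver, "%d.%d", &major, &minor) != 2)
        return 0;
    return major == 2 && minor >= 2 && minor <= 17;
}

/* 1 if 'host' has the shape listed for reaching __nss_hostname_digits_dots():
 * digits and dots only, first and last characters digits, no empty field
 * (so a, a.b, a.b.c or a.b.c.d), at most four fields, and at least 1 KB long
 * (1024 bytes assumed here). Such names can be rejected before resolving. */
int ghost_shaped_hostname(const char *host)
{
    size_t len, i, fields = 1;
    if (!host || (len = strlen(host)) < 1024)
        return 0;
    if (!isdigit((unsigned char)host[0]) ||
        !isdigit((unsigned char)host[len - 1]))
        return 0;
    for (i = 0; i < len; i++) {
        if (host[i] == '.') {
            if (host[i + 1] == '.')   /* consecutive dots: empty field */
                return 0;
            fields++;
        } else if (!isdigit((unsigned char)host[i])) {
            return 0;
        }
    }
    return fields <= 4;
}

/* Constructed sample input, not from the advisory: a 1199-byte all-digit
 * name split into 'fields' non-empty dot-separated fields (1 to 12). */
static char sample_host[1200];
const char *constructed_numeric_host(int fields)
{
    size_t i, n = sizeof(sample_host) - 1;
    memset(sample_host, '7', n);
    sample_host[n] = '\0';
    for (i = 1; i < (size_t)fields; i++)
        sample_host[i * 100] = '.';
    return sample_host;
}
```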
## References
* [CVE-2015-0235](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0235)
* [https://community.qualys.com/blogs/laws-of-vulnerabilities/2015/01/27/the-ghost-vulnerability](https://community.qualys.com/blogs/laws-of-vulnerabilities/2015/01/27/the-ghost-vulnerability)
* [https://www.qualys.com/research/security-advisories/GHOST-CVE-2015-0235.txt](https://www.qualys.com/research/security-advisories/GHOST-CVE-2015-0235.txt)
* [http://ma.ttias.be/critical-glibc-update-cve-2015-0235-gethostbyname-calls/](http://ma.ttias.be/critical-glibc-update-cve-2015-0235-gethostbyname-calls/)
* [http://www.frsag.org/pipermail/frsag/2015-January/005722.html](http://www.frsag.org/pipermail/frsag/2015-January/005722.html)
* [https://sourceware.org/bugzilla/show_bug.cgi?id=15014](https://sourceware.org/bugzilla/show_bug.cgi?id=15014)
* [https://rhn.redhat.com/errata/RHSA-2015-0090.html](https://rhn.redhat.com/errata/RHSA-2015-0090.html)
* [https://launchpad.net/ubuntu/+source/eglibc](https://launchpad.net/ubuntu/+source/eglibc)
* [https://security-tracker.debian.org/tracker/CVE-2015-0235](https://security-tracker.debian.org/tracker/CVE-2015-0235)
Jailbreak allows a user to export certificates from Microsoft certificate
stores even if the certificate has been marked as non-exportable; this can be
useful if you need to make backups of the certificates or perform some other
form of testing. The utility was first released in 2007, but at that time was
closed source and OS version dependent, as it patched DLLs in memory. The
new 4.0 release maintains all of the previous functionality but is now
open source (under a BSD license)
and uses a function hooking approach to remove OS version dependencies. There are
pre-compiled binaries
that should work on all versions of Windows from Windows XP up to Windows 8.1
on 32-bit and 64-bit systems.
NCLoader is a simple command-line DLL injection tool for Windows. It takes a
PID or process name as parameter and accounts for systems with a high number
of running processes. Being single-featured, the utility aims for simplicity
with its single C code file implementing the well known
VirtualAllocEx+WriteProcessMemory+CreateRemoteThread method. The code aims for
cleanliness (it compiles without warnings on MSVC) and readability, and includes
verbose error checking. Statically compiled binaries for x86 and x64
architectures are provided.
Check out the ncloader repository.