Skip to main content

GHOST Vulnerability Puts Linux Systems at Risk | Optiv

February 05, 2015

A critical security vulnerability in the GNU C library, CVE-2015-0235 (a.k.a. “GHOST”), was reported on January 27, 2015. Many Linux systems are vulnerable to remote code execution, including enterprise and Long Term Support distributions.

How serious is the risk?

This is an extremely serious flaw affecting a number of different Linux operating system versions. The vulnerability exists within a popular Linux library and is remotely exploitable for systems and applications that utilize a function common to network programming used to perform a lookup by hostname. Any networked service or application utilizing the function is potentially vulnerable. Exploitation could lead to a complete compromise of the underlying server, negatively impacting the availability, integrity and confidentiality of the system, application and/or data within. This could result in a negative business impact, including, but not limited to, a direct loss of revenue or brand image damage.

What is the flaw?

The vulnerability is due to an insufficient check of a buffer length, allowing for a memory overwrite equal to the size of a char pointer. This equates to a buffer overflow of up to 4 bytes on 32-bit systems and 8-bytes on 64-bit systems. The vulnerability affects the “gethostbyname() and “gethostbyname2()” functions; therefore, networked programs utilizing these function calls and vulnerable libraries are potentially exploitable. Although the overflow is relatively small, security researchers have announced a working proof-of-concept exploit to gain remote code execution on an affected system. A patch was introduced on May 21, 2013.

A patch exists, so what’s the big deal?

Patching glibc is a little different than a library like OpenSSL due to kernel and build tool dependencies. To work around this, vendors often standardize on one version of glibc and then backport the security patches as needed.

Although the bug was fixed in glibc-2.18, it was not categorized as security-related at that time. Therefore, the fix did not make it into most stable and LTS Linux distributions. As a result, many systems are currently unpatched and vulnerable, such as Debian 7 (wheezy), Red Hat Enterprise Linux 6 & 7, CentOS 6 & 7 and Ubuntu 12.04. No public exploit code is currently known; however, Qualys plans on releasing a Metasploit module in the near future.

Am I vulnerable?

Linux systems running glibc-2.2 through glibc-2.17 are affected by the GHOST vulnerability. As mentioned above, the below distributions were identified as being vulnerable. Please note, this should not be considered a comprehensive list but includes the most notable distributions.

  • Debian 7 (wheezy)
  • RHEL 6 & 7
  • CentOS 6 & 7
  • Ubuntu 12.04

Exploiting the vulnerability for remote code execution also depends on other factors like whether the targeted application uses the glibc gethostname*() functions and in what context. Clockdiff, procmail, pppd, Wordpress and the Exim mail server software have been identified as being used as attack vectors to some extent.

Qualys provided the following proof-of-concept source code to test local Linux installations for susceptibility to the GHOST vulnerability:



#define CANARY "in_the_coal_mine"

struct {

  char buffer[1024];
  char canary[sizeof(CANARY)];
} temp = { "buffer", CANARY };

int main(void) {
  struct hostent resbuf;
  struct hostent *result;
  int herrno;
  int retval;

  /*** strlen (name) = size_needed - sizeof (*host_addr) - sizeof (*h_addr_ptrs) - 1; ***/
  size_t len = sizeof(temp.buffer) - 16*sizeof(unsigned char) - 2*sizeof(char *) - 1;

  char name[sizeof(temp.buffer)];
  memset(name, '0', len);
  name[len] = '\0';

  retval = gethostbyname_r(name, &resbuf, temp.buffer, sizeof(temp.buffer), &result, &herrno);

  if (strcmp(temp.canary, CANARY) != 0) {
if (retval == ERANGE) {
    puts("not vulnerable");
    puts("should not happen");

Compile the code with “gcc GHOST.c –o GHOST”, and you should expect to see one of the following messages depending on your version of glibc:

Running on Ubuntu 12.04.5 LTS (glibc-2.15):


Running on Ubuntu 14.04.1 LTS (glibc-2.19):

not vulnerable

Next Steps

Currently, FishNet Security is working with its partners and clients to help detect and remediate the GHOST vulnerability. Our Security Assessments team is offering a GHOST Vulnerability Assessment to help determine whether your system is at risk.


Related Blogs

March 14, 2018

Observations on Smoke Tests – Part 1

Smoke testing in the traditional definition is most often used to assess the functionality of key software features to determine if they work or perfo...

See Details

April 18, 2018

Testing Password Reset Token Predictability with the Reset-A-Tron Burp Extension

Most web applications provide a 'forgot my password' feature where a recovery or reset token is delivered to the associated account email address. Usu...

See Details

April 13, 2018

Observations on Smoke Tests – Part 2

There are a variety of scanning tools in the market today, from commercial to open source. Some are intended only for identifying a particular vulnera...

See Details

How Can We Help?

Let us know what you need, and we will have an Optiv professional contact you shortly.

Privacy Policy

Stay in the Know

For all the latest cybersecurity and Optiv news, subscribe to our blog and connect with us on Social.


Join our Email List

We take your privacy seriously and promise never to share your email with anyone.

Stay Connected

Find cybersecurity Events in your area.