I am studying the GHOST (CVE-2015-0235) vulnerability. I found out that my system is vulnerable. I wrote a test program to see the effect of this, but I can't see anything. Here are my attempts:

    user@debian:~$ uname -a 
    Linux debian 3.2.0-4-686-pae #1 SMP Debian 3.2.57-3 i686 GNU/Linux
    user@debian:~$ ./GHOST
    vulnerable
    user@debian:~$ cat ghost-example.c 
    #include <netdb.h>   /* declares gethostbyname() */
    #include <string.h>
    #include <stdio.h>
    #define len 2000000

    struct{
    char buf[len];
    char canary[32];
    }buffer;

    int main(void)
    {
        memset(buffer.buf,'9',len);      /* all digits: the GHOST code path */
        buffer.buf[len-1]='\0';
        strcpy(buffer.canary,"the vulnerable part of program\n");
        gethostbyname(buffer.buf);       /* only reads buf; its result buffer is glibc's own */
        printf("%s", buffer.canary);     /* canary is data, not a format string */
        return 0;
    }
    user@debian:~$ gcc ghost-example.c -o ghost-example
    user@debian:~$ ./ghost-example 
    the vulnerable part of program

I can't find out what happened. What is the difference between gethostbyname(), gethostbyname_r(), gethostbyname2() and gethostbyname2_r()? I have studied this a lot. Can anybody help me? Thanks.

elahe
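The difference the question asks about is where the result buffer lives: gethostbyname() writes into a buffer that glibc itself allocates on the heap, so the extra bytes GHOST writes land inside glibc's heap and never touch a struct in the caller's program, while gethostbyname_r() and gethostbyname2_r() take a caller-supplied buffer, which is what makes the overwrite observable with a canary (gethostbyname2() is the same lookup with an explicit address family). The checker below follows the approach of the GHOST test program published with the Qualys advisory for CVE-2015-0235; it is an added example, not code from the question or the answer, and the CANARY value and the function names are my own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>

#define CANARY "in_the_coal_mine"  /* constructed marker; any fixed string works */

/* Caller-owned result buffer with a canary right behind it. gethostbyname_r()
 * writes into THIS buffer, so a spill of sizeof(char *) bytes lands in view. */
static struct {
    char buffer[1024];
    char canary[sizeof(CANARY)];
} temp = { "buffer", CANARY };

/* Name length at which the vulnerable glibc size check passes exactly:
 * size_needed = sizeof(*host_addr) [16] + sizeof(*h_addr_ptrs) [2 pointers]
 *             + strlen(name) + 1 == buflen.
 * The pointer it forgot to count (h_alias_ptr) is what overflows. */
size_t ghost_probe_len(void)
{
    return sizeof(temp.buffer) - 16 * sizeof(unsigned char) - 2 * sizeof(char *) - 1;
}

/* 1 = canary clobbered (vulnerable); 0 = ERANGE with canary intact (fixed);
 * -1 = any other result (e.g. a non-glibc resolver): inconclusive. */
int ghost_check(void)
{
    struct hostent resbuf, *result;
    int herrno, rc;
    char name[sizeof(temp.buffer)];
    size_t len = ghost_probe_len();

    memset(name, '0', len);                       /* digits only: inet_aton path */
    name[len] = '\0';
    memcpy(temp.canary, CANARY, sizeof(CANARY));  /* fresh canary on every call */

    rc = gethostbyname_r(name, &resbuf, temp.buffer, sizeof(temp.buffer),
                         &result, &herrno);
    if (strcmp(temp.canary, CANARY) != 0)
        return 1;
    return rc == ERANGE ? 0 : -1;
}

int main(void)
{
    int v = ghost_check();
    puts(v == 1 ? "vulnerable" : v == 0 ? "not vulnerable" : "inconclusive");
    return 0;
}
```

The lookup never touches the network: an all-digit name is handled by the digits-and-dots fast path, and a fixed glibc rejects the undersized buffer with ERANGE before copying anything.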

1 Answer

Perhaps you aren't using a large enough buffer? I find this difficult to believe, since 2000000 is huge in the world of buffer overflows.

Alternatively, by coincidence a ret address of 0x39393939 or 0x3939393939393939 is perfectly valid. I find this difficult to believe. You should be seeing a segfault with a trace that ends somewhere around that address.

Most likely, gethostbyname isn't overflowing. Perhaps your diagnosis is incorrect, and your machine is no longer susceptible.

autistic