Proof of concept Wordpress Ghost attack appears

Hackers could exploit the Ghost Linux bug using Wordpress based cyber attacks, according to researchers at Trustwave.

Trustwave produced a proof of concept (POC) cyber attack to prove its claim. Vice president of security research at Trustwave Ziv Mador told V3 the POC will work on all vulnerable Linux systems and showcases how hackers could exploit Ghost.

"The Proof of Concept code can be used to check whether a remote web server is vulnerable to Ghost. It works by sending an XML request to the XML-RPC Pingback functionality of WordPress which includes a long URL," he explained.

"The POC code works both on patched and unpatched versions but they will respond in a different way thus allowing the researcher or administrator to determine whether the server is patched or not."

Amol Sarwate, director of Qualys' Vulnerability Labs, reported Ghost in a threat advisory on Tuesday, warning that it could be used to hijack control of a victim's system.

"The Ghost (CVE-2015-0235) vulnerability is a serious weakness in the Linux glibc library. It allows attackers to remotely take complete control of the victim system without having any prior knowledge of system credentials," read the advisory.

Ghost relates to a flaw in the GNU C Library (glibc) used in many Linux versions and affects several implementations of the operating system.

"The first vulnerable version of the GNU C Library affected by this is glibc-2.2, released on 10 November 2000," explained Sarwate.

"We identified a number of factors that mitigate the impact of this bug. In particular, we discovered that it was fixed on 21 May 2013.

"Unfortunately, it was not recognised as a security threat; as a result, most stable and long-term support distributions were left exposed, including Debian 7 (wheezy), Red Hat Enterprise Linux 6 and 7, CentOS 6 and 7, and Ubuntu 12.04, for example."

It is currently unclear whether Ghost is being actively exploited, although Qualys believes that hackers could bypass many traditional defences.

"During our testing, we developed a proof-of-concept in which we send a specially created email to a mail server and can get a remote shell to the Linux machine," read the advisory.

"This bypasses all existing protections (like ASLR, PIE and NX) on both 32-bit and 64-bit systems."

Other members of the security community seem less concerned about the Ghost bug. Pawan Kinger, director of Trend Micro's Deep Security Labs, said in a blog post that there are three key reasons why hackers are unlikely to take notice of Ghost.

"This vulnerability has long been patched. The underlying problem was first introduced into glibc in 2000, but was fixed by May 2013. This means that many newer Linux operating systems were never at risk," he said.

"Secondly, not all applications are at equal risk. Exploitation is very difficult as an attacker only has a small amount of initial exploit code that can be used: four or eight bytes.

"Third, the functions that are the subject of this vulnerability are obsolete. They cannot be used to translate domain names to IPv6 addresses; newer applications use the getaddrinfo() function, which does have IPv6 support."

Rapid7 chief research officer H D Moore agreed. "This is not the end of the internet as we know it, nor is it another Heartbleed. In a general sense, it's not likely to be an easy bug to exploit," he said.

"Still, it could potentially be nasty if exploited so we strongly recommend immediate patching and rebooting. Without a reboot, services using the old library will not be restarted."

Despite the researchers' claims Ghost did prompt the US Computer Emergency Response Team (CERT) to issue an advisory on the bug.

The CERT team issued the call in a threat advisory less than a day after the Ghost flaw was reported by researchers at Qualys.

"This bug is reachable locally and remotely via the gethostbyname*() functions, and arbitrary code execution can be achieved by use of the buffer overflow," read the CERT advisory.

"All versions of glibc from glibc-2.2 (released 2010-11-10) until glibc-2.17 are vulnerable."

Ghost follows the recent discovery of several dangerous cyber threats. Trend Micro engineers reported uncovering evolved versions of the kjw0rm and Sir DoOoM malwarebeing developed on a bogus computer enthusiast site earlier in January.