Re: Ghost vulnerability

2015-02-03 Thread Steven D'Aprano
Anssi Saari wrote:

 Steven D'Aprano steve+comp.lang.pyt...@pearwood.info writes:
 
 Here's the one-liner:

 python -c 'import socket;y=0*5000;socket.gethostbyname(y)'


 I think it is likely that y=0*5000 would segfault due to lack of
 memory on many machines. I wouldn't trust this as a test.
 
 Hmm, how much RAM does that one-liner actually need? My router has 128
 MB total RAM with about 90 MB free. So it can store the string once but
 if it's copied with the gethostbyname call then it'll run out...

In Python 2, 0 is a byte (plus object header), so about 50MB give or take.

In Python 3, 0 is a unicode string, so depending on whether you have a 
narrow or wide build, or version 3.3+, that could take 1, 2 or 4 bytes 
per character. So potentially 50, 100 or 200MB (plus a few extra bytes for 
the object header).


 Anyways, here's an example calling gethostbyname directly in python:
 
 from ctypes import CDLL
 o = CDLL('libc.so.6')
 for i in range(0, 2500):
     o.gethostbyname('0'*i)
 
 I don't have a vulnerable system to test on any more though.


I stuck a print i just before the call to gethostbyname, and it got to i = 
1004 and then crashed:


*** glibc detected *** python2.7: realloc(): invalid next size: 0x08b9a7c0 ***


with a page or three of diagnostics.


-- 
Steve

-- 
https://mail.python.org/mailman/listinfo/python-list
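
Added example, not part of any message in this thread: the ctypes probe quoted above is run in a child interpreter so the parent can tell a glibc abort (SIGABRT), a segfault (SIGSEGV) and a Python-level MemoryError apart, and report the last length tried. The names `PROBE`, `classify` and `run_child` are hypothetical, and the probe is ported to Python 3 (bytes argument) on the assumption that `libc.so.6` is the C library in use.

```python
import signal
import subprocess
import sys

# The thread's ctypes loop, ported to Python 3. Each length is printed and
# flushed before the call so the last one survives a crash of the child.
PROBE = r"""
import ctypes, sys
libc = ctypes.CDLL('libc.so.6')
libc.gethostbyname.argtypes = [ctypes.c_char_p]
libc.gethostbyname.restype = ctypes.c_void_p
for i in range(0, 2500):
    sys.stdout.write('%d\n' % i); sys.stdout.flush()
    libc.gethostbyname(b'0' * i)
"""

def classify(returncode, stderr=""):
    """Turn a child's exit status into a statement about how it ended."""
    if returncode == 0:
        return "clean exit"
    if returncode < 0:  # subprocess reports death by signal N as -N
        try:
            name = signal.Signals(-returncode).name
        except ValueError:
            name = "signal %d" % -returncode
        return "killed by " + name
    if "MemoryError" in stderr:
        return "MemoryError (allocation failed in Python, not in libc)"
    return "exit status %d" % returncode

def run_child(code, timeout=60):
    """Run code in a separate interpreter; return (verdict, last stdout line)."""
    proc = subprocess.run([sys.executable, "-c", code],
                          capture_output=True, text=True, timeout=timeout)
    lines = proc.stdout.split()
    return classify(proc.returncode, proc.stderr), (lines[-1] if lines else None)

if __name__ == "__main__":
    verdict, last_len = run_child(PROBE)
    print("probe:", verdict, "| last length tried:", last_len)
```

A "killed by SIGABRT" verdict with a last length corresponds to the kind of result reported in the message above; a clean exit only says that this probe did not crash the child.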


Re: Ghost vulnerability

2015-02-03 Thread Steven D'Aprano
Anssi Saari wrote:

 Rustom Mody rustompm...@gmail.com writes:
 
 How many people (actually machines) out here are vulnerable?


http://security.stackexchange.com/questions/80210/ghost-bug-is-there-a-simple-way-to-test-if-my-system-is-secure

 shows a python 1-liner to check
 
 Does that check actually work for anyone? That code didn't segfault on my
 vulnerable Debian system but it did on my router which isn't (since the
 router doesn't use glibc). Oh and of course I can't comment on
 stinkexchange since I don't have whatever mana points they require...

Here's the one-liner:

python -c 'import socket;y=0*5000;socket.gethostbyname(y)'


I think it is likely that y=0*5000 would segfault due to lack of
memory on many machines. I wouldn't trust this as a test.




-- 
Steven



Re: Ghost vulnerability

2015-02-03 Thread Chris Angelico
On Wed, Feb 4, 2015 at 6:38 AM, Anssi Saari a...@sci.fi wrote:
 Anyways, here's an example calling gethostbyname directly in python:

 from ctypes import CDLL
 o = CDLL('libc.so.6')
 for i in range(0, 2500):
     o.gethostbyname('0'*i)

 I don't have a vulnerable system to test on any more though.

That bombs on my internal disk server, which is said to be vulnerable
using the C implementation.

ChrisA


Re: Ghost vulnerability

2015-02-03 Thread Marc Aymerich
On Tue, Feb 3, 2015 at 4:53 AM, Rustom Mody rustompm...@gmail.com wrote:

 How many people (actually machines) out here are vulnerable?


 http://security.stackexchange.com/questions/80210/ghost-bug-is-there-a-simple-way-to-test-if-my-system-is-secure

 shows a python 1-liner to check




Not very reliable in my experience,

this python test does segfault on my *patched* Debian machine

root@web:~# python -c 'import socket;y=0*5000;socket.gethostbyname(y)'
Segmentation fault

However, the other test proposed on stackexchange correctly reports that I'm
not vulnerable ;)
root@web:/tmp# wget https://webshare.uchicago.edu/orgs/ITServices/itsec/Downloads/GHOST.c
root@web:/tmp# gcc GHOST.c -o GHOST
root@web:/tmp# ./GHOST
not vulnerable


-- 
Marc


Re: Ghost vulnerability

2015-02-03 Thread Michael Torrie
On 02/03/2015 04:19 AM, Steven D'Aprano wrote:
 Anssi Saari wrote:
 
 Rustom Mody rustompm...@gmail.com writes:

 How many people (actually machines) out here are vulnerable?


 http://security.stackexchange.com/questions/80210/ghost-bug-is-there-a-simple-way-to-test-if-my-system-is-secure

 shows a python 1-liner to check

 Does that check actually work for anyone? That code didn't segfault on my
 vulnerable Debian system but it did on my router which isn't (since the
 router doesn't use glibc). Oh and of course I can't comment on
 stinkexchange since I don't have whatever mana points they require...
 
 Here's the one-liner:
 
 python -c 'import socket;y=0*5000;socket.gethostbyname(y)'
 
 
 I think it is likely that y=0*5000 would segfault due to lack of
 memory on many machines. I wouldn't trust this as a test.

I ran it on both my servers (each running a different version of the OS)
which were recently updated to Red Hat's latest version of glibc that
fixes the problem, and both of them segfault with this one liner.




Re: Ghost vulnerability

2015-02-03 Thread Anssi Saari
Steven D'Aprano steve+comp.lang.pyt...@pearwood.info writes:

 Here's the one-liner:

 python -c 'import socket;y=0*5000;socket.gethostbyname(y)'


 I think it is likely that y=0*5000 would segfault due to lack of
 memory on many machines. I wouldn't trust this as a test.

Hmm, how much RAM does that one-liner actually need? My router has 128 
MB total RAM with about 90 MB free. So it can store the string once but
if it's copied with the gethostbyname call then it'll run out...

According to a Reddit thread
(http://www.reddit.com/r/Python/comments/2u7ghu/python_socketgethostbyname_is_not_affected_by/)
Python's socket.gethostbyname() doesn't actually even call the
gethostbyname function in glibc, it uses the newer getaddrinfo instead.
So it's a little unlikely to cause a segfault because of the Ghost vuln :)

Anyways, here's an example calling gethostbyname directly in python:

from ctypes import CDLL
o = CDLL('libc.so.6')
for i in range(0, 2500):
    o.gethostbyname('0'*i)

I don't have a vulnerable system to test on any more though.


Re: Ghost vulnerability

2015-02-03 Thread Anssi Saari
Rustom Mody rustompm...@gmail.com writes:

 How many people (actually machines) out here are vulnerable?

 http://security.stackexchange.com/questions/80210/ghost-bug-is-there-a-simple-way-to-test-if-my-system-is-secure

 shows a python 1-liner to check

Does that check actually work for anyone? That code didn't segfault on my
vulnerable Debian system but it did on my router which isn't (since the
router doesn't use glibc). Oh and of course I can't comment on
stinkexchange since I don't have whatever mana points they require...


Re: Ghost vulnerability

2015-02-02 Thread Chris Angelico
On Tue, Feb 3, 2015 at 2:53 PM, Rustom Mody rustompm...@gmail.com wrote:
 How many people (actually machines) out here are vulnerable?

 http://security.stackexchange.com/questions/80210/ghost-bug-is-there-a-simple-way-to-test-if-my-system-is-secure

 shows a python 1-liner to check

Well, I have one internal disk server that's vulnerable. It's not
accessible to the world, which is why it's still running Ubuntu 10.10,
and it's affected. I'm not too concerned about Huix coming under
attack.

ChrisA


Ghost vulnerability

2015-02-02 Thread Rustom Mody
How many people (actually machines) out here are vulnerable?

http://security.stackexchange.com/questions/80210/ghost-bug-is-there-a-simple-way-to-test-if-my-system-is-secure

shows a python 1-liner to check