Glibc: GHOST Vulnerability Test To See If a Linux Sever Is Secure

Author: Last updated: May 3, 2017 17 comments
The GHOST (CVE-2015-0235) is serious network function vulnerability in Glibc. How do I check and test if a my Linux based server is secure using command line options?

There are two methods to test and find out if your server or desktop powered by Linux is secure or not:

ADVERTISEMENTS

(a) A simple C test program for all Linux based servers (distro independent; generic method). [donotprint]

Tutorial details
DifficultyEasy (rss)
Root privilegesNo
RequirementsLinux
Time1m
[/donotprint]

(b) A simple bash shell test program for RHEL or CentOS or Scientifc Linux server only.

Method #1: GHOST.C Glibc Vulnerability Test C Program

Type the following wget command to download GHOST.C on a Linux based system:

wget https://webshare.uchicago.edu/orgs/ITServices/itsec/Downloads/GHOST.c
## OR
wget -O GHOST.c https://gist.githubusercontent.com/koelling/ef9b2b9d0be6d6dbab63/raw/de1730049198c64eaf8f8ab015a3c8b23b63fd34/gistfile1.c

Compile it:

gcc -o GHOST GHOST.c

Test i:

./GHOST

Sample outputs:

Fig. 01: GHOST.c bug: A simple way to test if Linux system is secure or not

Fig. 01: GHOST.c bug: A simple way to test if Linux system is secure or not

Method #2: GHOST-test.sh Vulnerability Test Bash Script

Visit this url to download a script (or grab it here). You need to have an account with RHN. The script tells whether your system is vulnerable or not. Run script as follows:

wget -O GHOST-test.sh http://www.cyberciti.biz/files/scripts/GHOST-test.sh.txt
bash GHOST-test.sh

Sample outputs:

Fig.02: Fig.02: GHOST-test.sh output on a RHEL/CentOS based system

Fig.02: Fig.02: GHOST-test.sh output on a RHEL/CentOS based system

What to do if my server is not secure or Vulnerable to the Ghost attack?

See this tutorial page for securing your server by applying patches to glibc.

This entry is 1 of 2 in the Linux GHOST Glibc Critical Security Vulnerability series. Keep reading the rest of the series:
  1. Check Ghost Vulnerability Test Programs
  2. Secure and Patch Your Linux Server For Ghost Bug
🐧 Get the latest tutorials on SysAdmin, Linux/Unix, Open Source/DevOps topics:
UP NEXT
CategoryList of Unix and Linux commands
File Managementcat
FirewallCentOS 8 OpenSUSE RHEL 8 Ubuntu 16.04 Ubuntu 18.04 Ubuntu 20.04
Network Utilitiesdig host ip nmap
OpenVPNCentOS 7 CentOS 8 Debian 10 Debian 8/9 Ubuntu 18.04 Ubuntu 20.04
Package Managerapk apt
Processes Managementbg chroot cron disown fg jobs killall kill pidof pstree pwdx time
Searchinggrep whereis which
User Informationgroups id lastcomm last lid/libuser-lid logname members users whoami who w
WireGuard VPNCentOS 8 Debian 10 Firewall Ubuntu 20.04

ADVERTISEMENTS
17 comments… add one
  • Jon Zeolla Jan 28, 2015 @ 14:18

    Linux Sever should be Linux Server

    Reply Link
  • Deltaray Jan 28, 2015 @ 14:42

    The md5sum of the GHOST.c code from the uchicago.edu website that I tested with is

    a19b0657c80d74ea5c4f4544dc9998c5

    You should always check this before compiling downloaded code, otherwise the next exploit on you will be a man in the middle attack.

    Reply Link
  • Jacob Jan 28, 2015 @ 15:16

    Where’d you hear about ghost.c on uchicago’s webshare?

    Reply Link
  • Stu Jan 28, 2015 @ 18:23

    That’s odd, the MD5 I get is d0ed67a61753e568596a830e7171a8eb. Which one of has the right version?

    Reply Link
    • Deltaray Jan 28, 2015 @ 19:37

      There are probably slightly different versions going around with differing whitespace, etc. I mentioned the uchicago.edu site because its probably more static than the gist URL. Either way, just make sure that you’re downloading something legit.

      Reply Link
      • Stu Jan 29, 2015 @ 18:16

        I would agree with that last sentence. But then, how trustworthy am I? You might try to see if you can reverse the hash I posted.

        Reviewing the code might not be entirely sufficient as the MITM could exclude vulnerable versions but ilthe code could appear safe to run.

        Reply Link
    • Samir Jan 29, 2015 @ 3:07

      Try get MD5 hash of source code file => GHOST.c

      Reply Link
  • jmstrupp Jan 28, 2015 @ 19:27

    Single Step:

    # curl -L https://www.cyberciti.biz/files/scripts/GHOST-test.sh.txt | sh -s --
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  2172  100  2172    0     0   7676      0 --:--:-- --:--:-- --:--:--  7674
Vulnerable glibc version <= 2.17-54
Vulnerable glibc version <= 2.5-122
Vulnerable glibc version <= 2.12-1.148
Detected glibc version 2.17 revision 55
Not Vulnerable.
    Reply Link
    • Deltaray Jan 29, 2015 @ 18:28

      If your concern is security, then don’t pipe shell scripts directly into your shell.

      Reply Link
  • Y. Jan 28, 2015 @ 19:32

    $ md5sum GHOST.c
    a19b0657c80d74ea5c4f4544dc9998c5 GHOST.c
    $ md5sum GHOST-test.sh
    bd6fea3404950de06e024e2d8b924219 GHOST-test.sh

    $ ./GHOST
    vulnerable
    $ bash GHOST-test.sh
    Vulnerable glibc version <= 2.17-54
    Vulnerable glibc version <= 2.5-122
    Vulnerable glibc version <= 2.12-1.148
    Detected glibc version 2.12 revision 149
    Not Vulnerable.

    Reply Link
  • Palant Jan 29, 2015 @ 12:00

    A practical thing (hope it could be helpful for anyone). You don’t need to reboot the whole server after updating. If you are not able to do reboot — use this cmd which relaunchs only several applications that actually use vulnerable glibc:

    for s in $(lsof | grep libc | awk '{print $1}' | sort | uniq); do if [[ -f "/etc/init.d/$s" && "$(ps aufx | grep -v grep | grep $s)" ]]; then echo $s; service $s restart; fi; done

    From.

    Reply Link
  • Nhoya Feb 5, 2015 @ 11:50
    #!/bin/bash
#GHOST vulnerability detector (DEBIAN & co.)
libc_main_vers=$(dpkg -l | grep libc6 | awk '{ print $3 }' | awk -F . '{ print $1 }')
upd=$(dpkg -l | grep libc6| awk '{ print $3 }'| tail -c 2)
sub=$(dpkg -l | grep libc6| awk '{ print $3 }'| awk -F . '{print$2}' |head -c 2)
for ver in ${libc_main_vers}; do
    if (( ver = 2  && upd >= 7 && sub >= 12 )); then
        echo not vulnerable
    else
        if ((ver > 2 )); then
                echo not vulnerable
        else
                echo "vulnerable to GHOST (CVE-2015-0235)"
        fi
    fi
done
exit 0

    This is the script working for Debian (

    Reply Link
  • stb_in_va Feb 6, 2015 @ 20:37

    Great write up!

    Are Solaris glib packages vulnerable? Not finding anything online (or from Oracle) about it.

    Thanks!

    -S

    Reply Link
  • wan Mar 11, 2015 @ 15:22

    sorry guys…my server doesnt have rpm package..and i am unable to connect it to any internet connection since it is prohibited. But i still need to check the vulnerability of our system. How can i do it ? thx

    Reply Link
  • Deepu Apr 6, 2015 @ 11:49

    Method #2: GHOST-test.sh Vulnerability Test Bash Script

    as per the ghost shell script, it says glibc 2.12 is not vulnerable in the screen shot.

    But version in between 2.2 to 2.17 all are vulnerable to GHOST attack. refer link : https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0235

    after referring the NVD, looks like the script is not working properly.

    Reply Link

Leave a Reply

Your email address will not be published.

Use HTML <pre>...</pre>, <code>...</code> and <kbd>...</kbd> for code samples.

Next FAQ:

Previous FAQ: