GHOST glibc Vulnerability Affects WordPress and PHP applications

After the disclosure of extremely critical GHOST vulnerability in the GNU C library (glibc) — a widely used component of most Linux distributions, security researchers have discovered that PHP applications, including the WordPress Content Management System (CMS), could also be affected by the bug.

"GHOST" is a serious vulnerability (CVE-2015-0235), announced this week by the researchers of California-based security firm Qualys, that involves a heap-based buffer overflow in the glibc function name - "GetHOSTbyname()." Researchers said the vulnerability has been present in the glibc code since 2000.

Though the major Linux distributors such as Red Hat, Debian and Ubuntu, have already updated their software against the flaw, GHOST could be used by hackers against only a handful of applications currently to remotely run executable code and silently gain control of a Linux server.

As we explained in our previous article, heap-based buffer overflow was found in __nss_hostname_digits_dots() function, which is particularly used by the gethostbyname() and gethostbyname2() glibc function call.

Since, PHP applications including WordPress also use the gethostbyname() function wrapper, the chance of the critical vulnerability becomes higher even after many Linux distributions issued fixes.

GHOST - BIG ISSUE FOR WORDPRESS

According to the Sucuri researcher Marc-Alexandre Montpas, GHOST vulnerability could be a big issue for WordPress CMS, as it uses wp_http_validate_url() function to validate every pingback post URL.

"....And it does so by using gethostbyname()," wrote Montpas in an advisory published Wednesday. "So an attacker could leverage this vector to insert a malicious URL that would trigger a buffer overflow bug, server-side, potentially allowing him to gain privileges on the server."

The vulnerability affects all versions of glibc from glibc-2.17 and lower. However, it was patched in glibc-2.18 in May 2013, but was not marked as a security vulnerability so the fix did not make it into many common Linux distributions like RedHat and Ubuntu.

HOW TO CHECK YOUR SYSTEM AGAINST GHOST FLAW

"This is a very critical vulnerability and should be treated as such," Montpas said. "If you have a dedicated server (or VPS) running Linux, you have to make sure you update it right away."

Sucuri also provided the following test PHP code, which an admin can run on their server terminal. If the code returns a segmentation fault, then your Linux server is vulnerable to the GHOST vulnerability.

php -r '$e="0″;for($i=0;$i<2500;$i++){$e="0$e";} gethostbyname($e);' Segmentation fault

HOW TO PROTECT

Until now, Debian 7, Red Hat Enterprise Linux 6 and 7, CentOS 6 and 7 and Ubuntu 12.04 have released software updates. So users of above Linux distributions are recommended to patch their systems, followed by a system reboot, as soon as possible. 

• Disable XML-RPC 

If you don’t want to use XML-RPC process, it is possible to disable it altogether. There are even Wordpress plugins that will totally disable XML-RPC process.

• Disable Pingback Requests 

You may also disable the pingback feature by adding the following code to your functions.php file:

add_filter( 'xmlrpc_methods' , function( $methods' ) { unset( $methods[ 'pingback.ping ] ); return $methods; } );