Severe “Ghost” flaw leaves Linux systems vulnerable to takeover

A serious vulnerability in a core Linux library could let a remote attacker take complete control of Linux-based systems such as servers. Anyone running Linux is advised to install their distribution's patch for the affected library immediately and then restart the services that use it (or reboot), since a process started before the update keeps the old, vulnerable copy of the library mapped in memory.

Qualys researchers discovered the “Ghost” vulnerability – named for the fact that it can be triggered through the “gethostbyname” family of DNS resolution functions – during a code audit.

In a blog post and video published on Tuesday, they said they had “developed a proof-of-concept in which we send a specially created e-mail to a mail server and can get a remote shell to the Linux machine,” though they won’t release the exploit until they judge that around half of the Linux servers out there have been patched.

The flaw, tracked as CVE-2015-0235, is a heap-based buffer overflow in the GNU C Library (“glibc”). It sits in the internal __nss_hostname_digits_dots() function, which gethostbyname() and gethostbyname2() use to handle hostnames that look like numeric addresses. The researchers said the bug had been in glibc since 2000 (it was introduced in version 2.2) and had actually been fixed in May 2013, between versions 2.17 and 2.18, so only releases before 2.18 are affected. However, the change wasn’t recognized as a security fix at the time, so it was never backported, and many long-term-support Linux distributions still ship a vulnerable glibc.

Distros known to be affected include Debian 7 (wheezy), Red Hat Enterprise Linux 6 and 7, CentOS 6 and 7, and Ubuntu 12.04. Patched glibc packages for all of them are available now and should be applied without delay; the update only takes effect for processes started after it is installed, so restart network-facing services (or reboot) afterwards. End-of-life distros are obviously also affected, but you shouldn’t be using those anyway.
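Whether a given machine actually has the fix can be checked directly rather than by reading package versions. The program below is an added example modelled on the test program Qualys published with its advisory; it is not code from this article. It calls gethostbyname_r() with a name made entirely of digits, which sends glibc down the affected numeric-address path, and sizes the name so that a vulnerable glibc writes one pointer past the caller's buffer. A canary placed immediately after the buffer detects that write; a fixed glibc refuses the call with ERANGE and leaves the canary untouched. The buffer size, the canary string and the ghost_probe() function name are choices made for this example.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE          /* gethostbyname_r() is a GNU/BSD extension */
#endif
#include <errno.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>

#define CANARY "in_the_coal_mine"   /* constructed marker; any fixed string works */

/* The canary must sit directly after the lookup buffer, so both live in one
 * struct: a separate global could be placed anywhere by the compiler. */
static struct {
    char buffer[1024];
    char canary[sizeof(CANARY)];
} probe = { "buffer", CANARY };

enum ghost_status {
    GHOST_NOT_VULNERABLE = 0,   /* glibc rejected the undersized buffer with ERANGE */
    GHOST_VULNERABLE = 1,       /* glibc wrote past the buffer into the canary */
    GHOST_INCONCLUSIVE = 2      /* neither, e.g. a libc that never takes this path */
};

/* Length of the all-digit name.  The vulnerable size check counted a 16-byte
 * address, two address pointers and the NUL but forgot the alias pointer, so
 * a name of this length makes that undersized total exactly fill the buffer
 * and the missing pointer (4 or 8 bytes) lands on the canary. */
size_t ghost_probe_name_len(void)
{
    return sizeof(probe.buffer) - 16 * sizeof(unsigned char) - 2 * sizeof(char *) - 1;
}

/* Runs the probe once; the raw gethostbyname_r() return code is stored in
 * *retval when that pointer is non-NULL. */
enum ghost_status ghost_probe(int *retval)
{
    struct hostent resbuf;
    struct hostent *result = NULL;
    int herrno = 0;
    char name[sizeof(probe.buffer)];
    size_t len = ghost_probe_name_len();

    memcpy(probe.canary, CANARY, sizeof(CANARY));   /* reset so the probe is repeatable */
    memset(name, '0', len);                          /* digits only: forces the numeric path */
    name[len] = '\0';

    int rc = gethostbyname_r(name, &resbuf, probe.buffer, sizeof(probe.buffer),
                             &result, &herrno);
    if (retval != NULL)
        *retval = rc;

    if (memcmp(probe.canary, CANARY, sizeof(CANARY)) != 0)
        return GHOST_VULNERABLE;
    if (rc == ERANGE)
        return GHOST_NOT_VULNERABLE;
    return GHOST_INCONCLUSIVE;
}

int main(void)
{
    int rc = 0;
    switch (ghost_probe(&rc)) {
    case GHOST_VULNERABLE:
        puts("vulnerable: canary overwritten, update glibc and restart services");
        return 1;
    case GHOST_NOT_VULNERABLE:
        puts("not vulnerable: glibc returned ERANGE without touching the canary");
        return 0;
    default:
        printf("inconclusive: gethostbyname_r returned %d\n", rc);
        return 2;
    }
}
```

Build it with `cc -o ghost ghost.c` and run it on each host: the exit status is 0 for a fixed glibc and 1 for a vulnerable one. The probe runs in a fresh process, so it reports on the library now installed on disk; a daemon started before the update still has the old copy mapped until it is restarted.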

It’s impossible to tell whether the vulnerability has been exploited, though Trend Micro has noted that turning it into code execution is not straightforward: “with only four or eight bytes as the initial exploit vector, gaining further access is highly dependent on application design and memory usage.” (That is four bytes on 32-bit systems and eight on 64-bit: the overflow writes a single pointer past the end of the buffer.) Also, as Robert Graham at Errata Security has pointed out, the gethostbyname() function is obsolete and people should be using the IPv6-capable getaddrinfo() function instead, so software that has already made that switch never calls the affected functions.
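The following is an added example, not code from the article or from Errata Security, showing the same lookup written against the obsolete gethostbyname() API and against getaddrinfo(). The AI_NUMERICHOST flag and the function names are choices made for the example so that it runs without DNS; for real name resolution, drop that flag.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE
#endif
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Obsolete API: IPv4 only, not thread-safe (the result lives in static storage
 * that the next call overwrites), and on glibc 2.2 through 2.17 it is one of
 * the entry points into the GHOST overflow. */
int legacy_lookup(const char *host, char *out, size_t outlen)
{
    struct hostent *he = gethostbyname(host);
    if (he == NULL || he->h_addrtype != AF_INET || he->h_addr_list[0] == NULL)
        return -1;
    return inet_ntop(AF_INET, he->h_addr_list[0], out, (socklen_t)outlen) ? 0 : -1;
}

/* Replacement: address-family agnostic, reentrant, result freed by the caller.
 * Returns 0 and writes the first address as text, or a non-zero EAI_* code. */
int modern_lookup(const char *host, char *out, size_t outlen)
{
    struct addrinfo hints, *res = NULL;
    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;       /* IPv4 or IPv6, whichever the name yields */
    hints.ai_socktype = SOCK_STREAM;   /* one entry per address instead of one per protocol */
    hints.ai_flags = AI_NUMERICHOST;   /* constructed for the example: no DNS, stays offline */

    int rc = getaddrinfo(host, NULL, &hints, &res);
    if (rc != 0)
        return rc;

    const void *addr = (res->ai_family == AF_INET6)
        ? (const void *)&((struct sockaddr_in6 *)res->ai_addr)->sin6_addr
        : (const void *)&((struct sockaddr_in *)res->ai_addr)->sin_addr;
    const char *ok = inet_ntop(res->ai_family, addr, out, (socklen_t)outlen);
    freeaddrinfo(res);
    return ok ? 0 : -1;
}

/* Helper: run one of the lookups and compare the textual result. */
int lookup_matches(int (*lookup)(const char *, char *, size_t),
                   const char *host, const char *expected)
{
    char text[INET6_ADDRSTRLEN];
    return lookup(host, text, sizeof text) == 0 && strcmp(text, expected) == 0;
}

int main(void)
{
    /* Constructed inputs: an IPv4 literal, an IPv6 literal and garbage. */
    const char *hosts[] = { "127.0.0.1", "::1", "not-an-address" };
    for (size_t i = 0; i < sizeof hosts / sizeof hosts[0]; i++) {
        char text[INET6_ADDRSTRLEN];
        int l = legacy_lookup(hosts[i], text, sizeof text);
        printf("gethostbyname(%s): %s\n", hosts[i], l == 0 ? text : "failed");
        int m = modern_lookup(hosts[i], text, sizeof text);
        printf("getaddrinfo(%s):   %s\n", hosts[i], m == 0 ? text : gai_strerror(m));
    }
    return 0;
}
```

The legacy call cannot return the IPv6 loopback at all, which is the practical reason Graham gives for moving to getaddrinfo(); the security benefit is that code which no longer calls gethostbyname() has no way to reach the affected glibc path.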

This article was updated at 2.15am PT to include Trend Micro’s observation.

Yik Yak shown no slack in intern hack attack

Getting hacked seems to be a rite of passage for social media companies. It’s a sign that they’ve grown big enough to attract the attention of the hacking community.

Right on schedule, anonymous local chatting app Yik Yak has been hit with a big security breach, a mere two weeks after closing its $62 million round led by Sequoia. An intern at a security firm figured out how to unearth users’ real-life identities and take control of their accounts.

I reached out to Yik Yak for comment and a spokesperson said, “Upon being informed of the issue, Yik Yak acted immediately to address and remedy the situation.” The company released an updated app last week that fixes the hole, before SilverSky Labs, a security firm, disclosed the flaw on Monday.

Yik Yak is huge in U.S. colleges, where people within a two-mile radius of each other can post anonymous, public messages to a shared feed.

A young intern at SilverSky Labs decided to test Yik Yak’s system given recent privacy controversies in the anonymous app space (see: Whisper). It didn’t take long to crack the app’s code — just a few days. “This attack is not particularly sophisticated,” Brandon Edwards, VP of SilverSky Labs, told me. “A lot of the tools [we used] are common place in network analysis.”

Intern Sanford Moskowitz found that although Yik Yak encrypted the messages sent over its own network, the app also communicated with third-party service providers that did not encrypt their traffic. That cleartext traffic was the weakness: it exposed users’ unique internal Yik Yak user ID numbers (which are distinct from the publicly facing username).

Since Yik Yak doesn’t require passwords, the user ID is effectively the only credential: anyone who has it could modify the Yik Yak app to log in as that user, read their content, and post under their identity. The ID could also be tied to a real-life identity by capturing the phone’s traffic in Wireshark and correlating the Yik Yak ID with other identifying traffic from the same device. For example, if you’re logged into other social networks that carry your name, a hacker could link that name to your Yik Yak ID.

Until recently, Yik Yak had been the bastard child of the Secret-Whisper triangle, largely forgotten by Silicon Valley. But with its star on the rise, its days of anonymity are over. Its systems are now under scrutiny from investors, press, and hackers alike.