# Is FreeBSD vulnerable to Ghost?



## kjpetrie (Jan 27, 2015)

Does the Ghost exploit described in http://www.openwall.com/lists/oss-security/2015/01/27/9 and http://arstechnica.com/security/2015/01/highly-critical-ghost-allowing-code-execution-affects-most-linux-systems/ affect BSD systems or is it Linux-only?

As it's a vulnerability in glibc I'd expect it to affect all systems using the GNU library, or is there something in the way FreeBSD implements things that would prevent it?


----------



## Oko (Jan 28, 2015)

FreeBSD uses its own libc implementation, just like all other BSDs. Yes, all Linux systems are affected by the bug, but BSDs are not affected.


----------



## protocelt (Jan 28, 2015)

Oko said:


> FreeBSD uses its own libc implementation just like all other BSDs. Yes all Linux systems are affected by the bug but BSDs are not affected.


Does this include BSD systems that use Linux glibc through Linux emulation?


----------



## worldi (Jan 28, 2015)

The disclosure comes with a piece of C code that checks for the vulnerability. So let's use it...


```
% uname -rms
FreeBSD 9.3-STABLE amd64
%
% ls -lF /compat/linux/lib/libc[\.-]*
-rwxr-xr-x  1 root  wheel  1902892 Oct 15 03:36 /compat/linux/lib/libc-2.12.so*
lrwxr-xr-x  1 root  wheel  12 Oct 15 03:05 /compat/linux/lib/libc.so.6@ -> libc-2.12.so
% pkg which /compat/linux/lib/libc-2.12.so
/compat/linux/lib/libc-2.12.so was installed by package linux_base-c6-6.6_1
%
% md5 ghost.c
MD5 (ghost.c) = aa8dbce88e54027dbd4723ccd142f717
% /compat/linux/usr/bin/gcc ghost.c -o ghost
% file ghost
ghost: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.18, BuildID[sha1]=d7ef7a7900cb7da62e80420f22c69bb8e7e6a2f5, not stripped
% ldd ghost
ghost:
  libc.so.6 => /lib/libc.so.6 (0x28070000)
  /lib/ld-linux.so.2 (0x28049000)
%
% ./ghost
vulnerable
%
```


----------
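The `ldd` output above is what ties a binary to the Linux-compat glibc rather than FreeBSD's own libc. As an added example (not part of the original posts and not the disclosure's check program), this sketch inventories glibc images under the compat root and finds ELF files that request glibc's `ld-linux` loader. The function names are hypothetical, and the loader-string match is a heuristic that says what depends on the compat glibc, not whether that glibc is fixed.

```shell
#!/bin/sh
# Added example: find what depends on the Linux-compat glibc.
# Heuristic inventory only; it does not test for the bug itself.

# Succeed if FILE is an ELF object that names glibc's ld-linux loader.
uses_linux_glibc() {
    f=$1
    [ -f "$f" ] && [ -r "$f" ] || return 1
    # ELF magic is 0x7f 'E' 'L' 'F'; od -c renders 0x7f as octal 177.
    magic=$(LC_ALL=C head -c 4 "$f" | od -An -c | tr -d ' \n')
    [ "$magic" = '177ELF' ] || return 1
    # e.g. /lib/ld-linux.so.2 or /lib64/ld-linux-x86-64.so.2
    LC_ALL=C grep -a -q '/ld-linux[-.a-z0-9]*\.so' "$f"
}

# Print "path<TAB>version" for each glibc image under a compat root,
# relying on the libc-<version>.so naming shown in the ls output above.
compat_glibc_versions() {
    root=${1:-/compat/linux}
    for lib in "$root"/lib*/libc-[0-9]*.so "$root"/usr/lib*/libc-[0-9]*.so; do
        [ -f "$lib" ] || continue          # unmatched glob stays literal
        v=${lib##*/libc-}
        printf '%s\t%s\n' "$lib" "${v%.so}"
    done
}

# List regular files under DIR that would run against the compat glibc.
scan_for_glibc_users() {
    find "$1" -type f 2>/dev/null | while IFS= read -r p; do
        if uses_linux_glibc "$p"; then printf '%s\n' "$p"; fi
    done
}

# Optional stand-alone use: sh script.sh /usr/local
if [ $# -gt 0 ]; then
    compat_glibc_versions
    scan_for_glibc_users "$1"
fi
```

An empty result from both functions means nothing on the scanned path uses the emulation layer's glibc; any hit still needs the check program or the package advisory to judge.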



## junovitch@ (Jan 31, 2015)

For the record, the vulnerability was resolved with an update in the ports collection the day after this thread.

http://www.vuxml.org/freebsd/0765de84-a6c1-11e4-a0c1-c485083ca99c.html


----------



## max21 (Jan 31, 2015)

Here I go again. This has got to be the coolest catch/repair I have ever seen, but it broke packet filter. After updating and rebooting just minutes ago, I fired up pftop as usual but it fails to run.


```
:~ # pftop
Pftop: open(“/dev/pf”): No such file or directory
```
So I switched from desktop mode to the console (ctrl/alt[F1]) and this is in the boot text (I typed it by hand).


```
Starting ums0 moused.
Link_elf_obj: symbol altq_add undefined
Linker_load_file: Unsupported file type
KLD pflog.ko: depends on pf – not available or version mismatch
Linker_load_file: Unsupported file type
Kldload: an error occurred while loading the module.
/etc/rc: WARNING: Unable to load kernel module pflog
/etc/rc: WARNING: failed precmd routine for pflog
…
….
```
How do I roll back so I can try it again and again until I find out what went wrong? I did in fact upgrade to gcc-49, but clang is still the default and it built my custom kernel last night. I only added pf and ALTQ, and I removed stuff that my machine doesn't use. I have been using it all day with many reboots, as I do while testing other stuff. So I know that the machine was in very good shape until now.

btw; I don't mix Linux in my FreeBSD.


----------



## max21 (Jan 31, 2015)

This is really strange. I did a [shutdown now] in gnome terminal and it froze. It _NEVER_ did that before. After a full 10 minutes I did a regular reboot … it rebooted but hung for about a full minute before syncing disks began, then went to Single User Mode. I exited and went to console mode to get a clean reboot.

I found the perfect thread for this occasion just in case someone else has a problem.

https://forums.freebsd.org/threads/...er-freebsd-update-rollback.47315/#post-264339


```
# mount -u /
# mount -a
# freebsd-update rollback
```

Packet Filter is back. Now 10.1p4 is happy again. I'll be trying again within 24 hours. Maybe it's all because I never enabled hald. It makes you wonder why it works for you and not for him. It could be something as simple as that.


----------



## max21 (Feb 1, 2015)

After sleeping on it I realize doing it all over again would be useless because this latest update replaces files needed to run pf. So at this point, upgrading and updating with this fix, you most likely will lose pf, and who knows when for the rest. I really hope they fix this because I just gained know-how in upgrading, updating and a lot more (thanks to this forum and the handbook). I was an 8.2 die-hard trusting PcBSD to handle all technical aspects up until just months ago.


----------



## Crivens (Feb 1, 2015)

It really looks like the modules and the kernel are diverging on your machine, or that there is a version mismatch somewhere. Because, when a module is built, the symbol should be available. Did you, by any chance, not install the kernel after some update to the source tree but then installed some modules built from that? This happened to me once. The hunting is funny then...


----------



## max21 (Feb 3, 2015)

Hi Crivens I think you're on to something.  Some facts are needed here:

I installed FreeBSD-10.1 using the CD January 3 of this year. I dumped it because the FreeBSD online port system would not install GNOME-2, but forced GNOME-3 to install. I quit, then I included my fully packed distfiles, but all I got was errors. Since June of last year my FreeBSD 10.0 has never been connected to the INTERNET other than for freebsd-update, portsnap and svn. I have never built world or created a custom kernel for it. So I know that my system is pollution-free and has never been hosed. It took until January 14, three weeks ago, to be convinced to upgrade to FreeBSD 10.1 by way of freebsd-update and everything worked, including GNOME-2 (strange, right?).


> Did you, by any chance, not install the kernel after some update to the source tree but then installed some modules built from that?


Crivens: Back in June when I first installed FreeBSD 10.0 from CD I did a freebsd-update, portsnap, and I got the src from svn. I was using an online _how-to_ that I found. I posted a question for a problem that I thought I had and wblock@ replied something like *metadata is different and larger with Subversion*. In another thread he said something like *don't mix svn src with portsnap updates; get them both from one place or the other*. So this explains, after all these months of reading, posting and experimenting, why things work for me and not for others and vice-versa, like now. No wonder no one knew what I was talking about. But still, no little ghost is going to scare me out of this system, and if I ever upgrade again, it will be based on what a newer version of FreeBSD does inside Virtualbox now that I have better insight. What I have now runs better than XP, Win-8, and PC-BSD.

Thanks Crivens and kjpetrie.


----------



## Nelson Dominick (Feb 5, 2015)

If glibc is used with Linux emulation on FreeBSD then it is vulnerable, however I do not know if Monowall is affected.


----------

