10

I see on our Red Hat Linux platform that the "java" process has a dependency on the glibc library:

    [root@hpproliant1 ~]# ldd /usr/bin/java
    linux-gate.so.1 =>  (0xffffe000)
    libpthread.so.0 => /lib/libpthread.so.0 (0xf7f77000)
    libjli.so => /usr/java/32bit/jre1.6.0_26/bin/../lib/i386/jli/libjli.so (0xf7f6e000)
    libdl.so.2 => /lib/libdl.so.2 (0xf7f69000)
    libc.so.6 => /lib/libc.so.6 (0xf7e11000)
    /lib/ld-linux.so.2 (0xf7f97000)

Do Java APIs indirectly call the problematic glibc functions? If so, is the JVM using the vulnerable function in a way that's vulnerable?

Mert Z.

1 Answer

6

Possibly.

The two functions that are vulnerable in glibc are gethostbyname and gethostbyname2. You noticed that java is linked to glibc, but for it to even possibly be vulnerable it has to link to these specific functions.

It's possible to scan the ELF binary and look through the linked libraries with the program readelf.

It's recently come out that procmail is vulnerable, so let's check that this approach works with a known vulnerable program.

    readelf --dyn-syms /usr/bin/procmail |grep gethostbyname
        46: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND gethostbyname@GLIBC_2.2.5 (2

And it does!

If you scan the jvm executable, you won't find references to gethostbyname.

If you scan the libraries included with java, you will:

    readelf --dyn-sym libdt_socket.so |grep gethostbyname
        19: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND gethostbyname@GLIBC_2.2.5 (4)

Whether this is exploitable or not requires further analysis. But until proven otherwise, you should update your glibc library.

Steve Sether
  • 2
    I believe this is based on the assumption that gethostbyname function in glibc is not referenced by any other glibc function. Is this correct? I mean how about this example of a Java trace `C [libnss_files.so.2+0x3471] _nss_files_gethostbyname_r+0x211 C [libc.so.6+0xeb19f] gethostbyname_r+0x10f C [libnet.so+0x4d61] Java_java_net_Inet4AddressImpl_getLocalHostName+0x91 j java.net.Inet4AddressImpl.getLocalHostName()Ljava/lang/String;+0 j java.net.InetAddress.getLocalHost()Ljava/net/InetAddress;+7` and how about what is written [here](http://www.circl.lu/pub/tr-31/) – Mert Z. Jan 31 '15 at 07:54
  • 1
    @MertZ. Unfortunately I didn't check the referenced libraries the JVM uses. You're right, the JVM does use gethostbyname. I'll change the answer. – Steve Sether Jan 31 '15 at 20:25
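
The readelf check from the answer, applied to every file under a directory such as a JRE install, as an added example that is not part of the original thread. It goes slightly beyond the two commands shown by also listing the `_r` variants that appear in the trace quoted in the comments; the function names `imported_resolvers` and `scan_tree`, the script name `scan.sh` and the sample symbol table are assumptions made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread): find ELF files that import
# gethostbyname* from glibc. The scan itself needs binutils' readelf.

# Read `readelf -W --dyn-syms` output on stdin and print the undefined
# (Ndx == UND, i.e. resolved from another library at load time) symbols whose
# name starts with "gethostbyname", with the @GLIBC_x version tag stripped.
imported_resolvers() {
    awk '$7 == "UND" && $8 ~ /^gethostbyname/ { sub(/@.*/, "", $8); print $8 }' |
        sort -u
}

# Walk a directory tree (for example a JRE install) and print
# "path: symbol symbol ..." for every file with at least one match.
# Non-ELF files make readelf fail and are skipped silently.
# Assumes file names contain no newlines.
scan_tree() {
    command -v readelf >/dev/null 2>&1 || { echo "readelf not found" >&2; return 1; }
    find "$1" -type f | while IFS= read -r f; do
        syms=$(readelf -W --dyn-syms "$f" 2>/dev/null | imported_resolvers | tr '\n' ' ')
        if [ -n "$syms" ]; then
            printf '%s: %s\n' "$f" "${syms% }"
        fi
    done
}

# Constructed sample in readelf's column layout (not captured from a real file).
# The last row is a locally defined symbol and must not be reported.
SAMPLE="Symbol table '.dynsym' contains 5 entries:
   Num:    Value          Size Type    Bind   Vis      Ndx Name
     0: 0000000000000000     0 NOTYPE  LOCAL  DEFAULT  UND
    19: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND gethostbyname@GLIBC_2.2.5 (4)
    20: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND gethostbyname_r@GLIBC_2.2.5 (4)
    21: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND getaddrinfo@GLIBC_2.2.5 (4)
    22: 0000000000001a30    52 FUNC    GLOBAL DEFAULT   12 gethostbyname_local"

# Usage (hypothetical script name): sh scan.sh /path/to/jre
# With no argument nothing is scanned.
if [ "$#" -gt 0 ]; then
    scan_tree "$1"
fi
```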