Glibc bug affects billions of devices and applications

Feb 16, 2016 17:05 GMT

Security experts from Google's Project Zero, aided by researchers from Red Hat, have identified and helped patch a security flaw in the GNU C Library (glibc) that could be exploited via rogue DNS servers.

Before researchers discovered that this vulnerability allowed remote code execution in machines with glibc installed, the GNU team had already been aware of the issue and had been tracking it via an internal bug report, but without fully understanding its capabilities.

The Google and Red Hat teams worked together to investigate the bug, and after suspecting that they could leverage it in real-world attacks, they crafted an exploit package that could use the bug's characteristics to trigger a buffer overflow and then use it to run code on the underlying computer.

Vulnerability affects glibc's DNS resolver

The issue, tracked under the CVE-2015-7547 identifier, was found in glibc's DNS client-side resolver, in the getaddrinfo() library function, which is responsible for making DNS queries and receiving the responses.

An attacker in control of a rogue domain name or DNS server could send the client oversized DNS responses that overflow a buffer and open the way to remote code execution, allowing them to run malicious code on the machine with the same privileges as the application using glibc.

Attackers could also leverage this bug via MitM (Man-in-the-Middle) attacks if they could intercept and alter DNS responses in the victim's network.
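The oversized-response condition described above can be screened for on the defensive side, for example in a forwarder or a packet-inspection hook. The following C code is an added example, not code from Google, Red Hat or the glibc project; the 2048-byte limit is taken from Google's advisory for CVE-2015-7547 rather than from this article, and all function and constant names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumption (Google's advisory for this CVE, not this page): replies
 * above the resolver's 2048-byte stack buffer are the ones to flag. */
#define RESP_LIMIT 2048u
#define DNS_HDR_LEN 12u

enum verdict { NOT_DNS_REPLY, REPLY_OK, REPLY_TRUNCATED, REPLY_OVERSIZED };

/* Classify one DNS message (a UDP payload, or a TCP message without its
 * 2-byte length prefix). The header is read only after the length check,
 * so a short buffer cannot cause an overread. */
enum verdict screen_dns_reply(const uint8_t *msg, size_t len)
{
    if (msg == NULL || len < DNS_HDR_LEN)
        return NOT_DNS_REPLY;
    if ((msg[2] & 0x80) == 0)      /* QR bit clear: a query, not a reply */
        return NOT_DNS_REPLY;
    if (len > RESP_LIMIT)
        return REPLY_OVERSIZED;    /* candidate for logging and dropping */
    if (msg[2] & 0x02)             /* TC bit: client retries over TCP */
        return REPLY_TRUNCATED;
    return REPLY_OK;
}

/* Constructed sample, not a captured packet: header with the given flags
 * byte followed by a zero-filled body, `len` bytes in total. */
static size_t make_sample(uint8_t *buf, size_t cap, size_t len, uint8_t flags)
{
    if (len > cap) len = cap;
    memset(buf, 0, len);
    if (len >= DNS_HDR_LEN) { buf[0] = 0x12; buf[1] = 0x34; buf[2] = flags; }
    return len;
}

int main(void)
{
    static uint8_t buf[4096];
    static const char *names[] = { "not-a-reply", "ok", "truncated", "oversized" };
    static const struct { size_t len; uint8_t flags; } s[] = {
        { 60, 0x81 }, { 512, 0x83 }, { 2048, 0x81 }, { 2049, 0x81 }, { 60, 0x01 } };
    for (size_t i = 0; i < sizeof s / sizeof s[0]; i++) {
        size_t n = make_sample(buf, sizeof buf, s[i].len, s[i].flags);
        printf("%4zu bytes, flags 0x%02x: %s\n", n, s[i].flags, names[screen_dns_reply(buf, n)]);
    }
    return 0;
}
```

Large replies are legitimate for some record types, particularly over TCP, so a hit is a reason to log the exchange and check the patch state of the client, not proof of an attack.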

Attackers can pwn everything that uses glibc

"Remote code execution is possible, but not straightforward," Google researchers explained. "It requires bypassing the security mitigations present on the system, such as ASLR. We will not release our exploit code."

On the other hand, Google released proof-of-concept code that will help sysadmins detect if their systems are vulnerable to this issue.

According to researchers, the bug affected all glibc distributions since version 2.9, released in March 2009. The glibc team released a patch to address this vulnerability.

Glibc is one of the most important C libraries around, being used in countless applications, ranging from desktop apps to data center software, and from networking equipment to IoT devices.