Buffer Overflow Fixed in GNU C

Thursday, February 18, 2016 @ 04:02 PM gHale

A patch has been released to fix a hole in the GNU C Library (glibc) that rogue DNS servers could abuse.

The GNU team had already been aware of the issue before researchers discovered that it allowed remote code execution on machines with glibc installed, and had been tracking it via an internal bug report, but without fully understanding its impact. Security researchers from Google's Project Zero, with help from Red Hat, discovered the flaw.

The Google and Red Hat teams worked together to investigate the bug, and after suspecting it could be used in a real attack, they crafted an exploit that used the bug's characteristics to trigger a buffer overflow and then run code on the underlying computer.

The issue, tracked as CVE-2015-7547, was in glibc's client-side DNS resolver, in the getaddrinfo() library function, which is responsible for sending DNS queries and receiving the responses.

An attacker in control of a rogue domain name or DNS server could send the client oversized DNS responses, forcing a buffer overflow and, from it, remote code execution, allowing them to run malicious code on the machine with the same privileges as the application that called glibc.

Attackers could also leverage this bug via Man-in-the-Middle (MitM) attacks if they could intercept and alter DNS responses on the victim's network.
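The flaw described above belongs to a well-understood class: a resolver copies a DNS answer into a fixed-size buffer without first checking that the answer fits. The following is an added illustration of the defensive check that class calls for; it is not glibc's code, not the glibc patch, and not Google's proof-of-concept. The buffer size (512 bytes), the minimal header parsing and the sample messages are all constructed for this example, and the transaction-ID and QR-bit checks are ordinary resolver sanity checks rather than anything the article attributes to glibc.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sizes for this illustration; they are not glibc's values. */
#define RESP_BUF_SIZE 512   /* assumed fixed-size receive buffer */
#define DNS_HEADER_LEN 12   /* wire-format DNS header length (RFC 1035) */

enum resp_status {
    RESP_OK = 0,
    RESP_TOO_SHORT,     /* shorter than a DNS header */
    RESP_TOO_LONG,      /* would not fit the receive buffer */
    RESP_ID_MISMATCH,   /* transaction ID does not match our query */
    RESP_NOT_RESPONSE   /* QR bit clear: this is a query, not an answer */
};

struct resp_buffer {
    uint8_t data[RESP_BUF_SIZE];
    size_t len;
};

/* Validate a wire-format DNS message before copying it into a fixed-size
 * buffer. The length check is the step an overflow-prone resolver omits:
 * the copy happens only after we know the whole message fits. */
enum resp_status accept_dns_response(const uint8_t *wire, size_t wire_len,
                                     uint16_t expected_id,
                                     struct resp_buffer *buf)
{
    if (wire_len < DNS_HEADER_LEN)
        return RESP_TOO_SHORT;
    if (wire_len > sizeof buf->data)
        return RESP_TOO_LONG;          /* refuse; never truncate or overrun */

    uint16_t id = (uint16_t)((wire[0] << 8) | wire[1]);
    if (id != expected_id)
        return RESP_ID_MISMATCH;       /* cheap filter against injected answers */
    if ((wire[2] & 0x80) == 0)
        return RESP_NOT_RESPONSE;      /* QR bit (top bit of byte 2) must be set */

    memcpy(buf->data, wire, wire_len);
    buf->len = wire_len;
    return RESP_OK;
}

/* Build a constructed response of total length len in a scratch area and
 * run it through accept_dns_response. Only the header bytes are meaningful;
 * the rest is zero padding standing in for answer records. */
enum resp_status check_sample(size_t len, uint16_t sent_id,
                              uint16_t expected_id, int set_qr)
{
    static uint8_t wire[4096];         /* large enough to hold an oversized sample */
    struct resp_buffer buf;

    if (len > sizeof wire)
        len = sizeof wire;
    memset(wire, 0, sizeof wire);
    wire[0] = (uint8_t)(sent_id >> 8);
    wire[1] = (uint8_t)(sent_id & 0xff);
    wire[2] = set_qr ? 0x81 : 0x01;    /* QR plus RD, as a real answer carries */
    wire[3] = 0x80;                    /* RA set */
    return accept_dns_response(wire, len, expected_id, &buf);
}

int main(void)
{
    printf("normal 100-byte answer : %d\n", check_sample(100, 0x1234, 0x1234, 1));
    printf("oversized 4000-byte    : %d\n", check_sample(4000, 0x1234, 0x1234, 1));
    printf("wrong transaction ID   : %d\n", check_sample(100, 0x1234, 0x4321, 1));
    printf("QR bit clear           : %d\n", check_sample(100, 0x1234, 0x1234, 0));
    return 0;
}
```

The design point is that the size comparison happens against the destination buffer before any byte is copied, and an oversized answer is rejected outright rather than truncated; an attacker who controls the answering server controls the message length, so the receiver's own buffer size is the only bound that can be trusted.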

“Remote code execution is possible, but not straightforward,” Google researchers said. “It requires bypassing the security mitigations present on the system, such as ASLR. We will not release our exploit code.”

Google did, however, release proof-of-concept code that helps system administrators detect whether their systems are vulnerable to this issue.

According to the researchers, the bug affected all glibc versions since 2.9, released in March 2009. The glibc team has released a patch to address this vulnerability.

Glibc is one of the most important C libraries in use, found in applications ranging from desktop apps to data center software, and from networking equipment to IoT devices.