The Linux glibc Exploit – What You Need To Know

Use Netsparker


So the Internet exploded this week with news of a pretty serious glibc exploit, something that everyone pays attention to as every Linux server uses this library and in some cases it can yield remote code execution.

In basic terms the glibc DNS client (libresolv) is vulnerable to a stack-based buffer overflow when the getaddrinfo() library function is used and plenty of stuff could trigger the exploit including SSH, sudo, curl, PHP, Rails and more.

glibc Exploit

The bug was actually reported last July here – In send_dg, the recvfrom function is NOT always using the buffer size of a newly created buffer (CVE-2015-7547) but was marked as ‘P2 Normal’ priority – which is clearly not very important even though this is a classic buffer overflow which could be exploited remotely.

Windows, OS X and Android devices are not vulnerable as they use different libraries. uClibc for example had this same bug fixed 6 years ago.

Technical Details

It was reported publicly by Google, here’s the technical summary:

glibc reserves 2048 bytes in the stack through alloca() for the DNS answer at _nss_dns_gethostbyname4_r() for hosting responses to a DNS query.

Later on, at send_dg() and send_vc(), if the response is larger than 2048 bytes, a new buffer is allocated from the heap and all the information (buffer pointer, new buffer size and response size) is updated.

Under certain conditions a mismatch between the stack buffer and the new heap allocation will happen. The final effect is that the stack buffer will be used to store the DNS response, even though the response is larger than the stack buffer and a heap buffer was allocated. This behavior leads to the stack buffer overflow.

The vectors to trigger this buffer overflow are very common and can include ssh, sudo, and curl. We are confident that the exploitation vectors are diverse and widespread; we have not attempted to enumerate these vectors further.

SourceCVE-2015-7547: glibc getaddrinfo stack-based buffer overflow

Most actual exploit vectors are covered by protective technologies like ASLR (good discussion on Reddit) and non-executable stack protection, but there’s still a lot of potential and this has been in the wild for 8 years (since 2.9) – so it’s pretty likely the bad guys have jumped on it long ago.


And well this is not the first time is it, if you remember the GHOST Vulnerability In glibc from early last year.

The post from Redhat with mitigation solutions and an extremely detailed analysis of the actual code is here:

[PATCH] CVE-2015-7547 — glibc getaddrinfo() stack-based buffer overflow

You can also find a PoC on Github here – Proof of concept for CVE-2015-7547

Mitigations

Our suggested mitigation is to limit the response (i.e., via DNSMasq or similar programs) sizes accepted by the DNS resolver locally as well as to ensure that DNS queries are sent only to DNS servers which limit the response size for UDP responses with the truncation bit set.

Specifically you can prevent the attack by limiting all TCP DNS replies to 1024 bytes, and dropping UDP DNS packets larger than 512 bytes.

This will effectively stop the buffer from overflowing in the first place, so..no stack smashing.

Solution

Upgrade your packages and reboot!

To check your version on Ubuntu type:

It affects:

– Ubuntu 15.10 – fixed version is 2.21-0ubuntu4.1
– Ubuntu 14.04 LTS – fixed version is 2.19-0ubuntu6.7
– Ubuntu 12.04 LTS – fixed version is 2.15-0ubuntu10.13

So get it up to date, rebooted and you’ll be fine.

Posted in: Exploits/Vulnerabilities, Linux Hacking

, ,


Latest Posts:


BDFProxy - Patch Binaries via MITM - BackdoorFactory + mitmProxy BDFProxy – Patch Binaries via MiTM – BackdoorFactory + mitmproxy
BDFProxy allows you to patch binaries via MiTM with The Backdoor Factory combined with mitmproxy enabling on the fly patching of binary downloads
Domained - Multi Tool Subdomain Enumeration Domained – Multi Tool Subdomain Enumeration
Domained is a multi tool subdomain enumeration tool that uses several subdomain enumeration tools and wordlists to create a unique list of subdomains.
Acunetix Vulnerability Scanner For Linux Now Available Acunetix Vulnerability Scanner For Linux Now Available
Acunetix Vulnerability Scanner For Linux is now available, now you get all of the functionality of Acunetix, with all of the dependability of Linux.
Gerix WiFi Cracker - Wireless 802.11 Hacking Tool With GUI Gerix WiFi Cracker – Wireless 802.11 Hacking Tool With GUI
Gerix WiFi cracker is an easy to use Wireless 802.11 Hacking Tool with a GUI, it was originally made to run on BackTrack and this version has been updated for Kali (2018.1).
Malcom - Malware Communication Analyzer Malcom – Malware Communication Analyzer
Malcom is a Malware Communication Analyzer designed to analyze a system's network communication using graphical representations of network traffic.
WepAttack - WLAN 802.11 WEP Key Hacking Tool WepAttack – WLAN 802.11 WEP Key Hacking Tool
WepAttack is a WLAN open source Linux WEP key hacking tool for breaking 802.11 WEP keys using a wordlist based dictionary attack.


2 Responses to The Linux glibc Exploit – What You Need To Know

  1. Michael February 19, 2016 at 4:52 pm #

    Is a reboot really necessary??

    • Darknet February 19, 2016 at 5:00 pm #

      Well you could use something like http://tracer-package.com/ or needs-restart if you trust those and restart all necessary daemons. But with a core library like glibc which is used almost everywhere, I’d go for a reboot if possible.