CVE-2015-7547: glibc getaddrinfo stack-based buffer overflow
February 16, 2016
Sources:
- https://googleonlinesecurity.blogspot.fi/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html
- https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html
What?
During upstream review of the public open bug 18665 for glibc, it was
discovered that the bug could lead to a stack-based buffer overflow in the
glibc DNS client-side (stub) resolver, triggered when a program calls
getaddrinfo(). Affected versions are glibc 2.9 and later; the fix is in
upstream glibc as of the February 16, 2016 announcement (shipped in glibc
2.23) and in distribution backports. Because the overflow is driven by the
size of the DNS reply, a vulnerable program can be attacked through an
attacker-controlled domain name, an attacker-controlled DNS server, or a
man-in-the-middle on the path to its resolver.
Exploitation
Remote code execution is possible, but not straightforward. It requires
bypassing the security mitigations present on the system, such as ASLR.
The workarounds below reduce exposure but do not remove the bug: the fix is
to update glibc and then restart every process that still has the old
library mapped, since the stub resolver runs inside the calling process.
- Mitigating factors for UDP include:
  - A firewall that drops UDP DNS packets > 512 bytes.
  - A local resolver (that drops non-compliant responses).
  - Avoid dual A and AAAA queries (avoids the buffer management error),
    e.g. do not pass AF_UNSPEC in the getaddrinfo() hints.
  - No use of `options edns0` in /etc/resolv.conf, since EDNS0 allows
    responses larger than 512 bytes and can lead to valid DNS responses
    that overflow.
  - No use of `RES_USE_EDNS0` or `RES_USE_DNSSEC`, since they can both
    lead to valid large EDNS0-based DNS responses that can overflow.
- Mitigating factors for TCP include:
  - Limit all replies to 1024 bytes.
- Mitigations that do not work (per the upstream announcement):
  - `options single-request` or `options single-request-reopen` in
    /etc/resolv.conf: they change how queries are scheduled, not how the
    reply buffer is managed.
  - Disabling IPv6 on the host: AAAA queries are still sent whenever
    AF_UNSPEC is used.
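Two of the items above can be turned into code. The block below is an added
example written for this page, not code from glibc or from either advisory:
`dns_filter_reply` is the size and sanity check a local resolver or DNS proxy
sitting in front of the stub resolver would apply (UDP replies over 512 bytes
and TCP replies over 1024 bytes are dropped, as are replies whose ID does not
match the query or whose QR bit is clear), `dns_tcp_prefix_ok` rejects an
oversized TCP frame from its length prefix before the body is ever buffered,
and `resolve_single_family` is the application-side workaround that replaces
one AF_UNSPEC lookup with separate AF_INET and AF_INET6 lookups. The sample
reply, the verdict codes and all function names are constructed for the
example; the `numeric_host_family` helper and the `main` demo use
AI_NUMERICHOST so that they run offline and never touch the resolver's DNS
path.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>

/* Limits taken from the mitigating factors listed above. */
#define DNS_UDP_MAX 512   /* drop UDP replies larger than this */
#define DNS_TCP_MAX 1024  /* drop TCP replies larger than this */
#define DNS_HDR_LEN 12

enum dns_verdict {
    DNS_ACCEPT = 0,
    DNS_DROP_SHORT,        /* shorter than a DNS header (or unbuildable sample) */
    DNS_DROP_ID_MISMATCH,  /* reply ID does not match the query we sent */
    DNS_DROP_NOT_RESPONSE, /* QR bit clear: a query, not a reply */
    DNS_DROP_TOO_LARGE     /* over the transport's size limit */
};

/* Filter one reply before it reaches the stub resolver. msg/len is the DNS
 * message itself; for TCP the 2-byte length prefix has already been stripped. */
enum dns_verdict dns_filter_reply(const uint8_t *msg, size_t len,
                                  int over_tcp, uint16_t expected_id)
{
    if (len < DNS_HDR_LEN)
        return DNS_DROP_SHORT;
    uint16_t id = (uint16_t)((msg[0] << 8) | msg[1]);
    if (id != expected_id)
        return DNS_DROP_ID_MISMATCH;
    if (!(msg[2] & 0x80))               /* QR is the top bit of the flags */
        return DNS_DROP_NOT_RESPONSE;
    if (len > (size_t)(over_tcp ? DNS_TCP_MAX : DNS_UDP_MAX))
        return DNS_DROP_TOO_LARGE;
    return DNS_ACCEPT;
}

/* TCP DNS frames start with a 2-byte big-endian length (RFC 1035 4.2.2).
 * Check it before reading the body so an oversized frame is never buffered. */
int dns_tcp_prefix_ok(uint8_t hi, uint8_t lo)
{
    size_t declared = ((size_t)hi << 8) | lo;
    return declared >= DNS_HDR_LEN && declared <= DNS_TCP_MAX;
}

/* Constructed sample reply (not a capture): header with QR/RD/RA set, question
 * "a.example A IN", one A answer (192.0.2.1, TEST-NET-1). Zero padding up to
 * total_len stands in for a reply that has grown past the transport limit. */
size_t build_sample_reply(uint8_t *out, size_t cap, uint16_t id, size_t total_len)
{
    static const uint8_t body[] = {
        0x00, 0x00, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
        0x01, 'a', 0x07, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 0x00, 0x00, 0x01, 0x00, 0x01,
        0xc0, 0x0c, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x3c, 0x00, 0x04, 192, 0, 2, 1
    };
    if (total_len < sizeof body || total_len > cap)
        return 0;
    memset(out, 0, total_len);
    memcpy(out, body, sizeof body);
    out[0] = (uint8_t)(id >> 8);
    out[1] = (uint8_t)(id & 0xff);
    return total_len;
}

/* Build a sample reply of total_len bytes carrying reply_id and run it through
 * the filter as if it had arrived for a query sent with expected_id. */
enum dns_verdict filter_sample(uint16_t reply_id, uint16_t expected_id,
                               size_t total_len, int over_tcp)
{
    static uint8_t buf[2048];
    size_t n = build_sample_reply(buf, sizeof buf, reply_id, total_len);
    return n ? dns_filter_reply(buf, n, over_tcp, expected_id) : DNS_DROP_SHORT;
}

/* Application-side workaround for "avoid dual A and AAAA queries": never pass
 * AF_UNSPEC; issue one getaddrinfo() per family. Results are copied into out[]
 * so addrinfo lists from different calls are never chained together. */
int resolve_single_family(const char *node, const char *service, int flags,
                          struct sockaddr_storage *out, size_t cap)
{
    static const int families[] = { AF_INET, AF_INET6 };
    size_t n = 0;
    for (size_t i = 0; i < sizeof families / sizeof families[0]; i++) {
        struct addrinfo hints, *res, *p;
        memset(&hints, 0, sizeof hints);
        hints.ai_family = families[i];   /* one family per query, never AF_UNSPEC */
        hints.ai_socktype = SOCK_STREAM;
        hints.ai_flags = flags;
        if (getaddrinfo(node, service, &hints, &res) != 0)
            continue;                    /* no address in this family */
        for (p = res; p && n < cap; p = p->ai_next, n++)
            memcpy(&out[n], p->ai_addr, p->ai_addrlen);
        freeaddrinfo(res);
    }
    return (int)n;
}

/* Address family of a numeric host string, or -1. AI_NUMERICHOST keeps this
 * off the network, so the demo and tests run without DNS. */
int numeric_host_family(const char *host)
{
    struct sockaddr_storage ss[1];
    return resolve_single_family(host, NULL, AI_NUMERICHOST, ss, 1) == 1
           ? (int)ss[0].ss_family : -1;
}

int main(void)
{
    printf("udp  43B: %d\n", filter_sample(0x1234, 0x1234, 43, 0));
    printf("udp 600B: %d\n", filter_sample(0x1234, 0x1234, 600, 0));
    printf("tcp 600B: %d\n", filter_sample(0x1234, 0x1234, 600, 1));
    printf("tcp 1100B: %d\n", filter_sample(0x1234, 0x1234, 1100, 1));
    printf("::1 -> family %d (AF_INET6 = %d)\n", numeric_host_family("::1"), AF_INET6);
    return 0;
}
```

If the same 512-byte cut-off is enforced with a packet-length firewall rule
instead, remember that the rule sees the whole datagram: on IPv4 a 512-byte
DNS payload is a 540-byte packet (20-byte IP header plus 8-byte UDP header,
more with IP options), so a rule written against "512" silently drops
legitimate replies of 485 bytes and up. The filter and the per-family
lookup are guards around the bug, not a fix; the fix is the patched glibc.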