[dns-operations] ShellShock exploit through the DNS

Florian Weimer fw at deneb.enyo.de
Sat Oct 18 20:23:58 UTC 2014


* P. Vixie:

> On October 18, 2014 4:06:07 PM EDT, Florian Weimer <fw at deneb.enyo.de> wrote:
>
>>Red Hat Enterprise Linux does not have this vector.  It uses the
>>regular glibc resolver, which is based on the old BIND stub resolver,
>>and this code has both escaping from wire format to the textual
>>representation (which destroys the magic pattern) and the res_hnok
>>check (which rejects shell meta-characters).
>
> Wow. That code has been hugely unpopular but it turns out there may
> have been a point to it other than protecting sendmail qf files back
> in 1995. Thanks for sharing.
>
> What about getnameinfo and getaddrinfo?

nss_dns has the behavior I described above.  If you use other NSS
modules for host name resolution, you may get different behavior.
(I'm not even sure if reverse lookups through LDAP even work,
I have never seen such a thing.)
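
The two protections named in the message, as an added example that is not part of the original post and is not glibc's code: `wire_to_text` models the wire-to-text escaping in the style of BIND's `ns_name_ntop`, and `hostname_ok` is a simplified model of the `res_hnok` rule. Both function names and the sample names are assumptions made for illustration, and compression pointers are not handled.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed samples: wire-format names (length-prefixed labels, root label last). */
const unsigned char SAMPLE_BAD[]  = "\x08" "() { :;}" "\x07" "example";
const unsigned char SAMPLE_GOOD[] = "\x04" "mail" "\x07" "example";

/* Wire format -> text with ns_name_ntop-style escaping. Returns text length, -1 on error. */
int wire_to_text(const unsigned char *src, size_t srclen, char *dst, size_t dstlen) {
    size_t i = 0, o = 0;
    while (i < srclen) {
        size_t n = src[i++];
        if (n == 0) {                                 /* root label ends the name */
            if (o == 0) { if (dstlen < 2) return -1; dst[o++] = '.'; }
            dst[o] = '\0'; return (int)o;
        }
        if (n > 63 || n > srclen - i) return -1;      /* bad length or truncated input */
        if (o != 0) { if (o + 1 >= dstlen) return -1; dst[o++] = '.'; }
        for (; n > 0; n--) {
            unsigned char c = src[i++];
            if (o + 5 > dstlen) return -1;            /* room for \DDD plus NUL */
            if (c && strchr("\".;\\()@$", c)) { dst[o++] = '\\'; dst[o++] = (char)c; }
            else if (c > 0x20 && c < 0x7f) dst[o++] = (char)c;
            else o += (size_t)snprintf(dst + o, 5, "\\%03u", (unsigned)c);
        }
    }
    return -1;                                        /* input ended before the root label */
}

/* Simplified model of the res_hnok rule: letters and digits, '-' only inside a label. */
int hostname_ok(const char *s) {
    for (char prev = '.'; *s; prev = *s++) {
        if (*s == '.' || isalnum((unsigned char)*s)) continue;
        if (*s == '-' && prev != '.' && s[1] != '.' && s[1] != '\0') continue;
        return 0;
    }
    return 1;
}

int main(void) {
    char text[256];
    if (wire_to_text(SAMPLE_BAD, sizeof SAMPLE_BAD, text, sizeof text) >= 0)
        printf("%s -> %s\n", text, hostname_ok(text) ? "accepted" : "rejected");
    return 0;
}
```

The escaping alone already rewrites the parentheses, spaces and semicolon of the constructed label, and the character check then rejects the escaped name outright.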


