[dns-operations] CVE-2015-7547: glibc getaddrinfo buffer overflow
Mark Andrews
marka at isc.org
Tue Feb 23 21:23:12 UTC 2016
In message <CAA=nHSLvy=L3cMA8DKtPm1VgZr74N9ysk4vVg6kC-shZ29ChQQ at mail.gmail.com>
, George Michaelson writes:
>
> possibly silly Q. apologies if this is well understood and covered.
>
> given [client] -> [resolver A] -> [resolver B] -> [resolver C] ->
> [authority]
>
> who gets broken into and why?
The client. That is the entity calling getaddrinfo.
> given [client] -> [8.8.8.8] -> [authority]
>
> who gets broken into and why?
The client. That is the entity calling getaddrinfo.
getaddrinfo is dying on well formed DNS responses. Intermediate
resolvers aren't designed to protect you from well formed DNS
responses to queries initiated from the client. They should protect
you from malformed DNS responses which is one of the design goals
of BIND. getaddrinfo should also protect you from both well formed
and malformed DNS responses but in this case it doesn't though it
is attempting to. Bugs happen.
Mark
> [client] is assumed to be { [client], [client] -> [NAT/Router DNS agent] }
>
> -G
>
> On 24 February 2016 at 09:34, Robert Edmonds <edmonds at mycre.ws> wrote:
>
> > Mukund Sivaraman wrote:
> > > Assuming the 2nd message overflows on the stack and overwrites the
> > > return address suitably,
> >
> > Once the attacker controls the instruction pointer, it's game over.
> >
> > --
> > Robert Edmonds
> > _______________________________________________
> > dns-operations mailing list
> > dns-operations at lists.dns-oarc.net
> > https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> > dns-jobs mailing list
> > https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
> >
>
> --047d7b2e459c48e655052c75fa70
> Content-Type: text/html; charset="UTF-8"
> Content-Transfer-Encoding: quoted-printable
>
> <div dir=3D"ltr">possibly silly Q. apologies if this is well understood and=
> covered.<div><br></div><div>given [client] -> [resolver A] -> [resol=
> ver B] -> [resolver C] -> [authority]</div><div><br></div><div>who ge=
> ts broken into and why?</div><div><br></div><div>given [client] -> [8.8.=
> 8.8] -> [authority]</div><div><br></div><div>who gets broken into and wh=
> y?</div><div><br></div><div>[client] is assumed to be { [client], [client] =
> -> [NAT/Router DNS agent] }</div><div><br></div><div>-G</div></div><div =
> class=3D"gmail_extra"><br><div class=3D"gmail_quote">On 24 February 2016 at=
> 09:34, Robert Edmonds <span dir=3D"ltr"><<a href=3D"mailto:edmonds at mycr=
> e.ws" target=3D"_blank">edmonds at mycre.ws</a>></span> wrote:<br><blockquo=
> te class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1px #ccc so=
> lid;padding-left:1ex"><span class=3D"">Mukund Sivaraman wrote:<br>
> > Assuming the 2nd message overflows on the stack and overwrites the<br>
> > return address suitably,<br>
> <br>
> </span>Once the attacker controls the instruction pointer, it's game ov=
> er.<br>
> <span class=3D"HOEnZb"><font color=3D"#888888"><br>
> --<br>
> Robert Edmonds<br>
> </font></span><div class=3D"HOEnZb"><div class=3D"h5">_____________________=
> __________________________<br>
> dns-operations mailing list<br>
> <a href=3D"mailto:dns-operations at lists.dns-oarc.net">dns-operations at lists.d=
> ns-oarc.net</a><br>
> <a href=3D"https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-jobs" rel=3D"noreferrer" target=3D"_blank">https://lists.dns-oarc.net/m=
> ailman/listinfo/dns-operations<br>
> dns-jobs</a> mailing list<br>
> <a href=3D"https://lists.dns-oarc.net/mailman/listinfo/dns-jobs" rel=3D"nor=
> eferrer" target=3D"_blank">https://lists.dns-oarc.net/mailman/listinfo/dns-=
> jobs</a><br>
> </div></div></blockquote></div><br></div>
>
> --047d7b2e459c48e655052c75fa70--
>
> --===============7144437757527182240==
> Content-Type: text/plain; charset="us-ascii"
> MIME-Version: 1.0
> Content-Transfer-Encoding: 7bit
> Content-Disposition: inline
>
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-jobs mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
> --===============7144437757527182240==--
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
More information about the dns-operations
mailing list