[dns-operations] CVE-2015-7547: glibc getaddrinfo buffer overflow

Mark Andrews marka at isc.org
Tue Feb 23 21:26:29 UTC 2016


In message <CAA=nHSLfFT9N9dLeLcTGnKrtAOapYpai4K4E0jzSE+XVV1Nrzg at mail.gmail.com>
, George Michaelson writes:
> 
> Second order Q:
> 
> if the question OR answer is cached, is there a multiplying factor for
> other [client] ?

If you can get an answer that will make a client fall over in these
scenarios then yes it will be coming from the cache.

Mark

> On 24 February 2016 at 09:41, George Michaelson <ggm at apnic.net> wrote:
> 
> > possibly silly Q. apologies if this is well understood and covered.
> >
> > given [client] -> [resolver A] -> [resolver B] -> [resolver C] ->
> > [authority]
> >
> > who gets broken into and why?
> >
> > given [client] -> [8.8.8.8] -> [authority]
> >
> > who gets broken into and why?
> >
> > [client] is assumed to be { [client], [client] -> [NAT/Router DNS agent] }
> >
> > -G
> >
> > On 24 February 2016 at 09:34, Robert Edmonds <edmonds at mycre.ws> wrote:
> >
> >> Mukund Sivaraman wrote:
> >> > Assuming the 2nd message overflows on the stack and overwrites the
> >> > return address suitably,
> >>
> >> Once the attacker controls the instruction pointer, it's game over.
> >>
> >> --
> >> Robert Edmonds
> >>
> >
> >
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org


