A critical security flaw has been reported in the GNU C Library (glibc). The bug has been present in glibc since 2008, and a huge amount of Linux software can be hijacked by miscreants from the other side of the internet.
The GNU C Library (glibc) is an essential component of Linux distributions. Researchers at Google and Red Hat traced the flaw to glibc's DNS resolver, the component that translates human-readable domain names, such as www.secpod.com, into network IP addresses.
The glibc client-side DNS resolver is vulnerable to a stack-based buffer overflow when getaddrinfo() is called. Software that uses this function can be exploited through attacker-controlled domain names, attacker-controlled DNS servers, or a man-in-the-middle attack.
glibc allocates 2048 bytes on the stack with alloca() in _nss_dns_gethostbyname4_r() to hold the response to a DNS query. Later, in send_dg() and send_vc(), if the response is larger than 2048 bytes, a new buffer is allocated on the heap and the bookkeeping (buffer pointer, new buffer size and response size) is updated.
Under certain conditions, a mismatch between the stack buffer and the new heap allocation occurs: the stack buffer ends up being used to store the DNS response even though the response is larger than the stack buffer and a heap buffer was allocated. This is what produces the stack buffer overflow.
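To make the bug class concrete, here is an added illustration (not glibc's code) of the bookkeeping described above: a faulty pattern in which the write pointer and the size bounding the copy are tracked separately and can drift apart, beside a hardened pattern that keeps them together. The "second receive that targets the stack buffer again" is an assumed mismatch for the model, not a statement of the exact glibc condition; the faulty function only computes the overrun and never writes memory.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
#define STACK_ANSWER_SIZE 2048   /* the stack answer buffer size named above */

/* Faulty bookkeeping (a model, not glibc's code): the pointer to write into and
 * the size the copy is bounded by are separate variables. Once a first answer
 * outgrows the stack buffer, bufsize holds the heap size; the assumed mismatch
 * is a second receive that targets the stack buffer again but keeps bufsize.
 * Returns how many bytes that copy would run past the stack buffer. */
static size_t faulty_overrun(size_t first_len, size_t second_len)
{
    size_t bufsize = STACK_ANSWER_SIZE;
    if (first_len > bufsize) bufsize = first_len;   /* heap buffer "allocated" */
    size_t copy = second_len < bufsize ? second_len : bufsize;  /* bound: bufsize */
    return copy > STACK_ANSWER_SIZE ? copy - STACK_ANSWER_SIZE : 0; /* target: stack */
}

/* Hardened pattern: pointer, capacity and length travel together in one struct
 * and every copy is bounded by the capacity of the buffer actually written. */
struct answer_buf { unsigned char *buf; size_t capacity, len; bool on_heap; };
static int answer_store(struct answer_buf *a, const unsigned char *resp, size_t n)
{
    if (n > a->capacity) {                 /* grow: swap buf and capacity as a pair */
        unsigned char *nb = malloc(n);
        if (nb == NULL) return -1;
        if (a->on_heap) free(a->buf);
        a->buf = nb; a->capacity = n; a->on_heap = true;
    }
    memcpy(a->buf, resp, n);
    a->len = n;
    return 0;
}

/* Store two constructed answers of the given sizes through the hardened path.
 * Returns -1 on failure, 0 if everything fit the stack buffer, 1 if the answer
 * moved to the heap; the stored length never exceeds the capacity. */
static int safe_two_answers(size_t first_len, size_t second_len)
{
    unsigned char stack_buf[STACK_ANSWER_SIZE];
    size_t big = first_len > second_len ? first_len : second_len;
    unsigned char *resp = malloc(big);
    if (resp == NULL) return -1;
    memset(resp, 'A', big);                /* constructed answer bytes */
    struct answer_buf a = { stack_buf, sizeof stack_buf, 0, false };
    int rc = -1;
    if (answer_store(&a, resp, first_len) == 0 &&
        answer_store(&a, resp, second_len) == 0 && a.len <= a.capacity)
        rc = a.on_heap ? 1 : 0;
    if (a.on_heap) free(a.buf);
    free(resp);
    return rc;
}
```

With two 3000-byte answers the faulty model reports a 952-byte overrun of the stack buffer, while the hardened path simply ends up on the heap with the length still inside the capacity.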
The buffer overflow can be triggered through programs that depend on the resolver, such as ssh, sudo, and curl. The code that introduced the vulnerability landed in May 2008 as part of glibc 2.9.
The flaw can be exploited when a device or application queries a malicious DNS server, or when a user follows a link that causes a lookup against one: the server returns far more data than the lookup request warrants and floods the program's memory with attacker-supplied code.
That code then compromises the vulnerable device and attempts to take control of the whole system. A crafted domain name can also be injected into server log files, and when it is later resolved it triggers remote code execution. Exploitation does, however, require bypassing the mitigations present on the system, such as ASLR and non-executable stack protection.
Affected versions: all versions of glibc from 2.9 onward are vulnerable.