myhack58 | 佚名 (Anonymous) | MYHACK58:62201671834
History: Feb 18, 2016 - 12:00 a.m.

Another major security vulnerability in "glibc", the core Linux function library; multiple distributions affected - Vulnerability Alert - 黑吧安全网 (myhack58.com)

www.myhack58.com

8.1 High (CVSS3)
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

6.8 Medium (CVSS2)
AV:N/AC:M/Au:N/C:P/I:P/A:P
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

EPSS: 0.975 High (Percentile 100.0%)

Google's security research team recently disclosed a stack-based buffer overflow in the glibc getaddrinfo() function (CVE-2015-7547).

Details of the vulnerability and of how it was found are in the [Google blog post](https://googleonlinesecurity.blogspot.ca/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html?m=1). (As an aside, Google's engineers are really something.)

Vulnerability description:

The root cause is that a DNS server response larger than 2048 bytes leaves the resolver in a state where the next response overflows a buffer on the stack.

In other words, the vulnerability relies on an oversized (more than 2048 bytes) UDP or TCP response, followed by another response that overwrites the stack.
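To make the pointer/size mismatch concrete, here is a small model of the bug class written for this page; it is not glibc's code and not Google's PoC. It follows the description in the linked blog post: a fixed 2048-byte answer buffer on the stack, a larger heap buffer allocated once an answer does not fit, and bookkeeping that lets the stack buffer be reused together with the heap buffer's size when the second answer arrives. The frame layout, the 65535-byte heap size, the canary and the constructed 512/2300-byte answers are assumptions of the model, and the simulated stack carries extra slack so the overrun stays inside one object and the demonstration itself does not crash.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define STACK_ANS_SIZE 2048   /* glibc's fixed on-stack answer buffer (size from the advisory) */
#define HEAP_ANS_SIZE  65535  /* larger heap buffer used once an answer does not fit (assumed size) */
#define CANARY_LEN     8

/* Simulated stack: the answer buffer, then a canary standing in for the saved
 * registers and return address above it, then slack so that an overrun stays
 * inside one object and this model does not crash. In a real process the
 * overrun continues into the caller's frames, hence the Segmentation Fault. */
#define FRAME_SIZE (STACK_ANS_SIZE + CANARY_LEN + HEAP_ANS_SIZE)
struct frame { unsigned char stack[FRAME_SIZE]; };

static const unsigned char CANARY[CANARY_LEN] = {0xDE,0xAD,0xBE,0xEF,0xCA,0xFE,0xF0,0x0D};

static void arm_canary(struct frame *f) { memcpy(f->stack + STACK_ANS_SIZE, CANARY, CANARY_LEN); }
static int canary_intact(const struct frame *f) { return memcmp(f->stack + STACK_ANS_SIZE, CANARY, CANARY_LEN) == 0; }

/* Vulnerable shape: destination passed by value, size by pointer. When an
 * answer does not fit, a heap buffer is allocated and the size is updated for
 * the caller, but the new destination is known only locally: the caller keeps
 * handing in the stack buffer together with the larger size. */
static void recv_answer_vuln(unsigned char *dst, size_t *dstsizp, unsigned char **heapp,
                             const unsigned char *resp, size_t resplen)
{
    if (resplen > *dstsizp) {
        if (*heapp == NULL && (*heapp = malloc(HEAP_ANS_SIZE)) == NULL)
            abort();
        dst = *heapp;               /* local only */
        *dstsizp = HEAP_ANS_SIZE;   /* visible to the caller */
    }
    memcpy(dst, resp, resplen < *dstsizp ? resplen : *dstsizp);
}

/* Hardened shape: pointer and size are the caller's own variables and are
 * updated together, so they can never describe two different buffers. */
static void recv_answer_fixed(unsigned char **dstp, size_t *dstsizp, unsigned char **heapp,
                              const unsigned char *resp, size_t resplen)
{
    if (resplen > *dstsizp) {
        if (*heapp == NULL && (*heapp = malloc(HEAP_ANS_SIZE)) == NULL)
            abort();
        *dstp = *heapp;
        *dstsizp = HEAP_ANS_SIZE;
    }
    memcpy(*dstp, resp, resplen < *dstsizp ? resplen : *dstsizp);
}

/* One lookup receives two answers (A, then AAAA). Returns 1 if the simulated
 * stack survived, 0 if the canary was overwritten. */
static int resolve(int use_fixed, struct frame *f, const unsigned char *r1, size_t n1,
                   const unsigned char *r2, size_t n2)
{
    unsigned char *heap = NULL, *ans = f->stack;
    size_t anssiz = STACK_ANS_SIZE;

    arm_canary(f);
    if (use_fixed) {
        recv_answer_fixed(&ans, &anssiz, &heap, r1, n1);
        recv_answer_fixed(&ans, &anssiz, &heap, r2, n2);
    } else {
        recv_answer_vuln(f->stack, &anssiz, &heap, r1, n1);  /* oversized: moves to heap, anssiz grows */
        recv_answer_vuln(f->stack, &anssiz, &heap, r2, n2);  /* same stack buffer, 65535 bytes of "room" */
    }
    free(heap);
    return canary_intact(f);
}

/* Drive one lookup with constructed answers of n1 and n2 bytes (all 'A' / all
 * 'B'; only the lengths matter). 1 = stack survived, 0 = smashed, -1 = bad input. */
int lookup(int use_fixed, size_t n1, size_t n2)
{
    static struct frame f;                                    /* ~66 KiB, kept off the real stack */
    static unsigned char r1[HEAP_ANS_SIZE], r2[HEAP_ANS_SIZE];
    if (n1 > HEAP_ANS_SIZE || n2 > HEAP_ANS_SIZE)
        return -1;
    memset(r1, 'A', n1);
    memset(r2, 'B', n2);
    return resolve(use_fixed, &f, r1, n1, r2, n2);
}

int main(void)
{
    static const char *verdict[] = { "SMASHED", "intact" };
    printf("vulnerable, 512 + 2300 bytes:  canary %s\n", verdict[lookup(0, 512, 2300)]);
    printf("vulnerable, 2300 + 2300 bytes: canary %s\n", verdict[lookup(0, 2300, 2300)]);
    printf("fixed,      2300 + 2300 bytes: canary %s\n", verdict[lookup(1, 2300, 2300)]);
    return 0;
}
```

Build with `cc -o glibc-model glibc-model.c` and run it. With the vulnerable shape the canary is overwritten only when the first answer is the oversized one and a second large answer follows, which is exactly the sequence the advisory describes; a large second answer on its own goes to the heap and is harmless. The hardened shape keeps the destination pointer and its size in step, the property the upstream fix restores.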

Impact range:

All Debian-family and Red Hat-family Linux distributions are affected as long as the glibc version is 2.9 or later (the bug was introduced in glibc 2.9).
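A quick way to tell whether a host's glibc is even inside the affected version window, as an example added for this page (it is not from the advisory or the PoC repository): it reads the running glibc's version through glibc's own gnu_get_libc_version() and compares it against the range 2.9 to 2.22. The upper bound comes from the upstream fix shipping in glibc 2.23 and is an assumption of the example, not something the page states; the sample version strings are constructed.

```c
#include <stdio.h>
#ifdef __GLIBC__
#include <gnu/libc-version.h>   /* gnu_get_libc_version(): real glibc API */
#endif

/* Parse "MAJOR.MINOR[anything]" such as "2.19" or "2.31-0ubuntu9".
 * Returns 1 on success, 0 if the string is not a version. */
static int parse_glibc_version(const char *ver, int *major, int *minor)
{
    return ver != NULL && sscanf(ver, "%d.%d", major, minor) == 2
           && *major >= 0 && *minor >= 0;
}

/* 1 if the version lies in the CVE-2015-7547 window (2.9 .. 2.22), 0 if not,
 * -1 if the string cannot be parsed. The 2.22 upper bound is an assumption of
 * this example (fix released in glibc 2.23). A hit is a reason to check the
 * package changelog, not proof of exposure: distributions backport the fix
 * without changing the version number. */
int glibc_version_in_affected_range(const char *ver)
{
    int major, minor;
    if (!parse_glibc_version(ver, &major, &minor))
        return -1;
    return major == 2 && minor >= 9 && minor <= 22;
}

/* Version string of the glibc this program is linked against, NULL elsewhere. */
const char *running_glibc_version(void)
{
#ifdef __GLIBC__
    return gnu_get_libc_version();
#else
    return NULL;
#endif
}

int main(void)
{
    const char *v = running_glibc_version();
    if (v == NULL) {
        puts("not running on glibc");
        return 0;
    }
    switch (glibc_version_in_affected_range(v)) {
    case 1:  printf("glibc %s: inside 2.9..2.22, check whether the CVE-2015-7547 fix is backported\n", v); break;
    case 0:  printf("glibc %s: outside the affected version range\n", v); break;
    default: printf("glibc %s: could not parse version\n", v); break;
    }
    return 0;
}
```

The version check is only a first filter: a host inside the window may already carry a backported patch (look for CVE-2015-7547 in the libc package's changelog), and the definitive answer is the PoC run described in the test procedure below.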

Google has already published a POC; according to the Google blog, the memory protection mechanisms can be bypassed, which turns this into a code execution vulnerability.

Testing with the POC

POC repository: github.com/fjserna/CVE-2015-7547

I tested on my own Lubuntu machine, where the libc version is 2.19. Lubuntu is also a Debian-derived distribution, so in theory it meets the vulnerability criteria.

The test procedure is as follows:

Following the vulnerability description, we can stand up a fake DNS server as the man-in-the-middle to verify the vulnerability.

  1. Point DNS resolution at 127.0.0.1 and flush the DNS cache: sudo /etc/init.d/nscd restart
  2. Run CVE-2015-7547-poc.py; note that ip_addr does not need to be changed.
  3. Compile CVE-2015-7547-client.c and run CVE-2015-7547-client

If the system is vulnerable, the client crashes with a Segmentation Fault.

![Test result screenshot](/Article/UploadPic/2016-2/20162189318230.png)

Since glibc 2.9 was released back in 2008, a very large number of Linux systems are affected by this vulnerability. Once the memory protection mechanisms are bypassed, it becomes a potent weapon.

An attacker who hijacks a DNS server, or who performs a MITM attack on DNS traffic, could use it to take over a large number of hosts in bulk.

Fix:

1. Apply the patch; refer to the official announcement.

