glibc 2.20 getanswer_r, gethostbyname_r DNS response arbitrary code execution

2015.04.21

Credit: Arjun Shankar

Risk: High

Local: No

Remote: Yes

CVE: CVE-2015-1781

CWE: N/A

CVSS Base Score: 6.8/10

Impact Subscore: 6.4/10

Exploitability Subscore: 8.6/10

Exploit range: Remote

Attack complexity: Medium

Authentication: No required

Confidentiality impact: Partial

Integrity impact: Partial

Availability impact: Partial

Arjun Shankar of Red Hat discovered that the nss_dns code does not adjust the buffer length when the buffer start pointer is aligned. As a result, a buffer overflow can occur in the implementation of functions such as gethostbyname_r, and crafted DNS responses might cause application crashes or result in arbitrary code execution.
This can only happen if these functions are called with a misaligned buffer. I looked at quite a bit of source code, and tested applications with a patched glibc that logs misaligned buffers. I did not observe any such misaligned buffers.
Upstream bug:
https://sourceware.org/bugzilla/show_bug.cgi?id=18287
Upstream commit:
https://sourceware.org/git/?p=glibc.git;a=commit;h=2959eda9272a03386
--- a/resolv/nss_dns/dns-host.c
+++ b/resolv/nss_dns/dns-host.c
@@ -615,7 +615,8 @@ getanswer_r (const querybuf *answer, int anslen, const char *qname, int qtype,
int have_to_map = 0;
uintptr_t pad = -(uintptr_t) buffer % __alignof__ (struct host_data);
buffer += pad;
- if (__glibc_unlikely (buflen < sizeof (struct host_data) + pad))
+ buflen = buflen > pad ? buflen - pad : 0;
+ if (__glibc_unlikely (buflen < sizeof (struct host_data)))
{
/* The buffer is too small. */
too_small:

References:

https://sourceware.org/git/?p=glibc.git;a=commit;h=2959eda9272a03386

https://sourceware.org/bugzilla/show_bug.cgi?id=18287

Vote for this issue:

50%

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}