[ale] glibc vulnerability

Michael H. Warfield mhw at WittsEnd.com
Wed Jan 28 18:12:34 EST 2015


On Tue, 2015-01-27 at 17:57 -0500, Jim Kinney wrote:
> On Tue, 2015-01-27 at 16:33 -0500, James Sumners wrote:
> > It's just getting ridiculous at this point.
> 
> Actually, no. It's about time that some of the core capabilities of
> Linux were put under the security microscope. This particular issue
> doesn't allow root access but does allow access as the user running a
> vulnerable process. So turn on selinux while this is getting patched and
> privilege escalations are mostly moot.

It's also very difficult to exploit (in spite of the EXIM example /
PoC).  You can only overwrite a very limited number of bytes (4 bytes on
32 bit machines and 8 bytes on 64 bit machines) and that's then just
beginning your challenges for full RCE.  Not impossible, but far
FAR from a walk in the park.  Yes, even NULL derefs can be exploited
and, once you have a reliable exploit, difficulty of exploitation goes
out the window in a heartbeat.

Read the original Qualys analysis.  The qualifiers are highly
amusing...  The buffer fed to the old gethostbyname() must start with a
digit, can not end with a dot, and can only be composed of digits and
dots.  It has to syntactically be a legitimate IPv4 address in either
octal or decimal.  No IPv6 addresses and no hex.  Most old apps using
gethostbyname also check for addresses separately and are immune.  You
have to find a susceptible application and then know how to exploit it
for this very specific bug, and that exploit is going to vary from app to
app.

It's also been patched since 2013, if the distros had kept the libraries
up to date; it just wasn't flagged as a security fix.  Fixed in glibc
2.18, so it's not even a "new fix", it's just a "deploy the bloody fix".

This is not son-of-Heartbleed or son-of-Shellshock.

Mike

> > On Tue, Jan 27, 2015 at 3:34 PM, Beddingfield, Allen <allen at ua.edu>
> > wrote:
> >         FYI, for those who have not already seen this...
> >         Get ready for another round of emergency patches:
> >         http://ma.ttias.be/critical-glibc-update-cve-2015-0235-gethostbyname-calls/

-- 
Michael H. Warfield (AI4NB) | (770) 978-7061 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
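As an added illustration (not code from this thread or from glibc), the separate address check Mike says immune applications do, in C: a string with the shape he describes (starts with a digit, only digits and dots, no trailing dot) is handed to inet_aton() and never reaches gethostbyname(). The function names are my own.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Returns 1 when s has the shape the message describes for the buggy
 * gethostbyname() path: first char a digit, only digits and dots,
 * not ending in a dot. Anything else (hostnames, IPv6, hex) returns 0. */
int looks_like_numeric_ipv4(const char *s)
{
    size_t n = strlen(s);
    if (n == 0 || !isdigit((unsigned char)s[0]) || s[n - 1] == '.')
        return 0;
    for (size_t i = 0; i < n; i++)
        if (!isdigit((unsigned char)s[i]) && s[i] != '.')
            return 0;
    return 1;
}

/* Resolve name into addr. Numeric literals are parsed by inet_aton(),
 * which accepts the same decimal and octal dotted forms, so they never
 * enter gethostbyname(); real hostnames still go through the resolver.
 * Returns 1 on success, 0 on failure. */
int resolve_ipv4(const char *name, struct in_addr *addr)
{
    if (looks_like_numeric_ipv4(name))
        return inet_aton(name, addr) != 0;

    struct hostent *he = gethostbyname(name);
    if (!he || he->h_addrtype != AF_INET || !he->h_addr_list[0])
        return 0;
    memcpy(addr, he->h_addr_list[0], sizeof *addr);
    return 1;
}

/* Convenience wrapper: the address in host byte order, or 0 on failure. */
uint32_t resolve_ipv4_u32(const char *name)
{
    struct in_addr a;
    return resolve_ipv4(name, &a) ? (uint32_t)ntohl(a.s_addr) : 0;
}
```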
