The glibc DNS Bug Explained

There are a lot of people talking about the glibc bug, and for good reason. As Dan Kaminsky says,

Here’s an explanation of the bug in 20 seconds:

1. When you look up google.com, or any other name, you’re using DNS to resolve those names

2. DNS queries happen billions of times per second, all around the world

3. Linux is the top operating system on the Internet, meaning most servers and other infrastructure run it

4. glibc is part of Linux that handles DNS lookups, and it is vulnerable to a nasty buffer overflow that can lead to code execution on the affected host

5. An attacker that can get an affected client to look up a malicious domain can then return a payload that exploits the buffer overflow in glibc

6. If the code is running as root or as sudo, this can lead to a complete compromise of the server/system

TL;DR: Millions of systems out there can potentially be man-in-the-middled to pull a malicious DNS reply that runs code on the system, and if that system is running with high privileges it can lead to complete compromise.

In short, patch.

Notes

1. The best full writeup on this issue is Dan Kaminsky’s blog post, which should fail to surprise.

2. There are a number of mitigating requirements here, e.g., being able to MiTM the traffic, the client running as root or sudo, etc. But even with these considerations it’s still quite bad.

3. There’s plenty more complexity to the vulnerability and to the ways it can be exploited, but this workflow explains the basics.

4. Image from informationsecuritybuzz.com

Related posts:

1. DNS Rebinding Attacks Explained

2. DNS Servers That Offer Privacy and Filtering

3. A @TomNomNom Recon Tools Primer