The glibc DNS Bug Explained
There are a lot of people talking about the glibc bug, and for good reason. As Dan Kaminsky says,
Here’s an explanation of the bug in 20 seconds:
When you look up google.com, or any other name, you’re using DNS to resolve those names
DNS queries happen billions of times per second, all around the world
Linux is the top operating system on the Internet, meaning most servers and other infrastructure run it
glibc is the C library used by most Linux systems, and its DNS resolver is vulnerable to a nasty buffer overflow that can lead to code execution on the affected host
An attacker who can get an affected client to look up a malicious domain can then return a crafted DNS reply that exploits the buffer overflow in glibc
If the vulnerable code is running as root (directly or via sudo), this can lead to a complete compromise of the server or system
TL;DR: Millions of systems out there can potentially be man-in-the-middled to pull a malicious DNS reply that runs code on the system, and if that system is running with high privileges it can lead to complete compromise.
In short, patch.
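As an added example that is not part of the original post (and not glibc's code), here is the defender's side of the workflow above in Python: a bounds-checked parser for DNS replies that refuses any reply whose length fields point outside the packet or whose total size exceeds a policy limit. The sample packets are constructed, and MAX_REPLY_BYTES, MalformedReply and the function names are my assumptions; the real remedy remains the glibc patch the post recommends.

```python
import struct

# Assumed policy value for this example only: replies larger than this are
# treated as suspicious before any parsing happens. Patching glibc is the fix;
# a size cap is just a defensive layer.
MAX_REPLY_BYTES = 2048


class MalformedReply(ValueError):
    """Raised when a reply would make the parser read outside the packet."""


def read_name(buf, offset):
    """Parse a DNS name (with compression pointers) starting at offset.

    Returns (name, next_offset). Every read is checked against len(buf), and
    compression pointers must point strictly backwards so parsing terminates.
    """
    labels = []
    end = None  # offset just past the name in the original (unjumped) stream
    while True:
        if offset >= len(buf):
            raise MalformedReply("name runs past end of packet")
        length = buf[offset]
        if length & 0xC0 == 0xC0:  # two-byte compression pointer
            if offset + 1 >= len(buf):
                raise MalformedReply("truncated compression pointer")
            ptr = ((length & 0x3F) << 8) | buf[offset + 1]
            if ptr < 12 or ptr >= offset:
                raise MalformedReply("bad compression pointer")
            if end is None:
                end = offset + 2
            offset = ptr
            continue
        if length == 0:
            name = ".".join(labels) if labels else "."
            return name, (end if end is not None else offset + 1)
        if length > 63:
            raise MalformedReply("label too long")
        if offset + 1 + length > len(buf):
            raise MalformedReply("label runs past end of packet")
        labels.append(buf[offset + 1:offset + 1 + length].decode("ascii", "replace"))
        offset += 1 + length


def parse_reply(buf):
    """Parse a DNS reply into a list of (name, rtype, rdata) answer records.

    Unlike a resolver that trusts RDLENGTH, every claimed length is compared
    against the real packet size before the bytes are touched.
    """
    if len(buf) > MAX_REPLY_BYTES:
        raise MalformedReply("reply exceeds size policy")
    if len(buf) < 12:
        raise MalformedReply("short header")
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!6H", buf[:12])
    if not flags & 0x8000:
        raise MalformedReply("QR bit not set: not a reply")
    off = 12
    for _ in range(qdcount):  # skip the echoed question section
        _, off = read_name(buf, off)
        if off + 4 > len(buf):
            raise MalformedReply("truncated question")
        off += 4
    answers = []
    for _ in range(ancount):
        name, off = read_name(buf, off)
        if off + 10 > len(buf):
            raise MalformedReply("truncated RR header")
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        if off + rdlen > len(buf):
            raise MalformedReply("RDLENGTH exceeds packet")
        answers.append((name, rtype, bytes(buf[off:off + rdlen])))
        off += rdlen
    return answers


def check_reply(buf):
    """Return ('ok', answers) for a well-formed reply, else ('rejected', reason)."""
    try:
        return "ok", parse_reply(buf)
    except MalformedReply as exc:
        return "rejected", str(exc)


def build_sample_reply(rdlen_claim=None):
    """Constructed sample: a reply for example.com carrying one A record.

    rdlen_claim overrides RDLENGTH to model a reply whose length field lies.
    """
    header = struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0)
    qname = b"\x07example\x03com\x00"
    question = qname + struct.pack("!HH", 1, 1)  # type A, class IN
    rdata = bytes([93, 184, 216, 34])
    rdlen = len(rdata) if rdlen_claim is None else rdlen_claim
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, rdlen) + rdata
    return header + question + answer


if __name__ == "__main__":
    print(check_reply(build_sample_reply()))
    print(check_reply(build_sample_reply(rdlen_claim=4000)))
    print(check_reply(b"\x00" * 3000))
```

The second and third calls model the two things a resolver must never trust: a record length that overruns the packet, and a reply far larger than any legitimate answer. Both are rejected before a single data byte is copied, which is the property the vulnerable resolver lacked.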
The best full writeup on this issue is Dan Kaminsky’s blog post, which should fail to surprise.
There are a number of mitigating requirements here, e.g., the attacker being able to MITM the traffic, the client running as root or via sudo, etc. But even with these considerations it’s still quite bad.
There’s plenty more complexity to the vulnerability and to the ways it can be exploited, but this workflow explains the basics.
Image from informationsecuritybuzz.com