
GlibC Linux Bug or Why Am I Making a New OS?


By: Rattar

February 25, 2016

Google researchers have made public a severe bug in glibc (the GNU C Library). This is the most fundamental library used by almost every application and almost every Linux-based distribution.

Many routers and other hardware devices that use this library could be exploited. Programming languages such as Python, PHP and Ruby are also affected.

The bug was originally found in 2008; however, it became a problem for many. It comes from the function `getaddrinfo()`, which performs a domain-name lookup. The bug is a buffer overflow that allows attackers to execute malicious code remotely: when a vulnerable computer or device attempts to resolve a domain name, the attacker can take control of the computer.

This also means that secure shell, and commands like `sudo` and `curl`, are vulnerable and can be exploited in the same way.

The maintainers of glibc released the following mitigation information:

Mitigating factors for UDP include:

- A firewall that drops UDP DNS packets > 512 bytes.
- A local resolver (that drops non-compliant responses).
- Avoid dual A and AAAA queries (avoids buffer management error), e.g. do not use AF_UNSPEC.
- No use of `options edns0` in /etc/resolv.conf since EDNS0 allows responses larger than 512 bytes and can lead to valid DNS responses that overflow.
- No use of `RES_USE_EDNS0` or `RES_USE_DNSSEC` since they can both lead to valid large EDNS0-based DNS responses that can overflow.

Mitigating factors for TCP include:

- Limit all replies to 1024 bytes.

Mitigations that don't work:

- Setting `options single-request` does not change buffer management and does not prevent the exploit.
- Setting `options single-request-reopen` does not change buffer management and does not prevent the exploit.
- Disabling IPv6 does not disable AAAA queries. The use of AF_UNSPEC unconditionally enables the dual query.
- The use of `sysctl -w net.ipv6.conf.all.disable_ipv6=1` will not protect your system from the exploit.
- Blocking IPv6 at a local or intermediate resolver does not work to prevent the exploit. The exploit payload can be delivered in A or AAAA results; it is the parallel query that triggers the buffer management flaw.
NOTE: Every version of glibc after 2.9 is vulnerable.
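As an added example (not code from Cybrary or from the glibc project), the script below turns the mitigation list above into two defensive checks: an audit of an `/etc/resolv.conf` body for the `edns0` option that removes the 512-byte cap and for the `single-request` options the maintainers say do not help, plus a size check that applies the 512-byte UDP and 1024-byte TCP thresholds to a DNS reply. The DNS messages it builds are constructed sample data, and the function and variable names are this example's own.

```python
"""Defensive checks derived from the glibc getaddrinfo() mitigation list.

Assumptions (this example's, not the page's): the 512-byte UDP and 1024-byte
TCP thresholds are taken from the mitigation list; resolv.conf text and DNS
replies are constructed inline rather than read from a live system.
"""
import struct

UDP_LIMIT = 512    # firewall / local-resolver threshold for UDP DNS replies
TCP_LIMIT = 1024   # recommended cap for TCP DNS replies

# Options the maintainers list as ineffective: they do not change buffer management.
INEFFECTIVE_OPTIONS = {"single-request", "single-request-reopen"}
# Options that allow replies larger than 512 bytes.
RISKY_OPTIONS = {"edns0"}


def audit_resolv_conf(text):
    """Return a list of findings for the body of a resolv.conf file (a string)."""
    findings = []
    for raw in text.splitlines():
        # Strip comments ('#' or ';') and surrounding whitespace.
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line.startswith("options"):
            continue
        for opt in line.split()[1:]:
            name = opt.split(":", 1)[0]  # "ndots:2" -> "ndots"
            if name in RISKY_OPTIONS:
                findings.append(
                    f"risky: 'options {opt}' allows DNS replies larger than {UDP_LIMIT} bytes")
            elif name in INEFFECTIVE_OPTIONS:
                findings.append(
                    f"ineffective: 'options {opt}' does not change buffer management")
    return findings


def dns_reply_exceeds_limit(message, transport):
    """True if a raw DNS reply exceeds the mitigation threshold for its transport."""
    if transport == "udp":
        return len(message) > UDP_LIMIT
    if transport == "tcp":
        return len(message) > TCP_LIMIT
    raise ValueError("transport must be 'udp' or 'tcp'")


def build_reply(qname, answers):
    """Build a minimal DNS response to an A query (constructed test data only).

    `answers` is a list of dotted IPv4 strings; each answer RR uses a
    compression pointer (0xC00C) back to the question name.
    """
    # ID, flags (standard response, recursion available), QD=1, AN=n, NS=0, AR=0
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(answers), 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.split("."))
    question = labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    rrs = b""
    for ip in answers:
        rdata = bytes(int(octet) for octet in ip.split("."))
        # NAME pointer, TYPE=A, CLASS=IN, TTL=300, RDLENGTH=4, RDATA
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + rdata
    return header + question + rrs


if __name__ == "__main__":
    # Constructed resolv.conf body, not read from a real host.
    sample_conf = "nameserver 192.0.2.53\noptions edns0 ndots:2\noptions single-request\n"
    for finding in audit_resolv_conf(sample_conf):
        print(finding)
    big = build_reply("example.com", ["192.0.2.1"] * 40)
    print(len(big), "bytes; exceeds UDP limit:", dns_reply_exceeds_limit(big, "udp"))
```

A reply built from 40 A records comes to 669 bytes, so it trips the UDP threshold but stays under the 1024-byte TCP cap; that gap is exactly why the UDP and TCP mitigations are listed separately above. The audit deliberately reports `single-request` as ineffective rather than silently accepting it, since an operator who added it believing it to be a fix is the case the maintainers' list warns about.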