During upstream review of the public open bug 18665 for glibc, it was discovered that the bug could lead to a stack-based buffer overflow.
The buffer overflow occurs in the function send_dg (UDP) and send_vc (TCP) for the NSS module libnss_dns.so.2 when calling getaddrinfo with AF_UNSPEC family and in some cases also with AF_INET6 before the fix in commit 8479f23a (only use gethostbyname4_r if PF_UNSPEC).
The use of AF_UNSPEC triggers the low-level resolver code to send out two parallel queries for A and AAAA. A mismanagement of the buffers used for those queries could result in the response writing beyond the alloca allocated buffer created by __res_nquery.
- Via getaddrinfo with family AF_UNSPEC or AF_INET6 the overflowed buffer is located on the stack via alloca (a 2048 byte fixed size buffer for DNS responses).
- At most 65535 bytes (MAX_PACKET) may be written to the alloca buffer of 2048 bytes. Overflowing bytes are entirely under the control of the attacker and are the result of a crafted DNS response.
- Local testing shows that we have been able to control at least the execution of one free() call with the buffer overflow and gained control of EIP. Further exploitation was not attempted, only this single attempt to show that it is very likely that execution control can be gained without much more effort. We know of no known attacks[iii] that use this specific vulnerability.
- Mitigating factors for UDP include:
  - A firewall that drops UDP DNS packets > 512 bytes.
  - A local resolver (that drops non-compliant responses).
  - Avoid dual A and AAAA queries (avoids buffer management error) e.g. Do not use AF_UNSPEC.
  - No use of `options edns0` in /etc/resolv.conf since EDNS0 allows responses larger than 512 bytes and can lead to valid DNS responses that overflow.
  - No use of `RES_USE_EDNS0` or `RES_USE_DNSSEC` since they can both lead to valid large EDNS0-based DNS responses that can overflow.
- Mitigating factors for TCP include:
  - Limit all replies to 1024 bytes.
- Mitigations that don't work:
  - Setting `options single-request` does not change buffer management and does not prevent the exploit.
  - Setting `options single-request-reopen` does not change buffer management and does not prevent the exploit.
  - Disabling IPv6 does not disable AAAA queries. The use of AF_UNSPEC unconditionally enables the dual query.
  - The use of `sysctl -w net.ipv6.conf.all.disable_ipv6=1` will not protect your system from the exploit.
  - Blocking IPv6 at a local or intermediate resolver does not work to prevent the exploit. The exploit payload can be delivered in A or AAAA results, it is the parallel query that triggers the buffer management flaw.
- The code that causes the vulnerability was introduced in May 2008 as part of glibc 2.9.[iv]
- The code that causes the vulnerability is only present in glibc's copy of libresolv which has enhancements to carry out parallel A and AAAA queries. Therefore only programs using glibc's copy of the code have this problem.
- A back of the envelope analysis shows that it should be possible to write correctly formed DNS responses with attacker controlled payloads that will penetrate a DNS cache hierarchy and therefore allow attackers to exploit machines behind such caches.
The immediate solutions to the buffer mismanagement issues are as follows:
- Remove buffer reuse.
- Always malloc the second response buffer if needed.
  - Requires fix for sourceware bug 16574 to avoid memory leak.
- Correctly adjust pointer *and* size for buffer in use.
In order to validate and test the resulting changes, including valgrind validation, the following was fixed:
- Uninitialized uses of *herrno_p.
  - With all uses initialized we have clean valgrind runs.
- Result of NSS_STATUS_SUCCESS masking the case where the second response has failed with an ERANGE failure. In this case the second response will contain whatever was on the stack last (alloca).
  - With NSS_STATUS_TRYAGAIN returned if any of the results fail with ERANGE we have deterministic results that can be validated.
The defect is located in the glibc sources in the following file:
as part of the send_dg and send_vc functions which are part of the __libc_res_nsend (res_nsend) interface which is used by many of the higher level interfaces including getaddrinfo (indirectly via the DNS NSS module.)
One way to trigger the buffer mismanagement is like this:
- Have the target attempt a DNS resolution for a domain you control.
- Need to get A and AAAA queries.
- First response is 2048 bytes.
  - Fills the alloca buffer entirely with 0 left over.
  - send_dg attempts to reuse the user buffer but can't.
  - New buffer created but due to bug old alloca buffer is used with new size of 65535 (size of the malloc'd buffer).
  - Response should be valid.
- Send second response.
  - This response should be flawed in such a way that it forces __libc_res_nsend to retry the query. It is sufficient for example to pick any of the listed failure modes in the code which return zero.
- Send third response.
  - The third response can contain 2048 bytes of valid response.
  - The remaining 63487 bytes of the response are the attack payload and the recvfrom smashes the stack with it.
The flaw happens because when send_dg is retried it restarts the query, but the second time around the answer buffer points to the alloca'd buffer but with the wrong size.
Please note that there are other ways to trigger the buffer management flaw, but they require slightly more control over the timing of the responses and use poll timeout to carry out the exploit with just two responses from the attacker (as opposed to three).
A similar exploit is possible with TCP, but requires closing the TCP connection (either with a TCP reset or a regular 3-way connection close), or sending an empty response with a zero length header. Any such action which forces send_vc to exit and retry with the wrong buffer size will trigger a similar failure as seen in send_dg.
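The three-response sequence above is easier to follow with the bookkeeping written out. What follows is an added illustration, not glibc's code and not part of the advisory or of this post: a small C model of the send_dg buffer handling as the advisory describes it. The sizes are the advisory's (a 2048-byte alloca'd buffer, MAXPACKET of 65535). The "buggy" grow step is a modelling assumption built from the advisory's wording (the size variable of the stack buffer is bumped while the pointer of the other buffer is replaced), not a transcription of the real send_dg. Nothing here writes out of bounds; the stand-in for recvfrom() only reports how many bytes a real one would have put past the end of the allocation.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not glibc code: a model of the send_dg buffer bookkeeping
 * described in the advisory. Sizes are the advisory's. No out-of-bounds
 * write is performed; the model only reports what a real recvfrom() would
 * have written past the end of the allocation. */

#define ALLOCA_SIZE 2048
#define MAXPACKET   65535

/* An answer buffer as the resolver tracks it. 'claimed' is the size variable
 * handed to recvfrom(); 'real_cap' is what the allocation actually holds,
 * which a real recvfrom() never gets to see. */
struct ansbuf {
    unsigned char *ptr;
    size_t claimed;
    size_t real_cap;
};

/* Stand-in for recvfrom(ptr, claimed): returns the number of bytes that
 * would land past the real end of the buffer (0 means a safe receive). */
static size_t deliver(struct ansbuf *b, size_t resp_len)
{
    size_t n = resp_len < b->claimed ? resp_len : b->claimed;
    size_t over = n > b->real_cap ? n - b->real_cap : 0;
    memset(b->ptr, 0x41, n - over);      /* only the in-bounds part */
    return over;
}

/* Pre-fix bookkeeping (modelled on "old alloca buffer is used with new size
 * of 65535"): the size of the first buffer is bumped while the pointer of
 * the second buffer is the one replaced. This pairing is an assumption. */
static void grow_buggy(struct ansbuf *first, struct ansbuf *second,
                       unsigned char *newp)
{
    first->claimed = MAXPACKET;          /* size of buffer 1 ...           */
    second->ptr = newp;                  /* ... but pointer of buffer 2    */
    second->real_cap = MAXPACKET;
}

/* Fixed bookkeeping: pointer and size of the *same* buffer move together. */
static void grow_fixed(struct ansbuf *second, unsigned char *newp)
{
    second->ptr = newp;
    second->claimed = MAXPACKET;
    second->real_cap = MAXPACKET;
}

/* Replays the advisory's three-response sequence and returns the number of
 * bytes that end up past the 2048-byte stack buffer. */
static size_t simulate(int fixed)
{
    unsigned char stack_buf[ALLOCA_SIZE];             /* the alloca'd buffer */
    struct ansbuf first  = { stack_buf, ALLOCA_SIZE, ALLOCA_SIZE };
    struct ansbuf second = { NULL, 0, 0 };            /* filled in on demand */
    size_t over = 0;

    /* Response 1: a valid 2048-byte answer fills the stack buffer exactly. */
    over += deliver(&first, ALLOCA_SIZE);

    /* No room is left to reuse stack_buf for the second answer, so a
     * MAXPACKET-sized buffer is malloc'd for it. */
    unsigned char *newp = malloc(MAXPACKET);
    if (!newp)
        return (size_t)-1;
    if (fixed)
        grow_fixed(&second, newp);
    else
        grow_buggy(&first, &second, newp);

    /* Response 2: malformed, so the query is retried. Nothing is kept. */

    /* Response 3: the retry receives into the first answer buffer again,
     * with whatever size the bookkeeping now claims for it. */
    over += deliver(&first, MAXPACKET);

    free(newp);
    return over;
}

int main(void)
{
    printf("buggy: %zu bytes past the stack buffer\n", simulate(0));
    printf("fixed: %zu bytes past the stack buffer\n", simulate(1));
    return 0;
}
```

With the buggy pairing the third response overruns the stack buffer by 65535 - 2048 = 63487 bytes, the figure the advisory gives for the attacker-controlled payload; with pointer and size adjusted together the receive is bounded by 2048 and nothing is overrun.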
While the fellow goes out of his way to point out that "turning off IPv6 won't work", he omits to point out that the only reason this hole exists in the first place is an inane attempt to be clever while implementing the spurious idiocy[v] that is IPv6. The situation is somewhat akin to a retarded girlfriend trying to flood your apartment, that not only opens all the faucets and stops all the drains, but also takes the "extremely clever" measure of puncturing the water pipes, so she can then preciously inform you that "turning off the faucets won't help" and you must work with her to somehow create a raft out of your widescreen TV so as to navigate the marshy terrain that used to be your living room. The correct solution in the case of the retarded girlfriend obviously is turning off the main and beating her black and blue, rather than entertaining her idiocy. Similarly in the case of the retarded Internet, the correct solution is turning off the main and beating these idiots black and blue[vi], rather than entertaining their idiocy.
Which observation takes us to the thing he studiously does not mention, because he doesn't want you to think about the matter at all[vii], which is that you don't need DNS, nor is there any conceivable reason DNS should be included in the first place, let alone turned on by default, let alone supported at the level of fucking glibc. Think about it : dns is an aliasing system. Why should it exist at the level of a linked library, when it could just be a random userland program, like bitmap displayers or archiving utilities, randomly chosen exact equivalents ? You see any reason lzw should be supported as a kernel function ?[viii]
Now suppose you decide to turn off DNS altogether[ix]. Your first step would be to figure out that DNS happens on port 53 (and in the process inform NSA.Google that you're the sort of fellow that asks these sorts of questions[x]). Your next step is to search for a method to turn off DNS (and discover that not only this is "not possible", but it is not even contemplated, anywhere!), or else to block access to port 53 via the firewall - and discover that this is only ever done for servers. There's five billion guides as to how you'd go about turning off access to port 53 inbound, and exactly zero discussion of the converse.
If you're a thinking sort of fellow (specifically as opposed to an English as Single Language bovine) you might wonder why this is ? Perhaps your bizarre notions that "the Internet won't work without DNS" are principally built out of the fact that you've never encountered a counterexample, or even discussion of a counterexample, or of anything remotely like a counterexample ? What other ideas do you chiefly hold simply because you were raised in a carefully curated barn ? Ever wondered how that curation happens ? Do you know what "personalized google searches" are ?
But enough of that - you're invited to do the rest of the meditation on that line as private study. Let's move to something practical.
Step 1 : Remove your machine from the network by unplugging the UTP cable.
Step 2 : Open a terminal (such as by pressing ctrl-alt-T).
Step 3 : Type in that terminal "sudo ufw[xi] disable" and hit return.
This turns the firewall off (the rules are unloaded; ufw itself stays installed) so its defaults can be changed before it is enabled again.
Step 4 : sudo ufw default deny incoming && sudo ufw default deny outgoing
This will deny all networking traffic of all kinds either coming from anywhere or trying to get anywhere. Complete blackhole. (ufw's built-in before-rules still let loopback traffic through; everything else, port 53 included, is now dropped in both directions.)
Step 5 : sudo ufw allow out 80,2096,8001,8333/tcp[xii]
Step 6 : sudo ufw enable.
Step 7 : You can now proceed to reconnect the network cable, and test that in fact "nothing works". This is a good thing.
Step 8 : Let's bypass the inanity of assigned names on a case by case basis : sudo nano /etc/hosts
In there, you add all the IPs of sites you actually mean to visit, one host per line, the IP address first and then the name(s) it should answer to. Mine for instance, if you're curious, looks like this :
GNU nano 2.2.2 File: hosts Modified
Because that's pretty much all I use. Yours can look like anything you want it to look, and again, in so doing you gain the benefits of enumerated goodness. You'll never know what attacks you were immune to, because you simply don't care about the stories of swamp and maggot as they may happen outside your list. You'll never care what inane idiocy you were immune to.[xiii]
More generally speaking, the more crap you opt out of, the more resources you have available to use towards a purpose you actually care about. This is no small matter, think it through, and ponder it well.
The moral of this article being twofold. One is that your environment doesn't fuck you up by directly lying to you. Instead, it carefully curates your perceived options until you end up debating lively which of two cans of Pepsi. The other is that you don't need to do anything more to counter this completely and entirely other than default deny and enumerating goodness.
The good news is that you can start doing both of these today, that they require nothing you could possibly ever not have in ample abundance, and that they resolve the problem completely and without possibility of recourse. Which is why you've never read about such matters anywhere else.
[i] By no means the first, nor in any case the last one. See nss.
[ii] In "Carlos O'Donell" (carlos at redhat dot com)'s own, and very amusing, words. (Note that the patch he proposes is almost as idiotic as the thing it replaces, and should not be used in any case.)
[iii] I suppose it is impolite to mention all the use NSA made of it, or something.
[iv] It's easy enough to test if you have it, and to find out who to blame :
$ ldd --version
ldd (Ubuntu EGLIBC 2.11.1-0ubuntu7.20) 2.11.1
Copyright (C) 2009 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Written by Roland McGrath and Ulrich Drepper.
[v] What, what, poor derps in the third world "need" IPv6 because there's "not enough IP for everyone" ? What else do poor derps in the third world "need" according to nsa.hq, nsa.rhel, nsa.mit and friends ? Larger Bitcoin blocks ? Bitcoin hard forks ? German passports ?
Take your poor derps in the thirld world and fuck them. They may, MAYBE, have some crumbs, IF and ONLY IF the crumbs they get come at exactly zero - not approximatively zero, EXACTLY zero - cost to the people who actually matter. 4bn IPs v4 may not be enough for everyone - but then again there's no rule everyone must have everything. In fact, there's a rule that everyone MUST NOT have any one thing if this to any degree degrades the quality of the thing in question.
No rights for poortards.
[vi] Yes, I mean that. Everyone who now does or ever did work for a USG outfit, which includes Red Hat just like it includes Google et al should be assaulted in the street and beaten into a pulp. Every day. All the time.
[vii] From the excellent Ballas piece on the shutdown, ad lib :
All of what is now being subverted by the media has been detailed in The Process Of Government, you should read it. But you won't, it has too many characters, and this is accurate no matter how you define characters. Come on, at least read Chapter XX, it's online. Jesus, here. "Umm, It's pretty boring." I know, I know, you want to know how the news relates to you, and boy oh boy do I have the news network for you.
"But that book was written in 1908. Based on what I've seen on Downton Abbey, things were a lot different then."
Well, yes, obviously, there had just been a massive leap forward in technology and industrialization, a booming economy fueling a wealth gap, temporarily course corrected by a financial panic "precipitated" by the failure of two overspeculating brokerage houses. There were also, simultaneously, great advances in progressive causes like worker's rights and food quality, all on the background of decreasing importance of religion among educated whites in favor of science. Not physics or chemistry, but evolution. Tabloids were incomprehensibly popular, partisan media the norm. A loosening of conventional morality manifested as bored promiscuity, female bisexuality, and a flood of new porn the likes of which never existed before.
"That does sound different. And awesome. What did their Millennial kids inherit, what did they experience over their adult lives, say 1929-1945?"
I totally don't know, Boardwalk Empire only goes up to 1924 and Mad Men starts 1960.
The "independent" demo actually has all the textbook characteristics of a group most susceptible to propaganda, more correctly "pre-propaganda", and by textbook I mean literally Propaganda.
They consider themselves leaderless. They can have representatives, they can have "evangelists" but they have to believe that their conclusions are all their own, through individual reflection and objective consideration. Interestingly, and on purpose, they believe their brains can handle such an analysis, any analysis. This isn't arrogance. They are told, by universities and the media, that their mind is prepared to do this heavy lifting as long as they are given just the right facts, filtered from the "noise." "Where can we get the right facts, in a world of liars?" Good question, maybe the news?
No doubt this sounds depressing, he's going to start drinking heavily, or become a cynic, or go the Hemingway. So the media=propaganda fosters his regression towards a much desired solution: total alienation. The media explains how things relate to him, and as long as he understands what's going on, he feels empowered. He is given an ideology without even knowing it. Now he doesn't actually have to do anything, indeed, it's way the hell better if he does nothing. All that's required is support, and through his support not only will "the right things" happen but he'll share in the credit.
You'll counter that there are right leaning and left leaning independents, isn't there a difference? but this misses the point: propaganda doesn't try to get you to believe something, but to do something, and in this case it is to do nothing-- it doesn't matter what you choose to believe, as long as your outrage is done from inside your house.
This is the whole gimmick of media, not polar but triangular, right, left, middle, mobilizing an army of assonauts to feel strongly enough about something that they don't do anything.
Propaganda doesn't succeed because it is manipulative, it works because people WANT it, NEED it, it gives their life a direction and meaning and guards against change.
In other words, there's a lot you don't know - and all of it because you're (justly) afraid of what it might mean.
[viii] If you do, it would be for the exact opposite characteristics of dns. For one thing, lzw is universal - which is to say it can be applied equally on any and all buffers. For another, it is self-contained, it doesn't have to talk to anyone else to produce the packed result. DNS is nothing more than a glorified Windows messaging app, or a Netflix video player or somesuch. It doesn't belong in glibc, it doesn't belong as a so at all. It should be in the unrecommended-extras of any self-respecting repository, with the rest of the crud.
[ix] "But MP! The Internet won't work anymore!"
Yeah, right. And if you put a blindfold on, your cunt won't work anymore either. Try it, who knows.
[x] "But MP! Google has other roles than to keep a handy archive of everything I do!"
Yeah, right. Ask that "drugs underground market" derp. You know, the one that was totally caught by an IRS agent doing google searches by hand as part of his full day of looking for small boys impaled on cocks. This happens, in parallel-construction-altworld.
[xi] Yes yes, I know, you're special and don't need ufw.
Here's a passing thought : the kids that don't rightly know the difference between ufw and iptables have the powerful excuse of their own ignorance. They don't fucking know. What's your excuse for running DNS ? You have no excuse. Get lost, go blush your shame somewhere else.
[xii] I use the web (http - not https!), which is port 80 ; webmail, which is port 2096 ; irc, which is port 8001 and bitcoin, which is port 8333.
You can adjust this list to suit your own needs, by adding other things you want or subtracting any things you don't need - and in so doing you gain all the advantages of enumerated goodness. This concept is important, so let's spend a moment illustrating it.
To best understand it, let's define the concept of "node", as a primitive, the concept of "value" as a scalar measure, and on top of these two the concept of "transaction" as an exchange of value between two nodes. By this model, if node A engages in a transaction T1 with node B, then A will gain value T1a and lose value T1b, whereas B will gain value T1b and lose value T1a.
Consider that nodes aim to maximize their value over time, and in this context consider the policy where node A denies transactions with a given list of nodes while allowing all others, whereas node A' allows transactions with a given list of nodes while denying all others. A finds itself in the situation known as "enumerated badness", whereas A' finds itself in the opposite situation.
Let us now try to log and find out how well these two strategies are doing.
Node A will report a precise list of denied transactions, allowing us to calculate a precise count of value A might have lost without the rule, but due to the presence of the rule it did not lose. The transactions that went through are unknown, and generally speaking the value A did in fact lose or gain is not computable, unless and until we pin down every last single node it transacted with and evaluate its transaction (admitting such a wonder is even possible).
Contrarywise, node A' will report a precise list of allowed transactions, and so we'll be able to calculate a precise count of value A' did in fact gain, and without the presence of the rule it would not have gained. The transactions that were rejected are unknown, and generally speaking the value A' might have gained or lost is not computable, unless and until we pin down every last single node it might have transacted with and evaluate its transaction.
Strategy A allows one to justify his job to his boss, even while the entity sinks or plunges, unknown. Strategy A' allows one to certify he is gaining value at all junctures.
It should be directly apparent from this simple analysis that while strategy A may be better when managing other people's resources, especially people you don't like such as for instance in an office environment as such is commonly practiced in the retarded Anglo world, nevertheless when handling your own things you're much better off implementing A'.
Finally, please note that if you intend to also use Bitcoin, you are well advised to use the TRB version - all others are massively vulnerable to the hole discussed here as well as innumerable other holes, pores and assorted fistulae.
[xiii] Because it's your god damned computer and your god damned browser and life and everything. Isn't it high time already ?