
GHOST 2.0: What you need to know about the glibc getaddrinfo vulnerability (CVE 2015-7547) Johannes B. Ullrich, Ph.D, SANS https://isc.sans.edu.


Presentation transcript:

Slide 1: GHOST 2.0: What you need to know about the glibc getaddrinfo vulnerability (CVE-2015-7547)
Johannes B. Ullrich, Ph.D, SANS
jullrich@sans.edu, https://isc.sans.edu

Slide 2: The Basics: DNS
(footer repeated on every slide: "from the most trusted name in information security")

Slide 3: The Basics: DNS
(diagram: isc.sans.edu)

Slide 4: The Basics: DNS
(diagram: isc.sans.edu resolves to 66.35.59.249)

Slide 5: The Basics: DNS
(diagram: isc.sans.edu resolves to 66.35.59.249 and 2607:f1c0:846:9100::15c)

Slide 6: On the wire
10.128.0.8.50206 > 10.5.1.86.53: 36536+ A? isc.sans.edu.
10.128.0.8.50206 > 10.5.1.86.53: 55864+ AAAA? isc.sans.edu.
10.5.1.86.53 > 10.128.0.8.50206: 36536 1/4/4 A 66.35.59.249
10.5.1.86.53 > 10.128.0.8.50206: 55864 1/4/4 AAAA 2607:f1c0:846:…

Slide 7: On the wire (same capture as slide 6)

Slide 8: What went wrong?
- The victim sends an A and an AAAA query; 2048 bytes are allocated on the stack for the answers.
- The attacker sends a first response of exactly 2048 bytes.
- A new buffer now needs to be allocated on the heap (not the stack). Instead, the old stack buffer is kept, but with a claimed size of 64k.
- The attacker sends a second response that triggers a retry.
- The attacker sends a third response: 2048 bytes of valid response data followed by 63487 bytes of attack payload.

Slide 9: PoC
- A publicly available PoC: a Python script that implements a DNS server returning a corrupt response.
- Crashes clients using a vulnerable version of glibc.
- Google claims to have a remote code execution exploit.
- The exploit is most likely for UDP, but is also possible over TCP.

Slide 10: Timeline
- November 2008: glibc 2.9 released (1st vulnerable version).
- July 2015: bug report created (not considered a security issue initially).
- August 2015: identified as a possible security issue.
- February 2016: fixed / patch released for various versions of glibc.

Slide 11: Severity
- Remote code execution possible.
- Many Linux systems affected (Debian, RedHat, Gentoo, Ubuntu... Cisco!).
- Not affected: BSD (OS X, iOS...), many embedded Linux versions (typically using uClibc), Android (uses Bionic).
- Non-affected systems *may* still be affected by software that bundles its own copy of glibc.
- CVSS Base Score: 10.0

Slide 12: glibc version
$ /lib/arm-linux-gnueabihf/libc.so.6
GNU C Library (Debian GLIBC 2.19-18+deb8u2) stable release version 2.19, by Roland McGrath et al.
Copyright (C) 2014 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled by GNU CC version 4.8.2
Compiled on a Linux 3.13.11 system on 2016-02-16

Slide 13: How does it compare to GHOST (CVE-2015-0235)?
- Same library (glibc), similar function (gethostbyname).
- Simpler exploit (e.g. a Metasploit module is available).
- GHOST typically affected older software, but the overall scope is similar.
- GHOST affected glibc 2.6-2.17.
- If you had to patch for GHOST, then you also have to patch for CVE-2015-7547.

Slide 14: Mitigation: Recursive Resolvers
(diagram: isc.sans.edu resolves to 66.35.59.249 and 2607:f1c0:846:9100::15c)

Slide 15: Mitigation: Recursive Resolvers
(diagram: the same lookup walked through the resolver hierarchy: .edu., sans.edu.)

Slide 16: Mitigation: Recursive Resolvers
- Likely helps, but can probably be bypassed.
- Helps detect exploitation and block exploits.
- “Best practice” anyway: there are lots of advantages to using DNS as a choke point for network monitoring:
  - Helps with DNS blacklists
  - Monitoring for DNS data exfiltration
  - Improves performance
- Using a “known good” forwarder can help (OpenDNS, Google DNS, ISP...).

Slide 17: Mitigation: Recursive Resolvers
“A back of the envelope analysis shows that it should be possible to write correctly formed DNS responses with attacker controlled payloads that will penetrate a DNS cache hierarchy and therefore allow attackers to exploit machines behind such caches.” (quoted from Google's security blog post on CVE-2015-7547)

Slide 18: Mitigation: Turning off EDNS0
- Helps prevent the UDP vector: the first large packet will not be received.
- May not help with the TCP vector, but the TCP vector is considered more difficult to exploit. The TCP session size has to be limited to 1024 bytes.
- May break DNSSEC.
- May affect performance.

Slide 19: Mitigation: Turning off / blocking IPv6
- Does not help! The client may still send A/AAAA queries.
- Only helps if getaddrinfo isn't called with “AF_UNSPEC” (which is bad: it breaks IPv6).

Slide 20: Demo: “telnet” and “dig” against the PoC
(diagram: client looks up isc.sans.edu against the PoC server)

Slide 21: Demo: Recursive Resolver
(diagram: client looks up isc.sans.edu with a recursive resolver (“?”) between the client and the PoC server)

Slide 22: Risk
- A limited remote code execution exploit is likely (my guess: 2 weeks?).
- Exploitation requires the victim to request a malicious DNS record, which is easy to accomplish for web clients and mail servers. Less likely for DB servers and web servers (but possible).
- Detection can be tricky.
- No complete “simple” mitigation.
- Test resolvers!

Slide 23: Risk (same points as slide 22, with the conclusion)
PATCH

Slide 24: Questions? Thank You!
jullrich@sans.edu, https://isc.sans.edu
Daily Podcast * Data * Diaries
Join our Raspberry Pi Sensor Network

