glibc function heap-based buffer overflow in glibc's __nss_hostname_digits_dots() called by gethostbyname()、gethostbyname2() CVE-2015-0235

目录

1. 漏洞基本描述
2. 漏洞带来的影响
3. 漏洞攻击场景重现
4. 漏洞的利用场景
5. 漏洞原理分析
6. 漏洞修复方案
7. 攻防思考

 

1. 漏洞基本描述

A heap-based buffer overflow was found in glibc's __nss_hostname_digits_dots() function, which is used by the gethostbyname() and gethostbyname2() glibc function calls.

Relevant Link:

https://access.redhat.com/security/cve/CVE-2015-0235

2. 漏洞带来的影响

1. RHEL6 
glibc-2.12-1.149.el6_6.4.x86_64
glibc-common-2.12-1.149.el6_6.4.x86_64
glibc-devel-2.12-1.149.el6_6.4.x86_64
glibc-headers-2.12-1.149.el6_6.4.x86_64

2. RHEL7 
glibc-common-2.17-55.el7_0.3.x86_64
glibc-2.17-55.el7_0.3.x86_64
glibc-headers-2.17-55.el7_0.3.x86_64
glibc-devel-2.17-55.el7_0.3.x86_64

2.2 <= version <= 2.17

3. 漏洞攻击场景重现

0x1: POC

#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>

#define CANARY "in_the_coal_mine"

struct {
  char buffer[1024];
  char canary[sizeof(CANARY)];
} temp = { "buffer", CANARY };

int main(void) {
  struct hostent resbuf;
  struct hostent *result;
  int herrno;
  int retval;

  /*** strlen (name) = size_needed - sizeof (*host_addr) - sizeof (*h_addr_ptrs) - 1; ***/
  size_t len = sizeof(temp.buffer) - 16*sizeof(unsigned char) - 2*sizeof(char *) - 1;
  char name[sizeof(temp.buffer)];
  memset(name, '0', len);
  name[len] = '\0';

  retval = gethostbyname_r(name, &resbuf, temp.buffer, sizeof(temp.buffer), &result, &herrno);

  if (strcmp(temp.canary, CANARY) != 0) {
    puts("vulnerable");
    exit(EXIT_SUCCESS);
  }
  if (retval == ERANGE) {
    puts("not vulnerable");
    exit(EXIT_SUCCESS);
  }
  puts("should not happen");
  exit(EXIT_FAILURE);
}

Relevant Link:

https://gist.githubusercontent.com/koelling/ef9b2b9d0be6d6dbab63/raw/de1730049198c64eaf8f8ab015a3c8b23b63fd34/gistfile1.c/

4. 漏洞的利用场景

漏洞的源头在操作系统的底层代码库Glibc，所以攻击者利用这个漏洞的方式可以是如下几种

1. 本地利用提权
黑客通过编写利用代码，构造特定格式的"输入数据"，并调用gethostbyname()，通过漏洞流将shellcode注入，获得应用权限

2. 远程发送畸形数据包提权
要利用gethostbyname()，需要构造一个特殊的DNS服务器，对客户端的DNS请求返回一个精心构造的畸形数据包

5. 漏洞原理分析

glibc-2.17\nss\digits_dots.c

int __nss_hostname_digits_dots (const char *name, struct hostent *resbuf,
                char **buffer, size_t *buffer_size,
                size_t buflen, struct hostent **result,
                enum nss_status *status, int af, int *h_errnop)
{
    ..
}

__nss_hostname_digits_dots由其他的包装函数负责调用

\glibc-2.17\nss\getXXbyYY.c

LOOKUP_TYPE *
FUNCTION_NAME (ADD_PARAMS)
{
  static size_t buffer_size;
  static LOOKUP_TYPE resbuf;
  LOOKUP_TYPE *result;
#ifdef NEED_H_ERRNO
  int h_errno_tmp = 0;
#endif

  /* Get lock.  */
  __libc_lock_lock (lock);

  if (buffer == NULL)
    {
      buffer_size = BUFLEN;
      buffer = (char *) malloc (buffer_size);
    }

#ifdef HANDLE_DIGITS_DOTS
  if (buffer != NULL)
    {
      //FUNCTION_NAME是对外的包装函数
      if (__nss_hostname_digits_dots (name, &resbuf, &buffer,
                      &buffer_size, 0, &result, NULL, AF_VAL,
                      H_ERRNO_VAR_P))
    goto done;
    }
#endif

  while (buffer != NULL
     && (INTERNAL (REENTRANT_NAME) (ADD_VARIABLES, &resbuf, buffer,
                    buffer_size, &result H_ERRNO_VAR)
         == ERANGE)
#ifdef NEED_H_ERRNO
     && h_errno_tmp == NETDB_INTERNAL
#endif
     )
    {
      char *new_buf;
      buffer_size *= 2;
      new_buf = (char *) realloc (buffer, buffer_size);
      if (new_buf == NULL)
    {
      /* We are out of memory.  Free the current buffer so that the
         process gets a chance for a normal termination.  */
      free (buffer);
      __set_errno (ENOMEM);
    }
      buffer = new_buf;
    }

  if (buffer == NULL)
    result = NULL;

#ifdef HANDLE_DIGITS_DOTS
done:
#endif
  /* Release lock.  */
  __libc_lock_unlock (lock);

#ifdef NEED_H_ERRNO
  if (h_errno_tmp != 0)
    __set_h_errno (h_errno_tmp);
#endif

  return result;
}

这个函数的调用是由#ifdef HANDLE_DIGITS_DOTS来定义的，这个宏定义只在这几个文件有：

1. inet/gethstbynm.c
2. inet/gethstbynm2.c
3. inet/gethstbynm_r.c
4. inet/gethstbynm2_r.c
5. nscd/gethstbynm3_r.c

Relevant Link:

http://drops.wooyun.org/papers/4780
https://sourceware.org/git/?p=glibc.git;a=commit;h=d5dd6189d506068ed11c8bfa1e1e9bffde04decd
http://www.openwall.com/lists/oss-security/2015/01/27/9
http://www.tuicool.com/articles/2YfEFz
http://ftp.gnu.org/gnu/glibc/

6. 漏洞修复方案

0x1: 升级Glibc库

1. RHEL/CentOS
sudo yum update glibc 

2. Ubuntu
sudo apt-get update
sudo apt-get install libc6

0x2: 重启应用

获取加载了glibc库的进程

lsof | grep libc | awk '{print $1}' | sort | uniq

如果当前系统中进程太多，最好的方式是重启系统

7. 攻防思考

Copyright (c) 2014 LittleHann All rights reserved