PoC attack server for CVE-2015-7547 vulnerability in glibc DNS resolver
To test on local machine with a vulnerable glibc version:
user@localhost:/# echo 'nameserver 127.0.0.127' | sudo tee /etc/resolv.conf
user@localhost:/# echo 'nameserver 127.0.0.127' | sudo tee -a /etc/resolv.conf
user@localhost:/# sudo python3 attack-server.py 127.0.0.127
Starting UDP server on 127.0.0.127:53...
Starting TCP server on 127.0.0.127:53...
Then, from another terminal session, execute the attacks as shown in the examples below.
Attack 1 (UDP+TCP)
Needs ability to send replies > 2048 bytes over UDP and TCP.
Attack Sequence:
-
UDP reply, > 2048 bytes, valid header/question, TC flag set (triggers buffer mismanagement and TCP retry)
-
TCP reply, valid header/question (forces next reply to be stored in stack-allocated buffer)
-
TCP reply, > 2048 bytes (overflows stack-allocated buffer)
Example:
user@localhost:/# curl http://attack1
*** stack smashing detected ***: curl terminated
Segmentation fault (core dumped)
Attack 2 (UDP only)
Needs ability to send replies > 2048 bytes over UDP.
Attack Sequence:
-
UDP reply, > 2048 bytes, invalid header (triggers buffer mismanagement, not counted as a valid response)
-
Ignore next request (triggers UDP retry due to polling timeout)
-
UDP reply, valid header/question (forces next reply to be stored in stack-allocated buffer)
-
UDP reply, > 2048 bytes (overflows stack-allocated buffer)
Example:
user@localhost:/# curl http://attack2
*** stack smashing detected ***: curl terminated
Segmentation fault (core dumped)
Attack 3 (UDP+TCP)
Needs ability to send replies > 1024 bytes over UDP and > 2048 bytes over TCP.
Attack Sequence:
-
UDP reply, 1024 bytes, valid header/question (fills up half of the stack-allocated buffer)
-
UDP reply, > 1024 bytes, valid header/question, TC flag set (triggers buffer mismanagement and TCP retry)
-
TCP reply, valid header/question (forces next reply to be stored in stack-allocated buffer)
-
TCP reply, > 2048 bytes (overflows stack-allocated buffer)
Example:
user@localhost:/# curl http://attack3
*** stack smashing detected ***: curl terminated
Segmentation fault (core dumped)
Attack 4 (UDP only)
Needs ability to send replies > 2048 bytes over UDP.
Attack Sequence:
-
UDP reply, 2048 bytes, valid header/question (fills up the stack-allocated buffer)
-
UDP reply (triggers buffer mismanagement and UDP retry due to 0-byte socket receive)
-
UDP reply, valid header/question (forces next reply to be stored in stack-allocated buffer)
-
UDP reply, > 2048 bytes (overflows stack-allocated buffer)
Example:
user@localhost:/# curl http://attack4
*** stack smashing detected ***: curl terminated
Segmentation fault (core dumped)
Attack 5 (TCP only)
Needs ability to send replies > 2048 bytes over TCP and at least two nameserver entries in /etc/resolv.conf
.
Attack Sequence:
-
UDP reply, valid header/question, TC flag set (optional, triggers TCP retry if initial query is over UDP)
-
TCP reply, > 2048 bytes (triggers buffer mismanagement)
-
TCP reply, empty (triggers TCP retry due to 0-byte socket receive)
-
TCP reply, valid header/question (forces next reply to be stored in stack-allocated buffer)
-
TCP reply, > 2048 bytes (overflows stack-allocated buffer)
Example:
user@localhost:/# curl http://attack5
*** stack smashing detected ***: curl terminated
Segmentation fault (core dumped)