15-16 October 2016
The Fairmont Dallas
US/Central timezone

Exploring CVE-2015-7547, a Skeleton key in DNS

16 Oct 2016, 15:00
30m
Gold (The Fairmont Dallas)

Gold

The Fairmont Dallas

1717 N Akard St Dallas, TX 75201 USA
Standard Presentation Public Workshop Public Workshop: Security and Privacy

Speakers

Ms Jaime Cochran (CloudFlare Inc.) Mr Marek Vavrusa (CloudFlare Inc.)

Description

Earlier this year we investigated a buffer overflow error in GNU libc DNS stub resolver code known as CVE-2015-7547. Similar to *"Ghost"* vulnerability in `gethostbyname()`, this vulnerability allows RCE in every application calling it, from SSH to browsers. This made it very dangerous in theory, but the exploitability was still an enigma. The disclosure mentioned a back of the envelope analysis that the exploit could penetrate DNS caches in well formed DNS responses, so we set on answering the big question - how exploitable is it in the real world?

Summary

In this talk we'll walk through the timeline of this vulnerability, the proposed mitigations, and how we took the “back of the envelope” research to reality by leveraging djbdns’ behavior to exploit the vulnerability over a real recursor. We’ll go over the traits that an attacker, recursor and victim must have in order to be deemed vulnerable, and explore how feasible the exploitability really is and if there’s been any indication of this being done in the wild.

Furthermore, we’ll explore the state of things 9 months later, how we are affected now and our outlook on moving forward.

Talk duration 30 Minutes

Primary authors

Ms Jaime Cochran (CloudFlare Inc.) Mr Marek Vavrusa (CloudFlare Inc.)

Presentation Materials