Speakers
Ms Jaime Cochran (CloudFlare Inc.)
Mr Marek Vavrusa (CloudFlare Inc.)
Description
Earlier this year we investigated a buffer overflow in the GNU libc (glibc) DNS stub resolver, known as CVE-2015-7547. Like the *"Ghost"* vulnerability in `gethostbyname()`, it potentially allows remote code execution in every application that calls the affected resolver function (`getaddrinfo()`), from SSH to browsers. That made it very dangerous in theory, but its real-world exploitability remained an enigma. The disclosure included a back-of-the-envelope analysis suggesting that a malicious but well-formed DNS response could pass through intermediate DNS caches intact, so we set out to answer the big question: how exploitable is it in the real world?
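The trigger condition the description alludes to is a response larger than the 2048-byte stack buffer glibc's stub resolver reserved for a DNS answer (a figure from the public advisory, not from this page), which is also why one widely published mitigation was to cap the size of responses a recursor or firewall will hand to clients. The following is an added example, not code from the talk or from Cloudflare: a small DNS message parser that checks a response is well-formed and reports whether its size exceeds that threshold, plus a constructed builder that produces sample responses with a chosen number of A records. Names such as `parse_response`, `build_a_response` and `GLIBC_STACK_ANSWER_BUF` are this example's own.

```python
"""Size/well-formedness check for DNS responses against the CVE-2015-7547
trigger condition. Added example; not from the talk or Cloudflare. The
2048-byte figure is the glibc stack answer buffer size from the public
advisory, not a value stated on the abstract page."""
import struct

# glibc switched to a heap buffer once an answer exceeded this many bytes;
# responses above it are the ones that could reach the vulnerable code path.
GLIBC_STACK_ANSWER_BUF = 2048


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name at `off`."""
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[off]
        if length == 0:                     # root label terminates the name
            return off + 1
        if length & 0xC0 == 0xC0:           # compression pointer: 2 bytes, ends name
            if off + 2 > len(msg):
                raise ValueError("truncated compression pointer")
            return off + 2
        if length & 0xC0:                   # 0x40/0x80 label types are not plain labels
            raise ValueError("unsupported label type")
        off += 1 + length


def parse_response(msg):
    """Walk every section of a DNS message.

    Raises ValueError if the message is malformed; otherwise returns a summary
    including whether the wire size exceeds the glibc stack buffer."""
    if len(msg) < 12:
        raise ValueError("shorter than DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                     # question: QNAME, QTYPE, QCLASS
        off = _skip_name(msg, off)
        off += 4
    for _ in range(an + ns + ar):           # RR: NAME, TYPE, CLASS, TTL, RDLENGTH, RDATA
        off = _skip_name(msg, off)
        if off + 10 > len(msg):
            raise ValueError("truncated RR header")
        rdlength = struct.unpack("!H", msg[off + 8:off + 10])[0]
        off += 10 + rdlength
    if off != len(msg):
        raise ValueError("trailing bytes or truncated RDATA")
    return {
        "id": ident,
        "is_response": bool(flags & 0x8000),
        "truncated": bool(flags & 0x0200),
        "answers": an,
        "size": len(msg),
        "exceeds_glibc_stack_buf": len(msg) > GLIBC_STACK_ANSWER_BUF,
    }


def build_a_response(qname, n_answers, ident=0x1234):
    """Constructed sample input: a well-formed response carrying n_answers A records."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.split("."))
    question = labels + b"\x00" + struct.pack("!HH", 1, 1)        # QTYPE A, QCLASS IN
    header = struct.pack("!HHHHHH", ident, 0x8180, 1, n_answers, 0, 0)  # QR, RD, RA set
    rrs = b""
    for i in range(n_answers):
        rrs += (b"\xc0\x0c"                                        # pointer to QNAME at offset 12
                + struct.pack("!HHIH", 1, 1, 60, 4)                # A, IN, TTL 60, RDLENGTH 4
                + struct.pack("!BBBB", 10, 0, (i >> 8) & 0xFF, i & 0xFF))
    return header + question + rrs


if __name__ == "__main__":
    for n in (10, 128):
        print(parse_response(build_a_response("example.com", n)))
```

With `example.com` the fixed part of the message is 29 bytes and each A record adds 16, so 128 answers yield a 2077-byte response that a capping recursor would have to refuse or truncate; 10 answers stay well under the threshold. The parser rejects truncated RDATA and trailing bytes rather than trusting the counts in the header, which is the same discipline a response-size filter in front of unpatched clients needs.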
Summary
In this talk we’ll walk through the timeline of this vulnerability and the proposed mitigations, and show how we took the “back of the envelope” research to reality by leveraging djbdns’ behavior to exploit the vulnerability through a real recursor. We’ll go over the traits an attacker, a recursor and a victim must have for an attack to succeed, explore how feasible exploitation really is, and look at whether there is any indication of this being done in the wild.
Furthermore, we’ll examine the state of things nine months later: how we are affected now, and our outlook moving forward.
| Talk duration | 30 Minutes |
|---|---|
Primary authors
Ms Jaime Cochran (CloudFlare Inc.)
Mr Marek Vavrusa (CloudFlare Inc.)