#qi-hardware IRC log for Tuesday, 2016-02-16

[16:14] <DocScrutinizer05> "fun" https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html
[17:18] <DocScrutinizer05> is this a severe security threat or just a funny sidenote?
[17:22] <wpwrak> nicely detailed report. sounds as if it might be nasty. i like this section: "Mitigations that don't work" :)
[17:23] <kyak> disturbing thing is that this flaw has been there since 2008
[17:23] <kyak> i wonder if the attacked person would know about the attack (for example, his dns lookup utility would segfault or what?)
[17:24] <kyak> if it's just a nice way to execute code remotely from DNS server, who knows how many times this has already been exploited
[17:27] <wpwrak> the more eyes of "whitehats" that are looking at things, the more likely the fixes will be around by the time the blackhats get wind of their opportunity
[17:32] <DocScrutinizer05> kyak: (2008) indeed
[17:33] <kyak> sure, sure, but such reports only make me more suspicious and paranoid :)
[17:33] <DocScrutinizer05> (who knows how many times) indeed 2
[17:33] <DocScrutinizer05> anyway pretty 'recent' https://bugzilla.suse.com/show_bug.cgi?id=961721#c16
[17:34] <DocScrutinizer05> not even on security sites yet
[17:37] <kyak> https://github.com/fjserna/CVE-2015-7547
[17:37] <kyak> people react fast
[17:45] <DocScrutinizer05> I think it worked the other way round: they went CVE-public after the code got tested and available
[17:46] <DocScrutinizer05> prior to that it looked like https://www.suse.com/security/cve/CVE-2015-7547.html
[17:46] <DocScrutinizer05> >> Description ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. <<
[17:46] <kyak> ah yeah, makes sense
[17:48] <kyak> btw, the PoC dns server indeed crashes not only the test client, but any other application that attempts dns resolving (it segfaults)
[17:48] <kyak> where there is a segfault, there is an opportunity for remote code execution, if i understand correctly
[17:48] <larsc> not always
[17:49] <larsc> time to reboot all the machines though
[17:50] <kyak> this is how fast you updated? :)
[17:54] <larsc> too slow?
[17:54] <larsc> everything exploited already?
[17:58] <kyak> you still have a chance, if you reboot now!
[17:58] <larsc> already rebooted a few hours ago when the announcement came out
[18:07] <DocScrutinizer05> how does reboot help? you need updates first, no?
[18:37] <DocScrutinizer05> kyak: is there a *public* PoC server?
[18:38] <DocScrutinizer05> kyak: anyway yes, when you suffered an exploit of this vuln, your app prolly would _not_ segfault
[18:39] <DocScrutinizer05> as a rule of thumb when it segfaults the process terminates and can't do further malicious stuff, so exploits will try to keep the process alive
[18:47] <kyak> DocScrutinizer05: don't know if there is a public PoC server, i ran the code from the github url above
[18:48] <DocScrutinizer05> :nod:
[18:48] <DocScrutinizer05> would be funny to have an IP ready
[18:49] <DocScrutinizer05> of course you can run a LAN-local rogue server on your company's LAN ;-) BOFH leisure fun
[18:51] <DocScrutinizer05> kyak: do you still have the thing working? could you test for me how much output a "host -a ct.de" produces before the process segfaults? does it show the DNS server IP before it goes south?
[18:53] <DocScrutinizer05> would be a lame prank if the user could tell from stdout remnants that there's sth odd with the DNS server IP used
[18:53] <DocScrutinizer05> sure you could handle this inside routes on router....
[18:55] <kyak> here is what it says:
[18:55] <kyak> $ host -a ct.de 192.168.1.2
[18:55] <kyak> Trying "ct.de"
[18:55] <kyak> ;; Warning: Message parser reports malformed message packet.
[18:55] <kyak> ;; Question section mismatch: got ./NS/CLASS25460
[18:55] <kyak> so it actually doesn't segfault. However, another application that uses getaddrinfo segfaults
[18:56] <DocScrutinizer05> hehe
[19:03] <DocScrutinizer05> now how would we make shodan search for DNS servers that publish rogue packets?
[19:03] <kyak> when querying the DNS server in TCP mode, a funny thing happens
[19:04] <kyak> it spits out the 2985 bytes packet in terminal
[19:04] <DocScrutinizer05> wow
[19:04] <kyak> dig +tcp @89.169.53.112 google.com
[19:05] <kyak> i exposed the dns server for a while :)
[19:05] <DocScrutinizer05> that's already sort of an exploit, since you could add esc sequences and other funny stuff
[19:05] <DocScrutinizer05> :-D
[19:05] <DocScrutinizer05> LOL
[19:05] <DocScrutinizer05> many thanks
[19:06] <kyak> this works for dig and nslookup, but host seems to handle this problem more gracefully
[19:07] <DocScrutinizer05> http://paste.opensuse.org/54963443
[19:07] <DocScrutinizer05> yep
[19:07] <kyak> if you have dig, you can try that
[19:08] <DocScrutinizer05> did
[19:08] <DocScrutinizer05> fun
[19:08] <kyak> i'll shut it down now :)
[19:08] <DocScrutinizer05> what would actually segfault?
[19:08] <DocScrutinizer05> oooooo!
[19:09] <kyak> this is a simple app written in TCL that segfaults
[19:09] <DocScrutinizer05> I guess it also depends on whether my app actually is supposed to use IPv6 aka AAAA, no?
[19:10] <kyak> you only need python2 to play around with the PoC dns server, so.. :)
[19:10] <DocScrutinizer05> I know
[19:10] <DocScrutinizer05> via internet it feels so much more 'real' ;-)
[19:10] <kyak> they mentioned in the report that disabling ipv6 won't help
[19:10] <DocScrutinizer05> ah
[19:39] <DocScrutinizer05> allegedly a >>apt update && apt upgrade<< is due already
[19:40] <DocScrutinizer05> I can't comment, RPM here
--- Wed Feb 17 2016 00:00
