Timeline :

Vulnerability introduced in May 2008 as part of glibc 2.9
Vulnerability discovered and reported to the vendor by Robert Holiday on 2015-07-13
Work on the fix dormant from 2015-08-22 to 2016-02
Vulnerability rediscovered and reported to the vendor by the Google team at the beginning of 2016
Patch provided on 2016-02-16
Details of the vulnerability and PoC provided by Google on 2016-02-16

PoC provided by :

Robert Holiday
Fermin J. Serna
Gynvael Coldwind
Thomas Garnier

Affected version(s) :

All versions of glibc from 2.9 until version 2.23

Tested on :

Ubuntu 15.10 with glibc 2.21

Description :

A stack-based buffer overflow was found in libresolv when invoked from libnss_dns, allowing specially crafted DNS responses to seize control of execution flow in the DNS client. The buffer overflow occurs in the functions send_dg (send datagram) and send_vc (send TCP) for the NSS module libnss_dns.so.2 when calling getaddrinfo with AF_UNSPEC family. The use of AF_UNSPEC triggers the low-level resolver code to send out two parallel queries for A and AAAA. A mismanagement of the buffers used for those queries could result in the response of a query writing beyond the alloca allocated buffer created by _nss_dns_gethostbyname4_r. Buffer management is simplified to remove the overflow. Thanks to the Google Security Team and Red Hat for reporting the security impact of this issue, and Robert Holiday of Ciena for reporting the related bug 18665. (CVE-2015-7547)
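
Detection logic for the crafted responses described above, added here as an example (not code from the PoC authors or from glibc): it flags A/AAAA responses larger than the 2048-byte stack buffer, which is the precondition for the overflow. The 2048-byte figure comes from the public advisory for this CVE rather than from this page; `parse_question`, `flag_response` and `sample` are hypothetical names, and the sample messages are constructed, zero-padded placeholders.

```python
import struct

STACK_BUF = 2048  # alloca buffer size per the public advisory, not from this page
QTYPES = {1: "A", 28: "AAAA"}  # the two queries getaddrinfo sends for AF_UNSPEC


def parse_question(msg):
    """Return (is_response, qname, qtype); for TCP, strip the 2-byte length prefix first."""
    if len(msg) < 12:
        raise ValueError("shorter than a DNS header")
    _id, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while True:
        if pos >= len(msg):
            raise ValueError("question name runs past end of message")
        n = msg[pos]
        pos += 1
        if n == 0:
            break
        if n > 63:
            raise ValueError("pointer or oversized label in question name")
        labels.append(msg[pos:pos + n].decode("ascii", "replace"))
        pos += n
    if pos + 4 > len(msg):
        raise ValueError("question section truncated")
    (qtype,) = struct.unpack("!H", msg[pos:pos + 2])
    return bool(flags & 0x8000), ".".join(labels), qtype


def flag_response(msg):
    """Return a finding for an A/AAAA response larger than STACK_BUF, else None."""
    is_resp, qname, qtype = parse_question(msg)
    if not is_resp or qtype not in QTYPES or len(msg) <= STACK_BUF:
        return None
    return "%s %s: %d-byte response exceeds %d" % (qname, QTYPES[qtype], len(msg), STACK_BUF)


def sample(qname, qtype, flags, size):
    """Constructed input: header plus question, zero-padded to `size` bytes."""
    q = b"".join(bytes([len(p)]) + p.encode() for p in qname.split(".")) + b"\0"
    msg = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0) + q + struct.pack("!HH", qtype, 1)
    return msg.ljust(size, b"\0")


if __name__ == "__main__":
    for m in (sample("example.test", 1, 0x8180, 60), sample("example.test", 28, 0x8180, 2100)):
        print(flag_response(m))
```

A finding is a lead for triage rather than proof of an attack, since large legitimate answers also exist.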

Commands :

aptitude show libc6
cat /etc/lsb-release
Change your resolv.conf to
Start the server: python CVE-2015-7547-poc.py 
Launch the client: ./CVE-2015-7547-client