(addendum on dnsmasq) CVE-2015-7547: stack buffer overflow in glibc getaddrinfo [Linux]


2016-02-17


Summary: a serious vulnerability has been published. It affects glibc 2.9 and later.

The details are in

CVE-2015-7547: glibc getaddrinfo stack-based buffer overflow
https://googleonlinesecurity.blogspot.jp/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html

which covers it thoroughly. The main affected distributions are as follows:

Distribution      Vulnerable
RHEL5/CentOS5     no
RHEL6/CentOS6     yes
RHEL7/CentOS7     yes
Debian squeeze    yes
Debian wheezy     yes
Debian jessie     yes

This information comes from:

CVE-2015-7547: Critical Vulnerability in glibc getaddrinfo
https://isc.sans.edu/forums/diary/CVE20157547+Critical+Vulnerability+in+glibc+getaddrinfo/20737/

Anything that uses getaddrinfo() may be affected.

A PoC has already been published:

https://github.com/fjserna/CVE-2015-7547

If you run the CVE-2015-7547-poc.py published there with root privileges, it acts as a fake DNS cache server that returns packets which trigger this buffer overflow.

With that running, set /etc/resolv.conf to

nameserver 127.0.0.1


and then

$ ssh www.example.jp
Segmentation fault


and it crashes like this.

However, a normal DNS cache server does not pass this kind of malformed packet on to the resolver; it returns SERVFAIL instead.
So if the DNS cache server that your affected Linux hosts point at is an unbound or bind that you manage yourself, I think it is fair to say you are not directly affected (see the addendum: unfortunately, as of this point the possibility of attack cannot be ruled out). AWS has also put out a statement saying it is not affected.

CVE-2015-7547 Advisory
https://aws.amazon.com/jp/security/security-bulletins/cve-2015-7547-advisory/

EC2 customers using the AWS DNS infrastructure are unaffected and don't need to take any action.


That said, the vulnerability is still there, so update as soon as you can. After updating, reboot the server so that nothing is left running with the old library still loaded.

# lsof -d DEL


Alternatively, run this and restart any daemons that show up; that might be good enough.

But that leaves me a little uneasy, so





Something along those lines, I suppose. Depending on the environment, legitimate large packets may get dropped somewhere along the path, so be careful.
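One way to automate the lsof -d DEL check above, as an added example that is not from the original post: parse the lsof output, keep only processes whose deleted mappings are glibc files, and produce the list of services to restart. The column layout and the sample output below are constructed for illustration; the glibc file-name pattern assumes the pre-2.34 layout (libc-2.NN.so, libresolv-2.NN.so, libnss_*-2.NN.so, ld-2.NN.so) plus libc.so.6.

```python
"""Find processes still mapping a deleted (i.e. replaced) glibc after an update.

Added example, not code from the post. Parses `lsof -d DEL` output and reports
which daemons must be restarted (or the host rebooted) to pick up the new glibc.
"""
import re
import subprocess

# Constructed sample of `lsof -d DEL` output (not real output from any host).
# Columns: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME; SIZE/OFF may be blank.
SAMPLE_LSOF = """\
COMMAND    PID USER    FD   TYPE DEVICE SIZE/OFF   NODE NAME
sshd      1020 root    DEL   REG  253,0          131084 /usr/lib64/libc-2.17.so
sshd      1020 root    DEL   REG  253,0          131090 /usr/lib64/libresolv-2.17.so
nginx     2213 root    DEL   REG  253,0          131084 /usr/lib64/libc-2.17.so
nginx     2214 nginx   DEL   REG  253,0          131084 /usr/lib64/libc-2.17.so
java      3301 app     DEL   REG    0,4           12345 /dev/zero
unbound   4410 unbound DEL   REG  253,0          130999 /usr/lib64/libssl.so.1.0.1e
"""

# Assumption: glibc files are named like libc-2.17.so or libc.so.6 (pre-2.34 layout).
GLIBC_FILE = re.compile(r"/(?:libc|libresolv|libnss_[a-z0-9]+|ld)-[0-9.]+\.so$|/libc\.so\.6$")


def stale_glibc_processes(lsof_text):
    """Return {pid: (command, [deleted glibc paths])} for processes still mapping old glibc."""
    found = {}
    for line in lsof_text.splitlines():
        fields = line.split()
        # Skip the header line and anything that is not a deleted mapping.
        # Indexing by position assumes the command name contains no spaces.
        if len(fields) < 5 or fields[0] == "COMMAND" or fields[3] != "DEL":
            continue
        command, pid, path = fields[0], int(fields[1]), fields[-1]
        if GLIBC_FILE.search(path):
            found.setdefault(pid, (command, set()))[1].add(path)
    return {pid: (cmd, sorted(paths)) for pid, (cmd, paths) in found.items()}


def services_to_restart(lsof_text):
    """Distinct command names that still run on the replaced glibc."""
    return sorted({cmd for cmd, _ in stale_glibc_processes(lsof_text).values()})


def run_lsof():
    """Collect real `lsof -d DEL` output from this host (requires root to see all processes)."""
    proc = subprocess.run(["lsof", "-d", "DEL"], capture_output=True, text=True, check=False)
    return proc.stdout


if __name__ == "__main__":
    for pid, (cmd, paths) in sorted(stale_glibc_processes(run_lsof()).items()):
        print(f"{cmd} (pid {pid}) still maps: {', '.join(paths)}")
```

Run it as root right after the glibc package update; an empty result means every process has been restarted (or the host rebooted) onto the new library, while sshd in the output is the usual reminder that remote logins keep using the old libc until the service is restarted.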
If your environment worries you and you really cannot update right away, put dnsmasq in front and have the resolver go through it. This is an effective workaround (see the addendum: it seems this does not work either. Rather than hunting for a workaround, just update).

ps. Not that it matters, but I did not realize that unbound's do-not-query-localhost defaults to yes (or rather, that such a setting exists at all), so I was stuck for a while unable to test this...

Addendum 1: 2016/02/18 02:17 JST



On that point, the information at

https://access.redhat.com/articles/2161461

contains the following:

2. Can a trusted DNS resolver protect against this issue?
A trusted resolver, in a default, protocol-compliant configuration,
cannot mitigate this issue because potential exploits could involve
syntactically well-formed DNS responses.


In other words, a DNS cache server turns packets that do not follow the spec into SERVFAIL, but passes spec-compliant packets back to the resolver, so an attack is possible through such packets.

So, summarizing the substance of the Google Online Security Blog post:

(1) A DNS cache server cannot fully block the attack.
(2) Exploiting the getaddrinfo() vulnerability requires a response larger than 2048 bytes.
(3) Something like dnsmasq (addendum: as described later, dnsmasq may not hold the limit reliably), i.e. something that enforces a response-length limit (never exceeding 2048 bytes), can be placed in between as a mitigation.

That appears to be the gist. When AWS says you are not affected as long as you use their DNS cache servers, it probably means "we make sure replies to resolvers never exceed 2048 bytes".

Either way, rather than hunting for clever workarounds, just update the packages and reboot the server. That is the safe choice...

Addendum 2: 2016/02/18 15:50 JST

I wrote that dnsmasq could be used as a mitigation; what I had in mind was probably the following, introduced in 2.73:

/* src/config.h */
#define SAFE_PKTSZ 1280 /* "go anywhere" UDP packet size */


Since this is hardcoded to 1280 bytes, giant packets no longer get through.

On CVE-2015-7547 - glibc/getaddrinfo
http://lists.ipfire.org/pipermail/development/2016-February/001545.html

Incidentally, running this against the latest dnsmasq-2.75 looks like this (+ignore keeps dig from falling back to TCP):

$ dig +dnssec hiv dnskey +ignore

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.2 <<>> +dnssec hiv dnskey +ignore
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25086
;; flags: qr tc rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;hiv. IN DNSKEY

;; Query time: 2 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: (timestamp of the run)
;; MSG SIZE rcvd: 32


But when it falls back to TCP:

$ dig +dnssec hiv dnskey +short
;; Truncated, retrying in TCP mode.
256 3 7 AwEAAaaV7VJUrPL0rN5/eMz3l4v9ur0xPYz0+DWpioxK7hqSmsV18oGW Zq3mHfKH8fSAkaMIlmWvqT64m60hthhdW5YZC3GQ0HzI8mwAebEkiDuc WjKME3Lk3ktC0mhlTMWjsF8MwAF2cE+1CczLHeHWrgkR2Y5qPgd14fwo 474g2Nuf
257 3 7 AwEAAYM1Sl/orr8SqlvM6ShxKBdJMSOeD7HcTFP+TTDpVJpSHBhmAsMb 30JtMRo68dsG4rIBBpc69718m0j1l8zK1uNxoJx5UkfNWG0GoOp6EKur LkLTk3luzDNmj3jrgS4oz6ztb6QYsj0hnKgMA7HW335Cb14J+vSATDpj 79cnMa4h0Ik7pIufPmAYFmQWBZeOr+99QOdzqP5zX9j5nyOEbGv82+xD 4bcFstecZ6In8WdscwoglhXdPCY1ZEtbEGiIS21ENx+o2CWAaFHpiIua sjbYVQd6+HzNSBLagDx7+aRHqDCqux6ezHGw3wbVxkHB7OP1sAcRTJX+ 85rOjmXCJss=
257 3 7 AwEAAY/iJlahfRMvTBe89WI1KnkyOzhOapyM790ybtDXYd0Uf2C7T2VN DyMabc8mUaZA36F6aUpMmQW21SzoxtrJgzvJFgrxuhkU0reyczS/bOx7 lgH10VXdaFj2mDVeXJALl1P6JQ3gwMjD6O4+z/su2C6vrtIrSfexeI4o HWZxdMQ2Y123lq1nz1ZgIbJSWJOQbaFf3cZm1qETK4R8yEATgCfnZCQP rxb424FNsR8KgNsVNUevXDgbbzwVYY3y4dMqsDXMXj2pekJgzY2h2dAZ h50NvjXbWOcbcsurv5qEiY6lZ2F59KN6vn9zYiICE5c7BUbI6MgskRQ7 Ny53Oj4pMdk=
256 3 7 AwEAAa6bxHsMEnf15WewlIH4t8rtq2kFfk7XsOp78U+wRHfE5ycPx7WS hqNQ8lpcAQyEtob0GERdaaSA56pDVhBUt7FWgS0UKejhe/NUBEFXZ0J0 X2KzH25BNO0VFDutRbk9lbcv3jO9Is//mxRdFm3qQbdSXjyh7AGRWs/9 Bi8EhXBcX/bFnfdQDw6K5dsJTCzF5cp2+dUQ79ZAGlVacURkvvIPXd8N TJfuOgdNArXKbnEvUATuxwPM3rtnjWNTMIl5ONk5kn24eCpjyfzrOVVb KxvvhetNN9znv4xlZIQaLw+ybPfz4BgbKKwDjQr62H4E0fSyqRCBONaa 9sN+5TwV/i8=
256 3 7 AwEAAW+TjE1zmCMfjLHfwz0OlPh4daGbN50xIEFsXRmlPNQN8pVJHIpf 7NMooeg9yUj607O3cMN/T2I8TL2cjqOL+eLvepNc3Fp+J2ohlEI6tHmL C5mTZkU1xGD7myygnX/XelU7eAaHNdIkghRuzo3KSg0zvCBSeslCON4H 0xDYWYEr
257 3 7 AwEAAbwvxlNQlQoVmdOKIA6Mb3EpOCXFZicDnNEAkAz3I7xHmOm3kCbf Z/w2vY9VMiTLBafXqjFVgxH33+fKlOKL0gR5iwTLC6W3boH8up1icAZp X2wMcYhS2Mauj/MGBUtQokXoBuM758K7+rq2r3Or9KX5fHYbk6bNi8cH 6ThCWcmXEptAb1vLjYaIyJtj6IYjnkt0LOrUUOCDrj+oOkYXXvUX1ZP3 kVvS677Ch00jjDQuooTQ+l/AgI2cU7wIl2peTu/ZnaFzFVsvzD2vTD0d g0lzwMCa78smO/WLJpTtmptbPnK8ct1QdWbquALlrQ51bOOrjVaU32KU uAws7EgLnnE=
DNSKEY 7 1 86400 20160319061524 20160218061524 43515 hiv. odss/n3ue7l0Omba5suryXMZoRZiLZ9Qhq6Nv/az/y4HvrSqpRiB69XD /lVQGjKf44iNFtoxaL+K8qZxvDvHrWwVGpvGZjG8utB9Qhs0kaUUKnkT fbz1PamWT5BSvG6gSB2JSsN2BKlwBSuo8yQfgXNSNjO3Hf+mEVWzOB5i z6GRRohA9YjwdsRV3ZHqQMVhzCN3wTEH5fNg+cVunr41Kenx/glMOyjc nJseFXEiZJo3J3ejzerswYWMUcqjf62Yo81Kv47SLVa6pHHuUjA58Fhp z2btvLHy77YKOViYMzBIuiNluShjcnWJTWkeUGGZ4hpYE8dYYq4529VE wLLRMw==
DNSKEY 7 1 86400 20160319061524 20160218061524 56208 hiv. JtWLdWOmsDvis1P4kZad+CafHR/bLnY1u4vMe4ytqmOrvftqGidv3CYw n7cff13fusjBdnuoHpT/JP0NIpPg/W6gkNyF1iwLCAzFwFCYjb8mtOIc bWOYuJTdtY/aO0XngVr0QDTOLEUfns5NcXsqu82Ne40VOAhm+zo08CeY V66ex21CMgt33scYT9c8HzCloDn14ltAeG3aZcb9C7wCBOUnmRYvFDZZ t1eLsGBER+2pScQlhXTsx/+gmDphCULzvjoRUCzWw3gQ4+Bfk3AiLIqn aaSIJSLRhr+5Ak0XoVKCtYFaVhk9fyd2U7YGAUlF0pbng+WMGbe1KY2k QX4gGw==


As you can see, a response exceeding the 1280-byte limit that is supposedly enforced gets through. So as a mitigation this is probably insufficient... (If I am wrong, please point it out. This is TCP so it should not matter, but just in case I also tried setting edns-packet-max; that did not help either.)
If you are using something that enforces the limit on both UDP and TCP, that is fine, but otherwise give up on workarounds and update the affected packages as quickly as possible.
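A quick way to verify the point made in the summary above (the bug needs a response over 2048 bytes) and in this addendum (a forwarder that caps only UDP still lets large answers through on TCP) is to query the resolver over both transports and compare the sizes. The following is an added example, not code from the post or from dnsmasq; it builds the query in wire format with the standard library, and the make_response helper and the 2048-byte threshold are assumptions for offline testing, with "hiv." DNSKEY used only because that is the query shown in the dig output.

```python
"""Probe whether a resolver caps DNS response size on BOTH UDP and TCP.

Added example (not from the post or dnsmasq). Sends the same EDNS0 query over UDP
and TCP and reports whether either transport delivers a response larger than the
limit; a cap on UDP alone does not protect against the TCP fallback.
"""
import socket
import struct

QTYPE_DNSKEY = 48
OPT_RR = 41
LIMIT = 2048  # assumption from the Google post: exploitation needs a response > 2048 bytes


def build_query(name, qtype=QTYPE_DNSKEY, edns_size=4096, txid=0x1234):
    """Wire-format query with RD set and an EDNS0 OPT RR advertising edns_size and DO."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # class IN
    # OPT pseudo-RR: root name, type 41, CLASS = UDP payload size,
    # TTL = ext-rcode/version/flags with DO (0x8000), empty RDATA
    opt = b"\x00" + struct.pack("!HHIH", OPT_RR, edns_size, 0x00008000, 0)
    return header + question + opt


def parse_header(msg):
    """Decode the 12-byte DNS header; we care about TC, RCODE and total size."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "tc": bool(flags & 0x0200), "rcode": flags & 0x000F,
            "ancount": an, "size": len(msg)}


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed before the full message arrived")
        buf += chunk
    return buf


def query_udp(server, qbytes, timeout=3.0):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(qbytes, (server, 53))
        data, _ = s.recvfrom(65535)
    return data


def query_tcp(server, qbytes, timeout=3.0):
    """DNS over TCP: two-byte length prefix on both query and response."""
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(qbytes)) + qbytes)
        (length,) = struct.unpack("!H", recv_exact(s, 2))
        return recv_exact(s, length)


def assess(udp_msg, tcp_msg, limit=LIMIT):
    """Verdict per transport; 'protected' only if both stay at or under the limit."""
    udp, tcp = parse_header(udp_msg), parse_header(tcp_msg)
    return {
        "udp_size": udp["size"], "udp_truncated": udp["tc"],
        "tcp_size": tcp["size"],
        "udp_capped": udp["size"] <= limit,
        "tcp_capped": tcp["size"] <= limit,
        "protected": udp["size"] <= limit and tcp["size"] <= limit,
    }


def make_response(query, payload_len, truncated=False):
    """Constructed response for offline testing: echoes the question/OPT section and
    pads with payload_len filler bytes standing in for answer RRs (not real records)."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8180 | (0x0200 if truncated else 0)  # QR, RD, RA (+TC)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + query[12:] + b"\x00" * payload_len


if __name__ == "__main__":
    import sys
    server = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    q = build_query("hiv.")
    print(assess(query_udp(server, q), query_tcp(server, q)))
```

Pointed at a dnsmasq that forwards the DNSKEY query, the UDP reply comes back truncated at 32 bytes (header plus question plus OPT, the same size dig reported above), while the TCP reply carries the full record set; the verdict is therefore "protected": False, which is exactly the gap described in this addendum.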

Also, some people were trying to enforce the limit with iptables/ip6tables, but while that may work for UDP, TCP is simply segmented at the MSS, so matching on packet length does not catch it (I had not noticed this myself either; someone pointed it out to me). So I think that is also insufficient as a countermeasure.

So, to repeat the conclusion: just update already...

Addendum 3: 2016/02/18 18:15 JST

The max-udp-size limit in bind and unbound is, as the option name suggests, UDP-only as well, so unfortunately (I did not actually verify this myself) it should be powerless against TCP. And the Red Hat article

Critical security flaw: glibc stack-based buffer overflow in getaddrinfo() (CVE-2015-7547)
https://access.redhat.com/articles/2161461

says:

The TCP-based vector could be mitigated by a trusted recursive resolver
on a trusted network which limits the size of individual DNS responses to
1023 bytes and below. However, such a capability is not common in DNS resolver
implementations because it breaks the DNS protocol. (The buffer size
configuration option offered by most resolvers only applies to UDP, not TCP.)
Rejecting AAAA responses, without also limiting the size of A responses, does
not mitigate the vulnerability.


so it too states that this is not a countermeasure for the TCP vector.

Addendum 4: there was a copy-and-paste mistake in the dig output for dnsmasq, which I have fixed.

Addendum 5: 2016/02/19 19:46 JST

IIJ has published a detailed write-up. As expected of IIJ.

CVE-2015-7547: On the getaddrinfo vulnerability in glibc
https://sect.iij.ad.jp/d/2016/02/197129.html





That is the point that, just to be safe, still concerns me, and IIJ's analysis addresses exactly this.

It is a nuisance, but either way the only real option is to upgrade glibc, so I recommend just going ahead and upgrading.

