A Google security engineer studying an SSH connection to a host unexpectedly discovered a deeper, darker secret in the GNU C Library (glibc). Google later proved that a bug in this library could be used to remotely execute code and cause a stack-buffer overflow condition. Though most Linux operating systems are protected from such an attack by address space layout randomization (ASLR), Google security engineers were able to circumvent this mitigation method.
SSH is the Linux secure shell that provides an encrypted remote channel for authentication and a command line interface. The glibc library defines the system calls and other basic facilities used by many Linux distributions that C programs use to interact with the OS.
Google reported this bug in a Security Blog post yesterday, explaining that a security engineer was able to craft a full working exploit. Google also reported that “exploitation vectors are diverse and widespread,” highlighting how important it is to to patch or mitigate. Google won’t release the code, preventing it from being copied and used for malicious or criminal purposes. But it did make a non-weaponized proof of concept publicly available.
“The glibc DNS client side resolver is vulnerable to a stack-based buffer overflow when the getaddrinfo() library function is used. Software using this function may be exploited with attacker-controlled domain names, attacker-controlled DNS servers, or through a man-in-the-middle attack.”
When serious exploits like this are discovered, security analysts follow disclosure rules that, in most cases, keep the exploit confidential until a patch is released. Security analysts only make a disclosure public when the maintainers of the software are unresponsive, though motivation for disclosure can sometimes be suspicious around the time of large security conferences, like RSA in just two weeks. In the case of the glibc exploit, however, Google’s announcement meets the standards of responsible disclosure because a patch is available.
In the course of Google’s investigation, engineers discovered that glibc maintainers knew about the bug and potential exploit since July. It wasn’t clear if the bug had been fixed. While seeking a solution, the company learned that two Red Hat developers were also working independently on a solution to the glibc bug. Google and Red Hat collaborated to create and test a patch that is available now.
The issue affects all glibc libraries after the 2.9 release, but updating older versions is also recommended. For those who can’t immediately apply a patch, Google has found some mitigation methods that may help prevent the exploit.