From what I'm reading this should only affect systems that use a compromised DNS server or in a MitM attack scenario. Which is serious but not so easily exploitable (I think).
It's worse than that. According to https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html any system that performs a DNS lookup may be hit. And it's not hard to cause DNS lookups to happen (think reverse DNS lookups when logging login attempts, hovering a link in an email or webpage, etc):
> A back of the envelope analysis shows that it should be possible to write correctly formed DNS responses with attacker controlled payloads that will penetrate a DNS cache hierarchy and therefore allow attackers to exploit machines behind such caches.
So even if you trust your local ISP and DNS servers, any random domain on the internet may be resolving to an exploit.
Also, this vulnerability has apparently been around since 2008, and sitting in public view on the bugtracker for many months. Who knows who else has been sitting quietly on this for however long? :-/
If you request a network connection to an attacker-controlled host, your network software may try to resolve the attacker's host name. The DNS NS record of their domain may then direct your resolver to look up the record using the attacker's own name server, meaning you are directly doing DNS queries against the attacker's NS.
So in theory, all you need to be exploited is to connect to a compromised host and resolve its hostname.
It could be even worse than that. If the attacker tries to connect to you, your server may try to reverse their IP for logging, and the attacker can control the PTR record. Or the attacker could send you an email that's guaranteed to bounce, and they control the return path that your mailer has to resolve.
> Which is serious but not so easily exploitable (I think).
Oh it is. All you need is an open wifi with a router only dealing IPv4 addresses... start up radvd and serve your machine as authoritative IPv6 DNS server, and profit.
tremon|10 years ago
Besides, how many distros are actually configured for dhcpv6 stateful configuration out of the box?
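A defender-side check for the rogue router-advertisement vector raised above and for the question of how hosts pick up IPv6 resolvers, added here as an example that is not part of the thread: it parses resolv.conf text and flags any resolver that is link-local IPv6 (what an RDNSS option in a router advertisement would install) or that is not on an allowlist. The sample file and the allowlist are constructed for the example.

```python
import ipaddress

# Constructed sample: what /etc/resolv.conf might look like after a rogue
# router advertisement (RDNSS) pushed a link-local IPv6 resolver in front
# of the resolvers the DHCPv4 server handed out.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search corp.example
nameserver fe80::1%wlan0
nameserver 192.0.2.53
nameserver 2001:db8::53
options timeout:2
"""

# Hypothetical allowlist of the resolvers this host is expected to use.
EXPECTED_RESOLVERS = {"192.0.2.53", "2001:db8::53"}


def parse_nameservers(resolv_text):
    """Return the nameserver addresses listed in resolv.conf text, in order."""
    servers = []
    for line in resolv_text.splitlines():
        # resolv.conf comments start with '#' or ';'
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def audit_resolvers(resolv_text, expected):
    """Flag resolvers that are link-local IPv6 or not on the allowlist.

    A link-local IPv6 resolver (fe80::/10) is exactly what an RDNSS option in
    a router advertisement installs, so it is reported as its own finding.
    """
    findings = []
    for server in parse_nameservers(resolv_text):
        host = server.split("%", 1)[0]  # strip the zone id, e.g. %wlan0
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            findings.append((server, "unparseable address"))
            continue
        if addr.version == 6 and addr.is_link_local:
            findings.append((server, "link-local IPv6 resolver (RA/RDNSS?)"))
        elif host not in expected:
            findings.append((server, "resolver not on allowlist"))
    return findings
```

This only inspects what ended up in resolv.conf; where NetworkManager or systemd-resolved manages resolvers, query that service's state as well, since it may hand a rogue resolver to applications without writing it to the file.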