2016-02-16 00:28 jwhitmore has quit [Ping timeout: 248 seconds]
2016-02-16 02:05 archang has joined #qi-hardware
2016-02-16 02:17 archang has quit [Ping timeout: 265 seconds]
2016-02-16 02:25 archang has joined #qi-hardware
2016-02-16 04:11 DocScrutinizer05 has quit [Disconnected by services]
2016-02-16 04:11 DocScrutinizer05 has joined #qi-hardware
2016-02-16 07:46 tumdedum has joined #qi-hardware
2016-02-16 09:23 sandeepkr has quit [Ping timeout: 265 seconds]
2016-02-16 10:06 zrafa has quit [Ping timeout: 252 seconds]
2016-02-16 10:15 pcercuei has joined #qi-hardware
2016-02-16 10:22 sb0 has quit [Quit: Leaving]
2016-02-16 11:15 pcercuei has quit [Remote host closed the connection]
2016-02-16 11:25 FDCX has quit [Remote host closed the connection]
2016-02-16 11:34 jwhitmore has joined #qi-hardware
2016-02-16 11:49 sb0 has joined #qi-hardware
2016-02-16 12:49 sandeepkr has joined #qi-hardware
2016-02-16 13:09 rjeffries has quit [Ping timeout: 248 seconds]
2016-02-16 13:15 archang has quit [Ping timeout: 250 seconds]
2016-02-16 13:16 fengling has quit [Ping timeout: 272 seconds]
2016-02-16 13:21 FDCX has joined #qi-hardware
2016-02-16 14:08 pcercuei has joined #qi-hardware
2016-02-16 15:30 jwhitmore has quit [Ping timeout: 272 seconds]
2016-02-16 16:14 "funĀ”" https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html
2016-02-16 16:49 jwhitmore has joined #qi-hardware
2016-02-16 17:18 is this a severe security threat or just a funny sidenote?
2016-02-16 17:22 nicely detailed report. sounds as if it might be nasty. i like this section: "Mitigations that don't work" :)
2016-02-16 17:23 disturbing thing is that this flaw has been there since 2008
2016-02-16 17:23 i wonder if the attacked person would know about the attack (for example, his dns lookup utility would segfault or what?)
2016-02-16 17:24 if it's just a nice way to execute code remotely from DNS server, who knows how many times this has already been exploited
2016-02-16 17:25 pcercuei has quit [Quit: leaving]
2016-02-16 17:27 the more eyes of "whitehats" that are looking at things, the more likely the fixes will be around by the time the blackhats get wind of their opportunity
2016-02-16 17:32 kyak: (2008) indeed
2016-02-16 17:33 sure, sure, but such reports only make me more suspicious and paranoid :)
2016-02-16 17:33 (who knows how many times) indeed 2
2016-02-16 17:33 anyway pretty 'recent' https://bugzilla.suse.com/show_bug.cgi?id=961721#c16
2016-02-16 17:34 not even on security sites yet
2016-02-16 17:37 https://github.com/fjserna/CVE-2015-7547
2016-02-16 17:37 people react fast
2016-02-16 17:45 I think it worked the other way round: they went CVE-public after the code got tested and available
2016-02-16 17:46 prior to that it looked like https://www.suse.com/security/cve/CVE-2015-7547.html
2016-02-16 17:46 >> Description ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. <<
2016-02-16 17:46 ah yeah, makes sense
2016-02-16 17:48 btw, the PoC dns server indeed crashes not only the test client, but any other application that attempts dns resolving (it segfaults)
2016-02-16 17:48 where there is a segfault, there is an opportunity for remote code execution, if i understand correctly
2016-02-16 17:48 not always
2016-02-16 17:49 time to reboot all the machines though
2016-02-16 17:50 this is how fast you updated? :)
2016-02-16 17:54 too slow?
2016-02-16 17:54 everything exploited already?
2016-02-16 17:58 you still have a chance, if you reboot now!
2016-02-16 17:58 already rebooted a few hours ago when the announcement came out
2016-02-16 18:07 how does reboot help? you need updates first, no?
2016-02-16 18:09 sandeepkr has quit [Ping timeout: 264 seconds]
2016-02-16 18:37 kyak: is there a *public* PoC server?
2016-02-16 18:38 kyak: anyway yes, when you suffered an exploit of this vuln, your app prolly would _not_ segfault
2016-02-16 18:39 pcercuei has joined #qi-hardware
2016-02-16 18:39 as a rule of thumb when it segfaults the process terminates and can't do further malicious stuff, so exploits will try to keep the process alive
2016-02-16 18:47 DocScrutinizer05: don't know if there is a public PoC server, i ran the code from github url above
2016-02-16 18:48 :nod:
2016-02-16 18:48 would be funny to have an IP ready
2016-02-16 18:49 of course you can run a LAN-local rogue server on your company's LAN ;-) BOFH leisure fun
2016-02-16 18:51 kyak: do you still have the thing working? could you test for me how much output a "host -a ct.de" produces before the process segfaults? does it show the DNS server IP before it goes south?
2016-02-16 18:53 would be a lame prank if the user could tell from stdout remnants that there's sth odd with the DNS server IP used
2016-02-16 18:53 sure you could handle this inside routes on router....
2016-02-16 18:55 here is what it says:
2016-02-16 18:55 $ host -a ct.de 192.168.1.2
2016-02-16 18:55 Trying "ct.de"
2016-02-16 18:55 Trying "ct.de"
2016-02-16 18:55 ;; Warning: Message parser reports malformed message packet.
2016-02-16 18:55 ;; Question section mismatch: got ./NS/CLASS25460
2016-02-16 18:55 so it actually doesn't segfault.. However, another application that uses getaddrinfo segfaults
2016-02-16 18:56 hehe
2016-02-16 19:00 alexst has joined #qi-hardware
2016-02-16 19:03 now how would we make shodan search for DNS servers that publish rogue packets?
2016-02-16 19:03 when querying the DNS server in TCP mode, funny thing happens
2016-02-16 19:04 it spits out the 2985 bytes packet in terminal
2016-02-16 19:04 wow
2016-02-16 19:04 dig +tcp @89.169.53.112 google.com
2016-02-16 19:05 i exposed the dns server for a while :)
2016-02-16 19:05 that's already sort of an exploit, since you could add esc sequences and other funny stuff
2016-02-16 19:05 :-D
2016-02-16 19:05 LOL
2016-02-16 19:05 many thanks
2016-02-16 19:06 this works for dig and nslookup, but host seems to handle this problem more gracefully
2016-02-16 19:07 http://paste.opensuse.org/54963443
2016-02-16 19:07 yep
2016-02-16 19:07 if you have dig, you can try that
2016-02-16 19:08 did
2016-02-16 19:08 fun
2016-02-16 19:08 i'll shut it down now :)
2016-02-16 19:08 what would actually segfault?
2016-02-16 19:08 oooooo!
2016-02-16 19:09 this is a simple app written in TCL that segfaults
2016-02-16 19:09 I guess it also depends on whether my app actually is supposed to use IPv6 aka AAAA, no?
2016-02-16 19:10 you only need python2 to play around with the PoC dns server, so.. :)
2016-02-16 19:10 I know
2016-02-16 19:10 via internet it feels so much more 'real' ;-)
2016-02-16 19:10 they mentioned in the report that disabling ipv6 won't help
2016-02-16 19:10 ah
2016-02-16 19:19 alexst has quit [Ping timeout: 252 seconds]
2016-02-16 19:34 alexst has joined #qi-hardware
2016-02-16 19:39 allegedly a >>apt update && apt upgrade<< is due already
2016-02-16 19:40 I can't comment, RPM here
2016-02-16 19:42 jwhitmore has quit [Ping timeout: 276 seconds]
2016-02-16 20:01 larsc has quit [Remote host closed the connection]
2016-02-16 20:02 lars__ has joined #qi-hardware
2016-02-16 20:02 lars__ is now known as larsc
2016-02-16 22:19 Luke-Jr has joined #qi-hardware
2016-02-16 22:37 sandeepkr has joined #qi-hardware
2016-02-16 22:38 pcercuei has quit [Quit: dodo]
2016-02-16 23:11 sandeepkr_ has joined #qi-hardware
2016-02-16 23:15 sandeepkr has quit [Ping timeout: 265 seconds]
2016-02-16 23:16 sandeepkr__ has joined #qi-hardware
2016-02-16 23:17 sandeepkr__ has quit [Remote host closed the connection]
2016-02-16 23:20 sandeepkr_ has quit [Ping timeout: 260 seconds]
2016-02-16 23:31 enyc_ has joined #qi-hardware
2016-02-16 23:36 dos11 has joined #qi-hardware
2016-02-16 23:37 newcup has quit [*.net *.split]
2016-02-16 23:37 enyc has quit [*.net *.split]
2016-02-16 23:37 dos1 has quit [*.net *.split]
2016-02-16 23:40 alexst has quit [Quit: leaving]