A serious problem in the Linux glibc library went unnoticed for almost 15 years. A simple coding mistake introduced into the code in November 2000 leaves servers including e-mail servers vulnerable to remote code execution. A buffer overflow in the GNU C Library function __nss_hostname_digits_dots(), which is called by the well used gethostbyname*() functions makes it possible to take over any type of server. In the case of e-mail servers — to take only one example — it is possible to take over a server remotely by sending a well-crafted e-mail exploiting the vulnerability.
However, there are clearly security implications to the bug that was found. As illustrated in the picture, taking over an unpatched e-mail server is rather simple as it does not require special credentials whatsoever. It requires detailed knowledge of the bug itself (and as Glibc is open source, the code can be inspected) and a malicious person with exploit writing capabilities to craft an attack vector in order to exploit this vulnerability. It requires the malicious person to send the e-mail to the mail server, which then calls one of the gethostbyname*() functions which will in turn call the problematic __nss_hostname_digits_dots(). If the attack is correctly designed, the attacker will get a shell on (and control over) the machine.
What we’ve learned from this vulnerability is that once again security issues can go unnoticed for a very long time. We often come across web-facing applications that feature code written years ago, sometimes over a decade old. A clear lesson is that these may no longer be considered safe, for the simple reason that new security issues have since emerged. Many organizations are addressing this issue by reviewing older code on critical and web-facing applications. We can only encourage everyone to do the same.
