[guardian-dev] gethostbyname() buffer overflow, nicknamed GHOST

Lee Azzarello lee at guardianproject.info
Thu Jan 29 12:44:08 EST 2015

If you haven't seen the fantastic (!) logo for the latest panic-room-worthy
C bug that will break the Internet into tiny bits which can never be
assembled again, check this awesome write-up.


Of particular note is the PoC using the Exim email server. The author
gets arbitrary code execution by sending a string to a public network
port. That string can determine the memory address of a specific piece of
configuration data which is held in memory; when that data is modified,
it opens up an ACL in the mail server, which unlocks the usage of a run()
command that allows the user to run shell code!

It's really impressive, though I do not believe it allows privilege escalation.
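For readers who want to know whether their own libc is affected rather than read about the Exim chain, here is an added example (not part of the original post, and not code from the write-up it links to): a local check for the gethostbyname() bug, modelled on the canary-style test that circulated with the advisory. It assumes a glibc-style gethostbyname_r() and a 1024-byte buffer with the name length chosen as in that public test; those sizes are the example's assumptions, not something the post states. No network lookup is made, because an all-digits name is handled entirely inside libc.

```c
/* Added example: a local check for the GHOST bug (glibc gethostbyname()
 * family buffer overflow), modelled on the widely circulated canary test.
 * Assumptions: glibc-style gethostbyname_r(); the buffer arithmetic is the
 * one used by the published test. A fixed libc rejects the too-small buffer
 * with ERANGE; a vulnerable one writes past it and clobbers the canary. */
#define _GNU_SOURCE
#include <errno.h>
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CANARY "in_the_coal_mine"

/* Outcome of the check. */
enum ghost_status {
    GHOST_NOT_VULNERABLE,  /* libc refused the too-small buffer (ERANGE) */
    GHOST_VULNERABLE,      /* canary placed right after the buffer was overwritten */
    GHOST_UNKNOWN          /* neither: non-glibc libc or other behaviour */
};

/* A buffer immediately followed by a canary. The buggy size computation
 * believes the answer fits in 'buffer'; the bytes it writes beyond the end
 * land on 'canary'. */
struct probe {
    char buffer[1024];
    char canary[sizeof(CANARY)];
};

enum ghost_status ghost_check(void)
{
    struct probe temp;
    struct hostent resbuf;
    struct hostent *result = NULL;
    int herrno = 0;
    int retval;
    char name[sizeof(temp.buffer)];
    /* Name length taken from the public test (an assumption of this
     * example): long enough that the correct accounting needs more than
     * sizeof(temp.buffer), short enough that the buggy accounting accepts it. */
    size_t len = sizeof(temp.buffer) - 16 * sizeof(unsigned char)
                 - 2 * sizeof(char *) - 1;

    memset(&temp, 0, sizeof temp);
    memcpy(temp.canary, CANARY, sizeof(CANARY));

    /* An all-digits name takes the "digits and dots" path inside libc, the
     * path where the miscount lives, so no resolver traffic is generated. */
    memset(name, '0', len);
    name[len] = '\0';

    retval = gethostbyname_r(name, &resbuf, temp.buffer, sizeof(temp.buffer),
                             &result, &herrno);

    if (memcmp(temp.canary, CANARY, sizeof(CANARY)) != 0)
        return GHOST_VULNERABLE;
    if (retval == ERANGE)
        return GHOST_NOT_VULNERABLE;
    return GHOST_UNKNOWN;
}

int main(void)
{
    switch (ghost_check()) {
    case GHOST_VULNERABLE:
        puts("vulnerable: canary after the buffer was overwritten");
        return 1;
    case GHOST_NOT_VULNERABLE:
        puts("not vulnerable: libc returned ERANGE for the small buffer");
        return 0;
    default:
        puts("inconclusive: libc behaved in an unexpected way");
        return 2;
    }
}
```

Compile with `cc -o ghost-check ghost-check.c` and run it on each host you care about; a non-zero exit from the `vulnerable` branch means the libc needs the vendor update, and a restart of long-running services that have the old library mapped (such as the mail server in the write-up) is needed after patching, since the fix only takes effect for processes that load the new glibc.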

