Pwnie Awards 2017

The 2016 Pwnie Award For Best Client-Side Bug

glibc getaddrinfo stack-based buffer overflow

Fermin J. Serna

This vulnerability was discovered when SSH kept segfaulting whenever a Google engineer tried to connect to a particular host. Rather than a bug in SSH, it turned out that the DNS responses for Google's ridiculously long internal hostnames were large enough to trip a stack-based buffer overflow in glibc's resolver (CVE-2015-7547): getaddrinfo() reserves a 2048-byte stack buffer for the answer, and when a response is larger than that a heap buffer is allocated, but under certain conditions the oversized response is still written into the stack buffer. Since just about everything that resolves a name goes through getaddrinfo(), the bug is reachable through an attacker-controlled domain, a malicious DNS server, or a man-in-the-middle on the resolver's traffic. Google also has some ridiculously talented security engineers, who were able to bypass modern Linux mitigations like ASLR and exploit the bug. The fix shipped in glibc 2.23 and was backported by the distributions, so the practical check is the glibc version on any box that resolves untrusted names.
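To make the bug class concrete, here is a simplified model added for this page; it is not glibc's code and not the Google team's exploit. Only the 2048-byte stack buffer size is taken from the real bug. The names `struct answer`, `grow_buggy`, `grow_fixed`, `deliver` and `bytes_overflowed` are invented for the illustration, and the "stack" buffer is the head of a larger zeroed heap arena so the overflow can be measured instead of crashing the process. The point it shows is the mismatch the award text describes: the resolver's idea of how big the answer buffer is gets updated to the new heap allocation while writes still land in the fixed buffer, so a response over 2048 bytes spills past it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Size of the fixed stack buffer glibc's resolver reserves for a DNS answer.
 * This constant is from the real bug; everything else here is a simplified
 * model written for this page, not glibc's code. */
#define STACK_ANS_SIZE 2048

/* The resolver's view of where the next reply goes. */
struct answer {
    uint8_t *buf;   /* destination the reply is written to */
    size_t   size;  /* how many bytes the code believes buf can hold */
};

/* Buggy growth, modelling the glibc mismatch: a heap buffer is allocated and
 * the size is raised to match it, but the write pointer keeps referring to
 * the fixed stack buffer. Returns the heap buffer so the caller can free it. */
uint8_t *grow_buggy(struct answer *a, size_t need)
{
    uint8_t *heap = malloc(need);
    if (heap == NULL)
        return NULL;
    a->size = need;          /* BUG: a->buf is not updated alongside a->size */
    return heap;
}

/* Correct growth: pointer and size change together, so every later write
 * through `a` is bounded by the buffer it actually targets. */
uint8_t *grow_fixed(struct answer *a, size_t need)
{
    uint8_t *heap = malloc(need);
    if (heap == NULL)
        return NULL;
    a->buf = heap;
    a->size = need;
    return heap;
}

/* Stand-in for recvfrom(): copies at most a->size bytes of the reply. The
 * bound is only as good as a->size, which is exactly what the bug corrupts. */
size_t deliver(struct answer *a, const uint8_t *reply, size_t len)
{
    size_t n = len < a->size ? len : a->size;
    memcpy(a->buf, reply, n);
    return n;
}

/* Runs one reply of reply_len bytes through the buggy (use_fix == 0) or the
 * fixed growth path. The "stack" buffer is the first STACK_ANS_SIZE bytes of
 * a larger zeroed arena, so an overflow lands in the arena's tail instead of
 * the real stack. Returns how many bytes past the fixed buffer were written
 * (0 means no overflow). */
size_t bytes_overflowed(int use_fix, size_t reply_len)
{
    size_t arena_len = STACK_ANS_SIZE + reply_len;   /* room to catch the spill */
    uint8_t *arena = calloc(arena_len, 1);
    uint8_t *reply = malloc(reply_len);
    if (arena == NULL || reply == NULL) {
        free(arena);
        free(reply);
        return 0;
    }
    memset(reply, 0x41, reply_len);   /* constructed reply bytes, not real DNS data */

    struct answer a = { arena, STACK_ANS_SIZE };
    uint8_t *heap = NULL;
    if (reply_len > a.size)
        heap = use_fix ? grow_fixed(&a, reply_len) : grow_buggy(&a, reply_len);
    deliver(&a, reply, reply_len);

    /* count non-zero bytes beyond the fixed buffer's end */
    size_t spilled = 0;
    for (size_t i = STACK_ANS_SIZE; i < arena_len; i++)
        if (arena[i] != 0)
            spilled++;

    free(heap);
    free(reply);
    free(arena);
    return spilled;
}

int main(void)
{
    printf("3000-byte reply, buggy growth: %zu bytes past the stack buffer\n",
           bytes_overflowed(0, 3000));
    printf("3000-byte reply, fixed growth: %zu bytes past the stack buffer\n",
           bytes_overflowed(1, 3000));
    printf("512-byte reply, buggy growth:  %zu bytes past the stack buffer\n",
           bytes_overflowed(0, 512));
    return 0;
}
```

A reply that fits in 2048 bytes never overflows on either path, which is why the bug survived for years: the overflow only shows up when a response is larger than the fixed buffer, exactly the case a malicious server or a man-in-the-middle can manufacture at will.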