Skip site navigation (1)Skip section navigation (2) 
Date:      Mon, 23 Jul 2001 06:09:35 +0900 (JST)
From:      Hajimu UMEMOTO <ume@mahoroba.org>
To:        ras@e-gerbil.net
Cc:        brian@Awfulhak.org, roam@orbitel.bg, freebsd-security@FreeBSD.org, freebsd-gnats-submit@FreeBSD.org
Subject:   Re: bin/22595: telnetd tricked into using arbitrary peer ip
Message-ID:  <20010723.060935.70171168.ume@mahoroba.org>
In-Reply-To: <Pine.BSF.4.21.0107221637470.53680-100000@overlord.e-gerbil.net>
References:  <20010723.053051.88524825.ume@mahoroba.org> <Pine.BSF.4.21.0107221637470.53680-100000@overlord.e-gerbil.net>
next in thread | previous in thread | raw e-mail | index | archive | help 

>>>>> On Sun, 22 Jul 2001 16:38:13 -0400 (EDT)
>>>>> "Richard A. Steenbergen" <ras@e-gerbil.net> said:

ras> On Mon, 23 Jul 2001, Hajimu UMEMOTO wrote:

> >>>>> On Sat, 21 Jul 2001 23:34:30 +0100
> >>>>> Brian Somers <brian@Awfulhak.org> said:
> 
> brian> Yes, there is a problem where we've basically trusted a DNS that we 
> brian> don't own -- and that is a risk.  But I can't see why 9.8.7.6 is 
> brian> relevant, *except* that ``w -n'' may be mentioning it.
> 
> brian> Am I misinterpreting things or is the real problem that a forward and 
> brian> reverse DNS can both conspire against you ?  Or is the real problem 
> brian> just ``w''s -n flag ?
> 
> It is problem of w(1).  `w -n' does forward lookup for IPv4 only and
> IPv6 is not supported at all.  When available, login(1) writes
> hostname into utmp instead of IP address.  If hostname is saved, `w
> -n' queries A RR for the hostname.
> Real problem is that UT_HOSTSIZE is too short to hold IPv6 address.
> Is there any chance to expand UT_HOSTSIZE in time to 5.0-RELEASE.  It
> apparently breaks binary compatibility.

ras> This is not the problem here, login is writing the false IP to utmp.

I cannot agree with you here.  You did ssh via IPv6.  login(1) cannot
write IPv6 address into utmp.  In this case, realhostname_sa(3)
returns hostname.  The cases that IP address is saved are:

    - reverse or forward lookup was failed,
    - the result of reverse -> forward lookup doesn't match against
      the address, or
    - IPv4

Even if IPv6 address is saved, since it is chopped, it will fail to do
reverse lookup.

--
Hajimu UMEMOTO @ Internet Mutual Aid Society Yokohama, Japan
ume@mahoroba.org  ume@bisd.hitachi.co.jp  ume@{,jp.}FreeBSD.org
http://www.imasy.org/~ume/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010723.060935.70171168.ume>