From owner-freebsd-security Sun Jul 22 14:10:02 2001
Delivered-To: freebsd-security@freebsd.org
Received: from light.imasy.or.jp (light.imasy.or.jp [202.227.24.4])
	by hub.freebsd.org (Postfix) with ESMTP id 7C4F437B406;
	Sun, 22 Jul 2001 14:09:57 -0700 (PDT)
	(envelope-from ume@mahoroba.org)
Received: (from uucp@localhost)
	by light.imasy.or.jp (8.11.3+3.4W/8.11.3/light/smtpfeed 1.12) with UUCP id f6ML9sd18851;
	Mon, 23 Jul 2001 06:09:54 +0900 (JST)
	(envelope-from ume@mahoroba.org)
Received: from peace.mahoroba.org (IDENT:vC0v9KIPS08hEVG4h5zYjibu75J1U5GJxUfr5LRR6jRFyaW9J43iRN8mRzN5DNPv@peace.mahoroba.org [3ffe:505:2:0:200:f8ff:fe05:3eae])
	(authenticated as ume with CRAM-MD5)
	by mail.mahoroba.org (8.11.4/8.11.4/chaos) with ESMTP/inet6 id f6ML9ZL28750;
	Mon, 23 Jul 2001 06:09:36 +0900 (JST)
	(envelope-from ume@mahoroba.org)
Date: Mon, 23 Jul 2001 06:09:35 +0900 (JST)
Message-Id: <20010723.060935.70171168.ume@mahoroba.org>
To: ras@e-gerbil.net
Cc: brian@Awfulhak.org, roam@orbitel.bg, freebsd-security@FreeBSD.org, freebsd-gnats-submit@FreeBSD.org
Subject: Re: bin/22595: telnetd tricked into using arbitrary peer ip
From: Hajimu UMEMOTO
In-Reply-To:
References: <20010723.053051.88524825.ume@mahoroba.org>
X-Mailer: Mew version 1.95b119 on Emacs 20.7 / Mule 4.0 (花園)
X-PGP-Public-Key: http://www.imasy.org/~ume/publickey.asc
X-PGP-Fingerprint: 6B 0C 53 FC 5D D0 37 91 05 D0 B3 EF 36 9B 6A BC
X-URL: http://www.imasy.org/~ume/
X-Operating-System: FreeBSD 5.0-CURRENT
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>>>>> On Sun, 22 Jul 2001 16:38:13 -0400 (EDT)
>>>>> "Richard A. Steenbergen" said:

ras> On Mon, 23 Jul 2001, Hajimu UMEMOTO wrote:
>
> >>>>> On Sat, 21 Jul 2001 23:34:30 +0100
> >>>>> Brian Somers said:
>
> brian> Yes, there is a problem where we've basically trusted a DNS that we
> brian> don't own -- and that is a risk.  But I can't see why 9.8.7.6 is
> brian> relevant, *except* that ``w -n'' may be mentioning it.
>
> brian> Am I misinterpreting things or is the real problem that a forward and
> brian> reverse DNS can both conspire against you?  Or is the real problem
> brian> just ``w''s -n flag?
>
> It is a problem of w(1).  `w -n' does a forward lookup for IPv4 only, and
> IPv6 is not supported at all.  When available, login(1) writes the
> hostname into utmp instead of the IP address.  If the hostname is saved,
> `w -n' queries the A RR for the hostname.
> The real problem is that UT_HOSTSIZE is too short to hold an IPv6 address.
> Is there any chance to expand UT_HOSTSIZE in time for 5.0-RELEASE?  It
> apparently breaks binary compatibility.

ras> This is not the problem here, login is writing the false IP to utmp.

I cannot agree with you here.  You did ssh via IPv6.  login(1) cannot
write an IPv6 address into utmp.  In this case, realhostname_sa(3)
returns the hostname.  The cases in which the IP address is saved are:

  - the reverse or forward lookup failed,
  - the result of the reverse -> forward lookup doesn't match the
    address, or
  - IPv4.

Even if an IPv6 address is saved, since it is chopped, the reverse
lookup will fail.

--
Hajimu UMEMOTO @ Internet Mutual Aid Society Yokohama, Japan
ume@mahoroba.org  ume@bisd.hitachi.co.jp  ume@{,jp.}FreeBSD.org
http://www.imasy.org/~ume/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
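The decision the message describes (realhostname_sa(3) accepting the PTR name only when a forward lookup of it round-trips to the peer, otherwise storing the numeric address, and the result being chopped at UT_HOSTSIZE before `w -n` forward-resolves it again) is modelled below as an added example. It is not FreeBSD source and not code from anyone in the thread; the DNS is a constructed in-memory table so the program runs offline, the names and addresses other than the ones quoted in the thread are made up, and the value 16 for UT_HOSTSIZE is an assumption about the utmp.h of the period.

```c
/*
 * Added example (not FreeBSD source): a model of how login(1) decides what to
 * store in utmp's ut_host via realhostname_sa(3), and how `w -n` turns that
 * field back into an address.  The DNS is a constructed in-memory table so
 * the program runs offline; the names and addresses are made up.
 */
#include <stdio.h>
#include <string.h>

#define UT_HOSTSIZE 16          /* assumption: the utmp.h value of the period */

/* The utmp ut_host field, modelled as a NUL-padded fixed buffer. */
static char ut_host[UT_HOSTSIZE + 1];

/* Constructed PTR records: address -> name */
static const struct { const char *addr, *name; } ptr_table[] = {
    { "192.0.2.10",                      "good.example.org" },
    { "192.0.2.66",                      "evil.example.net" },   /* forward disagrees */
    { "192.0.2.77",                      "m.example.org" },      /* two A records    */
    { "3ffe:505:2:0:200:f8ff:fe05:3eae", "peace.mahoroba.org" }, /* name > 16 chars  */
};

/* Constructed A/AAAA records: name -> addresses, in answer order */
static const struct { const char *name; const char *addrs[3]; } fwd_table[] = {
    { "good.example.org",   { "192.0.2.10", NULL } },
    { "evil.example.net",   { "198.51.100.1", NULL } },
    { "m.example.org",      { "9.8.7.6", "192.0.2.77", NULL } },
    { "peace.mahoroba.org", { "3ffe:505:2:0:200:f8ff:fe05:3eae", NULL } },
};

static const char *reverse_lookup(const char *addr)
{
    size_t i;
    for (i = 0; i < sizeof ptr_table / sizeof ptr_table[0]; i++)
        if (strcmp(ptr_table[i].addr, addr) == 0)
            return ptr_table[i].name;
    return NULL;                         /* NXDOMAIN */
}

static const char *const *forward_lookup(const char *name)
{
    size_t i;
    for (i = 0; i < sizeof fwd_table / sizeof fwd_table[0]; i++)
        if (strcmp(fwd_table[i].name, name) == 0)
            return fwd_table[i].addrs;
    return NULL;                         /* NXDOMAIN */
}

/*
 * login(1) step, as realhostname_sa(3) does it: store the PTR name only if a
 * forward lookup of that name contains the peer address; otherwise store the
 * numeric address.  Either way the value is chopped at UT_HOSTSIZE.
 * Returns 1 if the verified name was stored, 0 if the address was.
 */
int login_record(const char *peer)
{
    const char *name = reverse_lookup(peer);
    const char *const *a;
    int verified = 0;

    if (name != NULL)
        for (a = forward_lookup(name); a != NULL && *a != NULL; a++)
            if (strcmp(*a, peer) == 0) {
                verified = 1;
                break;
            }
    memset(ut_host, 0, sizeof ut_host);
    strncpy(ut_host, verified ? name : peer, UT_HOSTSIZE);  /* silent truncation */
    return verified;
}

/* `w -n` step: forward-resolve ut_host and show the first A RR that comes back. */
const char *w_dash_n(void)
{
    const char *const *a = forward_lookup(ut_host);
    return (a != NULL && a[0] != NULL) ? a[0] : ut_host;
}

int main(void)
{
    const char *peers[] = { "192.0.2.10", "192.0.2.66", "192.0.2.77",
                            "3ffe:505:2:0:200:f8ff:fe05:3eae",
                            "3ffe:505:2:0:200:f8ff:fe05:1" };   /* no PTR record */
    size_t i;
    for (i = 0; i < sizeof peers / sizeof peers[0]; i++) {
        int v = login_record(peers[i]);
        printf("peer %-32s ut_host=%-16s (%s)  w -n shows %s\n",
               peers[i], ut_host, v ? "verified name" : "address", w_dash_n());
    }
    return 0;
}
```

Three of the constructed cases show the points made in the thread: 192.0.2.66 has a PTR whose forward lookup does not contain the peer, so the address is stored; 192.0.2.77 passes the round-trip check because the peer is among the A records, yet `w -n` then displays the first A record, 9.8.7.6, because a forward and a reverse zone the host does not own agree with each other; and both IPv6 peers lose everything past the 16th character, so neither the chopped name nor the chopped address can be looked up again.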