Date:      Mon, 23 Jul 2001 01:58:33 +0200
From:      "Jeroen Massar" <jeroen@unfix.org>
To:        "'Matt Dillon'" <dillon@earth.backplane.com>, "'Hajimu UMEMOTO'" <ume@mahoroba.org>
Cc:        <aschneid@mail.slc.edu>, <brian@Awfulhak.org>, <ras@e-gerbil.net>, <roam@orbitel.bg>, <freebsd-security@FreeBSD.ORG>, <freebsd-gnats-submit@FreeBSD.ORG>
Subject:   RE: bin/22595: telnetd tricked into using arbitrary peer ip
Message-ID:  <000701c1130a$393e27e0$420d640a@HELL>
In-Reply-To: <200107222257.f6MMvuE12313@earth.backplane.com>

Matt Dillon <dillon@earth.backplane.com> wrote:

<SNIP>
> :	1234567890123456789012345678901234567890
> :	NNNN:NNNN:NNNN:NNNN:NNNN:NNNN:NNNN:NNNN%fxp0\n
> :
> :There is one more consideration.  `:' is conflict with X.  I have no
> :particular idea to solve this problem.  Enclosing IPv6 address with
> :`[' and `]' doesn't help without changing X side.
> :

>     Ok, it sounds like 56 bytes ought to be sufficient.  This will
>     increase the lastlog structure from 28 bytes to 68 bytes
>     and the utmp/wtmp structure from 44 bytes to 84 bytes.  A
>     buildworld would be necessary to deal with the change and
>     certain ports, such as ftpd, would have to be rebuilt
>     (for those people using them) to avoid corruption.  utmp
>     is one of the few structures in the system which is 
>     written out 'manually' by various programs, which is why
>     changing the size of the structure is so nasty.
> 
>     The issue with X is a separate problem.

And what if we get IP18 in a couple of years? Resize again???
Better to change it to:

char Hostname[size];
char Address[size];
int AddressType;  // AF_INET6, AF_INET, AF_* whatever... these are standardized (kinda :)

And of course... For 'filling' this info there should be standard
functions, for reading it too (in different formats of course ;)...
Which makes sure that you don't have to upgrade every util whenever the
format of that file changes again.... If at all it stays a file in the
future...

Even then.... IMHO one should log both hostname _AND_ IP...
Following situation:

23 June 2001 - I log into a machine from 10.1.2.3 which maps to
bla.example.com which points to 10.1.2.3 thus bla.example.com is
logged...
24 June 2001 - The bla.example.com A is changed to 192.168.2.1,
192.168.2.1 gets pointed back to bla.example.com...

Now I actually did very evil things with that box on the 23rd.... So the
admin of the box wants to hunt me down and checks his/her/its logs:
Ooe..... that evil user came from 'bla.example.com' let's find out
his/her/its IP....aha 192.168.2.1 <-------- OOOPS... Not even the same
provider I actually came from to do all those very evil things...

So long for your 'nice' logging facility... (and thanks for all the
fish... :) I know... It's been there for a long time and over many many
unices but that doesn't say it's still acceptable...

Only storing the IP is useless too of course.. Because then you never
know what the old hostname (for which you actually accepted) was...
Especially if you got /etc/hosts.allow with the old reverse in it, but
not the new one etc...

Greets,
 Jeroen
