From: "Jeroen Massar"
To: "'Matt Dillon'", "'Hajimu UMEMOTO'"
Subject: RE: bin/22595: telnetd tricked into using arbitrary peer ip
Date: Mon, 23 Jul 2001 01:58:33 +0200
Organization: Unfix
Message-ID: <000701c1130a$393e27e0$420d640a@HELL>
In-reply-to: <200107222257.f6MMvuE12313@earth.backplane.com>
Sender: owner-freebsd-security@FreeBSD.ORG

Matt Dillon wrote:

> :         1234567890123456789012345678901234567890
> :         NNNN:NNNN:NNNN:NNNN:NNNN:NNNN:NNNN:NNNN%fxp0\n
> :
> :There is one more consideration.  `:' is in conflict with X.  I have no
> :particular idea to solve this problem.  Enclosing IPv6 address with
> :`[' and `]' doesn't help without changing X side.
> :
>     Ok, it sounds like 56 bytes ought to be sufficient.  This will
>     increase the lastlog structure from 28 bytes to 68 bytes
>     and the utmp/wtmp structure from 44 bytes to 84 bytes.  A
>     buildworld would be necessary to deal with the change and
>     certain ports, such as ftpd, would have to be rebuilt
>     (for those people using them) to avoid corruption.  utmp
>     is one of the few structures in the system which is
>     written out 'manually' by various programs, which is why
>     changing the size of the structure is so nasty.
>
>     The issue with X is a separate problem.

And what if we get IP18 in a couple of years? Resize again???
Better to change it to:

    char Hostname[size];
    char Address[size];
    int  AddressType;   // AF_INET6, AF_INET, AF_* whatever... these are standardized (kinda :)

And of course... For 'filling' this info there should be standard
functions, for reading it too (in different formats of course ;)...
Which makes sure that you don't have to upgrade every util whenever the
format of that file changes again.... If at all it stays a file in the
future...

Even then.... IMHO one should log both hostname _AND_ IP...
Following situation:

23 June 2001 - I log into a machine from 10.1.2.3 which maps to
               bla.example.com which points to 10.1.2.3, thus
               bla.example.com is logged...
24 June 2001 - The bla.example.com A is changed to 192.168.2.1,
               192.168.2.1 gets pointed back to bla.example.com...

Now I actually did very evil things with that box on the 23rd....
So the admin of the box wants to hunt me down and checks his/her/its
logs:
Ooe..... that evil user came from 'bla.example.com', let's find out
his/her/its IP.... aha 192.168.2.1 <-------- OOOPS...
Not even the same provider I actually came from to do all those very
evil things...

So long for your 'nice' logging facility... (and thanks for all the
fish... :)
I know... It's been there for a long time and over many many unices but
that doesn't say it's still acceptable...

Only storing the IP is useless too of course.. Because then you never
know what the old hostname (for which you actually accepted) was...
Especially if you got /etc/hosts.allow with the old reverse in it, but
not the new one etc...

Greets,
 Jeroen
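
The record layout proposed in the message above, carried through as an added C example (not code from the post or from FreeBSD): a login record that keeps the hostname as resolved at login time next to a family-tagged address, with one function to fill it and one to read it back. The names login_rec, rec_fill and rec_format, the buffer sizes, and storing the address as raw bytes are assumptions; the interface scope (%fxp0) is not stored.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

#define REC_HOSTLEN 256  /* assumed size; the post leaves "size" open */
#define REC_ADDRLEN 16   /* assumed size; holds an IPv4 or IPv6 address */
struct login_rec {       /* hypothetical record, not FreeBSD's utmp */
    char          hostname[REC_HOSTLEN]; /* name as resolved at login time */
    unsigned char address[REC_ADDRLEN];  /* raw address bytes */
    int           address_type;          /* AF_INET, AF_INET6, ... */
};

/* Fill a record from the peer sockaddr and the name resolved at login. */
int rec_fill(struct login_rec *r, const struct sockaddr *sa, const char *name)
{
    memset(r, 0, sizeof(*r));
    if (sa->sa_family == AF_INET)
        memcpy(r->address, &((const struct sockaddr_in *)sa)->sin_addr, 4);
    else if (sa->sa_family == AF_INET6)
        memcpy(r->address, &((const struct sockaddr_in6 *)sa)->sin6_addr, 16);
    else return -1;      /* unknown family: refuse rather than guess */
    r->address_type = sa->sa_family;
    snprintf(r->hostname, sizeof(r->hostname), "%s", name ? name : "");
    return 0;
}

/* Read side: render "hostname [address]" so both survive a DNS change. */
int rec_format(const struct login_rec *r, char *out, size_t outlen)
{
    char ip[INET6_ADDRSTRLEN];
    if (inet_ntop(r->address_type, r->address, ip, sizeof(ip)) == NULL)
        return -1;
    int n = snprintf(out, outlen, "%s [%s]", r->hostname, ip);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    struct sockaddr_in peer = { .sin_family = AF_INET }; /* constructed sample */
    struct login_rec r;
    char line[REC_HOSTLEN + INET6_ADDRSTRLEN + 4];
    inet_pton(AF_INET, "10.1.2.3", &peer.sin_addr);
    if (rec_fill(&r, (struct sockaddr *)&peer, "bla.example.com") == 0 &&
        rec_format(&r, line, sizeof(line)) == 0)
        puts(line);
    return 0;
}
```

Because readers go through rec_format rather than the raw layout, a later address family only changes the two functions and REC_ADDRLEN, not every utility that reads the log.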