Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 26 Mar 2003 13:17:15 -0600
From:      David J Duchscher <daved@nostrum.com>
To:        Terry Lambert <tlambert2@mindspring.com>
Cc:        Mark_Andrews@isc.org
Subject:   Re: Resolver Issues (non valid hostname characters)
Message-ID:  <8DBF2195-5FBF-11D7-8B57-0003930B3DA4@nostrum.com>
In-Reply-To: <3E816913.2B3E614E@mindspring.com>

next in thread | previous in thread | raw e-mail | index | archive | help
On Wednesday, March 26, 2003, at 02:47  AM, Terry Lambert wrote:

> David J Duchscher wrote:
>> On Tuesday, March 25, 2003, at 11:23  PM, Mark.Andrews@isc.org wrote:
>>>       This is a security matter.  Sendmail was compromised due to
>>>       lack of checking the results returned by gethostbyaddr().
>>>
>>>       get*by*() and get*info() enforce RFC 952 so that every
>>>       application written doesn't have to validate the results
>>>       returned.  Allowing underscore (or IHN) is a API change
>>>       and will potentially break applications that correctly
>>>       depend upon get*by*() and get*info() filtering out the
>>>       garbage.
>>>
>>>       If you want to be liberal in what you accept bypass
>>>       get*by*() and get*info() and call the resolver directly.
>>
>> Let me see, this is a matter of national security so we can't talk
>> about it.  This is very much a straw man argument when it comes to
>> underscore.
>
> It's not "national security", it's "computer security".  If you
> allow crap in host names, code which operates on host names, and
> uses globbing code which does not proactively ensure that the
> characters are escaped before applying globbing rules, particularly
> interpreted globbing code, becomes vulnerable to exploits.

The 'national security' comment as made do the shifting of arguments.
We go to from the maxim of being generous to to accept and then to its
a security issue.  With respect to the underscore character, I see this
as a week argument when balanced against the breakage that happens to 
users.

> Specifically, say I have an interpreter that interprets variables
> with an underscore prefix.  By contacting my server written in this
> interpreter from a host whose reverse address has been set to
> include this character, you could exploit the fact that people who
> call the resolver library expect strict RFC-952 conformnace in the
> returned host names, and obtain escalated priviledges on my server
> system.

I would say the program is broken if it doesn't check its input.  If 
many
operating systems where doing this your argument would be much stronger.
Secondly, we are talking about underscores in the middle of a hostname 
so
your example is off.

> Mark is pointing out that this is not just a theoretical possibility,
> it was in fact exploited against sendmail on the systems you are
> holding up as examples (but it was *not* exploited on FreeBSD,
> because FreeBSD complies with RFC-952).

And I am not advocating removal of all the checks, just he addition of 
one
very annoying character that cause grief to those that have to work in 
a mixed
OS enviroment.

>> Bypassing the resolver is also not an option that most
>> users have available to them.
>
> All programmers have this option, if they have the option to
> use the resolver in the first place.  The API is well, if
> obscurely, documented.

Users != programmers so this statement is moot.  Users that simply wish 
to hit
a web site are the ones that bump into this issue.  You really expect 
them to
modify code?

>> This argument also implies that all the other OS mentioned have
>> a security problem because they don't do this type of checking.
>
> They do, if they are running a version of sendmail which does not
> specifically provide it's own wrappers, ensuring RFC-952 conformance.
>
> Check the CERT advisories.
>
> Note that sendmail now wraps the calls itself, in case the host OS
> is not conformant with RFC-952.  You will not be able to send or
> receive email from non-compliant systems on any system running a
> corrected version of sendmail that does this enforcement.

Just so you know, sendmail does not conform to RFC 952.  It protects 
itself sure,
but it allows host names to have an underscore in the host name if the 
underline
resolver allows.  I have not tested this beyond a couple of machines 
but this seems
to be the case.

>>>       If the name contains a underscore it is not a hostname by
>>>       definition.  Nothing stops you talking to the DNS directly
>>>       and entering IP literals.
>>
>> CNAME virtual hosts.
>>
>> I have mailed the patch to PR/50299 that makes it an optional 
>> behavior.
>> You can also find it here:
>>
>>    http://magus.nostrum.com/~daved/resolver_patch.txt
>
> I have no objection, in principle, to such a patch, as long as
> it's not enabled by the default configuration distributed with
> the system.
>
> HOWEVER, this particular patch is not sufficient to put the
> argument to rest.
>
> This should probably not be "allow_underscore" in the resolv.conf.
>
> Instead, you should probably have:
>
> 	allow_chars "_"
>
> You will also need an escape charachter, which is usually "\",
> for specifying things like the escape character, special characters,
> and quotation marks, e.g.:
>
> 	allow_chars "_\\\010\x17\""
>
> Since the systems you are talking about are broken vs. RFC-952 for
> more than just underscore.
>
> Otherwise, next week, we are going to have people asking us to
> allow the next character not in RFC-952, and there will be a
> proliferation of these options.

I don't really agree that their will be proliferation of addition 
characters.
I would argue that the underscore is a special case as it shows up way 
to often
from the Windows world.  In any case, the point is moot.  The PR was 
closed and so
spending any additional effort on this issue is now just a waste of 
time.

DaveD



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?8DBF2195-5FBF-11D7-8B57-0003930B3DA4>