Date:      Sat, 21 Jul 2001 15:14:40 -0400 (EDT)
From:      "Richard A. Steenbergen" <ras@e-gerbil.net>
To:        Brian Somers <brian@Awfulhak.org>
Cc:        Jeroen Massar <jeroen@unfix.org>, 'Peter Pentchev' <roam@orbitel.bg>, freebsd-security@FreeBSD.org, freebsd-gnats-submit@FreeBSD.org
Subject:   Re: bin/22595: telnetd tricked into using arbitrary peer ip (was: telnetd suckage) 
Message-ID:  <Pine.BSF.4.21.0107211506000.53680-100000@overlord.e-gerbil.net>
In-Reply-To: <200107211838.f6LIcNg76517@hak.lan.Awfulhak.org>

On Sat, 21 Jul 2001, Brian Somers wrote:

> > Brian Somers wrote:
> > 
> > $ host -t ptr 10.0.0.1
> > 1.0.0.10.IN-ADDR.ARPA domain name pointer www.fbi.gov
> > 
> > $ host -t a www.fbi.gov
> > www.fbi.gov has address 32.96.111.130
> > 
> > And then your average dumb admin does a 'who' and oooooh... That dude is
> > leet he/she/it logs in from www.fbi.gov
> > It's also great for your logs... "My box got hacked from www.fbi.gov,
> > the feds are on to me" nice quotes :)
> 
> If you log in from 10.0.0.1 and the above resolutions are in effect, 
> realhostname_sa() will put 10.0.0.1 in utmp.

I think the problem would be obvious from a security perspective. You'll
note that not only does the bad dns get passed to the system from telnetd,
but the bad IP, an arbitrary IP. Not only is it a perfect spoof but it's
easy to control from the attacker's side, they just need control over a
domain forward. Did you ever hear of a little thing called trusted hosts?
In fact, won't this be the IP that is passed to tcp wrappers and other
security checks?

> If realhostname*() doesn't see the PTR record pointing at a name that 
> resolves back to the IP, it records the IP.
> 
> > And like Richard says: THAT REALLY SUCKS.
> 
> Which is a pretty useless statement.

Well there are two solutions, stop using realhostname*() or make those
functions actually work. Anything which does reverse forward then reverse
again and takes the forward and reverse IPs is so broken that calling it
real anything is laughable at best. I figured that would be blatantly
obvious, sorry for the false assumption.

-- 
Richard A Steenbergen <ras@e-gerbil.net>       http://www.e-gerbil.net/ras
PGP Key ID: 0x138EA177  (67 29 D7 BC E8 18 3E DA  B2 46 B3 D8 14 36 FE B6)
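The forward-confirmed reverse lookup that Brian describes (keep the PTR name only if it resolves forward to the peer's own address, otherwise record the numeric address), as an added example that is not FreeBSD's realhostname_sa() code. The DNS records and the two resolver functions are constructed stand-ins so it runs offline; `naive_hostname` shows the unconfirmed lookup that the spoofed PTR in the thread fools. Beyond what the thread discusses, `real_hostname` also rejects PTR names that are not valid hostname syntax, so a crafted reverse record cannot push arbitrary characters into utmp or a log line even when it forward-confirms.

```python
"""Forward-confirmed reverse DNS (FCrDNS) for recording a peer's hostname.

Added example, not FreeBSD's realhostname_sa(). The resolver is injected so
the check can be exercised against constructed records without network access.
"""
import ipaddress
import re
from typing import Callable, List

# Constructed records mirroring the thread's example: whoever controls the
# reverse zone for 10.0.0.1 points it at www.fbi.gov, but the forward zone
# for fbi.gov answers 32.96.111.130, not 10.0.0.1. The remaining entries use
# RFC 5737 documentation addresses and are also constructed.
PTR_RECORDS = {
    "10.0.0.1": ["www.fbi.gov"],            # spoofed reverse record
    "192.0.2.7": ["host7.example.net"],     # honest, single A record
    "192.0.2.9": ["multi.example.net"],     # honest, multi-homed name
    "198.51.100.5": ["evil\nname"],         # forward-confirms but bad syntax
}
A_RECORDS = {
    "www.fbi.gov": ["32.96.111.130"],
    "host7.example.net": ["192.0.2.7"],
    "multi.example.net": ["192.0.2.8", "192.0.2.9"],
    "evil\nname": ["198.51.100.5"],
}

# RFC 1123 hostname syntax: labels of 1-63 letters/digits/hyphens, no leading
# or trailing hyphen, 253 characters overall, no whitespace or control chars.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def lookup_ptr(ip: str) -> List[str]:
    """Stand-in reverse lookup over the constructed PTR table."""
    return PTR_RECORDS.get(ip, [])


def lookup_a(name: str) -> List[str]:
    """Stand-in forward lookup over the constructed A table."""
    return A_RECORDS.get(name, [])


def naive_hostname(ip: str, ptr: Callable[[str], List[str]] = lookup_ptr) -> str:
    """Trust the PTR record alone. This is what the spoof in the thread fools:
    the owner of the reverse zone chooses whatever name gets logged."""
    names = ptr(ip)
    return names[0] if names else ip


def real_hostname(ip: str,
                  ptr: Callable[[str], List[str]] = lookup_ptr,
                  fwd: Callable[[str], List[str]] = lookup_a) -> str:
    """Return a PTR name only if it resolves forward to the peer address;
    otherwise fall back to the numeric address, as the thread describes."""
    addr = ipaddress.ip_address(ip)          # validates and normalises the peer IP
    for name in ptr(str(addr)):
        if not HOSTNAME_RE.match(name):      # never log a syntactically bad name
            continue
        try:
            forward = {ipaddress.ip_address(a) for a in fwd(name)}
        except ValueError:                   # garbage in the forward answer
            continue
        if addr in forward:                  # forward-confirmed: safe to record
            return name
    return str(addr)                         # unconfirmed: record the IP itself


if __name__ == "__main__":
    for peer in PTR_RECORDS:
        print(f"{peer:14} naive={naive_hostname(peer):20} confirmed={real_hostname(peer)}")
```

Because the attacker in the thread controls only the reverse zone for their own address block, the forward lookup of the name they chose answers an address they do not own, and the confirmed variant records 10.0.0.1 rather than www.fbi.gov. Any downstream consumer of the recorded value (utmp, tcp wrappers, a trusted-hosts file) should be fed the result of `real_hostname`, not `naive_hostname`.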