Date: Sat, 21 Jul 2001 15:14:40 -0400 (EDT)
From: "Richard A. Steenbergen" <ras@e-gerbil.net>
To: Brian Somers
Cc: Jeroen Massar, 'Peter Pentchev', freebsd-security@FreeBSD.org, freebsd-gnats-submit@FreeBSD.org
Subject: Re: bin/22595: telnetd tricked into using arbitrary peer ip (was: telnetd suckage)
In-Reply-To: <200107211838.f6LIcNg76517@hak.lan.Awfulhak.org>

On Sat, 21 Jul 2001, Brian Somers wrote:

> > Brian Somers wrote:
> >
> > $ host -t ptr 10.0.0.1
> > 1.0.0.10.IN-ADDR.ARPA domain name pointer www.fbi.gov
> >
> > $ host -t a www.fbi.gov
> > www.fbi.gov has address 32.96.111.130
> >
> > And then your average dumb admin does a 'who' and oooooh... That dude is
> > leet, he/she/it logs in from www.fbi.gov
> > It's also great for your logs... "My box got hacked from www.fbi.gov,
> > the feds are on to me" nice quotes :)
>
> If you log in from 10.0.0.1 and the above resolutions are in effect,
> realhostname_sa() will put 10.0.0.1 in utmp.

I think the problem would be obvious from a security perspective. You'll
note that not only does the bad DNS name get passed to the system from
telnetd, but the bad IP, an arbitrary IP. Not only is it a perfect spoof
but it's easy to control from the attacker's side; they just need control
over a domain forward. Did you ever hear of a little thing called trusted
hosts? In fact, won't this be the IP that is passed to tcp wrappers and
other security checks?

> If realhostname*() doesn't see the PTR record pointing at a name that
> resolves back to the IP, it records the IP.
>
> > And like Richard says: THAT REALLY SUCKS.
>
> Which is a pretty useless statement.

Well, there are two solutions: stop using realhostname*() or make those
functions actually work. Anything which does reverse, forward, then
reverse again and takes the forward and reverse IPs is so broken that
calling it real anything is laughable at best. I figured that would be
blatantly obvious, sorry for the false assumption.

--
Richard A Steenbergen <ras@e-gerbil.net> http://www.e-gerbil.net/ras
PGP Key ID: 0x138EA177 (67 29 D7 BC E8 18 3E DA B2 46 B3 D8 14 36 FE B6)
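Added example, not code from this thread or from FreeBSD's libc: a forward-confirmed reverse lookup of the kind Brian describes, run against a constructed in-memory DNS table that reproduces the www.fbi.gov scenario above. It shows the property the bug report is about: the address handed to utmp, tcp wrappers or a trusted-host check must always be the socket's real peer address, and a PTR name is only accepted when one of its forward records maps back to that same address.

```python
import ipaddress
from typing import Callable, Dict, List, Tuple

# Constructed DNS data (assumption: stand-in for real lookups). The attacker
# controls the reverse zone for 10.0.0.1 and points it at a name they do not own.
PTR: Dict[str, str] = {
    "10.0.0.1": "www.fbi.gov",         # attacker-controlled PTR record
    "192.0.2.10": "shell.example.org", # honest PTR record
}
A: Dict[str, List[str]] = {
    "www.fbi.gov": ["32.96.111.130"],
    "shell.example.org": ["192.0.2.10"],
}

Resolver = Callable[[str, str], List[str]]

def table_resolver(qtype: str, name: str) -> List[str]:
    """Offline replacement for gethostbyaddr()/getaddrinfo() using the table above."""
    if qtype == "PTR":
        return [PTR[name]] if name in PTR else []
    return A.get(name, [])

def realhostname(peer_ip: str, resolve: Resolver = table_resolver) -> Tuple[str, str]:
    """Forward-confirmed reverse lookup.

    Returns (name_for_logs, address_for_checks). The address is always the
    peer address taken from the socket; the PTR name is only used if one of
    its forward (A) records is that very address. Nothing obtained from DNS
    ever replaces the peer address itself, which is the defect in bin/22595.
    """
    peer = ipaddress.ip_address(peer_ip)
    ptr_names = resolve("PTR", peer_ip)
    if not ptr_names:
        return peer_ip, peer_ip           # no PTR: log the bare address
    name = ptr_names[0]
    forward = {ipaddress.ip_address(a) for a in resolve("A", name)}
    if peer in forward:
        return name, peer_ip              # reverse and forward agree
    # Mismatch: the PTR points at a name whose A records do not include the
    # peer. Do NOT adopt the forward address; log the real peer as an IP.
    return peer_ip, peer_ip

def peer_is_trusted(peer_ip: str, trusted: List[str],
                    resolve: Resolver = table_resolver) -> bool:
    """Trusted-host style check that deliberately keys on the socket address."""
    _, addr = realhostname(peer_ip, resolve)
    return ipaddress.ip_address(addr) in {ipaddress.ip_address(t) for t in trusted}
```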