From owner-freebsd-security Sat Jul 21 12:21:39 2001
Delivered-To: freebsd-security@freebsd.org
Received: from overlord.e-gerbil.net (e-gerbil.net [207.91.110.247]) by hub.freebsd.org (Postfix) with ESMTP id 12C6237B401; Sat, 21 Jul 2001 12:21:37 -0700 (PDT) (envelope-from ras@e-gerbil.net)
Received: by overlord.e-gerbil.net (Postfix, from userid 1001) id 21A90E5004; Sat, 21 Jul 2001 15:21:35 -0400 (EDT)
Received: from localhost (localhost [127.0.0.1]) by overlord.e-gerbil.net (Postfix) with ESMTP id EDF7EE4CFC; Sat, 21 Jul 2001 15:21:34 -0400 (EDT)
Date: Sat, 21 Jul 2001 15:21:34 -0400 (EDT)
From: "Richard A. Steenbergen"
To: Brian Somers
Cc: Peter Pentchev, freebsd-security@FreeBSD.org, freebsd-gnats-submit@FreeBSD.org
Subject: Re: bin/22595: telnetd tricked into using arbitrary peer ip (was: telnetd suckage)
In-Reply-To: <200107211337.f6LDbag72093@hak.lan.Awfulhak.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Sat, 21 Jul 2001, Brian Somers wrote:

> The example in the PR means that someone connected from 199.95.76.12.

Sorry, at the time of the PR writing, that was the correct IP for www.senate.gov.

traceroute to 199.95.76.12 (199.95.76.12), 64 hops max, 40 byte packets
...
10 senate-gw3.customer.alter.net (157.130.33.182) 14.671 ms 14.310 ms 14.885 ms

It's very simple: You are 1.2.3.4, your reverse DNS is your.domain.com. You control domain.com, so you set up multiple CNAMEs for "your", one pointing to 1.2.3.4 and one pointing to the IP you wish to spoof (we'll call it 9.8.7.6). When you connect to telnet, it reverses 1.2.3.4 to your.domain.com, forwards your.domain.com to 9.8.7.6, reverses 9.8.7.6 to www.senate.gov, and passes on 9.8.7.6 to the rest of the system. Spoofing at its finest...
--
Richard A Steenbergen http://www.e-gerbil.net/ras
PGP Key ID: 0x138EA177 (67 29 D7 BC E8 18 3E DA B2 46 B3 D8 14 36 FE B6)

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
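As an added illustration, not taken from the mail or from the FreeBSD telnetd source, here is the flawed lookup flow the mail describes beside a forward-confirmed check that a daemon should do instead. A constructed in-memory table stands in for DNS so it runs offline; the addresses and names are the mail's own examples plus one extra constructed host (5.5.5.5 / fake.example) for the rejection case.

```python
from dataclasses import dataclass

# Constructed stand-in for the resolver (not real DNS data). The zone for
# your.domain.com publishes two addresses, as in the mail's setup, with the
# spoof target listed first so a naive "take the first answer" picks it up.
PTR = {"1.2.3.4": "your.domain.com", "9.8.7.6": "www.senate.gov",
       "5.5.5.5": "fake.example"}
A = {"your.domain.com": ["9.8.7.6", "1.2.3.4"],
     "www.senate.gov": ["9.8.7.6"],
     "fake.example": ["9.8.7.6"]}          # claims a name it does not own

def reverse_lookup(ip):
    return PTR.get(ip)

def forward_lookup(name):
    return A.get(name, [])

@dataclass
class PeerIdentity:
    ip: str    # address passed on to the rest of the system
    host: str  # hostname shown in logs / used for host-based checks

def naive_peer_identity(peer_ip):
    """The flow the mail describes: reverse the peer address, forward the
    resulting name, and trust whatever address comes back."""
    name = reverse_lookup(peer_ip)
    addrs = forward_lookup(name) if name else []
    if not addrs:
        return PeerIdentity(peer_ip, peer_ip)
    resolved_ip = addrs[0]
    return PeerIdentity(resolved_ip, reverse_lookup(resolved_ip) or resolved_ip)

def checked_peer_identity(peer_ip):
    """Forward-confirmed reverse DNS: the address passed on is always the
    socket's real peer address, and the reverse name is accepted only if
    its forward lookup includes that same address; otherwise fall back to
    the bare address literal."""
    name = reverse_lookup(peer_ip)
    if name is None or peer_ip not in forward_lookup(name):
        return PeerIdentity(peer_ip, peer_ip)
    return PeerIdentity(peer_ip, name)

if __name__ == "__main__":
    print("naive:  ", naive_peer_identity("1.2.3.4"))    # reports 9.8.7.6 / www.senate.gov
    print("checked:", checked_peer_identity("1.2.3.4"))  # keeps 1.2.3.4 / your.domain.com
    print("checked:", checked_peer_identity("5.5.5.5"))  # name rejected, literal kept
```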