Date:      Sat, 21 Jul 2001 15:21:34 -0400 (EDT)
From:      "Richard A. Steenbergen" <ras@e-gerbil.net>
To:        Brian Somers <brian@Awfulhak.org>
Cc:        Peter Pentchev <roam@orbitel.bg>, freebsd-security@FreeBSD.org, freebsd-gnats-submit@FreeBSD.org
Subject:   Re: bin/22595: telnetd tricked into using arbitrary peer ip (was: telnetd suckage)
Message-ID:  <Pine.BSF.4.21.0107211517160.53680-100000@overlord.e-gerbil.net>
In-Reply-To: <200107211337.f6LDbag72093@hak.lan.Awfulhak.org>

On Sat, 21 Jul 2001, Brian Somers wrote:

> The example in the PR means that someone connected from 199.95.76.12.

Sorry, at the time of the PR writing, that was the correct IP for
www.senate.gov.

traceroute to 199.95.76.12 (199.95.76.12), 64 hops max, 40 byte packets
...
10  senate-gw3.customer.alter.net (157.130.33.182)  14.671 ms  14.310 ms  14.885 ms

It's very simple:

You are 1.2.3.4, your reverse dns is your.domain.com. You control
domain.com, so you setup multiple CNAMES for "your", one pointing to
1.2.3.4 and one pointing to the IP you wish to spoof (we'll call it
9.8.7.6). When you connect to telnet, it reverses 1.2.3.4 to
your.domain.com, forwards your.domain.com to 9.8.7.6, reverses 9.8.7.6 to
www.senate.gov, and passes on 9.8.7.6 to the rest of the system.

Spoofing at its finest...

-- 
Richard A Steenbergen <ras@e-gerbil.net>       http://www.e-gerbil.net/ras
PGP Key ID: 0x138EA177  (67 29 D7 BC E8 18 3E DA  B2 46 B3 D8 14 36 FE B6)
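
The chain described in the message above (reverse the peer address, forward the resulting name, reverse that, hand the forward result to the rest of the system), as an added example that is not part of the original thread or of FreeBSD's telnetd. The resolver is simulated with constructed PTR and A tables so it runs offline; the hostnames and addresses are taken from the message and the extra hosts (honest.example, 5.6.7.8, 10.0.0.9) are assumptions. The second function shows the forward-confirmed reverse DNS check that defeats the trick: the name is only trusted if the forward lookup contains the address the socket actually came from, and the address passed downstream is always the socket's peer address, never one derived from DNS.

```python
"""Simulated double-reverse DNS spoof and the forward-confirmed check that stops it."""

# Constructed zone data for the example (not real DNS records).
# The attacker controls domain.com and publishes two A records for
# "your.domain.com": its real address and the address it wants to impersonate.
PTR = {
    "1.2.3.4": "your.domain.com",   # attacker's real reverse mapping
    "9.8.7.6": "www.senate.gov",    # victim address the attacker wants to appear as
    "5.6.7.8": "honest.example",    # well-behaved host (assumed)
    "10.0.0.9": "stale.example",    # PTR whose name no longer resolves (assumed)
}
A = {
    "your.domain.com": ["9.8.7.6", "1.2.3.4"],  # spoof target listed first
    "www.senate.gov": ["9.8.7.6"],
    "honest.example": ["5.6.7.8"],
}


def gethostbyaddr(ip: str):
    """Reverse lookup: address -> name, or None."""
    return PTR.get(ip)


def gethostbyname_all(name: str):
    """Forward lookup: name -> all addresses (empty list if unknown)."""
    return list(A.get(name, []))


def vulnerable_peer_identity(peer_ip: str):
    """Mirror the flawed chain: reverse, forward, reverse again, then pass on the
    address obtained from the *forward* lookup instead of the socket's peer address.
    Returns (hostname, address) as the rest of the system would see them."""
    name = gethostbyaddr(peer_ip)
    if name is None:
        return peer_ip, peer_ip
    forward = gethostbyname_all(name)
    if not forward:
        return name, peer_ip
    chosen_ip = forward[0]                       # first A record wins
    final_name = gethostbyaddr(chosen_ip) or name
    return final_name, chosen_ip                 # DNS-derived address leaks downstream


def fcrdns_peer_identity(peer_ip: str):
    """Forward-confirmed reverse DNS. The name is accepted only if the forward
    lookup of the PTR result contains the real peer address; the address handed
    downstream is always the socket's own peer address."""
    name = gethostbyaddr(peer_ip)
    if name is None:
        return None, peer_ip
    if peer_ip not in gethostbyname_all(name):
        return None, peer_ip                     # mismatch: do not trust the name
    return name, peer_ip


if __name__ == "__main__":
    for ip in ("1.2.3.4", "5.6.7.8", "10.0.0.9"):
        print(ip, "flawed ->", vulnerable_peer_identity(ip),
              "| fcrdns ->", fcrdns_peer_identity(ip))
```

With the attacker's extra A record the flawed chain reports the connection as coming from www.senate.gov at 9.8.7.6, while the forward-confirmed version still reports your.domain.com at 1.2.3.4: adding more A records to a name you control cannot change which address the socket is bound to, so anything downstream (hosts.allow, logging, r-command style trust) must key off that address.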

