From owner-freebsd-security Sat Jul 21 15:35: 3 2001
Delivered-To: freebsd-security@freebsd.org
Received: from Awfulhak.org (gw.Awfulhak.org [217.204.245.18]) by hub.freebsd.org (Postfix) with ESMTP id B77CC37B40A; Sat, 21 Jul 2001 15:34:34 -0700 (PDT) (envelope-from brian@Awfulhak.org)
Received: from hak.lan.Awfulhak.org (root@hak.lan.Awfulhak.org [172.16.0.12]) by Awfulhak.org (8.11.4/8.11.4) with ESMTP id f6LMYVL12752; Sat, 21 Jul 2001 23:34:32 +0100 (BST) (envelope-from brian@lan.Awfulhak.org)
Received: from hak.lan.Awfulhak.org (brian@localhost [127.0.0.1]) by hak.lan.Awfulhak.org (8.11.4/8.11.4) with ESMTP id f6LMYUg79964; Sat, 21 Jul 2001 23:34:30 +0100 (BST) (envelope-from brian@hak.lan.Awfulhak.org)
Message-Id: <200107212234.f6LMYUg79964@hak.lan.Awfulhak.org>
X-Mailer: exmh version 2.3.1 01/18/2001 with nmh-1.0.4
To: "Richard A. Steenbergen"
Cc: Brian Somers, Peter Pentchev, freebsd-security@FreeBSD.org, freebsd-gnats-submit@FreeBSD.org, brian@Awfulhak.org
Subject: Re: bin/22595: telnetd tricked into using arbitrary peer ip (was: telnetd suckage)
In-Reply-To: Message from "Richard A. Steenbergen" of "Sat, 21 Jul 2001 15:21:34 EDT."
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Sat, 21 Jul 2001 23:34:30 +0100
From: Brian Somers
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> On Sat, 21 Jul 2001, Brian Somers wrote:
>
> > The example in the PR means that someone connected from 199.95.76.12.
>
> Sorry, at the time of the PR writing, that was the correct IP for
> www.senate.gov.
>
> traceroute to 199.95.76.12 (199.95.76.12), 64 hops max, 40 byte packets
> ...
> 10 senate-gw3.customer.alter.net (157.130.33.182) 14.671 ms 14.310 ms 14.885 ms
>
> It's very simple:
>
> You are 1.2.3.4, your reverse dns is your.domain.com. You control
> domain.com, so you set up multiple CNAMES for "your", one pointing to
> 1.2.3.4 and one pointing to the IP you wish to spoof (we'll call it
> 9.8.7.6). When you connect to telnet, it reverses 1.2.3.4 to
> your.domain.com, forwards your.domain.com to 9.8.7.6, reverses 9.8.7.6 to
> www.senate.gov, and passes on 9.8.7.6 to the rest of the system.
>
> Spoofing at its finest...

I must be getting something wrong. I wrote this stuff, and wrote it so
that 1.2.3.4 is looked up giving your.domain.com, your.domain.com is
looked up to give 1.2.3.4 and 9.8.7.6. As 1.2.3.4 is correct,
your.domain.com is recorded in utmp (not 9.8.7.6).

Yes, there is a problem where we've basically trusted a DNS that we
don't own -- and that is a risk. But I can't see why 9.8.7.6 is
relevant, *except* that ``w -n'' may be mentioning it.

Am I misinterpreting things or is the real problem that a forward and
reverse DNS can both conspire against you? Or is the real problem just
``w''s -n flag?

> --
> Richard A Steenbergen http://www.e-gerbil.net/ras
> PGP Key ID: 0x138EA177 (67 29 D7 BC E8 18 3E DA B2 46 B3 D8 14 36 FE B6)

--
Brian http://www.freebsd-services.com/
Don't _EVER_ lose your sense of humour !

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
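The two readings in this exchange differ on one point: whether any address derived from DNS ever replaces the address the kernel reported for the socket. The following Python is an added illustration, not code from telnetd, from w, or from either poster. It implements the forward-confirmed reverse lookup that Brian describes (reverse the peer IP, forward the resulting name, accept the name only if the original peer IP is among the answers) against a constructed in-memory resolver that reproduces the two-address zone from the quoted message, and then contrasts two ways a numeric display could be produced: from the socket address, or by re-resolving the stored hostname, which is the ``w -n`` hazard Brian raises. The resolver tables, the names www.example.gov and fake.example, and the function names are assumptions made for the example.

```python
"""Forward-confirmed reverse DNS (FCrDNS) as described in the thread,
run against a constructed resolver.  Not telnetd's or w's real code."""

from dataclasses import dataclass

# Constructed zone data standing in for real DNS.  The attacker-controlled
# domain.com zone answers "your.domain.com" with both its real address and the
# address it wants to impersonate (9.8.7.6), the setup the quoted message
# describes.  www.example.gov is a placeholder for the impersonated host.
REVERSE = {
    "1.2.3.4": "your.domain.com",
    "9.8.7.6": "www.example.gov",
}
FORWARD = {
    "your.domain.com": ["9.8.7.6", "1.2.3.4"],  # spoof target listed first
    "www.example.gov": ["9.8.7.6"],
}


@dataclass(frozen=True)
class PeerIdentity:
    peer_ip: str        # from the socket; the only address we actually know
    display_name: str   # what is written to utmp / the log
    confirmed: bool     # True only if display_name forward-confirms to peer_ip


def forward_confirmed_reverse(peer_ip, reverse=REVERSE, forward=FORWARD):
    """Reverse-resolve peer_ip, forward-resolve the name, and accept the name
    only if the ORIGINAL peer_ip appears in the forward answers.  Any extra
    addresses in that answer (9.8.7.6 here) are ignored: the hostname may be
    recorded, but no DNS-derived address ever replaces the socket address."""
    name = reverse.get(peer_ip)
    if name is None:
        return PeerIdentity(peer_ip, peer_ip, False)
    if peer_ip in forward.get(name, []):
        return PeerIdentity(peer_ip, name, True)
    # Forward/reverse mismatch: record the raw address, not an unverified name.
    return PeerIdentity(peer_ip, peer_ip, False)


def numeric_from_socket(identity):
    """Safe numeric display: reuse the kernel-reported address."""
    return identity.peer_ip


def numeric_by_relookup(identity, forward=FORWARD):
    """The hazard behind the ``w -n`` question: reconstructing a numeric
    address by forward-resolving the stored hostname lets the name's owner
    choose what is shown.  Illustrative only; not how w is implemented."""
    answers = forward.get(identity.display_name)
    return answers[0] if answers else identity.display_name


if __name__ == "__main__":
    ident = forward_confirmed_reverse("1.2.3.4")
    print(ident)
    print("from socket:   ", numeric_from_socket(ident))
    print("by re-lookup:  ", numeric_by_relookup(ident))
```

With the constructed zone, the confirmed lookup records `your.domain.com` for a connection from 1.2.3.4 and never produces 9.8.7.6 itself; only the re-lookup path does, which is why a session display that re-resolves hostnames should be treated as showing the DNS owner's claim rather than the peer's address.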