Date:      Sat, 21 Jul 2001 23:34:30 +0100
From:      Brian Somers <brian@Awfulhak.org>
To:        "Richard A. Steenbergen" <ras@e-gerbil.net>
Cc:        Brian Somers <brian@Awfulhak.org>, Peter Pentchev <roam@orbitel.bg>, freebsd-security@FreeBSD.org, freebsd-gnats-submit@FreeBSD.org, brian@Awfulhak.org
Subject:   Re: bin/22595: telnetd tricked into using arbitrary peer ip (was: telnetd suckage) 
Message-ID:  <200107212234.f6LMYUg79964@hak.lan.Awfulhak.org>
In-Reply-To: Message from "Richard A. Steenbergen" <ras@e-gerbil.net>  of "Sat, 21 Jul 2001 15:21:34 EDT." <Pine.BSF.4.21.0107211517160.53680-100000@overlord.e-gerbil.net> 

> On Sat, 21 Jul 2001, Brian Somers wrote:
> 
> > The example in the PR means that someone connected from 199.95.76.12.
> 
> Sorry, at the time of the PR writing, that was the correct IP for
> www.senate.gov.
> 
> traceroute to 199.95.76.12 (199.95.76.12), 64 hops max, 40 byte packets
> ...
> 10  senate-gw3.customer.alter.net (157.130.33.182)  14.671 ms  14.310 ms  14.885 ms
> 
> It's very simple:
> 
> You are 1.2.3.4, your reverse dns is your.domain.com. You control
> domain.com, so you setup multiple CNAMES for "your", one pointing to
> 1.2.3.4 and one pointing to the IP you wish to spoof (we'll call it
> 9.8.7.6). When you connect to telnet, it reverses 1.2.3.4 to
> your.domain.com, forwards your.domain.com to 9.8.7.6, reverses 9.8.7.6 to
> www.senate.gov, and passes on 9.8.7.6 to the rest of the system.
> 
> Spoofing at its finest...

I must be getting something wrong.  I wrote this stuff, and wrote it 
so that 1.2.3.4 is looked up giving your.domain.com, your.domain.com 
is looked up to give 1.2.3.4 and 9.8.7.6.  As 1.2.3.4 is correct, 
your.domain.com is recorded in utmp (not 9.8.7.6).

Yes, there is a problem where we've basically trusted a DNS that we 
don't own -- and that is a risk.  But I can't see why 9.8.7.6 is 
relevant, *except* that ``w -n'' may be mentioning it.

Am I misinterpreting things or is the real problem that a forward and 
reverse DNS can both conspire against you?  Or is the real problem 
just ``w''s -n flag?

> -- 
> Richard A Steenbergen <ras@e-gerbil.net>       http://www.e-gerbil.net/ras
> PGP Key ID: 0x138EA177  (67 29 D7 BC E8 18 3E DA  B2 46 B3 D8 14 36 FE B6)

-- 
Brian <brian@freebsd-services.com>                <brian@Awfulhak.org>
      http://www.freebsd-services.com/        <brian@[uk.]FreeBSD.org>
Don't _EVER_ lose your sense of humour !      <brian@[uk.]OpenBSD.org>
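The two lookup strategies argued over in this thread, side by side, as an added example that is not from the original messages or from the FreeBSD telnetd source. It simulates the resolver with constructed PTR and A data (the attacker controls domain.com and the reverse zone for 1.2.3.4; www.senate.gov and the addresses are the placeholders from the thread, not real records), so it runs offline. `naive_peer_identity` follows the chain Richard describes (PTR, then the first forward address, then a second PTR) and hands on the spoofed address; `fcrdns_peer_identity` does the forward-confirmed check Brian describes, recording the PTR name only if the original peer address is among that name's forward addresses and falling back to the numeric address otherwise. A second constructed case, a PTR record that lies without a cooperating forward zone, shows why the confirmation step matters on its own.

```python
"""Forward-confirmed reverse DNS (FCrDNS) versus a naive reverse/forward chain.

Constructed zone data for the scenario in the thread.  Nothing here performs a
real DNS query; in a real daemon the two dictionaries would be replaced by
gethostbyaddr()/getaddrinfo() calls against a resolver the server does not own.
"""

# Constructed PTR (reverse) data.  The attacker controls the reverse zone for
# 1.2.3.4 and has a second address, 5.6.7.8, whose PTR simply lies.
PTR_RECORDS = {
    "1.2.3.4": "your.domain.com",   # attacker's genuine name
    "9.8.7.6": "www.senate.gov",    # the victim's real reverse record
    "5.6.7.8": "www.senate.gov",    # PTR-only lie, no cooperating A record
}

# Constructed A (forward) data.  The attacker lists the address to impersonate
# *first* so that anything taking "the first address" picks it up.
A_RECORDS = {
    "your.domain.com": ["9.8.7.6", "1.2.3.4"],
    "www.senate.gov": ["9.8.7.6"],
}


def reverse_lookup(ip):
    """PTR lookup against the constructed zone; None when no record exists."""
    return PTR_RECORDS.get(ip)


def forward_lookup(name):
    """A lookup against the constructed zone; empty list when no record exists."""
    return A_RECORDS.get(name, [])


def naive_peer_identity(peer_ip):
    """The chain described in the thread: PTR -> first A -> PTR of that A.

    Returns (address, name) as the server would record them.  Because the
    forward step trusts attacker-controlled data, the address handed on is
    whatever the attacker put first in the A record set.
    """
    name = reverse_lookup(peer_ip)
    if name is None:
        return peer_ip, None
    addresses = forward_lookup(name)
    if not addresses:
        return peer_ip, None
    chosen = addresses[0]                     # trusts the peer's forward zone
    return chosen, reverse_lookup(chosen)     # second PTR gives the spoofed name


def fcrdns_peer_identity(peer_ip):
    """Forward-confirmed reverse DNS.

    The address recorded is always the one the connection actually came from.
    The PTR name is kept only if a forward lookup of that name contains the
    original address; otherwise the name is dropped and only the address is
    recorded.  Returns (address, name_or_None).
    """
    name = reverse_lookup(peer_ip)
    if name is None:
        return peer_ip, None
    if peer_ip in forward_lookup(name):
        return peer_ip, name                  # confirmed: record the name
    return peer_ip, None                      # PTR lied: record the bare address


if __name__ == "__main__":
    for ip in ("1.2.3.4", "5.6.7.8", "10.0.0.1"):
        print(ip, "naive ->", naive_peer_identity(ip),
              "fcrdns ->", fcrdns_peer_identity(ip))
```

With the attacker's zones as constructed above, the naive chain records the connection from 1.2.3.4 as coming from 9.8.7.6 / www.senate.gov, while the forward-confirmed check records 1.2.3.4 / your.domain.com, which is attacker-owned but truthful. The confirmed check cannot stop a peer who controls both its forward and reverse zones from choosing its own name, which is the residual risk Brian points at; it only guarantees that the address logged is the one the packets came from and that a PTR record alone cannot assert a name it does not own.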



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200107212234.f6LMYUg79964>