From owner-freebsd-bugs Fri Nov 3 17:50: 9 2000
Delivered-To: freebsd-bugs@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21])
    by hub.freebsd.org (Postfix) with ESMTP id 9BEBF37B4D7
    for ; Fri, 3 Nov 2000 17:50:01 -0800 (PST)
Received: (from gnats@localhost)
    by freefall.freebsd.org (8.9.3/8.9.2) id RAA27031;
    Fri, 3 Nov 2000 17:50:01 -0800 (PST)
    (envelope-from gnats@FreeBSD.org)
Received: from overlord.e-gerbil.net (e-gerbil.net [207.91.110.247])
    by hub.freebsd.org (Postfix) with ESMTP id 1F71A37B4CF
    for ; Fri, 3 Nov 2000 17:44:36 -0800 (PST)
Received: by overlord.e-gerbil.net (Postfix, from userid 1000)
    id 46C9B5D7A; Fri, 3 Nov 2000 20:44:35 -0500 (EST)
Message-Id: <20001104014435.46C9B5D7A@overlord.e-gerbil.net>
Date: Fri, 3 Nov 2000 20:44:35 -0500 (EST)
From: Richard Steenbergen
Reply-To: ras@e-gerbil.net
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.2
Subject: bin/22595: telnetd tricked into using arbitrary peer ip
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Number:         22595
>Category:       bin
>Synopsis:       telnetd tricked into using arbitrary peer ip
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Nov 03 17:50:01 PST 2000
>Closed-Date:
>Last-Modified:
>Originator:     Richard A Steenbergen
>Release:        FreeBSD 5.0-CURRENT i386
>Organization:
>Environment:
>Description:

telnetd can be tricked into believing the source of the connection is any
arbitrary IP. This applies to the realhostname[_sa]() functions.

telnetd uses realhostname_sa() to determine the remote hostname. The resolver
reverses the IP to real.hostname.com and then resolves forward. If the forward
DNS has multiple CNAMEs for round-robin load balancing, it will resolve forward
to a different IP. That IP will then be reversed, and that host and IP will be
used in telnetd.

This poses obvious security implications.

ras@overlord:docs> w
 8:36PM  up 3 days, 15:44, 19 users, load averages: 0.58, 0.51, 0.50
USER     TTY  FROM              LOGIN@  IDLE WHAT
ras      pl   www.senate.gov    6:46PM     9 -

ras@overlord:docs> w -n
 8:37PM  up 3 days, 15:44, 19 users, load averages: 0.58, 0.51, 0.50
USER     TTY  FROM              LOGIN@  IDLE WHAT
ras      pl   199.95.76.12      6:46PM    10 -

>How-To-Repeat:

Add multiple CNAMEs to the real hostname of the machine you're connecting from,
resolving to the IP you wish to spoof from.

>Fix:

make realhostname*() not suck

>Release-Note:
>Audit-Trail:
>Unformatted:

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message
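The lookup sequence the report describes (reverse the peer address to a name, resolve the name forward, then trust whatever address comes back and reverse that again) is reproduced below next to the check that closes the hole: accept the PTR name only if one of its forward addresses is exactly the address the peer connected from, and always record the real peer address. This is an added example, not code from the PR, from FreeBSD's libutil, or from telnetd. The resolver is a constructed in-memory table so it runs offline; every name and address in it is hypothetical (documentation ranges), and the round-robin the report attributes to "multiple cnames" is modelled as multiple A records for one name, which is what a resolver sees after CNAME chasing.

```python
"""Forward-confirmed reverse DNS (FCrDNS) versus the flawed reverse/forward
dance described in PR bin/22595.

Added example; not the FreeBSD realhostname_sa() implementation. The zone
data below is constructed and hypothetical so the script runs offline.
"""
from typing import Dict, List, Optional, Tuple

# Constructed reverse zone: the attacker controls the PTR records for the
# addresses they connect from.
PTR: Dict[str, str] = {
    "198.51.100.7": "host.attacker.example",  # attacker's real address, honest PTR
    "203.0.113.5": "www.target.example",      # attacker's address, lying PTR
    "192.0.2.12": "www.target.example",       # the victim address being spoofed
}

# Constructed forward zone. host.attacker.example is "round-robin": the first
# answer is the victim's address, not the attacker's.
A: Dict[str, List[str]] = {
    "host.attacker.example": ["192.0.2.12", "198.51.100.7"],
    "www.target.example": ["192.0.2.12"],
}


def reverse(ip: str) -> Optional[str]:
    """PTR lookup against the constructed table (stands in for gethostbyaddr)."""
    return PTR.get(ip)


def forward(name: str) -> List[str]:
    """A lookup against the constructed table (stands in for gethostbyname)."""
    return A.get(name, [])


def realhostname_flawed(peer_ip: str) -> Tuple[str, str]:
    """The behaviour the PR describes.

    Reverse the peer, resolve the name forward, take the first address the
    forward lookup returns, and reverse *that* to get the name and address
    that end up in utmp. Nothing checks that the forward answer is the
    address the peer actually connected from.
    Returns (hostname, ip) as they would be recorded.
    """
    name = reverse(peer_ip)
    if name is None:
        return peer_ip, peer_ip
    addrs = forward(name)
    if not addrs:
        return peer_ip, peer_ip
    confirmed_ip = addrs[0]  # bug: may be any address the attacker's zone lists
    confirmed_name = reverse(confirmed_ip) or confirmed_ip
    return confirmed_name, confirmed_ip


def realhostname_fcrdns(peer_ip: str) -> Tuple[str, str]:
    """Forward-confirmed reverse DNS.

    The PTR name is accepted only if the forward lookup of that name contains
    exactly the address the peer connected from; otherwise the bare address
    is logged. The recorded address is always the real peer address, so the
    attacker can at most choose a name they genuinely control.
    """
    name = reverse(peer_ip)
    if name is not None and peer_ip in forward(name):
        return name, peer_ip
    return peer_ip, peer_ip


if __name__ == "__main__":
    for ip in ("198.51.100.7", "203.0.113.5"):
        print(f"peer {ip}: flawed -> {realhostname_flawed(ip)}, "
              f"fcrdns -> {realhostname_fcrdns(ip)}")
```

With the flawed lookup both attacker addresses are recorded as `www.target.example` / `192.0.2.12`, which is why `w -n` in the report shows a spoofed numeric address and not just a spoofed name. With the forward-confirmed check the round-robin host keeps its own (attacker-controlled but truthful) name and real address, and the lying PTR is discarded in favour of the bare address.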