Date: Fri, 3 Nov 2000 20:44:35 -0500 (EST)
From: Richard Steenbergen <ras@e-gerbil.net>
To: FreeBSD-gnats-submit@freebsd.org
Subject: bin/22595: telnetd tricked into using arbitrary peer ip
Message-ID: <20001104014435.46C9B5D7A@overlord.e-gerbil.net>
>Number:         22595
>Category:       bin
>Synopsis:       telnetd tricked into using arbitrary peer ip
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Nov 03 17:50:01 PST 2000
>Closed-Date:
>Last-Modified:
>Originator:     Richard A Steenbergen
>Release:        FreeBSD 5.0-CURRENT i386
>Organization:
>Environment:
>Description:

telnetd can be tricked into believing the source of the connection is any
arbitrary ip. This applies to realhostname[_sa]() functions.

telnetd uses realhostname_sa() to determine the remote hostname. The resolver
reverses the ip to real.hostname.com and then resolves forward. If the forward
dns has multiple cnames for round-robin load balancing it will resolve forward
to a different ip. That ip will then be reversed and that host and ip will be
used in telnetd. This poses obvious security implications.

    ras@overlord:docs> w
     8:36PM  up 3 days, 15:44, 19 users, load averages: 0.58, 0.51, 0.50
    USER     TTY      FROM              LOGIN@  IDLE WHAT
    ras      pl       www.senate.gov    6:46PM     9 -
    ras@overlord:docs> w -n
     8:37PM  up 3 days, 15:44, 19 users, load averages: 0.58, 0.51, 0.50
    USER     TTY      FROM              LOGIN@  IDLE WHAT
    ras      pl       199.95.76.12      6:46PM    10 -

>How-To-Repeat:

Add multiple cnames to the real hostname of the machine you're connecting
from, resolving to the ip you wish to spoof from.

>Fix:

make realhostname*() not suck

>Release-Note:
>Audit-Trail:
>Unformatted:

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message
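The lookup sequence the PR describes, and the consistency check a correct realhostname()-style routine needs, as an added example that is not part of the PR and not FreeBSD's libc code. The hostnames, addresses and the stub resolver tables are constructed (RFC 5737 documentation ranges) so the example runs offline; `hostname_as_reported()` is a model of the behaviour reported above, `hostname_verified()` is the check that prevents it.

```python
"""Reverse/forward DNS consistency check for a peer address.

Added example, not FreeBSD's realhostname_sa() code. It models the lookup
sequence described in the PR and the check a correct implementation needs.
A stub resolver backed by constructed tables replaces real DNS so the
example runs offline.
"""
from typing import Dict, List, Optional, Tuple

# Constructed zone data (RFC 5737 documentation ranges).
# 192.0.2.10 is the real peer; its reverse name points into a zone whose
# forward records are round-robin and list a different address first.
PTR: Dict[str, str] = {
    "192.0.2.10": "client.example.net",
    "203.0.113.5": "www.example.org",
    "198.51.100.7": "www.example.org",   # PTR claims a name it does not own
}
FORWARD: Dict[str, List[str]] = {
    "client.example.net": ["203.0.113.5", "192.0.2.10"],
    "www.example.org": ["203.0.113.5"],
}


def lookup_ptr(ip: str, ptr: Dict[str, str] = PTR) -> Optional[str]:
    """Reverse lookup (PTR) against the constructed stub resolver."""
    return ptr.get(ip)


def lookup_forward(name: str, fwd: Dict[str, List[str]] = FORWARD) -> List[str]:
    """Forward lookup (A records) against the constructed stub resolver."""
    return fwd.get(name, [])


def hostname_as_reported(peer_ip: str) -> Tuple[str, str]:
    """Model of the behaviour the PR describes: reverse the peer, resolve
    that name forward, take the first answer, reverse it again, and report
    the result. Returns (name shown by `w`, address shown by `w -n`)."""
    name = lookup_ptr(peer_ip)
    if name is None:
        return peer_ip, peer_ip
    addrs = lookup_forward(name)
    if not addrs:
        return peer_ip, peer_ip
    chosen = addrs[0]            # first round-robin answer, not necessarily the peer
    return lookup_ptr(chosen) or chosen, chosen


def hostname_verified(peer_ip: str) -> Tuple[str, str]:
    """Correct check: the PTR name is accepted only if its forward records
    contain the address the connection actually came from. On any mismatch
    the numeric address is reported, and the peer address itself is never
    replaced by anything the resolver returned."""
    name = lookup_ptr(peer_ip)
    if name is None:
        return peer_ip, peer_ip
    if peer_ip not in lookup_forward(name):
        return peer_ip, peer_ip  # forward/reverse mismatch: do not trust the PTR
    return name, peer_ip


if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.7", "203.0.113.9"):
        print(ip, "reported:", hostname_as_reported(ip),
              "verified:", hostname_verified(ip))
```

For the real peer 192.0.2.10 the modelled routine reports www.example.org / 203.0.113.5 (a host the connection never came from), while the verified routine reports client.example.net / 192.0.2.10; for a PTR that points at a name whose forward records do not include the peer at all, the verified routine falls back to the numeric address rather than to a third party's name.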
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20001104014435.46C9B5D7A>