
Re: Internet Worm

daemon@ATHENA.MIT.EDU (smb@research.att.com)
Wed Oct 19 21:36:16 1994

From: smb@research.att.com
To: jim@Tadpole.COM
Cc: ccsis@bath.ac.uk, seeger@cis.ufl.edu, bugtraq@fc.net
Date: Wed, 19 Oct 94 19:44:08 EDT

	 > When ypserv does dns lookups on behalf of its clients with the -b hack,
	 > it is using libresolv, so this case also involves Sun's mucking.

	 Ok, I've always been speaking about libc(shared or not) here, 
	 and at least two of you are now speaking about libresolv.a.

	 Was I confused, or did someone change the subject?

	 Yes, the gethostbyaddr() call in libresolv has the reverse lookup.
	 No, it's done in a different place inside ypserv.  ypserv has its
	 own, special version of the resolver library, and does:

	         if (!found_addr) {  /* we've been spoofed */
	                 syslog(LOG_CRIT, "nres_gethostbyaddr: %s != %s",
	                        temp->name, inet_ntoa(temp->theaddr));
	                 theans = NULL;
	                 temp->h_errno = HOST_NOT_FOUND;
	         }

	 in nres_dorecv().

Well, some folks (like us) have put DNS routines into the shared libc,
so that everything not statically linked uses the DNS without needing
NIS.

But that's not the real point.  The real point of this discussion is 
that Sun has chosen (rightly, in my opinion) to put the cross-check
into the libraries, rather than the applications.  Thus, Sun's rshd
and rlogind *don't* do the check themselves.  If you replace the resolver
routines with ones that don't do the cross-check, you've opened up a
great gaping security hole.
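The cross-check this thread is about, written out as an added example (not code from ypserv, Sun's resolver, or the poster): once a PTR lookup has produced a name, the forward records for that name must contain the original address, otherwise the answer is discarded and the caller sees "host not found". The forward-record table, host names and addresses below are constructed so the example runs offline.

```c
/* Added example of the reverse-then-forward resolver cross-check.
 * The forward table is a constructed stand-in for the A-record lookup. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <syslog.h>

/* Constructed data: name -> its forward (A-record) addresses. */
struct fwd_entry { const char *name; const char *addrs[3]; };
static const struct fwd_entry fwd_table[] = {
    { "trusted.example", { "192.0.2.10", "192.0.2.11", NULL } },
    { "other.example",   { "198.51.100.7", NULL, NULL } },
};

/* Returns 1 if addr_str appears among the forward records for ptr_name
 * (the name the PTR lookup returned), 0 otherwise.  Only a 1 means the
 * PTR answer may be trusted by callers such as rshd/rlogind. */
int verify_reverse(const char *addr_str, const char *ptr_name)
{
    struct in_addr want, got;
    if (inet_pton(AF_INET, addr_str, &want) != 1)
        return 0;                       /* malformed address: not found */
    for (size_t i = 0; i < sizeof fwd_table / sizeof fwd_table[0]; i++) {
        if (strcasecmp(fwd_table[i].name, ptr_name) != 0)
            continue;
        for (int j = 0; fwd_table[i].addrs[j] != NULL; j++) {
            if (inet_pton(AF_INET, fwd_table[i].addrs[j], &got) == 1 &&
                got.s_addr == want.s_addr)
                return 1;               /* forward record confirms the PTR */
        }
    }
    /* Same shape as the ypserv branch quoted above: log the mismatch and
     * hand back "not found" instead of the unverified name. */
    syslog(LOG_CRIT, "verify_reverse: %s != %s", ptr_name, addr_str);
    return 0;
}

int main(void)
{
    /* Genuine PTR: A record for trusted.example includes 192.0.2.10. */
    printf("%d\n", verify_reverse("192.0.2.10", "trusted.example"));  /* 1 */
    /* Spoofed PTR: 203.0.113.9 claims trusted.example; A records disagree. */
    printf("%d\n", verify_reverse("203.0.113.9", "trusted.example")); /* 0 */
    return 0;
}
```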
