[10713] in bugtraq
Re: weaknesses in dns label decoding,
daemon@ATHENA.MIT.EDU (Alexandre Oliva)
Fri Jun 4 13:33:47 1999
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0
Message-Id: <orn1yh30u5.fsf@lua.lbi.dcc.unicamp.br>
Date: Thu, 3 Jun 1999 09:50:10 -0300
Reply-To: Alexandre Oliva <oliva@DCC.UNICAMP.BR>
From: Alexandre Oliva <oliva@DCC.UNICAMP.BR>
X-To: Dag-Erling Smorgrav <des@IFI.UIO.NO>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: Dag-Erling Smorgrav's message of "Wed, 2 Jun 1999 20:45:09 +0200"

On Jun 2, 1999, Dag-Erling Smorgrav <des@IFI.UIO.NO> wrote:
> bobk <bobk@SINISTER.COM> writes:
>> Imagine what could happen if some program did a strcmp() on the following
>> name:
>> rs.internic.net\0.xa.net
>> where, of course, \0 is a null
>> Interested readers may ponder what type of programs may be exploited with
>> this type of attack.
> Any .rhosts consumer. Xhost. Amanda (.amandahosts). Lpd (lpd.allow).
> What did I win?
:-)

Not Amanda. After reverse mapping the incoming IP address to a
hostname, it will look up the IP addresses for the hostname and make
sure the incoming IP address is one of the IP addresses listed for
that name, so only DNS spoofing or a lame DNS cache would get Amanda
in trouble.

It is true that it will also check whether the canonical name obtained
for the direct mapping is the same that it got in reverse mapping, and
it uses strncasecmp here, which means it might miss a difference in
case `\0' is part of the name, but I don't think this is a critical
check; only the IP checking is.

--
Alexandre Oliva http://www.dcc.unicamp.br/~oliva IC-Unicamp, Bra[sz]il
{oliva,Alexandre.Oliva}@dcc.unicamp.br aoliva@{acm.org,computer.org}
oliva@{gnu.org,kaffe.org,{egcs,sourceware}.cygnus.com,samba.org}
*** E-mail about software projects will be forwarded to mailing lists
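The two points in the exchange above, as an added example that is not code from the thread or from Amanda: a wire-format label decoder that emits the name bobk describes, the strcmp()/strncasecmp()-style consumers that stop at the embedded NUL, and the length-aware forward-confirmation check Oliva credits with keeping Amanda safe. The forward zone, the PTR answers and the 192.0.2.0/24 addresses are constructed test data; compression pointers are rejected rather than followed to keep the decoder short.

```c
/* Added example: embedded-NUL DNS names vs. strcmp() and forward-confirmed
   reverse lookups. Hostnames come from the thread; addresses are from the
   RFC 5737 documentation range and the zone contents are made up here. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */

#define NAME_MAX 255

/* Decode wire-format labels (length byte + bytes) into a dotted name.
   Returns the decoded byte count, or -1 on malformed input. Compression
   pointers (top two bits set) are rejected for brevity. With strict != 0,
   a label byte of NUL or '.' is rejected, since a dotted string cannot
   represent it without ambiguity. */
int decode_name(const uint8_t *wire, size_t wirelen, char *out, size_t outlen, int strict)
{
    size_t i = 0, o = 0;
    for (;;) {
        if (i >= wirelen) return -1;          /* no root label before end of data */
        uint8_t len = wire[i++];
        if (len == 0) break;                  /* root label terminates the name */
        if (len > 63 || i + len > wirelen) return -1;
        if (o + len + 2 > outlen) return -1;  /* room for '.', label and NUL */
        if (o > 0) out[o++] = '.';
        for (size_t k = 0; k < len; k++) {
            uint8_t c = wire[i + k];
            if (strict && (c == 0 || c == '.')) return -1;
            out[o++] = (char)c;
        }
        i += len;
    }
    out[o] = '\0';
    return (int)o;
}

/* Length-aware equality: a NUL inside `name` is just another differing byte. */
int name_equals(const char *name, size_t namelen, const char *trusted)
{
    size_t tl = strlen(trusted);
    return namelen == tl && memcmp(name, trusted, tl) == 0;
}

/* Constructed forward zone used for the confirmation step. */
struct a_record { const char *name; const char *addr; };
static const struct a_record FORWARD[] = {
    { "rs.internic.net", "192.0.2.10" },
    { "rs.internic.net", "192.0.2.11" },
    { "xa.net",          "192.0.2.99" },
};

/* The check Oliva describes: after PTR yields ptr_name, fetch its A records
   and require the connecting address to be one of them. */
int forward_confirmed(const char *ptr_name, size_t ptr_len, const char *client_ip)
{
    for (size_t i = 0; i < sizeof FORWARD / sizeof FORWARD[0]; i++)
        if (name_equals(ptr_name, ptr_len, FORWARD[i].name) &&
            strcmp(FORWARD[i].addr, client_ip) == 0)
            return 1;
    return 0;
}

/* Constructed PTR answers: a genuine one and one from an attacker-controlled
   reverse zone carrying labels "rs" "internic" "net\0" "xa" "net". */
static const uint8_t GOOD_PTR[] = {
    2,'r','s', 8,'i','n','t','e','r','n','i','c', 3,'n','e','t', 0 };
static const uint8_t EVIL_PTR[] = {
    2,'r','s', 8,'i','n','t','e','r','n','i','c', 4,'n','e','t',0,
    2,'x','a', 3,'n','e','t', 0 };

/* Naive consumer (.rhosts style): strcmp() stops at the embedded NUL. */
int naive_trusts(const uint8_t *wire, size_t wirelen)
{
    char name[NAME_MAX + 1];
    if (decode_name(wire, wirelen, name, sizeof name, 0) < 0) return 0;
    return strcmp(name, "rs.internic.net") == 0;
}

/* An strncasecmp comparison bounded by strlen(), in the style the thread
   mentions: strlen() itself stops at the NUL, so ".xa.net" is never seen. */
int canonical_matches_weak(const char *decoded, const char *canonical)
{
    return strncasecmp(decoded, canonical, strlen(decoded)) == 0;
}

/* Hardened consumer: strict decode, then forward-confirm the client address. */
int hardened_trusts(const uint8_t *wire, size_t wirelen, const char *client_ip)
{
    char name[NAME_MAX + 1];
    int n = decode_name(wire, wirelen, name, sizeof name, 1);
    if (n < 0) return 0;
    return name_equals(name, (size_t)n, "rs.internic.net") &&
           forward_confirmed(name, (size_t)n, client_ip);
}

int main(void)
{
    char name[NAME_MAX + 1];
    int n = decode_name(EVIL_PTR, sizeof EVIL_PTR, name, sizeof name, 0);
    printf("decoded %d bytes, strcmp sees \"%s\"\n", n, name);
    printf("naive trusts evil PTR:     %d\n", naive_trusts(EVIL_PTR, sizeof EVIL_PTR));
    printf("weak strncasecmp matches:  %d\n", canonical_matches_weak(name, "rs.internic.net"));
    printf("forward-confirmed (evil):  %d\n", forward_confirmed(name, (size_t)n, "192.0.2.99"));
    printf("hardened trusts good PTR:  %d\n", hardened_trusts(GOOD_PTR, sizeof GOOD_PTR, "192.0.2.10"));
    printf("hardened trusts evil PTR:  %d\n", hardened_trusts(EVIL_PTR, sizeof EVIL_PTR, "192.0.2.99"));
    return 0;
}
```

The point of the two consumers is the length: the naive path hands a NUL-terminated string to strcmp() and the trailing ".xa.net" vanishes, while forward_confirmed() carries the decoded byte count and never finds an A record for the 23-byte name, so the connecting address fails the check even if the attacker's reverse zone says whatever it likes.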