[nsp-sec] [Fwd: PTR localhost attack?]
David Freedman
david.freedman at uk.clara.net
Thu Aug 6 08:49:06 EDT 2009
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Forwarded from another mailing list, seems like a rather lame attempt
but may be of some interest to the community.
Dave.
- --------------------------------------------------------------
Hi All,
Whilst tailing some logs, I came across the following IP address. It
would seem they have a PTR record returning localhost. Whilst this
could obviously be an oversight, it does feel odd that a Vietnam
allocated IP would have reason to access this server.
$ host 222.253.138.210
210.138.253.222.in-addr.arpa domain name pointer localhost.
This made me wonder if this is a potential vector for attack. If the
rdns of an IP is checked in a poorly written application (ignoring
forward resolving of localhost via /etc/hosts), and is satisfied it is
infact localhost, then the IP address would be granted privileges
normally authorised only to localhost/127.0.0.1.
Has anybody previously come across this?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iEYEARECAAYFAkp60UIACgkQtFWeqpgEZrLmTwCgjebW47pYtLNBWZlcObCjKK21
JG4An1mcKoXsioO5nGmzo6uMY+N12uGN
=n6MV
-----END PGP SIGNATURE-----
More information about the nsp-security
mailing list