[nsp-sec] [Fwd: PTR localhost attack?]
Thomas Hungenberg
th.lab at hungenberg.net
Thu Aug 6 09:21:49 EDT 2009
Heise published an article on this today (German language):
<http://www.heise.de/security/Namens-Trick-oeffnet-Mailserver--/news/meldung/143123>
- Thomas
CERT-Bund Incident Response & Anti-Malware Team
David Freedman schrieb:
> ----------- nsp-security Confidential --------
>
> Forwarded from another mailing list, seems like a rather lame attempt
> but may be of some interest to the community.
>
> Dave.
>
> --------------------------------------------------------------
>
>
> Hi All,
>
> Whilst tailing some logs, I came across the following IP address. It
> would seem they have a PTR record returning localhost. Whilst this
> could obviously be an oversight, it does feel odd that a Vietnam
> allocated IP would have reason to access this server.
>
> $ host 222.253.138.210
> 210.138.253.222.in-addr.arpa domain name pointer localhost.
>
> This made me wonder if this is a potential vector for attack. If the
> rdns of an IP is checked in a poorly written application (ignoring
> forward resolving of localhost via /etc/hosts), and is satisfied it is
> infact localhost, then the IP address would be granted privileges
> normally authorised only to localhost/127.0.0.1.
>
> Has anybody previously come across this?
>
>
>
_______________________________________________
nsp-security mailing list
nsp-security at puck.nether.net
https://puck.nether.net/mailman/listinfo/nsp-security
Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
community. Confidentiality is essential for effective Internet security counter-measures.
_______________________________________________
More information about the nsp-security
mailing list