[nsp-sec] [Fwd: PTR localhost attack?]

Hank Nussbacher hank at efes.iucc.ac.il
Sun Aug 9 01:56:24 EDT 2009 

At 15:21 06/08/2009 +0200, Thomas Hungenberg wrote:

I brought this up on nsp-security-discuss in Nov 2008.  No one seemed too 
concerned.

-Hank

>----------- nsp-security Confidential --------
>
>
>Heise published an article on this today (German language):
><http://www.heise.de/security/Namens-Trick-oeffnet-Mailserver--/news/meldung/143123>
>
>
>      - Thomas
>
>CERT-Bund Incident Response & Anti-Malware Team
>
>
>David Freedman schrieb:
> > ----------- nsp-security Confidential --------
> >
> > Forwarded from another mailing list, seems like a rather lame attempt
> > but may be of some interest to the community.
> >
> > Dave.
> >
> > --------------------------------------------------------------
> >
> >
> > Hi All,
> >
> > Whilst tailing some logs, I came across the following IP address.  It
> > would seem they have a PTR record returning localhost.  Whilst this
> > could obviously be an oversight, it does feel odd that a Vietnam
> > allocated IP would have reason to access this server.
> >
> > $ host 222.253.138.210
> > 210.138.253.222.in-addr.arpa domain name pointer localhost.
> >
> > This made me wonder if this is a potential vector for attack.  If the
> > rdns of an IP is checked in a poorly written application (ignoring
> > forward resolving of localhost via /etc/hosts), and is satisfied it is
> > infact localhost, then the IP address would be granted privileges
> > normally authorised only to localhost/127.0.0.1.
> >
> > Has anybody previously come across this?
> >
> >
> >
>
>_______________________________________________
>nsp-security mailing list
>nsp-security at puck.nether.net
>https://puck.nether.net/mailman/listinfo/nsp-security
>
>Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
>community. Confidentiality is essential for effective Internet security 
>counter-measures.
>_______________________________________________
>
>
>
>
>
>_______________________________________________
>nsp-security mailing list
>nsp-security at puck.nether.net
>https://puck.nether.net/mailman/listinfo/nsp-security
>
>Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
>community. Confidentiality is essential for effective Internet security 
>counter-measures.
>_______________________________________________

More information about the nsp-security mailing list