[nsp-sec] [Fwd: PTR localhost attack?]
Chris Morrow
morrowc at ops-netman.net
Sun Aug 9 11:49:00 EDT 2009
On Sun, 9 Aug 2009, Hank Nussbacher wrote:
> ----------- nsp-security Confidential --------
>
> At 15:21 06/08/2009 +0200, Thomas Hungenberg wrote:
>
> I brought this up on nsp-security-discuss in Nov 2008. No one seemed too
> concerned.
I think because most folks assume people don't use DNS or PTRs for
'security' critical processing.
>
> -Hank
>
>>
>> Heise published an article on this today (German language):
>> <http://www.heise.de/security/Namens-Trick-oeffnet-Mailserver--/news/meldung/143123>
>>
>>
>> - Thomas
>>
>> CERT-Bund Incident Response & Anti-Malware Team
>>
>>
>> David Freedman wrote:
>> > Forwarded from another mailing list, seems like a rather lame attempt
>> > but may be of some interest to the community.
>> >
>> > Dave.
>> >
>> > --------------------------------------------------------------
>> >
>> >
>> > Hi All,
>> >
>> > Whilst tailing some logs, I came across the following IP address. It
>> > would seem they have a PTR record returning localhost. Whilst this
>> > could obviously be an oversight, it does feel odd that a Vietnam
>> > allocated IP would have reason to access this server.
>> >
>> > $ host 222.253.138.210
>> > 210.138.253.222.in-addr.arpa domain name pointer localhost.
>> >
>> > This made me wonder if this is a potential vector for attack. If the
>> > rdns of an IP is checked in a poorly written application (ignoring
>> > forward resolving of localhost via /etc/hosts), and is satisfied it is
>> > in fact localhost, then the IP address would be granted privileges
>> > normally authorised only to localhost/127.0.0.1.
>> >
>> > Has anybody previously come across this?
>> >
>> >
>> >
>>
>> _______________________________________________
>> nsp-security mailing list
>> nsp-security at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/nsp-security
>>
>> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
>> community. Confidentiality is essential for effective Internet security
>> counter-measures.
>> _______________________________________________
>
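
The rDNS check described in the forwarded post, as an added example that is not part of the original thread: a naive "PTR says localhost" test beside two sound alternatives (deciding from the peer address alone, and forward-confirmed reverse DNS). The resolver tables, the helper names and the 203.0.113.10 / 198.51.100.7 addresses are constructed assumptions so the block runs offline.

```python
import ipaddress

# Constructed resolver data standing in for real DNS answers (assumption:
# 203.0.113.10 plays the remote client whose reverse zone says "localhost.").
PTR = {
    "203.0.113.10": "localhost.",
    "198.51.100.7": "mail.example.org.",
    "127.0.0.1": "localhost.",
}
FORWARD = {
    "localhost": ["127.0.0.1", "::1"],
    "mail.example.org": ["198.51.100.7"],
}

def lookup_ptr(ip):
    """Hypothetical stand-in for a PTR query; None when no record exists."""
    return PTR.get(ip)

def lookup_addrs(name):
    """Hypothetical stand-in for an A/AAAA query (or /etc/hosts lookup)."""
    return FORWARD.get(name.rstrip(".").lower(), [])

def is_local_naive(peer_ip):
    """Flawed: trusts a name chosen by whoever controls the reverse zone."""
    name = lookup_ptr(peer_ip)
    return name is not None and name.rstrip(".").lower() == "localhost"

def is_local(peer_ip):
    """Sound: decide from the socket peer address alone, no DNS involved."""
    return ipaddress.ip_address(peer_ip).is_loopback

def confirmed_name(peer_ip):
    """Forward-confirmed reverse DNS: keep the PTR name only if it
    resolves back to the address that actually connected."""
    name = lookup_ptr(peer_ip)
    if name is None:
        return None
    peer = ipaddress.ip_address(peer_ip)
    if any(ipaddress.ip_address(a) == peer for a in lookup_addrs(name)):
        return name.rstrip(".").lower()
    return None

if __name__ == "__main__":
    for ip in ("203.0.113.10", "198.51.100.7", "127.0.0.1"):
        print(ip, is_local_naive(ip), is_local(ip), confirmed_name(ip))
```

Even a forward-confirmed name is only as trustworthy as the DNS answers behind it, so it suits logging and policy hints better than privilege decisions.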