[nsp-sec] [Fwd: PTR localhost attack?]
Nick Hilliard
nick at inex.ie
Sun Aug 9 15:14:32 EDT 2009
> This made me wonder if this is a potential vector for attack. If the
> rdns of an IP is checked in a poorly written application (ignoring
> forward resolving of localhost via /etc/hosts), and is satisfied it is
> in fact localhost, then the IP address would be granted privileges
> normally authorised only to localhost/127.0.0.1.
>
> Has anybody previously come across this?
This sort of attack was all the rage in the early-mid 1990s, during that
awkward transition when it could no longer be assumed that DNS was
controlled by responsible types, that ports below 1024 were safe, and so
forth. I seem to remember using it on a couple of occasions to regain
access to machines whose root passwords had been lost or changed without
permission, or that sort of thing.
Once the trick became common knowledge, rsh/rlogin and similar protocols
were hardened against it pretty quickly. There is also code in several
client resolvers to make noise when they see A/PTR mismatches.
In short, it's an old one, and if you're silly enough to grant access
authorization on the basis of /etc/hosts or DNS PTRs, then you probably
deserve to be bitten in the bum anyway.
Nick
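To make the point concrete, here is an added example (not code from the thread or from anyone posting in it) contrasting the flawed check described above with two defender-side alternatives: deciding "is this loopback" by address rather than by name, and forward-confirmed reverse DNS (accept a PTR name only if it resolves back to the querying address). The resolver is replaced by constructed lookup tables so the snippet runs offline; the addresses are documentation ranges and the "attacker controls the reverse zone" entry is an assumption made purely for illustration.

```python
import ipaddress

# Constructed stand-ins for a DNS resolver (no network access needed).
# Assumption for the example: whoever holds 203.0.113.5 also controls its
# reverse zone and has published a PTR record claiming the name "localhost".
FAKE_PTR = {
    "203.0.113.5": "localhost",        # hostile PTR, constructed
    "127.0.0.1": "localhost",
    "198.51.100.7": "mail.example.net",
}
FAKE_A = {
    "localhost": ["127.0.0.1"],
    "mail.example.net": ["198.51.100.7"],
}


def reverse_lookup(ip):
    """PTR lookup against the constructed table; None when no record exists."""
    return FAKE_PTR.get(ip)


def forward_lookup(name):
    """A-record lookup against the constructed table; empty list when unknown."""
    return FAKE_A.get(name, [])


def naive_is_localhost(ip):
    """The flawed check from the post: trust the PTR name and nothing else."""
    return reverse_lookup(ip) == "localhost"


def hardened_is_localhost(ip):
    """Loopback is a property of the address, so decide it from the address."""
    return ipaddress.ip_address(ip).is_loopback


def forward_confirmed_name(ip):
    """Forward-confirmed reverse DNS (FCrDNS).

    Returns the PTR name only if that name resolves forward to the same
    address; otherwise None. A hostile PTR that points at a name the
    attacker does not control fails this test.
    """
    name = reverse_lookup(ip)
    if name is None:
        return None
    return name if ip in forward_lookup(name) else None


def ptr_mismatch_warning(ip):
    """The kind of noise the post says some resolvers make on A/PTR mismatch.

    Returns a log line for a mismatch, or None when the records agree.
    """
    name = reverse_lookup(ip)
    if name is None or ip in forward_lookup(name):
        return None
    return f"warning: PTR for {ip} is {name!r} but {name!r} does not resolve to {ip}"


if __name__ == "__main__":
    for addr in ("127.0.0.1", "203.0.113.5", "198.51.100.7"):
        print(addr, "naive:", naive_is_localhost(addr),
              "hardened:", hardened_is_localhost(addr),
              "fcrdns:", forward_confirmed_name(addr),
              "warn:", ptr_mismatch_warning(addr))
```

The naive check says yes for 203.0.113.5 because the only evidence it consults is the attacker-supplied PTR name; the address-based check says no, and FCrDNS rejects the PTR because "localhost" does not resolve forward to 203.0.113.5. In real code the two lookup functions would be replaced by actual resolver calls, but the decision logic stays the same: never derive an authorization decision from a name that the remote party's own reverse zone supplied.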