[nsp-sec] [Fwd: PTR localhost attack?]

Smith, Donald Donald.Smith at qwest.com
Mon Aug 10 18:20:40 EDT 2009


tcpwrappers had a lot of default rules with localhost and this would bypass that.

While it's pretty old I know some people still use tcpwrappers ;)


(coffee != sleep) & (!coffee == sleep)
Donald.Smith at qwest.com gcia   

> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net
> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Nick Hilliard
> Sent: Sunday, August 09, 2009 1:15 PM
> To: nsp-security at puck.nether.net
> Subject: Re: [nsp-sec] [Fwd: PTR localhost attack?]
> 
> ----------- nsp-security Confidential --------
> 
> > This made me wonder if this is a potential vector for attack.  If the
> > rdns of an IP is checked in a poorly written application (ignoring
> > forward resolving of localhost via /etc/hosts), and is satisfied it is
> > in fact localhost, then the IP address would be granted privileges
> > normally authorised only to localhost/127.0.0.1.
> >
> > Has anybody previously come across this?
> 
> this sort of attack was all the rage in the early-mid 1990s, during that
> awkward transition where it could no longer be assumed that dns was
> controlled by responsible types and ports below 1024 were safe and so
> forth.  I seem to remember using it on a couple of occasions to regain
> access to machines whose root passwords had been lost or changed without
> permission or that sort of thing.
> 
> Once the trick became common knowledge, rsh/rlogin and similar protocols
> were hardened against it pretty quickly.  There is also code in several
> client resolvers to make noise when they see a/ptr mismatches.
>
> In short, it's an old one, and if you're silly enough to grant access
> authorization on the basis of /etc/hosts or DNS PTRs, then you probably
> deserve to be bitten in the bum anyway.
> 
> Nick
> 
> 
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
> 
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security
> counter-measures.
> _______________________________________________
> 
> 


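An added illustration of the two checks discussed in this thread (not code from the list or from any of its posters): the PTR-only test that a spoofed reverse record defeats, next to a forward-confirmed reverse DNS check that also reports the a/ptr mismatch resolvers "make noise" about. The PTR and A tables, the IPs and the hostnames are constructed stand-ins for DNS answers so the script runs offline.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed PTR and A tables standing in for DNS answers (no network access).
# 198.51.100.7 is a hypothetical remote host whose PTR has been set to
# "localhost"; the forward record for "localhost" still maps only to 127.0.0.1.
FAKE_PTR: Dict[str, str] = {
    "127.0.0.1": "localhost",
    "198.51.100.7": "localhost",        # spoofed reverse record
    "203.0.113.9": "host9.example.net",
}
FAKE_A: Dict[str, List[str]] = {
    "localhost": ["127.0.0.1"],
    "host9.example.net": ["203.0.113.9"],
}

def reverse_lookup(ip: str) -> str:
    return FAKE_PTR.get(ip, "")

def forward_lookup(name: str) -> List[str]:
    return FAKE_A.get(name, [])

def trusted_by_ptr_only(ip: str, allowed_names: List[str]) -> bool:
    """The flawed pattern from the thread: the PTR name alone decides."""
    return reverse_lookup(ip) in allowed_names

def confirmed_name(ip: str) -> Optional[str]:
    """Forward-confirmed reverse DNS: keep the PTR name only if one of its
    forward (A) records points back at the client IP; otherwise None."""
    name = reverse_lookup(ip)
    if name and ip in forward_lookup(name):
        return name
    return None

def ptr_mismatch(ip: str) -> bool:
    """True when a PTR exists but does not forward-confirm (worth logging)."""
    return bool(reverse_lookup(ip)) and confirmed_name(ip) is None

def trusted_fcrdns(ip: str, allowed_names: List[str]) -> bool:
    """Hardened pattern: a "localhost" ACL entry is decided by the address
    being loopback, never by a name; other entries must forward-confirm."""
    if "localhost" in allowed_names and ipaddress.ip_address(ip).is_loopback:
        return True
    name = confirmed_name(ip)
    return name is not None and name != "localhost" and name in allowed_names

if __name__ == "__main__":
    for ip in FAKE_PTR:
        print(ip, trusted_by_ptr_only(ip, ["localhost"]),
              trusted_fcrdns(ip, ["localhost"]), ptr_mismatch(ip))
```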