
Bug#139879: marked as done (nscd reverse-lookup exploit (bug 120059 revisited))



Your message dated Mon, 30 Dec 2002 20:02:47 +0400
with message-id <000611c5eb71$bec21551$7512818d@mjuvgbnp>
and subject line Lonely this New Year ?
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 25 Mar 2002 19:43:53 +0000
>From stain@linpro.no Mon Mar 25 13:43:53 2002
Return-path: <stain@linpro.no>
Received: from mail.linpro.no (linpro.no) [213.203.57.2] (qmailr)
	by master.debian.org with smtp (Exim 3.12 1 (Debian))
	id 16paNj-00071R-00; Mon, 25 Mar 2002 13:43:51 -0600
Received: (qmail 20298 invoked from network); 25 Mar 2002 19:43:48 -0000
Received: from scruffy.trd.linpro.no (195.1.156.76)
  by mail.linpro.no with SMTP; 25 Mar 2002 19:43:48 -0000
Received: from stain by scruffy.trd.linpro.no with local (Exim 3.35 #1 (Debian))
	id 16paNf-0003ye-00
	for <submit@bugs.debian.org>; Mon, 25 Mar 2002 20:43:47 +0100
Date: Mon, 25 Mar 2002 20:43:47 +0100
From: Stian Soiland <stain@linpro.no>
To: submit@bugs.debian.org
Subject: nscd reverse-lookup exploit (bug 120059 revisited)
Message-ID: <20020325194347.GD2338@linpro.no>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
User-Agent: Mutt/1.3.27i
Delivered-To: submit@bugs.debian.org

Package: nscd
Version: 2.2.5-3
Severity: grave


This is the same issue as expired bug 120059, incorrectly
marked as "Done".

When running nscd:

  stain@natalie:~$ host 80.82.160.10
  Name: localhost
  Address: 80.82.160.10

  stain@natalie:~$ telnet localhost
  Trying 80.82.160.10...
  telnet: Unable to connect to remote host: Connection refused

  stain@natalie:~$ ssh localhost
  The authenticity of host 'localhost (80.82.160.10)' can't be
  established.
  RSA key fingerprint is 5e:41:6b:0c:14:fa:85:a1:f9:c9:f5:7c:cf:4b:89:1b.
  Are you sure you want to continue connecting (yes/no)?

  stain@natalie:~$ ping localhost
  PING localhost (80.82.160.10) from 192.168.1.17 : 56(84) bytes of data.
  64 bytes from localhost (80.82.160.10): icmp_seq=1 ttl=235 time=134 ms

  stain@natalie:~$ cat /etc/hosts
  127.0.0.1       localhost
  192.168.1.17    natalie natalie.linpro.no
  192.168.0.1 oven
  192.168.1.1 traad


This makes it possible for 80.82.160.10 (or anyone
else with access to his own reverse lookup zone)
to simply trigger a reverse lookup for his address
(simply: use a service on the victim's server, such as
a web server or ssh login.)

The server will reverse-lookup the attacker's IP address,
storing the lookup into the cache as if it had been an
A-record lookup.

Some service on the server (for instance PHP with database access)
tries to connect to localhost, supplying username, password or
some other vital data. nscd happily reports that
"localhost" is 80.82.160.10, even though localhost has never been
resolved that way, and even though localhost IS listed in
/etc/hosts AND /etc/nsswitch clearly says "hosts: files dns".


The dangerous part here is not that someone claims to be called
"localhost" by DNS spoofing, but that a reverse lookup is considered
authoritative the other way around. If I claim to be www.google.com, would
I then become www.google.com? No. At least not in the normal world, but
with nscd I can.

(note: the example 80.82.160.10 is in no way associated with me, I found
it by rumour; it is probably just a misconfiguration)

The problem could be  to nscd as behaviour is normal
(localhost -> 127.0.0.1) when stopping nscd.


(I'm using Debian Sid/686 with libc 2.2.5-3. Last dist-upgrade was
 yesterday)

-- 
Stian Søiland               C++ was an attempt by the KGB to destroy
Trondheim, Norway           Western civilisation. They almost succeeded. [Nytrø]
http://stain.portveien.to/
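The report above describes a cache that treats a reverse (PTR) answer as if it were a forward (A-record) answer, so that a later lookup of "localhost" returns the remote client's address. The following toy resolver is an added illustration, not code from the bug report or from nscd/glibc: it models that confusion with constructed /etc/hosts and DNS tables (`HOSTS_FILE`, `DNS_A`, `DNS_PTR`), replays the sequence from the report (a service reverse-resolves its client, then something connects to "localhost"), and shows two defensive changes: not seeding the forward cache from reverse answers at all, and only trusting a PTR answer when a forward lookup of the returned name agrees with the address. `names_disagreeing_with_hosts_file` is a hypothetical consistency check an administrator could apply to cached answers; it is not an nscd feature.

```python
# Added model of the forward/reverse cache confusion from the bug report (not nscd's code).
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed fixtures standing in for /etc/hosts and DNS; not a real resolver.
# The reverse zone for 80.82.160.10 answers "localhost", as observed in the report.
HOSTS_FILE: Dict[str, str] = {"localhost": "127.0.0.1", "natalie": "192.168.1.17"}
DNS_A: Dict[str, str] = {"natalie.linpro.no": "192.168.1.17"}
DNS_PTR: Dict[str, str] = {"80.82.160.10": "localhost"}
CLIENT_IP = "80.82.160.10"


@dataclass
class CachingResolver:
    """Toy name-service cache in front of 'hosts: files dns' (hypothetical, not nscd's code)."""
    seed_forward_from_reverse: bool          # the defect: a PTR answer is stored as an A answer
    forward_confirm_ptr: bool = False        # mitigation: keep a PTR only if the A record agrees
    forward: Dict[str, str] = field(default_factory=dict)   # name -> address
    reverse: Dict[str, str] = field(default_factory=dict)   # address -> name

    def gethostbyname(self, name: str) -> Optional[str]:
        """Forward lookup: cache, then files, then dns (the nsswitch order quoted in the report)."""
        if name in self.forward:
            return self.forward[name]
        addr = HOSTS_FILE.get(name) or DNS_A.get(name)
        if addr is not None:
            self.forward[name] = addr
        return addr

    def gethostbyaddr(self, addr: str) -> Optional[str]:
        """Reverse lookup: the answer comes from whoever controls the PTR zone for addr."""
        if addr in self.reverse:
            return self.reverse[addr]
        name = DNS_PTR.get(addr)
        if name is None:
            return None
        if self.forward_confirm_ptr and self.gethostbyname(name) != addr:
            return None   # PTR not confirmed by a forward lookup: neither trust nor cache it
        self.reverse[addr] = name
        if self.seed_forward_from_reverse:
            self.forward[name] = addr   # defect: "localhost" now resolves to the client's address
        return name


def localhost_after_client_lookup(seed: bool, confirm: bool = False) -> Tuple[Optional[str], Optional[str]]:
    """Replay the report: a service reverse-resolves a client, then something connects to localhost."""
    resolver = CachingResolver(seed_forward_from_reverse=seed, forward_confirm_ptr=confirm)
    ptr_name = resolver.gethostbyaddr(CLIENT_IP)      # e.g. sshd or a web server logging the peer
    local_addr = resolver.gethostbyname("localhost")  # e.g. PHP connecting to a local database
    return ptr_name, local_addr


def names_disagreeing_with_hosts_file(resolver: CachingResolver) -> List[str]:
    """Defender's check: cached forward answers that contradict /etc/hosts, which is consulted first."""
    return sorted(n for n, a in resolver.forward.items() if n in HOSTS_FILE and HOSTS_FILE[n] != a)


if __name__ == "__main__":
    for seed, confirm in ((True, False), (False, False), (True, True)):
        print(f"seed={seed} confirm={confirm}: {localhost_after_client_lookup(seed, confirm)}")
    poisoned = CachingResolver(seed_forward_from_reverse=True)
    poisoned.gethostbyaddr(CLIENT_IP)
    print("cache entries inconsistent with /etc/hosts:", names_disagreeing_with_hosts_file(poisoned))
```

With the defect enabled the replay returns `('localhost', '80.82.160.10')`, matching the `telnet`/`ssh`/`ping` output in the report; with seeding disabled it returns `('localhost', '127.0.0.1')`; with forward confirmation the unconfirmed PTR answer is dropped entirely and "localhost" still resolves from files. The consistency check flags `localhost` only in the poisoned cache, which is the kind of cross-check a server operator can run against `getent hosts` output versus `/etc/hosts` while nscd is running.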

---------------------------------------
Received: (at 139879-done) by bugs.debian.org; 31 Dec 2002 00:24:33 +0000
>From meyerind@hotmail.com Mon Dec 30 18:24:32 2002
Return-path: <meyerind@hotmail.com>
Received: from (hotmail.com) [200.52.208.41]
	by master.debian.org with smtp (Exim 3.12 1 (Debian))
	id 18TAAD-0003NL-00; Mon, 30 Dec 2002 18:21:47 -0600
Received: from 41.251.88.244 ([41.251.88.244]) by rsmail.alkoholic.net with SMTP; Mon, 30 Dec 2002 15:24:40 +0200
Received: from 190.189.24.133 ([190.189.24.133]) by public.micromail.com.au with esmtp; Mon, 30 Dec 2002 17:16:02 +0200
Received: from [153.88.44.195] by mts.locks.grgtween.net with NNFMP; Mon, 30 Dec 2002 19:07:24 +0500
Reply-To: <meyerind@hotmail.com>
Message-ID: <000611c5eb71$bec21551$7512818d@mjuvgbnp>
From: <meyerind@hotmail.com>
To: M
Subject: Lonely this New Year ?
Date: Mon, 30 Dec 2002 20:02:47 +0400
MIME-Version: 1.0
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Internet Mail Service (5.5.2650.21)
Importance: Normal
Delivered-To: 139879-done@bugs.debian.org
X-Spam-Status: No, hits=2.3 required=5.0
	tests=EXCHANGE_SERVER,FORGED_HOTMAIL_RCVD,INVALID_MSGID,
	      MISSING_MIMEOLE,MISSING_OUTLOOK_NAME,NO_REAL_NAME,
	      SPAM_PHRASE_00_01,SUBJ_ENDS_IN_SPACE,TO_MALFORMED
	version=2.41
X-Spam-Level: **

Hi,..


Please, please write again, hope you still have my email, to make things worse I am not
sure about yours either, anyway you can always catch me on http://www.singlers.com/index_vip.html

Hope to see you very, very soon.

Kisses and more :)

Dealy