
Bug#139879: marked as done (nscd reverse-lookup exploit (bug 120059 revisited))



Your message dated Wed, 16 Apr 2003 00:27:16 +0900
with message-id <80he8z4w8b.wl@oris.opensource.jp>
and subject line Bug#139879: nscd reverse-lookup exploit (bug 120059 revisited)
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 25 Mar 2002 19:43:53 +0000
>From stain@linpro.no Mon Mar 25 13:43:53 2002
Return-path: <stain@linpro.no>
Received: from mail.linpro.no (linpro.no) [213.203.57.2] (qmailr)
	by master.debian.org with smtp (Exim 3.12 1 (Debian))
	id 16paNj-00071R-00; Mon, 25 Mar 2002 13:43:51 -0600
Received: (qmail 20298 invoked from network); 25 Mar 2002 19:43:48 -0000
Received: from scruffy.trd.linpro.no (195.1.156.76)
  by mail.linpro.no with SMTP; 25 Mar 2002 19:43:48 -0000
Received: from stain by scruffy.trd.linpro.no with local (Exim 3.35 #1 (Debian))
	id 16paNf-0003ye-00
	for <submit@bugs.debian.org>; Mon, 25 Mar 2002 20:43:47 +0100
Date: Mon, 25 Mar 2002 20:43:47 +0100
From: Stian Soiland <stain@linpro.no>
To: submit@bugs.debian.org
Subject: nscd reverse-lookup exploit (bug 120059 revisited)
Message-ID: <20020325194347.GD2338@linpro.no>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
User-Agent: Mutt/1.3.27i
Delivered-To: submit@bugs.debian.org

Package: nscd
Version: 2.2.5-3
Severity: grave


This is the same issue as expired bug 120059, incorrectly
marked as "Done".

When running nscd:

  stain@natalie:~$ host 80.82.160.10
  Name: localhost
  Address: 80.82.160.10

  stain@natalie:~$ telnet localhost
  Trying 80.82.160.10...
  telnet: Unable to connect to remote host: Connection refused

  stain@natalie:~$ ssh localhost
  The authenticity of host 'localhost (80.82.160.10)' can't be
  established.
  RSA key fingerprint is 5e:41:6b:0c:14:fa:85:a1:f9:c9:f5:7c:cf:4b:89:1b.
  Are you sure you want to continue connecting (yes/no)?

  stain@natalie:~$ ping localhost
  PING localhost (80.82.160.10) from 192.168.1.17 : 56(84) bytes of data.
  64 bytes from localhost (80.82.160.10): icmp_seq=1 ttl=235 time=134 ms

  stain@natalie:~$ cat /etc/hosts
  127.0.0.1       localhost
  192.168.1.17    natalie natalie.linpro.no
  192.168.0.1 oven
  192.168.1.1 traad


This makes it possible for 80.82.160.10 (or anyone
else with access to his own reverse lookup zone)
to simply trigger a reverse lookup for his address
(simply: use a service on the victim's server, such as
a web server or ssh login.)

The server will reverse-lookup the attacker's IP address,
storing the lookup into the cache as if it had been an
A-record lookup.

Some service on the server (for instance PHP with database access)
tries to connect to localhost, supplying username, password or
some other vital data. nscd happily reports that
"localhost" is 80.82.160.10, even though localhost has never been
resolved that way, and even though localhost IS listed in
/etc/hosts AND /etc/nsswitch clearly says "hosts: files dns".


The dangerous part here is not that someone claims to be called
"localhost" by DNS spoofing, but that a reverse lookup is considered
authoritative the other way around. If I claim to be www.google.com, would
I then become www.google.com? No. At least not in the normal world, but
with nscd I can.

(note: the example 80.82.160.10 is in no way associated with me, I found
it by rumour, it is probably just a misconfiguration)

The problem could be  to nscd as behaviour is normal
(localhost -> 127.0.0.1) when stopping nscd.


(I'm using Debian Sid/686 with libc 2.2.5-3. Last dist-upgrade was
 yesterday)

-- 
Stian Søiland               C++ was an attempt by the KGB to destroy
Trondheim, Norway           Western civilization. They almost succeeded. [Nytrø]
http://stain.portveien.to/
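An added check, not part of the bug report or of nscd: a POSIX shell audit that compares the address the live resolver returns for each name in a hosts file (getent hosts goes through nscd when it is running) with the addresses the file itself gives for that name, so the localhost -> 80.82.160.10 symptom shown above is reported as a mismatch. The sample hosts file is constructed from the /etc/hosts listing in the report.

```shell
#!/bin/sh
# Added example, not from the bug report or the nscd sources.
# Audit: for each name listed in a hosts file, compare what the live
# resolver returns (getent hosts goes through nscd when it runs) with
# the addresses the file itself assigns to that name.

# check_name NAME HOSTS_FILE RESOLVED_ADDR
#   0: RESOLVED_ADDR is one of the addresses HOSTS_FILE gives for NAME
#   1: NAME is in the file but maps elsewhere (the symptom in the report)
#   2: NAME is not in the file at all
check_name() {
    expected=$(awk -v n="$1" '
        /^[[:space:]]*#/ || NF < 2 { next }
        { for (i = 2; i <= NF; i++) if ($i == n) { print $1; break } }' "$2")
    [ -n "$expected" ] || return 2
    for a in $expected; do
        [ "$a" = "$3" ] && return 0
    done
    return 1
}

# audit_hosts HOSTS_FILE: run check_name for every name in the file against
# the live resolver; prints one line per mismatch, returns 1 if any found.
audit_hosts() {
    bad=0
    for n in $(awk '!/^[[:space:]]*#/ && NF >= 2 { for (i = 2; i <= NF; i++) print $i }' "$1" | sort -u); do
        live=$(getent hosts "$n" 2>/dev/null | awk '{ print $1; exit }')
        [ -n "$live" ] || continue
        if ! check_name "$n" "$1" "$live"; then
            echo "MISMATCH: $n resolves to $live but $1 does not map it there"
            bad=1
        fi
    done
    return $bad
}

# sample_hosts_file: writes a hosts file constructed from the report's
# /etc/hosts listing to a temporary file and prints its path.
sample_hosts_file() {
    f=$(mktemp)
    printf '127.0.0.1\tlocalhost\n192.168.1.17\tnatalie natalie.linpro.no\n192.168.0.1 oven\n192.168.1.1 traad\n' > "$f"
    echo "$f"
}
```

Run `audit_hosts /etc/hosts` on a host with nscd active; a clean system prints nothing and returns 0.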

---------------------------------------
Received: (at 139879-done) by bugs.debian.org; 15 Apr 2003 15:27:18 +0000
>From gotom@debian.or.jp Tue Apr 15 10:27:18 2003
Return-path: <gotom@debian.or.jp>
Received: from oris.opensource.jp (oris.opensource.gr.jp) [218.44.239.73] (postfix)
	by master.debian.org with esmtp (Exim 3.12 1 (Debian))
	id 195SL7-0004R6-00; Tue, 15 Apr 2003 10:27:17 -0500
Received: from oris.opensource.jp (oris.opensource.jp [218.44.239.73])
	by oris.opensource.gr.jp (Postfix) with ESMTP
	id 7D565C33C7; Wed, 16 Apr 2003 00:27:16 +0900 (JST)
Date: Wed, 16 Apr 2003 00:27:16 +0900
Message-ID: <80he8z4w8b.wl@oris.opensource.jp>
From: GOTO Masanori <gotom@debian.or.jp>
To: Petter Reinholdtsen <pere@hungry.com>,
	139879-done@bugs.debian.org, 120059-done@bugs.debian.org
Subject: Re: Bug#139879: nscd reverse-lookup exploit (bug 120059 revisited)
In-Reply-To: <E194HOV-0005LP-00@minerva.intern>
References: <E194HOV-0005LP-00@minerva.intern>
User-Agent: Wanderlust/2.9.9 (Unchained Melody) SEMI/1.14.3 (Ushinoya)
 FLIM/1.14.3 (=?ISO-8859-4?Q?Unebigory=F2mae?=) APEL/10.3 Emacs/21.2
 (i386-debian-linux-gnu) MULE/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.3 - "Ushinoya")
Content-Type: text/plain; charset=US-ASCII
Delivered-To: 139879-done@bugs.debian.org
X-Spam-Status: No, hits=-1.8 required=4.0
	tests=IN_REP_TO,QUOTED_EMAIL_TEXT,REFERENCES,SPAM_PHRASE_02_03,
	      USER_AGENT
	version=2.44
X-Spam-Level: 

Hi,

At Sat, 12 Apr 2003 11:33:55 +0200,
Petter Reinholdtsen wrote:
> The glibc developer Ulrich Drepper claims that this security problem
> is fixed in later versions of glibc.  See
> <URL:http://sources.redhat.com/ml/libc-alpha/2003-04/msg00124.html>.
> 
> I'm not sure in which version this was fixed.

Thanks for checking and for your report.  I've just closed #120059 and
#139879.

Regards,
-- gotom


