Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <alpine.DEB.2.00.1303042019330.9653@legendary.xserve.fr>
Date: Mon, 4 Mar 2013 20:31:14 +0100 (CET)
From: Remi Gacogne <rgacogne-bugs@...edump.fr>
To: oss-security@...ts.openwall.com
Subject: Reverse lookup issue in Net::Server


Hi,

I think there is a security issue in the way the access control feature
of Net::Server (http://search.cpan.org/perldoc?Net%3A%3AServer) works.
Net::Server is used by various projects including Munin, Postgrey and 
SQLgrey.

The issue lies in the fact that the allow / deny access control
does not perform a valid DNS check when given a hostname parameter
and the 'reverse_lookups' option is enabled.
The current code only checks that the incoming connection source IP
address has a reverse DNS matching the given hostname, but does not
check that the hostname resolves back to this source IP address (see
how the $prop->{'peerhost'} property is set in get_client_info(),
lib/Net/Server.pm:553, then used in allow_deny(), lib/Net/Server.pm:597).
As it is trivial for an attacker to be able to set his own
source IP's reverse DNS, the current check is not safe (this probably
matches CWE-807: Reliance on Untrusted Inputs in a Security Decision).

I think that the valid way would be to do the same checks as
Apache HTTPd does for the Allow / Deny directives (see do_double_reverse()
and ap_get_remote_host() in server/core.c for more information):
"It will do a reverse DNS lookup on the IP address to find the
associated hostname, and then do a forward lookup on the hostname
to assure that it matches the original IP address.
Only if the forward and reverse DNS are consistent and the hostname
matches will access be allowed."

At the very least, the documentation of Net:Server should be updated to
specify exactly what is checked by Net:Server access control, as many
people seem to assume that the check is done in the same way as in Apache 
HTTPd.

So far, I have been unable to reach the Net-Server maintener to discuss 
this matter.

--
Regards,

Remi Gacogne

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.