Home page logo
/

oss-sec logo oss-sec mailing list archives

Re: Reverse lookup issue in Net::Server
From: Kurt Seifried <kseifried () redhat com>
Date: Mon, 11 Mar 2013 20:42:44 -0600

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 03/04/2013 12:36 PM, Russ Allbery wrote:
Remi Gacogne <rgacogne-bugs () coredump fr> writes:

I think there is a security issue in the way the access control
feature of Net::Server
(http://search.cpan.org/perldoc?Net%3A%3AServer) works. 
Net::Server is used by various projects including Munin, Postgrey
and SQLgrey.

The issue lies in the fact that the allow / deny access control
does not perform a valid DNS check when given a hostname
parameter and the 'reverse_lookups' option is enabled.  The
current code only checks that the incoming connection source IP
address has a reverse DNS matching the given hostname, but does
not check that the hostname resolves back to this source IP
address (see how the $prop->{'peerhost'} property is set in
get_client_info(), lib/Net/Server.pm:553, then used in
allow_deny(), lib/Net/Server.pm:597).  As it is trivial for an
attacker to be able to set his own source IP's reverse DNS, the
current check is not safe (this probably matches CWE-807:
Reliance on Untrusted Inputs in a Security Decision).

This is a very weak security measure, but yes, the need to check
the reverse DNS results with a forward DNS query to make the
security check at all useful has been well-known going all the way
back to the days when TCP wrappers was the UNIX firewalling system
of choice.  I remember discussion of this in security contexts in
1994, and I'm sure it was an old discussion even then.

Yup. Please use CVE-2013-1841 for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJRPpYkAAoJEBYNRVNeJnmTo74P/j9Yn/ESKT4ALfNJoAISZgIT
YSCewtRaMqI+LDr11Rg6kLC9NHO8BKsyo3DvlbEgFITpwkmCCOJKZOvR6PbFm9Ot
reLseaegLL6y7qDXgAi97hGjWgq2i+vIi+agyfSy1lhzpnR9bk6aa/rdbxxtERPH
N1CbKFpBvZ6RLHDtBtgEGqMznoswG8JIk5l/q15qLvnXgG1VA3H8PL/ZPsHUQ1iR
95tOKXWeHw0ZysK2mwwQHbv6xLxo1owpvILqbOMN7x5Jx/WgusahfjDhQ9eyUbpy
Ffxceha4M5LI8FgavALMFYMvAcymFkkjjuG08z/VhYa2/7FMqqF0gXIq4zuVKzAe
VJqAt0cd5B6Nx9Kff5f/Yx3WkoZaj+9ErTkIv1O3Rd+X6ubW5j8PdVpKn0hOGEL2
XKnNdOkKT6ZtWeRqfck1PZCPw4LUu/gBRNVl4vgr2QVPbRIRDjT5+PksIjd6U+dA
lHgz54FXX+X0Yqy4djhZXD1fC9LRahThkHws1U7GjAMcFzVdoGLjfoAFT7temdzF
iKpMCcCDoB9H1Pl03cJWk7pPKbZHSgRqYPlnqf6PNmTmJlYCGcqZorihU+S9xw2d
ziIO+75QPuxvVVb8Hbtv8RHuJbndqSaFtjncbn0MQ1bVU+/JdQQchy4GPlvrrtvi
kDHwPyl55Mrvy0lQAh7X
=5u6Y
-----END PGP SIGNATURE-----


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]